From: aranea@aixah.de (Luis Ressel)
Date: Mon, 10 Aug 2015 15:49:00 +0200
Subject: [refpolicy] [PATCH 2/2] gpg 2.1 places gpg-agent sockets in ~/.gnupg/
In-Reply-To: <20150810133313.GC3707@x250>
References: <1439154658-18322-1-git-send-email-aranea@aixah.de> <1439154658-18322-2-git-send-email-aranea@aixah.de> <20150810072718.GB3707@x250> <20150810151526.2bccf6d0@gentp.lnet> <20150810133313.GC3707@x250>
Message-ID: <20150810154900.1ac4edb8@gentp.lnet>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, 10 Aug 2015 15:33:14 +0200
Dominick Grift wrote:

> On Mon, Aug 10, 2015 at 03:15:26PM +0200, Luis Ressel wrote:
> > On Mon, 10 Aug 2015 09:27:18 +0200
> > Dominick Grift wrote:
> >
> > > On Sun, Aug 09, 2015 at 11:10:58PM +0200, Luis Ressel wrote:
> > > > ---
> > > > gpg.if | 3 ++-
> > > > gpg.te | 3 +++
> > > > 2 files changed, 5 insertions(+), 1 deletion(-)
> > > >
> > > > diff --git a/gpg.if b/gpg.if
> > > > index 13149ca..4141add 100644
> > > > --- a/gpg.if
> > > > +++ b/gpg.if
> > > > @@ -205,10 +205,11 @@ interface(`gpg_rw_agent_pipes',`
> > > > #
> > > > interface(`gpg_stream_connect_agent',`
> > > > gen_require(`
> > > > - type gpg_agent_t, gpg_agent_tmp_t;
> > > > + type gpg_agent_t, gpg_agent_tmp_t,
> > > > gpg_secret_t; ')
> > > >
> > > > stream_connect_pattern($1, gpg_agent_tmp_t,
> > > > gpg_agent_tmp_t, gpg_agent_t)
> > > > + stream_connect_pattern($1, gpg_secret_t,
> > > > gpg_agent_tmp_t, gpg_agent_t) ')
> > > >
> > > > ########################################
> > > > diff --git a/gpg.te b/gpg.te
> > > > index a40ac69..edf238a 100644
> > > > --- a/gpg.te
> > > > +++ b/gpg.te
> > > > @@ -241,6 +241,9 @@ manage_sock_files_pattern(gpg_agent_t,
> > > > gpg_agent_tmp_t, gpg_agent_tmp_t)
> > > > files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file
> > > > sock_file dir }) filetrans_pattern(gpg_agent_t, gpg_secret_t,
> > > > gpg_agent_tmp_t, sock_file, "log-socket")
> > > > +filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t,
> > > > sock_file, "S.gpg-agent") +filetrans_pattern(gpg_agent_t,
> > > > gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.ssh")
> > > > +filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t,
> > > > sock_file, "S.scdaemon")
> > >
> > > I would probably instead confine scdaemon (I have confined
> > > scdaemon in my personal policy)
> >
> > I'll have a look into confining scdaemon. But for now, it's running
> > as gpg_agent_t, so we should label its socket accordingly.
>
> How about then just remove the names from the transitions that will
> make it so that if agent creates any sockfiles in ~/.gnupg they'll get
> automatically created with the agent type "do as I say and not as I
> do": we should be conservative with the use of name-based auto type
> transitions
>

Yes, it'd probably be okay to mark all sock_files as gpg_agent_tmp_t.

> also this above S.scdaemon sock file has no accompanying file context
> specification?

Good catch, I forgot this.

--
Luis Ressel
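Review bot: in the gpg.if hunk, the added `stream_connect_pattern($1, gpg_secret_t, gpg_agent_tmp_t, gpg_agent_t)` widens what every caller of `gpg_stream_connect_agent` receives, because the pattern's first argument is the directory type and so now grants search on gpg_secret_t (the ~/.gnupg directory) in addition to the existing gpg_agent_tmp_t directory search; that is the intended effect for gpg 2.1, but the interface's summary above the hunk is not updated to say that callers may now traverse the user's ~/.gnupg directory to reach the agent socket, and that should be documented since the secret-key directory is a more sensitive target than the tmp directory. The sock_file argument stays gpg_agent_tmp_t, so this rule only works if the sockets under ~/.gnupg actually carry that type, which depends on the gpg.te transitions and the file contexts in the other hunk.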
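Review bot: in the gpg.te hunk, the three new name-based `filetrans_pattern` rules for "S.gpg-agent", "S.gpg-agent.ssh" and "S.scdaemon" repeat the existing "log-socket" rule and will need extending again for every socket name the agent adds; as the thread already suggests, a single unnamed `filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file)` labels every sock_file gpg_agent_t creates in a gpg_secret_t directory without enumerating names. Whichever form is kept, the runtime transition must agree with the file context specifications, otherwise a relabel (restorecon) resets the socket to the directory's type and the `gpg_stream_connect_agent` callers lose access; the thread notes that "S.scdaemon" has no file context entry, so that entry (and any others not covered by PATCH 1/2) should be added in the same series.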