From: nicolas.iooss@m4x.org (Nicolas Iooss) Date: Tue, 11 Aug 2015 10:31:42 +0800 Subject: [refpolicy] [PATCH 1/2] Policy for gpg's dirmngr In-Reply-To: <20150810140510.GD3707@x250> References: <1439154658-18322-1-git-send-email-aranea@aixah.de> <20150810072526.GA3707@x250> <20150810154234.7e0c7aa3@gentp.lnet> <20150810140510.GD3707@x250> Message-ID: <55C95E8E.1020406@m4x.org> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Hello, On 08/10/2015 10:05 PM, Dominick Grift wrote: > On Mon, Aug 10, 2015 at 03:42:34PM +0200, Luis Ressel wrote: >> >> On my system, dirmngr fails to start without those. >> >> avc: denied { read } for pid=2126 comm=636F6E6E2066643D30 >> name="random" dev="devtmpfs" ino=1032 >> scontext=staff_u:staff_r:gpg_dirmngr_t >> tcontext=system_u:object_r:random_device_t tclass=chr_file permissive=0 >> > > Assuming 636F6E6E2066643D30 translates to "dirmngr", then i guess it is needed. I havent encountered this on my implementation. To decode this string, several ways exist [1], for example in Python: python -c 'import binascii; print(binascii.unhexlify("636F6E6E2066643D30"))' This gives "conn fd=0", which is not directly "dirmngr". But in fact dirmngr seems to spawn a thread with this name [2] so this process is really dirmngr. Moreover in dirmngr/ks-engine-hkp.c in gnupg code, function select_random_host seems to need a random number generator to choose an host, which could explain the access to /dev/random (I have not checked deeply the code to understand how this function gets called). -- Nicolas Iooss [1] http://blog.siphos.be/2014/03/decoding-the-hex-coded-path-information-in-avc-denials/ [2] https://github.com/unofficial-mirrors/gnupg/blob/gnupg-2.1.3/dirmngr/dirmngr.c#L2048-L2059