From: nicolas.iooss@m4x.org (Nicolas Iooss)
Date: Tue, 11 Aug 2015 10:31:42 +0800
Subject: [refpolicy] [PATCH 1/2] Policy for gpg's dirmngr
In-Reply-To: <20150810140510.GD3707@x250>
References: <1439154658-18322-1-git-send-email-aranea@aixah.de>
	<20150810072526.GA3707@x250> <20150810154234.7e0c7aa3@gentp.lnet>
	<20150810140510.GD3707@x250>
Message-ID: <55C95E8E.1020406@m4x.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello,

On 08/10/2015 10:05 PM, Dominick Grift wrote:
> On Mon, Aug 10, 2015 at 03:42:34PM +0200, Luis Ressel wrote:
<snip>
>>
>> On my system, dirmngr fails to start without those.
>>
>> avc:  denied  { read } for  pid=2126 comm=636F6E6E2066643D30
>> name="random" dev="devtmpfs" ino=1032
>> scontext=staff_u:staff_r:gpg_dirmngr_t
>> tcontext=system_u:object_r:random_device_t tclass=chr_file permissive=0
>>
> 
> Assuming 636F6E6E2066643D30 translates to "dirmngr", then i guess it is needed. I havent encountered this on my implementation.

To decode this string, several ways exist [1], for example in Python:

    python -c 'import binascii;
print(binascii.unhexlify("636F6E6E2066643D30"))'

This gives "conn fd=0", which is not directly "dirmngr".  But in fact
dirmngr seems to spawn a thread with this name [2] so this process is
really dirmngr.  Moreover in dirmngr/ks-engine-hkp.c in gnupg code,
function select_random_host seems to need a random number generator to
choose an host, which could explain the access to /dev/random (I have
not checked deeply the code to understand how this function gets called).

--
Nicolas Iooss

[1]
http://blog.siphos.be/2014/03/decoding-the-hex-coded-path-information-in-avc-denials/
[2]
https://github.com/unofficial-mirrors/gnupg/blob/gnupg-2.1.3/dirmngr/dirmngr.c#L2048-L2059