From: dac.override@gmail.com (Dominick Grift)
Date: Tue, 11 Aug 2015 08:30:58 +0200
Subject: [refpolicy] [PATCH 1/2] Policy for gpg's dirmngr
In-Reply-To: <55C95E8E.1020406@m4x.org>
References: <1439154658-18322-1-git-send-email-aranea@aixah.de> <20150810072526.GA3707@x250> <20150810154234.7e0c7aa3@gentp.lnet> <20150810140510.GD3707@x250> <55C95E8E.1020406@m4x.org>
Message-ID: <20150811063057.GA1884@x250>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, Aug 11, 2015 at 10:31:42AM +0800, Nicolas Iooss wrote:
> Hello,
>
> On 08/10/2015 10:05 PM, Dominick Grift wrote:
> > On Mon, Aug 10, 2015 at 03:42:34PM +0200, Luis Ressel wrote:
> >
> >> On my system, dirmngr fails to start without those.
> >>
> >> avc: denied { read } for pid=2126 comm=636F6E6E2066643D30
> >> name="random" dev="devtmpfs" ino=1032
> >> scontext=staff_u:staff_r:gpg_dirmngr_t
> >> tcontext=system_u:object_r:random_device_t tclass=chr_file permissive=0
> >>
> >
> > Assuming 636F6E6E2066643D30 translates to "dirmngr", then I guess it is needed. I haven't encountered this on my implementation.
>
> To decode this string, several ways exist [1], for example in Python:
>
> python -c 'import binascii;
> print(binascii.unhexlify("636F6E6E2066643D30"))'

Thanks, yes. Reading the AVC denial with ausearch -i will also interpret it.

> This gives "conn fd=0", which is not directly "dirmngr". But in fact
> dirmngr seems to spawn a thread with this name [2] so this process is
> really dirmngr. Moreover in dirmngr/ks-engine-hkp.c in gnupg code,
> function select_random_host seems to need a random number generator to
> choose a host, which could explain the access to /dev/random (I have
> not checked deeply the code to understand how this function gets called).
>
> --
> Nicolas Iooss
>
> [1]
> http://blog.siphos.be/2014/03/decoding-the-hex-coded-path-information-in-avc-denials/
> [2]
> https://github.com/unofficial-mirrors/gnupg/blob/gnupg-2.1.3/dirmngr/dirmngr.c#L2048-L2059

--
02DFF788 4D30 903A 1CF3 B756 FB48 1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
Dominick Grift
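Decoding hex-encoded AVC fields the way ausearch -i does, as an added example that is not part of this thread, of refpolicy or of the audit tools: it parses the denial Luis quoted (joined onto one line) plus a second constructed denial whose file name contains a space, and only decodes fields that the audit subsystem actually hex-encodes; the field set, regexes and function names are my own assumptions.

```python
import binascii
import re

# Constructed input: the denial quoted above (joined onto one line) and a second,
# made-up denial whose file name contains a space and is therefore hex-encoded too.
SAMPLE_DENIALS = [
    'avc: denied { read } for pid=2126 comm=636F6E6E2066643D30 name="random" '
    'dev="devtmpfs" ino=1032 scontext=staff_u:staff_r:gpg_dirmngr_t '
    'tcontext=system_u:object_r:random_device_t tclass=chr_file permissive=0',
    'avc: denied { getattr } for pid=2126 comm=636F6E6E2066643D30 name=6D792066696C65 '
    'dev="tmpfs" ino=55 scontext=staff_u:staff_r:gpg_dirmngr_t '
    'tcontext=staff_u:object_r:user_tmp_t tclass=file permissive=0',
]

# The kernel audit code hex-encodes an untrusted string (unquoted, uppercase hex) when
# it contains a double quote, a space or a non-printable byte; otherwise the value is
# quoted. Decode only string fields, or a numeric value such as pid=2126 would be
# mangled into the bytes 0x21 0x26 ("!&"). This field set is an assumption.
HEX_ENCODED_FIELDS = {"comm", "name", "exe", "cwd", "path", "proctitle"}

_AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*)\}\s+for\s+(.*)")
_FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
_HEX_RE = re.compile(r"^(?:[0-9A-F]{2})+$")


def decode_audit_value(key, raw):
    """Return the printable form of one field, as ausearch -i would show it."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    if key in HEX_ENCODED_FIELDS and _HEX_RE.match(raw):
        return binascii.unhexlify(raw).decode("utf-8", errors="replace")
    return raw


def parse_avc(line):
    """Parse one 'avc: denied' record into a dict of decoded fields;
    'perms' holds the permissions listed inside the braces."""
    m = _AVC_RE.search(line)
    if m is None:
        raise ValueError("not an AVC record: %r" % line)
    fields = {"decision": m.group(1), "perms": m.group(2).split()}
    for key, raw in _FIELD_RE.findall(m.group(3)):
        fields[key] = decode_audit_value(key, raw)
    return fields


if __name__ == "__main__":
    for line in SAMPLE_DENIALS:
        f = parse_avc(line)
        print("%s %s comm=%r name=%r scontext=%s"
              % (f["decision"], f["perms"], f["comm"], f["name"], f["scontext"]))
```

The first record decodes comm to "conn fd=0", the thread name Nicolas identified, which is hex-encoded precisely because it contains a space.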