From: guido@trentalancia.net (Guido Trentalancia) Date: Fri, 02 Sep 2016 13:35:53 +0200 Subject: [refpolicy] [PATCH v2] gpg: public key signature verification in evolution In-Reply-To: <7958812d-93fe-ded7-fb23-6d02c150bcb3@ieee.org> References: <1472737946.17989.0.camel@trentalancia.net> <7958812d-93fe-ded7-fb23-6d02c150bcb3@ieee.org> Message-ID: <1472816153.25473.3.camel@trentalancia.net> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Let gpg verify public key signatures in the evolution mail client application. It doesn't need write permissions on such files for signing/encrypting messages. Signed-off-by: Guido Trentalancia --- policy/modules/contrib/evolution.if | 21 +++++++++++++++++++++ policy/modules/contrib/gpg.te | 4 ++++ 2 files changed, 25 insertions(+) --- refpolicy-git-06082016-orig/policy/modules/contrib/evolution.if 2016-08-06 21:27:11.349094280 +0200 +++ refpolicy-git-06082016/policy/modules/contrib/evolution.if 2016-09-01 15:33:27.072148930 +0200 @@ -128,6 +128,27 @@ interface(`evolution_stream_connect',` ######################################## ## +## Read evolution orbit temporary +## files. +## +## +## +## Domain allowed access. +## +## +# +interface(`evolution_read_orbit_tmp_files',` + gen_require(` + type evolution_orbit_tmp_t; + ') + + files_search_tmp($1) + read_files_pattern($1, evolution_orbit_tmp_t, evolution_orbit_tmp_t) +') + + +######################################## +## ## Send and receive messages from ## evolution over dbus. ## --- refpolicy-git-06082016-orig/policy/modules/contrib/gpg.te 2016-08-06 21:27:11.355094349 +0200 +++ refpolicy-git-06082016/policy/modules/contrib/gpg.te 2016-09-01 15:34:13.366784842 +0200 @@ -147,6 +147,10 @@ tunable_policy(`use_samba_home_dirs',` ') optional_policy(` + evolution_read_orbit_tmp_files(gpg_t) + ') + +optional_policy(` gnome_read_generic_home_content(gpg_t) gnome_stream_connect_all_gkeyringd(gpg_t) ')
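Review bot: the evolution.if hunk leaves two consecutive blank lines between the closing `')` of the new `evolution_read_orbit_tmp_files` interface and the `########` banner of the following `evolution_dbus_chat` block (`+')`, `+`, `+`, `+########`); refpolicy separates interfaces with a single blank line, so one of the two added empty `+` lines should be dropped. The interface body itself follows the usual pattern (a `gen_require` on `evolution_orbit_tmp_t`, `files_search_tmp($1)` so the caller can traverse /tmp, and `read_files_pattern` for read-only access), which matches the "doesn't need write permissions" statement in the message.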
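Review bot: the gpg.te hunk grants `gpg_t` read access to evolution's ORBit temporary files, but neither the hunk nor the commit message shows the AVC denial that ties reading those files to "verify public key signatures in evolution"; please quote the denial (source `gpg_t`, target `evolution_orbit_tmp_t`, class and permissions) in the commit message so reviewers can confirm that a plain `read_files_pattern` is the right scope rather than, for example, an fd inherited from evolution. The placement is otherwise fine: the call sits in its own `optional_policy` block, which is required because evolution is a contrib module, and it is ordered before the existing gnome block as refpolicy's alphabetical convention expects.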