From: guido@trentalancia.net (Guido Trentalancia)
Date: Fri, 02 Sep 2016 16:42:06 +0200
Subject: [refpolicy] [PATCH] gpg: public key signature verification in evolution
In-Reply-To: <09e0ed56-7f4d-71e8-d970-acecc18e2376@gmail.com>
References: <1472737946.17989.0.camel@trentalancia.net> <7958812d-93fe-ded7-fb23-6d02c150bcb3@ieee.org> <1472815602.23008.8.camel@trentalancia.net> <09e0ed56-7f4d-71e8-d970-acecc18e2376@gmail.com>
Message-ID: <1472827326.21408.7.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Fri, 02/09/2016 at 15.48 +0200, Dominick Grift wrote:
> On 09/02/2016 01:26 PM, Guido Trentalancia wrote:
> > 
> > Hello Dominick.
> > 
> > On Fri, 02/09/2016 at 10.48 +0200, Dominick Grift via refpolicy wrote:
> > > 
> > > On 09/02/2016 01:26 AM, Chris PeBenito via refpolicy wrote:
> > > > 
> > > > On 09/01/16 09:52, Guido Trentalancia via refpolicy wrote:
> > > > > 
> > > > > Let gpg verify public key signatures in the evolution mail client application.
> > > > > 
> > > > > Signed-off-by: Guido Trentalancia
> > > > > ---
> > > > >  policy/modules/contrib/evolution.if |   21 +++++++++++++++++++++
> > > > >  policy/modules/contrib/gpg.te       |    4 ++++
> > > > >  2 files changed, 25 insertions(+)
> > > > > 
> > > > > --- refpolicy-git-06082016-orig/policy/modules/contrib/evolution.if 2016-08-06 21:27:11.349094280 +0200
> > > > > +++ refpolicy-git-06082016/policy/modules/contrib/evolution.if 2016-09-01 15:33:27.072148930 +0200
> > > > > @@ -128,6 +128,27 @@ interface(`evolution_stream_connect',` > > > > > > > > > > ?######################################## > > > > > ?## > > > > > +## Read evolution orbit temporary > > > > > +## files. > > > > > +## > > > > > +## > > > > > +## > > > > > +## Domain allowed access. > > > > > +## > > > > > +## > > > > > +# > > > > > +interface(`evolution_read_orbit_tmp_t',`
> > > > 
> > > > evolution_read_orbit_tmp_files()
> > > > 
> > > 
> > > You don't have to mention "orbit" at all. There are only sockets in orbit, and push comes to shove that's just an evolution socket. This file is outside of orbit and so it has nothing to do with orbit
> > > 
> > > so i would just use evolution_read_tmp_files()

There are different types of evolution temporary files, so it is necessary to distinguish amongst them.

> > > however eventually it probably needs rw instead of r, for example when you sign emails.
> > 
> > Let's try to sign this message and see if it also requires write permissions...

It doesn't require write permissions, as is evident in the new version of the patch.

> is that PGP/MIME or in-line signing? I don't use evolution so not sure if it even supports in-line signatures or PGP/MIME

It's PGP signing. S/MIME signing does not use gpg.

> Either way, would be easy enough to adjust if and when someone needs it

It works as it is, without write permissions on that temporary file. There is nothing to adjust.

> I still don't like the reference to orbit though

See above (different types of temporary files). Originally I typed a wrong name by mistake (you know, copy and paste the type name). I have now amended the name, as kindly suggested by Christopher. See version 2.

Regards,

Guido
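Review bot: the interface name on the `+interface(`evolution_read_orbit_tmp_t',`` line does not follow refpolicy's naming convention for interfaces: the `_t` suffix belongs to type names, and an interface granting read access to a module's files is named `<module>_read_<what>_files`, so it should be `evolution_read_orbit_tmp_files` as Chris PeBenito's reply suggests (the reply says version 2 renames it). The summary `+## Read evolution orbit temporary files.` should describe the same thing once the name is settled. As quoted, the hunk stops at the interface header, so the rules the interface actually grants are not visible in this message and the read-only versus read/write question raised in the thread cannot be checked from it; the `gpg.te` change counted in the diffstat (4 insertions) is not quoted at all.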
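The disagreement in the thread, whether gpg needs read or read/write access to the evolution temporary file, is settled in practice by looking at the AVC denials logged when a message is signed before the new rule exists. The following is an added example, not code from this thread or from refpolicy: a small triage script that parses audit records of the kind `ausearch -m AVC -c gpg` prints, groups the denied permissions by source type, target type and object class, and maps each group to refpolicy's read_files_pattern() or rw_files_pattern() (their read_file_perms and rw_file_perms sets are reproduced in the code). The audit lines are constructed for the example; the type names evolution_orbit_tmp_t and evolution_tmp_t are assumed from the interface name discussed above, and the paths, pids and audit ids are made up.

```python
"""Triage AVC denials to decide what an SELinux policy interface must grant.

Added example, not code from the refpolicy thread or the refpolicy project.
Input is text in the format of `ausearch -m AVC` / audit.log; the sample
below is constructed, and the evolution_*_tmp_t type names are assumed.
"""
import re
from collections import defaultdict

# Permission sets behind refpolicy's read_file_perms / rw_file_perms macros,
# which read_files_pattern() and rw_files_pattern() grant on the file class.
READ_FILE_PERMS = {"getattr", "open", "read", "lock", "ioctl"}
RW_FILE_PERMS = READ_FILE_PERMS | {"write", "append"}

# One AVC record: "avc: denied { perms } for ... comm="x" ... scontext=... tcontext=... tclass=..."
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Constructed sample, not a real audit log: two denials for gpg on the orbit
# temp file, one for gpg on a different evolution temp type, one for evolution
# itself (filtered out below), and one non-AVC record (skipped).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1472816101.123:412): avc:  denied  { getattr } for  pid=4321 comm="gpg" path="/tmp/orbit-guido/evolution-sign-1" dev="tmpfs" ino=99 scontext=unconfined_u:unconfined_r:gpg_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:evolution_orbit_tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1472816101.123:413): avc:  denied  { read open } for  pid=4321 comm="gpg" path="/tmp/orbit-guido/evolution-sign-1" dev="tmpfs" ino=99 scontext=unconfined_u:unconfined_r:gpg_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:evolution_orbit_tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1472816104.500:418): avc:  denied  { write } for  pid=4321 comm="gpg" path="/tmp/evolution-cache-1" dev="tmpfs" ino=120 scontext=unconfined_u:unconfined_r:gpg_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:evolution_tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1472816104.900:419): avc:  denied  { write } for  pid=4300 comm="evolution" path="/tmp/orbit-guido/linc-1" dev="tmpfs" ino=130 scontext=unconfined_u:unconfined_r:evolution_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:evolution_orbit_tmp_t:s0 tclass=sock_file permissive=0
type=USER_AUTH msg=audit(1472816105.000:420): pid=1 uid=0 auid=1000 ses=2 msg='op=PAM:authentication acct="guido" exe="/usr/bin/sudo" res=success'
"""


def type_of(context):
    """Return the type field of a user:role:type[:range] SELinux context."""
    return context.split(":")[2]


def parse_avc(log_text, comm=None):
    """Map (source type, target type, class) -> set of denied permissions.

    Non-AVC records are skipped; if comm is given, only denials for that
    process name are kept, which is how you isolate gpg from evolution.
    """
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        if comm is not None and m.group("comm") != comm:
            continue
        key = (type_of(m.group("scontext")), type_of(m.group("tcontext")), m.group("tclass"))
        denials[key].update(m.group("perms").split())
    return dict(denials)


def suggest_pattern(perms, tclass):
    """Pick the narrowest refpolicy file pattern covering the denied perms.

    Returns None for non-file classes (sockets, dirs) and for permissions
    beyond rw_file_perms (create/unlink/etc.), which need a separate decision.
    """
    if tclass != "file":
        return None
    if perms <= READ_FILE_PERMS:
        return "read_files_pattern"
    if perms <= RW_FILE_PERMS:
        return "rw_files_pattern"
    return None


def triage(log_text, comm="gpg"):
    """Return {(src, tgt, class): (sorted denied perms, suggested pattern)}."""
    return {
        key: (sorted(perms), suggest_pattern(perms, key[2]))
        for key, perms in parse_avc(log_text, comm).items()
    }


if __name__ == "__main__":
    for (src, tgt, cls), (perms, pattern) in triage(SAMPLE_AUDIT_LOG).items():
        print(f"{src} -> {tgt} ({cls}): {' '.join(perms)} => {pattern}")
```

Run against a real log, the gpg_t -> evolution_orbit_tmp_t entry showing only getattr/open/read is the evidence that read_files_pattern() suffices; a write denial on the same pair, rather than on another evolution temp type, is what would justify the rw variant Dominick anticipated.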