From: nicolas.iooss@m4x.org (Nicolas Iooss)
Date: Thu, 27 Oct 2016 09:59:53 +0200
Subject: [refpolicy] [PATCH 2/4] gpg: add new socket paths
In-Reply-To: <1477502361-20223-2-git-send-email-jason@perfinion.com>
References: <1477502361-20223-1-git-send-email-jason@perfinion.com>
	<1477502361-20223-2-git-send-email-jason@perfinion.com>
Message-ID: <CAJfZ7==+W8EC1+=i5J41bgDM7F-z=ZusGKb2FN-rTpJrrCpShg@mail.gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, Oct 26, 2016 at 7:19 PM, Jason Zaman via refpolicy <
refpolicy@oss.tresys.com> wrote:

> GPG 2.1 has sockets in /run/user/UID/gnupg/ and
> ~/.gnupg/S.gpg-agent{,.ssh}.
>
> also allow pinentry to dbus chat gkeyring
> ---
>  gpg.fc | 4 ++++
>  gpg.if | 4 ++++
>  gpg.te | 8 ++++++++
>  3 files changed, 16 insertions(+)
>
> diff --git a/gpg.fc b/gpg.fc
> index 888cd2c..dcd6a16 100644
> --- a/gpg.fc
> +++ b/gpg.fc
> @@ -1,5 +1,7 @@
>  HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0)
>  HOME_DIR/\.gnupg/log-socket    -s      gen_context(system_u:object_r:
> gpg_agent_tmp_t,s0)
> +HOME_DIR/\.gnupg/S.gpg-agent   -s      gen_context(system_u:object_r:
> gpg_agent_tmp_t,s0)
> +HOME_DIR/\.gnupg/S.gpg-agent.ssh -s    gen_context(system_u:object_r:
> gpg_agent_tmp_t,s0)
>

Hi,
In these file patterns you might want to escape the dots with backslashes
so that they only match S.gpg-agent{,.ssh} and not files which have any
character where the dots are in the pattern.

Otherwise the patches look good to me.
Nicolas
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://oss.tresys.com/pipermail/refpolicy/attachments/20161027/4b546832/attachment.html