From: pebenito@ieee.org (Chris PeBenito) Date: Sun, 11 Dec 2016 14:32:02 -0500 Subject: [refpolicy] [PATCH 1/3] gpg: Add filetrans for scdaemon socket and gpg-agent extra sockets In-Reply-To: <20161209181423.29820-1-aranea@aixah.de> References: <20161209181423.29820-1-aranea@aixah.de> Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 12/09/16 13:14, Luis Ressel via refpolicy wrote: > scdaemon is part of gnupg's subsystem for handling smartcards. The two > new gpg-agent sockets are used by gnupg 2.1.16. > --- > gpg.fc | 4 ++-- > gpg.te | 3 +++ > 2 files changed, 5 insertions(+), 2 deletions(-) > > diff --git a/gpg.fc b/gpg.fc > index 3f1d1d2..eee870e 100644 > --- a/gpg.fc > +++ b/gpg.fc > @@ -1,7 +1,7 @@ > HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0) > HOME_DIR/\.gnupg/log-socket -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0) > -HOME_DIR/\.gnupg/S\.gpg-agent -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0) > -HOME_DIR/\.gnupg/S\.gpg-agent\.ssh -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0) > +HOME_DIR/\.gnupg/S\.gpg-agent.* -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0) > +HOME_DIR/\.gnupg/S\.scdaemon -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0) > > /usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0) > /usr/bin/gpgsm -- gen_context(system_u:object_r:gpg_exec_t,s0) > diff --git a/gpg.te b/gpg.te > index 02e868d..a671ffe 100644 > --- a/gpg.te > +++ b/gpg.te 
> @@ -230,7 +230,10 @@ files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir }) > > filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "log-socket") > filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent") > +filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.browser") > +filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.extra") > filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.ssh") > +filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.scdaemon") > > domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t) Merged. -- Chris PeBenito
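Review bot: In the gpg.fc hunk, the new pattern `HOME_DIR/\.gnupg/S\.gpg-agent.*` is wider than the set of names gpg.te handles. It labels any socket whose name starts with S.gpg-agent, while the named transitions in gpg.te cover only "S.gpg-agent", "S.gpg-agent.browser", "S.gpg-agent.extra" and "S.gpg-agent.ssh". Under the rules shown here, a socket with any other suffix would get gpg_agent_tmp_t on a relabel but not when gpg-agent creates it, so the two files can drift apart without anyone noticing. Consider anchoring the expression to the known names, for example `S\.gpg-agent(\.(browser|extra|ssh))?`, or adding a comment that the wildcard is intentional and that gpg.te must be extended whenever gnupg adds a socket.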
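Review bot: In the gpg.te hunk, the added "S.scdaemon" rule uses gpg_agent_t as its source domain, so it only takes effect if scdaemon itself runs in gpg_agent_t, and neither the commit message nor the hunk says that it does. If scdaemon is started by gpg-agent without a domain transition, a one-line comment above the rule stating that would make the intent clear; if it can run in another domain, the socket will be created without this transition and the gpg.fc entry will only apply after a relabel. It would also help to note next to these rules that named file transitions match exact file names, since that is the reason each gnupg 2.1.16 socket needs its own `filetrans_pattern` line here while gpg.fc uses a single expression.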