From: aranea@aixah.de (Luis Ressel)
Date: Sun, 11 Dec 2016 20:55:30 +0100
Subject: [refpolicy] [PATCH 3/3] Policy for gpg's dirmngr
In-Reply-To: <6f7e52bb-668b-0d6b-de45-8a490488a4ae@ieee.org>
References: <20161209181423.29820-1-aranea@aixah.de> <20161209181423.29820-3-aranea@aixah.de> <6f7e52bb-668b-0d6b-de45-8a490488a4ae@ieee.org>
Message-ID: <20161211205530.5194a7af@gentp.lnet>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Sun, 11 Dec 2016 14:27:56 -0500
Chris PeBenito via refpolicy wrote:

> On 12/09/16 13:14, Luis Ressel via refpolicy wrote:
> > GnuPG 2.1 uses a separate dirmngr process for retrieving keys from a
> > keyserver.
> >
> > This policy may be lacking permissions for some of dirmngr's
> > features I don't use, such as key retrieval via http or ldap and
> > OCSP lookups.
>
> How does this relate to the existing dirmngr module? There is a
> conflict in the /usr/bin/dirmngr labeling.

WHOOOPS, I hadn't noticed the dirmngr module. Looks like dirmngr was
originally a separate program, which has only been bundled with gnupg
since gnupg 2.1.

Thanks for noticing! I'll go over the dirmngr module and check if it
provides all permissions required by gnupg 2.1's dirmngr. (And I
obviously retract this patch.)

Regards,
Luis