From: dac.override@gmail.com (Dominick Grift)
Date: Tue, 16 May 2017 19:23:32 +0200
Subject: [refpolicy] [PATCH 4/6] dirmngr: Network rules to connect to keyserver
In-Reply-To: <20170516170045.GC9284@meriadoc.perfinion.com>
References: <20170507174343.30160-1-jason@perfinion.com> <20170507174343.30160-4-jason@perfinion.com> <11a613f8-48d4-bcbf-d5ef-746305b8d404@ieee.org> <20170516170045.GC9284@meriadoc.perfinion.com>
Message-ID: <20170516172332.GA20929@julius.enp8s0.d30>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, May 17, 2017 at 01:00:45AM +0800, Jason Zaman via refpolicy wrote:
> On Thu, May 11, 2017 at 07:32:02PM -0400, Chris PeBenito wrote:
> > On 05/07/2017 01:43 PM, Jason Zaman wrote:
> > > type=AVC msg=audit(1494163667.921:24917): avc: denied { name_bind } for pid=15683 comm=636F6E6E2066643D36 src=19321 scontext=staff_u:staff_r:dirmngr_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=0
> > > ---
> > >  dirmngr.te | 6 ++++++
> > >  1 file changed, 6 insertions(+)
> > >
> > > diff --git a/dirmngr.te b/dirmngr.te
> > > index 17cce56..b64fc61 100644
> > > --- a/dirmngr.te
> > > +++ b/dirmngr.te
> > > @@ -62,6 +62,12 @@ manage_sock_files_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t)
> > >  files_pid_filetrans(dirmngr_t, dirmngr_var_run_t, { dir file })
> > >
> > >  kernel_read_crypto_sysctls(dirmngr_t)
> > > +dev_read_rand(dirmngr_t)
> > > +sysnet_dns_name_resolve(dirmngr_t)
> > > +
> > > +corenet_tcp_connect_pgpkeyserver_port(dirmngr_t)
> > > +corenet_udp_bind_generic_node(dirmngr_t)
> > > +corenet_udp_bind_all_unreserved_ports(dirmngr_t)
> > >
> > >  files_read_etc_files(dirmngr_t)
> >
> > I'm confused. If this is for connecting, why are there binding rules?
>
> I don't really know why it needs to bind to random udp ports. It failed
> hard for me without them tho :(. I could poke around in the source for
> an exact answer if you want tho.

DNS AFAIK

> I was testing it with gpg --refresh-keys
>
> -- Jason
>
> > --
> > Chris PeBenito
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
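Review bot: The two UDP bind rules in this hunk, corenet_udp_bind_generic_node(dirmngr_t) and corenet_udp_bind_all_unreserved_ports(dirmngr_t), grant far more than the subject "Network rules to connect to keyserver" describes, and neither the .te nor the commit message (which is only the raw AVC) says why a keyserver client needs to bind at all. The quoted AVC is a name_bind on a udp_socket to unreserved_port_t from comm 636F6E6E2066643D36 (hex for "conn fd=6") with src=19321, and the thread attributes it to DNS resolution; put that reason in a comment above the two rules so a later cleanup does not drop them as a copy-paste mistake, and state in the commit message whether sysnet_dns_name_resolve(dirmngr_t) alone was tried first. Separately, dev_read_rand(dirmngr_t) is not a network rule and is not covered by the subject; it belongs in its own patch or at least in the commit message.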