From: guido@trentalancia.com (Guido Trentalancia) Date: Sun, 21 May 2017 18:21:04 +0200 Subject: [refpolicy] [PATCH] gpg: manage user runtime socket files and directories Message-ID: <1495383664.21167.2.camel@trentalancia.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Update the gpg module so that it can correctly manage socket files and directories in the user runtime directories. Some other minor fixes are also included in this patch. Signed-off-by: Guido Trentalancia --- policy/modules/contrib/gpg.te | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) --- a/policy/modules/contrib/gpg.te 2017-04-26 17:47:20.555423022 +0200 +++ b/policy/modules/contrib/gpg.te 2017-05-21 18:13:36.728343506 +0200 @@ -124,6 +124,8 @@ miscfiles_read_localization(gpg_t) userdom_use_user_terminals(gpg_t) +userdom_manage_user_runtime_dirs(gpg_t) +userdom_manage_user_tmp_dirs(gpg_t) userdom_manage_user_tmp_files(gpg_t) userdom_manage_user_home_content_files(gpg_t) userdom_user_home_dir_filetrans_user_home_content(gpg_t, file) @@ -247,10 +249,14 @@ fs_dontaudit_list_inotifyfs(gpg_agent_t) miscfiles_read_localization(gpg_agent_t) +userdom_manage_user_runtime_dirs(gpg_agent_t) +userdom_manage_user_tmp_dirs(gpg_agent_t) +userdom_manage_user_tmp_files(gpg_agent_t) + userdom_use_user_terminals(gpg_agent_t) userdom_search_user_home_dirs(gpg_agent_t) userdom_search_user_runtime(gpg_agent_t) -userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, dir) +userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, { dir file sock_file }) ifdef(`hide_broken_symptoms',` userdom_dontaudit_read_user_tmp_files(gpg_agent_t) @@ -310,6 +316,7 @@ fs_tmpfs_filetrans(gpg_pinentry_t, gpg_p can_exec(gpg_pinentry_t, gpg_pinentry_exec_t) +kernel_dontaudit_search_sysctl(gpg_pinentry_t) kernel_read_system_state(gpg_pinentry_t) corecmd_exec_shell(gpg_pinentry_t) 
@@ -327,6 +334,7 @@ domain_use_interactive_fds(gpg_pinentry_ files_read_usr_files(gpg_pinentry_t) +fs_dontaudit_getattr_xattr_fs(gpg_pinentry_t) fs_dontaudit_list_inotifyfs(gpg_pinentry_t) auth_use_nsswitch(gpg_pinentry_t)
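Review bot: in the first hunk (@@ -124,6 +124,8 @@), the new userdom_manage_user_runtime_dirs(gpg_t) and userdom_manage_user_tmp_dirs(gpg_t) let gpg_t create, rename and remove any directory carrying the generic user runtime or user tmp type, not just its own, and this hunk adds no file transition for gpg_t, so whatever gpg_t creates there keeps the shared type and is reachable by every other domain that manages those directories. Suggest giving gpg_t a private type plus a userdom_user_runtime_filetrans call, as the gpg_agent_t hunk does, or stating in the commit message which denial requires gpg_t itself to manage the shared directories.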
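Review bot: in the gpg_agent_t hunk (@@ -247,10 +249,14 @@), widening the transition to `userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, { dir file sock_file })` means new sockets and files now land in gpg_agent_tmp_t, so gpg_agent_t also needs the matching sock_file and file manage rules on gpg_agent_tmp_t (for example a manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)); those rules are outside this hunk, so please confirm they already exist or add them, otherwise the transition only changes which denial is logged. The added userdom_manage_user_runtime_dirs(gpg_agent_t) is also broader than the transition needs, since the filetrans interface already grants the parent-directory access required to create entries; either drop it or note the specific denial it resolves.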
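Review bot: the two pinentry hunks (@@ -310,6 +316,7 @@ and @@ -327,6 +334,7 @@) add kernel_dontaudit_search_sysctl(gpg_pinentry_t) and fs_dontaudit_getattr_xattr_fs(gpg_pinentry_t), which have nothing to do with runtime socket handling and are covered in the commit message only as "some other minor fixes". Describe the denials being silenced (what pinentry does that searches sysctl or stats an xattr filesystem) or move them to a separate patch, so a reviewer can judge whether a dontaudit is the right response rather than an allow rule.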