From: guido@trentalancia.com (Guido Trentalancia)
Date: Sun, 21 May 2017 18:21:04 +0200
Subject: [refpolicy] [PATCH] gpg: manage user runtime socket files and
	directories
Message-ID: <1495383664.21167.2.camel@trentalancia.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Update the gpg module so that it can correctly manage socket files
and directories in the user runtime directories.

Some other minor fixes are also included in this patch.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/contrib/gpg.te |   10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

--- a/policy/modules/contrib/gpg.te	2017-04-26 17:47:20.555423022 +0200
+++ b/policy/modules/contrib/gpg.te	2017-05-21 18:13:36.728343506 +0200
@@ -124,6 +124,8 @@ miscfiles_read_localization(gpg_t)
 
 userdom_use_user_terminals(gpg_t)
 
+userdom_manage_user_runtime_dirs(gpg_t)
+userdom_manage_user_tmp_dirs(gpg_t)
 userdom_manage_user_tmp_files(gpg_t)
 userdom_manage_user_home_content_files(gpg_t)
 userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)
@@ -247,10 +249,14 @@ fs_dontaudit_list_inotifyfs(gpg_agent_t)
 
 miscfiles_read_localization(gpg_agent_t)
 
+userdom_manage_user_runtime_dirs(gpg_agent_t)
+userdom_manage_user_tmp_dirs(gpg_agent_t)
+userdom_manage_user_tmp_files(gpg_agent_t)
+
 userdom_use_user_terminals(gpg_agent_t)
 userdom_search_user_home_dirs(gpg_agent_t)
 userdom_search_user_runtime(gpg_agent_t)
-userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, dir)
+userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, { dir file sock_file })
 
 ifdef(`hide_broken_symptoms',`
 	userdom_dontaudit_read_user_tmp_files(gpg_agent_t)
@@ -310,6 +316,7 @@ fs_tmpfs_filetrans(gpg_pinentry_t, gpg_p
 
 can_exec(gpg_pinentry_t, gpg_pinentry_exec_t)
 
+kernel_dontaudit_search_sysctl(gpg_pinentry_t)
 kernel_read_system_state(gpg_pinentry_t)
 
 corecmd_exec_shell(gpg_pinentry_t)
@@ -327,6 +334,7 @@ domain_use_interactive_fds(gpg_pinentry_
 
 files_read_usr_files(gpg_pinentry_t)
 
+fs_dontaudit_getattr_xattr_fs(gpg_pinentry_t)
 fs_dontaudit_list_inotifyfs(gpg_pinentry_t)
 
 auth_use_nsswitch(gpg_pinentry_t)