From: pebenito@ieee.org (Chris PeBenito) Date: Mon, 22 May 2017 19:24:59 -0400 Subject: [refpolicy] [PATCH] gpg: manage user runtime socket files and directories In-Reply-To: <1495383664.21167.2.camel@trentalancia.com> References: <1495383664.21167.2.camel@trentalancia.com> Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 05/21/2017 12:21 PM, Guido Trentalancia via refpolicy wrote: > Update the gpg module so that it can correctly manage socket files > and directories in the user runtime directories. > > Some other minor fixes are also included in this patch. > > Signed-off-by: Guido Trentalancia > --- > policy/modules/contrib/gpg.te | 10 +++++++++- > 1 file changed, 9 insertions(+), 1 deletion(-) > > --- a/policy/modules/contrib/gpg.te 2017-04-26 17:47:20.555423022 +0200 > +++ b/policy/modules/contrib/gpg.te 2017-05-21 18:13:36.728343506 +0200 > @@ -124,6 +124,8 @@ miscfiles_read_localization(gpg_t) > > userdom_use_user_terminals(gpg_t) > > +userdom_manage_user_runtime_dirs(gpg_t) > +userdom_manage_user_tmp_dirs(gpg_t) > userdom_manage_user_tmp_files(gpg_t) > userdom_manage_user_home_content_files(gpg_t) > userdom_user_home_dir_filetrans_user_home_content(gpg_t, file) > @@ -247,10 +249,14 @@ fs_dontaudit_list_inotifyfs(gpg_agent_t) > > miscfiles_read_localization(gpg_agent_t) > > +userdom_manage_user_runtime_dirs(gpg_agent_t) > +userdom_manage_user_tmp_dirs(gpg_agent_t) > +userdom_manage_user_tmp_files(gpg_agent_t) It's not clear what's going on here, but perhaps these make more sense as a new gpg_runtime_t? > userdom_use_user_terminals(gpg_agent_t) > userdom_search_user_home_dirs(gpg_agent_t) > userdom_search_user_runtime(gpg_agent_t) > -userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, dir) > +userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, { dir file sock_file }) > > ifdef(`hide_broken_symptoms',` > userdom_dontaudit_read_user_tmp_files(gpg_agent_t)
> @@ -310,6 +316,7 @@ fs_tmpfs_filetrans(gpg_pinentry_t, gpg_p > > can_exec(gpg_pinentry_t, gpg_pinentry_exec_t) > > +kernel_dontaudit_search_sysctl(gpg_pinentry_t) > kernel_read_system_state(gpg_pinentry_t) > > corecmd_exec_shell(gpg_pinentry_t) > @@ -327,6 +334,7 @@ domain_use_interactive_fds(gpg_pinentry_ > > files_read_usr_files(gpg_pinentry_t) > > +fs_dontaudit_getattr_xattr_fs(gpg_pinentry_t) > fs_dontaudit_list_inotifyfs(gpg_pinentry_t) > > auth_use_nsswitch(gpg_pinentry_t) -- Chris PeBenito
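Review bot: In the first hunk (@@ -124), the two new lines `+userdom_manage_user_runtime_dirs(gpg_t)` and `+userdom_manage_user_tmp_dirs(gpg_t)` grant gpg_t create/delete/rename over every directory labelled as user runtime and user tmp content, not just gpg's own, and the commit message does not say which denials motivate this for the client domain. If gpg_t only needs to reach the agent socket, a search on the user runtime directory plus access to the socket type the agent creates (the hunk below labels it gpg_agent_tmp_t) would be the narrower grant; please list the AVC denials being addressed so the scope can be judged.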
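Review bot: In the agent hunk (@@ -247), the change to `+userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, { dir file sock_file })` makes every dir, file and socket the agent creates under the user runtime directory land in gpg_agent_tmp_t, so once the agent can manage gpg_agent_tmp_t it should not also need manage rights over user runtime and user tmp content in general; the three `+userdom_manage_user_*` lines look broader than the filetrans requires, and labelling runtime-directory content with a `_tmp_t` type is the mismatch the gpg_runtime_t suggestion above would resolve. Also, `+userdom_manage_user_tmp_files(gpg_agent_t)` makes the unchanged `userdom_dontaudit_read_user_tmp_files(gpg_agent_t)` inside `ifdef(\`hide_broken_symptoms',\`` dead, since read is now allowed; that block should be dropped or the manage grant reconsidered.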
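Review bot: In the pinentry hunk (@@ -310), `+kernel_dontaudit_search_sysctl(gpg_pinentry_t)` silences a denial that the commit message only covers as "other minor fixes"; a dontaudit hides evidence, so the message should state what pinentry (or a library it loads) is probing under the sysctl tree and why the access is not needed, or the rule should be an allow if it is.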
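Review bot: In the last hunk (@@ -327), `+fs_dontaudit_getattr_xattr_fs(gpg_pinentry_t)` is unrelated to the subject line "manage user runtime socket files and directories"; together with the sysctl dontaudit above it would be clearer as a separate "gpg: pinentry dontaudits" patch with its own explanation, keeping the runtime-socket change reviewable on its own.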