From: pebenito@ieee.org (Chris PeBenito)
Date: Mon, 22 May 2017 19:24:59 -0400
Subject: [refpolicy] [PATCH] gpg: manage user runtime socket files and
 directories
In-Reply-To: <1495383664.21167.2.camel@trentalancia.com>
References: <1495383664.21167.2.camel@trentalancia.com>
Message-ID: <f345f89d-7ee2-b84e-fcfd-c8f718ab9a50@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 05/21/2017 12:21 PM, Guido Trentalancia via refpolicy wrote:
> Update the gpg module so that it can correctly manage socket files
> and directories in the user runtime directories.
>
> Some other minor fixes are also included in this patch.
>
> Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
> ---
>  policy/modules/contrib/gpg.te |   10 +++++++++-
>  1 file changed, 9 insertions(+), 1 deletion(-)
>
> --- a/policy/modules/contrib/gpg.te	2017-04-26 17:47:20.555423022 +0200
> +++ b/policy/modules/contrib/gpg.te	2017-05-21 18:13:36.728343506 +0200
> @@ -124,6 +124,8 @@ miscfiles_read_localization(gpg_t)
>
>  userdom_use_user_terminals(gpg_t)
>
> +userdom_manage_user_runtime_dirs(gpg_t)
> +userdom_manage_user_tmp_dirs(gpg_t)
>  userdom_manage_user_tmp_files(gpg_t)
>  userdom_manage_user_home_content_files(gpg_t)
>  userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)
> @@ -247,10 +249,14 @@ fs_dontaudit_list_inotifyfs(gpg_agent_t)
>
>  miscfiles_read_localization(gpg_agent_t)
>
> +userdom_manage_user_runtime_dirs(gpg_agent_t)
> +userdom_manage_user_tmp_dirs(gpg_agent_t)
> +userdom_manage_user_tmp_files(gpg_agent_t)

It's not clear whats going on here, but perhaps these make more sense as 
a new gpg_runtime_t?


>  userdom_use_user_terminals(gpg_agent_t)
>  userdom_search_user_home_dirs(gpg_agent_t)
>  userdom_search_user_runtime(gpg_agent_t)
> -userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, dir)
> +userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, { dir file sock_file })
>
>  ifdef(`hide_broken_symptoms',`
>  	userdom_dontaudit_read_user_tmp_files(gpg_agent_t)
> @@ -310,6 +316,7 @@ fs_tmpfs_filetrans(gpg_pinentry_t, gpg_p
>
>  can_exec(gpg_pinentry_t, gpg_pinentry_exec_t)
>
> +kernel_dontaudit_search_sysctl(gpg_pinentry_t)
>  kernel_read_system_state(gpg_pinentry_t)
>
>  corecmd_exec_shell(gpg_pinentry_t)
> @@ -327,6 +334,7 @@ domain_use_interactive_fds(gpg_pinentry_
>
>  files_read_usr_files(gpg_pinentry_t)
>
> +fs_dontaudit_getattr_xattr_fs(gpg_pinentry_t)
>  fs_dontaudit_list_inotifyfs(gpg_pinentry_t)
>
>  auth_use_nsswitch(gpg_pinentry_t)


-- 
Chris PeBenito