From: guido@trentalancia.com (Guido Trentalancia) Date: Tue, 23 May 2017 03:04:52 +0200 Subject: [refpolicy] [PATCH] gpg: manage user runtime socket files and directories In-Reply-To: References: <1495383664.21167.2.camel@trentalancia.com> Message-ID: <1F5CB8FD-2213-4ADC-B078-EDD507FA9500@trentalancia.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Hello and thanks for getting back... On the 23rd of May 2017 01:24:59 CEST, Chris PeBenito wrote: >On 05/21/2017 12:21 PM, Guido Trentalancia via refpolicy wrote: >> Update the gpg module so that it can correctly manage socket files >> and directories in the user runtime directories. >> >> Some other minor fixes are also included in this patch. >> >> Signed-off-by: Guido Trentalancia >> --- >> policy/modules/contrib/gpg.te | 10 +++++++++- >> 1 file changed, 9 insertions(+), 1 deletion(-) >> >> --- a/policy/modules/contrib/gpg.te 2017-04-26 17:47:20.555423022 >+0200 >> +++ b/policy/modules/contrib/gpg.te 2017-05-21 18:13:36.728343506 >+0200 >> @@ -124,6 +124,8 @@ miscfiles_read_localization(gpg_t) >> >> userdom_use_user_terminals(gpg_t) >> >> +userdom_manage_user_runtime_dirs(gpg_t) >> +userdom_manage_user_tmp_dirs(gpg_t) >> userdom_manage_user_tmp_files(gpg_t) >> userdom_manage_user_home_content_files(gpg_t) >> userdom_user_home_dir_filetrans_user_home_content(gpg_t, file) 
>> @@ -247,10 +249,14 @@ fs_dontaudit_list_inotifyfs(gpg_agent_t) >> >> miscfiles_read_localization(gpg_agent_t) >> >> +userdom_manage_user_runtime_dirs(gpg_agent_t) >> +userdom_manage_user_tmp_dirs(gpg_agent_t) >> +userdom_manage_user_tmp_files(gpg_agent_t) > >It's not clear whats going on here, but perhaps these make more sense >as >a new gpg_runtime_t? The agent should be able to create a gnupg directory in /var/run/user/USERID/ and manage socket files in that directory... >> userdom_use_user_terminals(gpg_agent_t) >> userdom_search_user_home_dirs(gpg_agent_t) >> userdom_search_user_runtime(gpg_agent_t) >> -userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, dir) >> +userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, { dir >file sock_file }) >> >> ifdef(`hide_broken_symptoms',` >> userdom_dontaudit_read_user_tmp_files(gpg_agent_t) >> @@ -310,6 +316,7 @@ fs_tmpfs_filetrans(gpg_pinentry_t, gpg_p >> >> can_exec(gpg_pinentry_t, gpg_pinentry_exec_t) >> >> +kernel_dontaudit_search_sysctl(gpg_pinentry_t) >> kernel_read_system_state(gpg_pinentry_t) >> >> corecmd_exec_shell(gpg_pinentry_t) >> @@ -327,6 +334,7 @@ domain_use_interactive_fds(gpg_pinentry_ >> >> files_read_usr_files(gpg_pinentry_t) >> >> +fs_dontaudit_getattr_xattr_fs(gpg_pinentry_t) >> fs_dontaudit_list_inotifyfs(gpg_pinentry_t) >> >> auth_use_nsswitch(gpg_pinentry_t)
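Review bot: In the first gpg.te hunk (@@ -124,6 +124,8 @@), userdom_manage_user_runtime_dirs(gpg_t) and userdom_manage_user_tmp_dirs(gpg_t) grant gpg_t create, rename and delete on every directory carrying the generic user runtime and user tmp types, that is the private directories other programs keep under /run/user/UID and /tmp, not only gpg's own, and the commit message does not say which directory gpg_t itself has to create. If gpg only needs its own directory, a filetrans into a private type (the pattern the agent hunk already uses with userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, dir)) plus manage rules on that private type covers the need without the broad grant; the commit message should name the denied access that motivated the two lines so the reviewer can check that.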
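Review bot: In the gpg_agent_t hunk (@@ -247,10 +249,14 @@), widening the filetrans to { dir file sock_file } already labels the gnupg directory and the sockets the agent creates under /run/user/UID as gpg_agent_tmp_t, so what the agent needs is add_name/create on the parent user runtime directory plus manage on gpg_agent_tmp_t dirs, files and sock_files; userdom_manage_user_runtime_dirs(gpg_agent_t) goes further and lets the agent rename or delete every other program's runtime directory too. The hunk shows no manage rule for gpg_agent_tmp_t sock_file, so check that one exists elsewhere in the module, otherwise socket creation will still be denied after the transition. Labelling content under /run/user with a type named gpg_agent_tmp_t is also what makes this hard to read, which supports the gpg_runtime_t suggestion from the earlier reply: declare a separate runtime type, change the transition to userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_runtime_t, { dir file sock_file }), and give gpg_agent_t manage rules on that type only.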
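Review bot: The two gpg_pinentry_t hunks (@@ -310,6 +316,7 @@ and @@ -327,6 +334,7 @@) add kernel_dontaudit_search_sysctl and fs_dontaudit_getattr_xattr_fs, but the commit message only calls them "minor fixes" and does not say which denial each one silences or why pinentry works correctly without that access. A dontaudit on an access the program actually needs turns a visible AVC denial into a silent failure, so the message should state what pinentry was observed doing (the sysctl lookup and the statfs on an xattr filesystem) and that it succeeds with the access refused; if either access turns out to be required, the corresponding allow interface rather than a dontaudit is the right fix.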