From: guido@trentalancia.com (Guido Trentalancia) Date: Tue, 23 May 2017 23:20:37 +0200 Subject: [refpolicy] [PATCH] gpg: manage user runtime socket files and directories In-Reply-To: References: <1495383664.21167.2.camel@trentalancia.com> Message-ID: <1495574437.16351.7.camel@trentalancia.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Hello Christopher. On Mon, 22/05/2017 at 19.24 -0400, Chris PeBenito wrote: > On 05/21/2017 12:21 PM, Guido Trentalancia via refpolicy wrote: > > Update the gpg module so that it can correctly manage socket files > > and directories in the user runtime directories. > > > > Some other minor fixes are also included in this patch. > > > > Signed-off-by: Guido Trentalancia > > --- > > ?policy/modules/contrib/gpg.te |???10 +++++++++- > > ?1 file changed, 9 insertions(+), 1 deletion(-) > > > > --- a/policy/modules/contrib/gpg.te 2017-04-26 > > 17:47:20.555423022 +0200 > > +++ b/policy/modules/contrib/gpg.te 2017-05-21 > > 18:13:36.728343506 +0200 > > @@ -124,6 +124,8 @@ miscfiles_read_localization(gpg_t) > > > > ?userdom_use_user_terminals(gpg_t) > > > > +userdom_manage_user_runtime_dirs(gpg_t) > > +userdom_manage_user_tmp_dirs(gpg_t) > > ?userdom_manage_user_tmp_files(gpg_t) > > ?userdom_manage_user_home_content_files(gpg_t) > > ?userdom_user_home_dir_filetrans_user_home_content(gpg_t, file) 
> > @@ -247,10 +249,14 @@ fs_dontaudit_list_inotifyfs(gpg_agent_t) > > > > ?miscfiles_read_localization(gpg_agent_t) > > > > +userdom_manage_user_runtime_dirs(gpg_agent_t) > > +userdom_manage_user_tmp_dirs(gpg_agent_t) > > +userdom_manage_user_tmp_files(gpg_agent_t) > > It's not clear what's going on here, but perhaps these make more sense > as > a new gpg_runtime_t? The directory, as already explained, is /var/run/user/USERID/gnupg. I think there is very little gain in defining a new gpg_runtime_t file type, because "runtime" here is equivalent to "temporary", in the sense that the files refer to a specific instance of a gpg_agent process and they do not survive after process termination. As for the extra userdom_manage_user_tmp_{dirs,files}() interfaces, I have removed them in a new version. They are not really needed; I did previously add them just in case or for future use, and because they are currently used by gpg_t. I hope you can now merge the new version (v2), which will follow shortly. > > ?userdom_use_user_terminals(gpg_agent_t) > > ?userdom_search_user_home_dirs(gpg_agent_t) > > ?userdom_search_user_runtime(gpg_agent_t) > > -userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, dir) > > +userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, { dir > > file sock_file }) > > > > ?ifdef(`hide_broken_symptoms',` > > ? userdom_dontaudit_read_user_tmp_files(gpg_agent_t) > > @@ -310,6 +316,7 @@ fs_tmpfs_filetrans(gpg_pinentry_t, gpg_p > > > > ?can_exec(gpg_pinentry_t, gpg_pinentry_exec_t) > > > > +kernel_dontaudit_search_sysctl(gpg_pinentry_t) > > ?kernel_read_system_state(gpg_pinentry_t) > > > > ?corecmd_exec_shell(gpg_pinentry_t) > > @@ -327,6 +334,7 @@ domain_use_interactive_fds(gpg_pinentry_ > > > > ?files_read_usr_files(gpg_pinentry_t) > > > > +fs_dontaudit_getattr_xattr_fs(gpg_pinentry_t) > > ?fs_dontaudit_list_inotifyfs(gpg_pinentry_t) > > > > ?auth_use_nsswitch(gpg_pinentry_t) > > Regards, Guido
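Review bot: in the first gpg.te hunk (@@ -124), userdom_manage_user_runtime_dirs(gpg_t) gives gpg_t create, delete and rename rights over every directory carrying the user runtime type, not only the gnupg subdirectory the commit message is about, and unlike the gpg_agent_t hunk it is not paired with a userdom_user_runtime_filetrans(gpg_t, ...) rule, so a directory gpg_t creates under /var/run/user/USERID keeps the generic user runtime label rather than gpg_agent_tmp_t; consider adding the same transition for gpg_t or narrowing the rule to what gpg itself has to create, and list in the commit message which "other minor fixes" the patch bundles so they can be reviewed on their own.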
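Review bot: in the second gpg.te hunk (@@ -247), userdom_manage_user_runtime_dirs(gpg_agent_t) is broader than the stated purpose: the directory the agent creates is already labelled gpg_agent_tmp_t by the userdom_user_runtime_filetrans rule below it, so the manage rule mainly adds delete and rename over unrelated content of the user's runtime directory; since the reply already drops the two tmp interfaces for v2, check whether the filetrans interface alone provides the parent-directory write access needed for creation and drop this rule too if it does, and confirm that the module grants gpg_agent_t file and sock_file permissions on gpg_agent_tmp_t, which this hunk does not show, before widening the transition to { dir file sock_file }.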
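Review bot: kernel_dontaudit_search_sysctl(gpg_pinentry_t) in the @@ -310 hunk silences a denial without the commit message saying what pinentry does to trigger it; record the triggering operation in the commit message or, if the access is legitimate, allow it instead, since a dontaudit rule removes the audit evidence a later debugging session would rely on.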
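Review bot: the same applies to fs_dontaudit_getattr_xattr_fs(gpg_pinentry_t) in the last hunk (@@ -327): state which getattr on the xattr filesystem this hides, so a future reader can tell expected noise from a sign that pinentry is being run somewhere the policy did not anticipate.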