From: guido@trentalancia.com (Guido Trentalancia)
Date: Tue, 23 May 2017 23:21:53 +0200
Subject: [refpolicy] [PATCH v2] gpg: manage user runtime socket files and
	directories
In-Reply-To: <f345f89d-7ee2-b84e-fcfd-c8f718ab9a50@ieee.org>
References: <1495383664.21167.2.camel@trentalancia.com>
	<f345f89d-7ee2-b84e-fcfd-c8f718ab9a50@ieee.org>
Message-ID: <1495574513.16791.0.camel@trentalancia.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Update the gpg module so that it can correctly manage socket files
and directories in the user runtime directories.

Some other minor fixes are also included in this patch.

This is the second version (v2) of this patch and it features some
improvements thanks to feedback received from Christopher PeBenito.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/contrib/gpg.te |    8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

--- a/policy/modules/contrib/gpg.te	2017-04-26 17:47:20.555423022 +0200
+++ b/policy/modules/contrib/gpg.te	2017-05-21 18:13:36.728343506 +0200
@@ -124,6 +124,8 @@ miscfiles_read_localization(gpg_t)
 
 userdom_use_user_terminals(gpg_t)
 
+userdom_manage_user_runtime_dirs(gpg_t)
+userdom_manage_user_tmp_dirs(gpg_t)
 userdom_manage_user_tmp_files(gpg_t)
 userdom_manage_user_home_content_files(gpg_t)
 userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)
@@ -247,10 +249,12 @@ fs_dontaudit_list_inotifyfs(gpg_agent_t)
 
 miscfiles_read_localization(gpg_agent_t)
 
+userdom_manage_user_runtime_dirs(gpg_agent_t)
+
 userdom_use_user_terminals(gpg_agent_t)
 userdom_search_user_home_dirs(gpg_agent_t)
 userdom_search_user_runtime(gpg_agent_t)
-userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, dir)
+userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, { dir file sock_file })
 
 ifdef(`hide_broken_symptoms',`
 	userdom_dontaudit_read_user_tmp_files(gpg_agent_t)
@@ -310,6 +316,7 @@ fs_tmpfs_filetrans(gpg_pinentry_t, gpg_p
 
 can_exec(gpg_pinentry_t, gpg_pinentry_exec_t)
 
+kernel_dontaudit_search_sysctl(gpg_pinentry_t)
 kernel_read_system_state(gpg_pinentry_t)
 
 corecmd_exec_shell(gpg_pinentry_t)
@@ -327,6 +334,7 @@ domain_use_interactive_fds(gpg_pinentry_
 
 files_read_usr_files(gpg_pinentry_t)
 
+fs_dontaudit_getattr_xattr_fs(gpg_pinentry_t)
 fs_dontaudit_list_inotifyfs(gpg_pinentry_t)
 
 auth_use_nsswitch(gpg_pinentry_t)