From: guido@trentalancia.com (Guido Trentalancia)
Date: Tue, 23 May 2017 23:21:53 +0200
Subject: [refpolicy] [PATCH v2] gpg: manage user runtime socket files and directories
In-Reply-To:
References: <1495383664.21167.2.camel@trentalancia.com>
Message-ID: <1495574513.16791.0.camel@trentalancia.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Update the gpg module so that it can correctly manage socket files and directories in the user runtime directories.

Some other minor fixes are also included in this patch.

This is the second version (v2) of this patch and it features some improvements thanks to feedback received from Christopher PeBenito.

Signed-off-by: Guido Trentalancia

--- policy/modules/contrib/gpg.te | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) --- a/policy/modules/contrib/gpg.te 2017-04-26 17:47:20.555423022 +0200 +++ b/policy/modules/contrib/gpg.te 2017-05-21 18:13:36.728343506 +0200 @@ -124,6 +124,8 @@ miscfiles_read_localization(gpg_t) userdom_use_user_terminals(gpg_t) +userdom_manage_user_runtime_dirs(gpg_t) +userdom_manage_user_tmp_dirs(gpg_t) userdom_manage_user_tmp_files(gpg_t) userdom_manage_user_home_content_files(gpg_t) userdom_user_home_dir_filetrans_user_home_content(gpg_t, file) @@ -247,10 +249,12 @@ fs_dontaudit_list_inotifyfs(gpg_agent_t) miscfiles_read_localization(gpg_agent_t) +userdom_manage_user_runtime_dirs(gpg_agent_t) + userdom_use_user_terminals(gpg_agent_t) userdom_search_user_home_dirs(gpg_agent_t) userdom_search_user_runtime(gpg_agent_t) -userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, dir) +userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, { dir file sock_file }) ifdef(`hide_broken_symptoms',` userdom_dontaudit_read_user_tmp_files(gpg_agent_t) @@ -310,6 +316,7 @@ fs_tmpfs_filetrans(gpg_pinentry_t, gpg_p can_exec(gpg_pinentry_t, gpg_pinentry_exec_t) +kernel_dontaudit_search_sysctl(gpg_pinentry_t) kernel_read_system_state(gpg_pinentry_t) corecmd_exec_shell(gpg_pinentry_t)
@@ -327,6 +334,7 @@ domain_use_interactive_fds(gpg_pinentry_ files_read_usr_files(gpg_pinentry_t) +fs_dontaudit_getattr_xattr_fs(gpg_pinentry_t) fs_dontaudit_list_inotifyfs(gpg_pinentry_t) auth_use_nsswitch(gpg_pinentry_t)
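Review bot: in the first hunk (@@ -124), userdom_manage_user_runtime_dirs(gpg_t) and userdom_manage_user_tmp_dirs(gpg_t) give the gpg client create/rename/rmdir rights over every user runtime and tmp directory, yet the commit message never says which gpg operation was being denied, and unlike the gpg_agent_t hunk there is no userdom_user_runtime_filetrans for gpg_t, so anything gpg_t does create under the runtime dir keeps the generic user runtime type instead of a gpg-private one. Please quote the denial in the message; if gpg only needs to locate the agent socket, the narrower search interface the agent already uses (userdom_search_user_runtime) is the better fit than manage.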
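Review bot: in the second hunk (@@ -247), the blank line added after userdom_manage_user_runtime_dirs(gpg_agent_t) splits the userdom_* calls into two groups, against the convention visible in the same hunk of keeping one module's interface calls together; drop it. Separately, widening the transition to userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, { dir file sock_file }) means the agent's socket and any plain file it writes directly under the runtime dir are now labelled gpg_agent_tmp_t; the hunk does not show the gpg_agent_tmp_t rules, so confirm that gpg_agent_t has manage_sock_files_pattern (or equivalent) on that type and that the domains which connect to the agent socket can write to a gpg_agent_tmp_t sock_file, otherwise the relabel swaps one denial for another.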
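Review bot: in the third hunk (@@ -310), kernel_dontaudit_search_sysctl(gpg_pinentry_t) suppresses a denial rather than resolving it, and the commit message only covers it under "some other minor fixes"; please add the audit line showing which sysctl path pinentry searches, because if pinentry actually reads the value it needs the read interface for that sysctl instead of a dontaudit, and if it is a harmless probe the message should say so.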
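Review bot: same point for fs_dontaudit_getattr_xattr_fs(gpg_pinentry_t) in the last hunk (@@ -327): nothing in the hunk or the commit message explains what pinentry is probing, so name the denial being hidden and why the getattr is not needed. Since this and the kernel_dontaudit_search_sysctl change are unrelated to the runtime-socket fix in the subject, they would be easier to review as their own described change than folded into "minor fixes".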