From: guido@trentalancia.com (Guido Trentalancia)
Date: Wed, 24 May 2017 02:41:22 +0200
Subject: [refpolicy] [PATCH] gpg: manage user runtime socket files and directories
In-Reply-To: <80180dd6-3ff2-d132-9c30-322e9798d653@ieee.org>
References: <1495383664.21167.2.camel@trentalancia.com> <1F5CB8FD-2213-4ADC-B078-EDD507FA9500@trentalancia.com> <20170523070600.GB23273@julius.enp8s0.d30> <1495552329.6640.3.camel@trentalancia.com> <20170523155926.GA26271@julius.enp8s0.d30> <80180dd6-3ff2-d132-9c30-322e9798d653@ieee.org>
Message-ID: <867E665F-8057-490C-8BEA-E311D83363DD@trentalancia.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello again.

On the 24th of May 2017 02:18:03 CEST, Chris PeBenito via refpolicy wrote:
>On 05/23/2017 11:59 AM, Dominick Grift via refpolicy wrote:
>> On Tue, May 23, 2017 at 05:12:09PM +0200, Guido Trentalancia via refpolicy wrote:
>>> On Tue, 23/05/2017 at 09.06 +0200, Dominick Grift via refpolicy wrote:
>>>> On Tue, May 23, 2017 at 03:04:52AM +0200, Guido Trentalancia via refpolicy wrote:
>>>>> Hello and thanks for getting back...
>>>>>
>>>>> On the 23rd of May 2017 01:24:59 CEST, Chris PeBenito e.org> wrote:
>>>>>> On 05/21/2017 12:21 PM, Guido Trentalancia via refpolicy wrote:
>>>>>>> Update the gpg module so that it can correctly manage socket files
>>>>>>> and directories in the user runtime directories.
>>>>>>>
>>>>>>> Some other minor fixes are also included in this patch.
>>>>>>>
>>>>>>> Signed-off-by: Guido Trentalancia
>>>>>>> ---
>>>>>>> policy/modules/contrib/gpg.te | 10 +++++++++-
>>>>>>> 1 file changed, 9 insertions(+), 1 deletion(-)
>>>>>>> [...]
>>>>>>> @@ -247,10 +249,14 @@ fs_dontaudit_list_inotifyfs(gpg_agent_t)
>>>>>>>
>>>>>>> miscfiles_read_localization(gpg_agent_t)
>>>>>>>
>>>>>>> +userdom_manage_user_runtime_dirs(gpg_agent_t)
>>>>
>>>> gpg_agent_t cannot create user_runtime dirs because that requires
>>>> root access
>>>
>>> This is not necessarily true (see above).
>>>
>>
>> I think we should probably make a distinction between what the root
>> of the user runtime dirs is and what the content is. Currently, I
>> believe, user_runtime_t is used for the runtime root I suspect
>> (/run/user/USERID)
>
>Yes, there is a user_runtime_root_t.

I do not clearly understand the point. However, the patch has been tested and it works fine!

It only needs to manage user_runtime_t directories, not the user_runtime_root_t if this is what you mean...

A new version (v2) of this patch has been posted. I hope it helps!

Regards,

Guido
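Review bot: the `+userdom_manage_user_runtime_dirs(gpg_agent_t)` line in the quoted hunk grants gpg_agent_t full manage permissions (create, delete, rename, write) on every user_runtime_t directory, which is wider than the "socket files and directories" scope the commit message states, and it is exactly the breadth the thread is questioning with the user_runtime_t versus user_runtime_root_t distinction. If the agent only needs its own socket directory and the socket files inside it, prefer the narrowest userdom interface that covers those object classes (dir and sock_file) rather than manage on all user_runtime_t dirs, and say in the commit message which classes and which part of the runtime tree the agent actually touches, so the question raised about root versus content is answered by the patch itself.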