From: dac.override@gmail.com (Dominick Grift) Date: Wed, 24 May 2017 07:36:26 +0200 Subject: [refpolicy] [PATCH] gpg: manage user runtime socket files and directories In-Reply-To: <867E665F-8057-490C-8BEA-E311D83363DD@trentalancia.com> References: <1495383664.21167.2.camel@trentalancia.com> <1F5CB8FD-2213-4ADC-B078-EDD507FA9500@trentalancia.com> <20170523070600.GB23273@julius.enp8s0.d30> <1495552329.6640.3.camel@trentalancia.com> <20170523155926.GA26271@julius.enp8s0.d30> <80180dd6-3ff2-d132-9c30-322e9798d653@ieee.org> <867E665F-8057-490C-8BEA-E311D83363DD@trentalancia.com> Message-ID: <20170524053626.GA12833@julius.enp8s0.d30> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Wed, May 24, 2017 at 02:41:22AM +0200, Guido Trentalancia via refpolicy wrote: > Hello again. > > On the 24th of May 2017 02:18:03 CEST, Chris PeBenito via refpolicy wrote: > >On 05/23/2017 11:59 AM, Dominick Grift via refpolicy wrote: > >> On Tue, May 23, 2017 at 05:12:09PM +0200, Guido Trentalancia via > >refpolicy wrote: > >>> On Tue, 23/05/2017 at 09.06 +0200, Dominick Grift via > >>> refpolicy wrote: > >>>> On Tue, May 23, 2017 at 03:04:52AM +0200, Guido Trentalancia via > >>>> refpolicy wrote: > >>>>> Hello and thanks for getting back... > >>>>> > >>>>> On the 23rd of May 2017 01:24:59 CEST, Chris PeBenito > > >>>>> e.org> wrote: > >>>>>> On 05/21/2017 12:21 PM, Guido Trentalancia via refpolicy wrote: > >>>>>>> Update the gpg module so that it can correctly manage socket > >>>>>>> files > >>>>>>> and directories in the user runtime directories. > >>>>>>> > >>>>>>> Some other minor fixes are also included in this patch. > >>>>>>> > >>>>>>> Signed-off-by: Guido Trentalancia > >>>>>>> --- > >>>>>>> policy/modules/contrib/gpg.te | 10 +++++++++- > >>>>>>> 1 file changed, 9 insertions(+), 1 deletion(-) > >>>>>>> > > [...] > > >>>>>>> @@ -247,10 +249,14 @@ fs_dontaudit_list_inotifyfs(gpg_agent_t) > >>>>>>> > >>>>>>> miscfiles_read_localization(gpg_agent_t) > >>>>>>> > >>>>>>> +userdom_manage_user_runtime_dirs(gpg_agent_t) > >>>> > >>>> gpg_agent_t cannot create user_runtime dirs because that requires > >>>> root access > >>> > >>> This is not necessarily true (see above). > >>> > >> > >> I think we should probably make a distinction between what the root > >of the user runtime dirs is and what the content is. currently, i > >believe, user_runtime_t is used for the runtime root i suspect > >(/run/user/USERID) > > > >Yes, there is a user_runtime_root_t. > > I do not clearly understand the point. Well the runtime root its owned by root, is used as a mountpoint, and is potentially a poly-instantiation parent > However the patch has been tested and it works fine! > > It only needs to manage user_runtime_t directories, not the user_runtime_root_t if this is what you mean... > > A new version (v2) of this patch has been posted. > > I hope it helps! > > Regards, > > Guido > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 659 bytes Desc: not available Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20170524/6cae7206/attachment.bin