From: jason@perfinion.com (Jason Zaman)
Date: Sat, 27 May 2017 00:01:27 +0800
Subject: [refpolicy] [PATCH 4/6] dirmngr: Network rules to connect to keyserver
In-Reply-To: <20170526155801.5441-4-jason@perfinion.com>
References: <20170526155801.5441-1-jason@perfinion.com> <20170526155801.5441-4-jason@perfinion.com>
Message-ID: <20170526160127.GA22062@meriadoc.perfinion.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Ugh ... I forgot to add the v2 to all these ... :(

On Fri, May 26, 2017 at 11:57:59PM +0800, Jason Zaman wrote:
> type=AVC msg=audit(1494163667.921:24917): avc: denied { name_bind } for pid=15683 comm=636F6E6E2066643D36 src=19321 scontext=staff_u:staff_r:dirmngr_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=0
> ---
>  dirmngr.te | 4 ++++
>  1 file changed, 4 insertions(+)
>
> diff --git a/dirmngr.te b/dirmngr.te
> index 17cce56..4cec7fc 100644
> --- a/dirmngr.te
> +++ b/dirmngr.te
> @@ -62,6 +62,10 @@ manage_sock_files_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t)
>  files_pid_filetrans(dirmngr_t, dirmngr_var_run_t, { dir file })
>
>  kernel_read_crypto_sysctls(dirmngr_t)
> +dev_read_rand(dirmngr_t)
> +sysnet_dns_name_resolve(dirmngr_t)
> +
> +corenet_tcp_connect_pgpkeyserver_port(dirmngr_t)

I dropped the binds from here. I will confirm if dns needs them and send a patch for this later. Figured it was better to get the rest merged first.

--
Jason

>
>  files_read_etc_files(dirmngr_t)
>
> --
> 2.13.0
>
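Review bot: the AVC quoted in the commit message (udp_socket name_bind on unreserved_port_t, src=19321) is not resolved by the rules this hunk adds, since the bind rules were dropped and dev_read_rand, sysnet_dns_name_resolve and corenet_tcp_connect_pgpkeyserver_port grant no name_bind; either replace the quoted AVC with a denial this hunk actually fixes, or state in the commit message that the UDP bind denial is deliberately deferred to the follow-up patch mentioned in the reply, so the log line and the rules agree. Style point on the same hunk: refpolicy groups interface calls by layer, kernel-layer calls (kernel_, dev_, corenet_, files_) before system-layer ones (sysnet_), so sysnet_dns_name_resolve(dirmngr_t) belongs after files_read_etc_files(dirmngr_t) rather than between dev_read_rand(dirmngr_t) and corenet_tcp_connect_pgpkeyserver_port(dirmngr_t).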