From: jason@perfinion.com (Jason Zaman)
Date: Sat, 27 May 2017 00:01:27 +0800
Subject: [refpolicy] [PATCH 4/6] dirmngr: Network rules to connect to
	keyserver
In-Reply-To: <20170526155801.5441-4-jason@perfinion.com>
References: <20170526155801.5441-1-jason@perfinion.com>
	<20170526155801.5441-4-jason@perfinion.com>
Message-ID: <20170526160127.GA22062@meriadoc.perfinion.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Ugh ... i forgot to add the v2 to all these ... :(

On Fri, May 26, 2017 at 11:57:59PM +0800, Jason Zaman wrote:
> type=AVC msg=audit(1494163667.921:24917): avc:  denied  { name_bind } for  pid=15683 comm=636F6E6E2066643D36 src=19321 scontext=staff_u:staff_r:dirmngr_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=0
> ---
>  dirmngr.te | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/dirmngr.te b/dirmngr.te
> index 17cce56..4cec7fc 100644
> --- a/dirmngr.te
> +++ b/dirmngr.te
> @@ -62,6 +62,10 @@ manage_sock_files_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t)
>  files_pid_filetrans(dirmngr_t, dirmngr_var_run_t, { dir file })
>  
>  kernel_read_crypto_sysctls(dirmngr_t)
> +dev_read_rand(dirmngr_t)
> +sysnet_dns_name_resolve(dirmngr_t)
> +
> +corenet_tcp_connect_pgpkeyserver_port(dirmngr_t)

I dropped the binds from here. I will confirm if dns needs them and send
a patch for this later. Figured it was better to get the rest merged
first.

-- Jason
>  
>  files_read_etc_files(dirmngr_t)
>  
> -- 
> 2.13.0
>