From: jason@perfinion.com (Jason Zaman) Date: Fri, 3 Nov 2017 01:31:21 +0800 Subject: [refpolicy] [PATCH 3/3] gpg: search dir when connecting to agent socket In-Reply-To: <20171102173121.22531-1-jason@perfinion.com> References: <20171102173121.22531-1-jason@perfinion.com> Message-ID: <20171102173121.22531-3-jason@perfinion.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com commit 96ac8920f55e5a652c20aba99a599ce23a4d3c0d (gpg: manage user runtime socket files and directories) moved /run/user/UID/gnupg/ to gpg_runtime_t. this updates the interface so it grants search perms on the dir too. --- gpg.if | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/gpg.if b/gpg.if index c4b7c4c..6266019 100644 --- a/gpg.if +++ b/gpg.if @@ -191,11 +191,11 @@ interface(`gpg_rw_agent_pipes',` interface(`gpg_stream_connect_agent',` gen_require(` type gpg_agent_t, gpg_agent_tmp_t; - type gpg_secret_t; + type gpg_secret_t, gpg_runtime_t; ') stream_connect_pattern($1, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t) - allow $1 gpg_secret_t:dir search_dir_perms; + allow $1 { gpg_secret_t gpg_runtime_t }:dir search_dir_perms; userdom_search_user_runtime($1) userdom_search_user_home_dirs($1) ') -- 2.13.6
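Review bot: In the gpg_stream_connect_agent hunk, granting search on gpg_runtime_t:dir may not be sufficient on its own: the commit message says /run/user/UID/gnupg/ was moved to gpg_runtime_t, but the connect itself is still expressed as stream_connect_pattern($1, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t), so if the agent socket inside that runtime directory is also labeled gpg_runtime_t rather than gpg_agent_tmp_t, the caller will get the dir search but be denied write on the sock_file. Please confirm the socket label after commit 96ac8920; if it is gpg_runtime_t, add a matching stream_connect_pattern($1, gpg_runtime_t, gpg_runtime_t, gpg_agent_t) alongside the existing one, and note the new gpg_runtime_t dependency in the interface's description comment, which this hunk does not update.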