From: jason@perfinion.com (Jason Zaman)
Date: Thu, 14 Dec 2017 02:17:19 +0800
Subject: [refpolicy] [PATCH 2/5] dirmngr: allow filetrans in gpg_runtime_t
In-Reply-To: <20171213181722.28545-1-jason@perfinion.com>
References: <20171213181722.28545-1-jason@perfinion.com>
Message-ID: <20171213181722.28545-2-jason@perfinion.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
commit 1b9cd3bd9c44732bdf756301408582bcfe9073c9
("gpg: manage user runtime socket files and directories")
changed /run/user/%{USERID}/gnupg/ to gpg_runtime_t, so the filetrans
for gpg_agent_tmp_t needs updating.
---
dirmngr.te | 3 +++
gpg.if | 19 +++++++++++++++++++
2 files changed, 22 insertions(+)
diff --git a/dirmngr.te b/dirmngr.te
index 8f4cb99..75833a4 100644
--- a/dirmngr.te
+++ b/dirmngr.te
@@ -69,6 +69,7 @@ dev_read_rand(dirmngr_t)
sysnet_dns_name_resolve(dirmngr_t)
corenet_tcp_connect_pgpkeyserver_port(dirmngr_t)
+corenet_udp_bind_generic_node(dirmngr_t)
files_read_etc_files(dirmngr_t)
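Review bot: the added `corenet_udp_bind_generic_node(dirmngr_t)` is unrelated to the gpg_runtime_t filetrans change this patch describes and is not mentioned in the commit message; either explain why dirmngr needs to bind UDP sockets on generic nodes (presumably alongside the existing `sysnet_dns_name_resolve(dirmngr_t)`) or move it into its own patch so the new permission is reviewable on its own.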
@@ -81,5 +82,7 @@ userdom_user_runtime_filetrans(dirmngr_t, dirmngr_tmp_t, dir)
optional_policy(`
gpg_agent_tmp_filetrans(dirmngr_t, dirmngr_tmp_t, sock_file)
+ gpg_runtime_filetrans(dirmngr_t, dirmngr_tmp_t, sock_file)
gpg_secret_filetrans(dirmngr_t, dirmngr_home_t, dir)
+ gpg_stream_connect_agent(dirmngr_t)
')
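Review bot: `gpg_runtime_filetrans(dirmngr_t, dirmngr_tmp_t, sock_file)` is added next to the existing `gpg_agent_tmp_filetrans(dirmngr_t, dirmngr_tmp_t, sock_file)` rather than replacing it, although the commit message says the gpg_agent_tmp_t filetrans "needs updating" because that path is now gpg_runtime_t; if the old transition no longer matches anything it should be dropped, otherwise state why both are kept. The new `gpg_stream_connect_agent(dirmngr_t)` is also not covered by the commit message and deserves a sentence on why dirmngr now connects to the agent socket.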
diff --git a/gpg.if b/gpg.if
index 6266019..359560f 100644
--- a/gpg.if
+++ b/gpg.if
@@ -239,6 +239,25 @@ interface(`gpg_agent_tmp_filetrans',`
########################################
##
+## filetrans in gpg_runtime_t dirs
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gpg_runtime_filetrans',`
+ gen_require(`
+ type gpg_runtime_t;
+ ')
+
+ filetrans_pattern($1, gpg_runtime_t, $2, $3, $4)
+ userdom_search_user_runtime($1)
+')
+
+########################################
+##
## filetrans in gpg_secret_t dirs
##
##
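Review bot: the doc block for `gpg_runtime_filetrans` describes only the domain parameter, but the interface body uses `$2`, `$3` and `$4` (private type, object class and optional file name) in `filetrans_pattern($1, gpg_runtime_t, $2, $3, $4)`; please document all four parameters as the neighbouring `gpg_agent_tmp_filetrans` and `gpg_secret_filetrans` interfaces do, so callers know `$4` is the optional name and that `$3` is the object class. The `userdom_search_user_runtime($1)` call is a sensible addition since the transition target lives under /run/user/%{USERID}/.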
--
2.13.6