From: jason@perfinion.com (Jason Zaman) Date: Thu, 14 Dec 2017 02:17:20 +0800 Subject: [refpolicy] [PATCH 3/5] gpg: Add gpg_agent_use_card boolean for OpenPGP cards In-Reply-To: <20171213181722.28545-1-jason@perfinion.com> References: <20171213181722.28545-1-jason@perfinion.com> Message-ID: <20171213181722.28545-3-jason@perfinion.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com --- gpg.te | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/gpg.te b/gpg.te index 619fdb4..0ad774e 100644 --- a/gpg.te +++ b/gpg.te @@ -14,6 +14,14 @@ policy_module(gpg, 2.12.3) ## gen_tunable(gpg_agent_env_file, false) +## +##

+## Determine whether GPG agent can use OpenPGP +## cards or Yubikeys over USB +##

+##
+gen_tunable(gpg_agent_use_card, false) + attribute_role gpg_roles; roleattribute system_r gpg_roles; @@ -274,6 +282,11 @@ tunable_policy(`gpg_agent_env_file',` userdom_user_home_dir_filetrans_user_home_content(gpg_agent_t, file) ') +tunable_policy(`gpg_agent_use_card',` + dev_read_sysfs(gpg_agent_t) + dev_rw_generic_usb_dev(gpg_agent_t) +') + tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(gpg_agent_t) fs_manage_nfs_files(gpg_agent_t) -- 2.13.6
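Review bot: The tunable description in the first hunk (gpg.te @@ -14,6 +14,14) undersells what the boolean grants. It says the agent "can use OpenPGP cards or Yubikeys over USB", but the tunable_policy block added further down gives gpg_agent_t dev_read_sysfs and dev_rw_generic_usb_dev, that is, read/write on generic USB device nodes rather than only on card readers. An administrator deciding whether to flip gpg_agent_use_card sees only this text, so I would state the scope explicitly, for example "Determine whether GPG agent can read sysfs and read/write generic USB devices, as needed for OpenPGP cards or Yubikeys over USB". Defaulting to false is the right choice.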
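Review bot: In the second hunk (gpg.te @@ -274,6 +282,11), dev_rw_generic_usb_dev(gpg_agent_t) is broad for the stated purpose, and nothing in the patch or the commit message says why gpg_agent_t needs it. The subject line is the whole commit message, so there is no record of which accesses were denied or which component of the agent actually opens the USB device and reads sysfs. Please add a short body to the commit message with that rationale, and a one-line comment above the tunable_policy(`gpg_agent_use_card',` block noting that the access covers all generic USB devices, so a later reader can tell the breadth is intentional and can narrow it if a more specific device type becomes available.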