From: pebenito@ieee.org (Chris PeBenito)
Date: Wed, 13 Dec 2017 18:21:10 -0500
Subject: [refpolicy] [PATCH 2/5] dirmngr: allow filetrans in
	gpg_runtime_t
In-Reply-To: <20171213181722.28545-2-jason@perfinion.com>
References: <20171213181722.28545-1-jason@perfinion.com>
	<20171213181722.28545-2-jason@perfinion.com>
Message-ID: <7fce1677-3c31-dfb2-a1c1-55f5e79577fb@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 12/13/2017 01:17 PM, Jason Zaman wrote:
> commit 1b9cd3bd9c44732bdf756301408582bcfe9073c9
> ("gpg: manage user runtime socket files and directories")
> changed /run/user/%{USERID}/gnupg/ to gpg_runtime_t, so the filetrans
> for gpg_agent_tmp_t needs updating.
> ---
>   dirmngr.te |  3 +++
>   gpg.if     | 19 +++++++++++++++++++
>   2 files changed, 22 insertions(+)
> 
> diff --git a/dirmngr.te b/dirmngr.te
> index 8f4cb99..75833a4 100644
> --- a/dirmngr.te
> +++ b/dirmngr.te
> @@ -69,6 +69,7 @@ dev_read_rand(dirmngr_t)
>   sysnet_dns_name_resolve(dirmngr_t)
>   
>   corenet_tcp_connect_pgpkeyserver_port(dirmngr_t)
> +corenet_udp_bind_generic_node(dirmngr_t)
>   
>   files_read_etc_files(dirmngr_t)
>   
> @@ -81,5 +82,7 @@ userdom_user_runtime_filetrans(dirmngr_t, dirmngr_tmp_t, dir)
>   
>   optional_policy(`
>   	gpg_agent_tmp_filetrans(dirmngr_t, dirmngr_tmp_t, sock_file)
> +	gpg_runtime_filetrans(dirmngr_t, dirmngr_tmp_t, sock_file)
>   	gpg_secret_filetrans(dirmngr_t, dirmngr_home_t, dir)
> +	gpg_stream_connect_agent(dirmngr_t)
>   ')
> diff --git a/gpg.if b/gpg.if
> index 6266019..359560f 100644
> --- a/gpg.if
> +++ b/gpg.if
> @@ -239,6 +239,25 @@ interface(`gpg_agent_tmp_filetrans',`
>   
>   ########################################
>   ## <summary>
> +##	filetrans in gpg_runtime_t dirs
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`gpg_runtime_filetrans',`
> +	gen_require(`
> +		type gpg_runtime_t;
> +	')
> +
> +	filetrans_pattern($1, gpg_runtime_t, $2, $3, $4)
> +	userdom_search_user_runtime($1)
> +')
> +
> +########################################
> +## <summary>
>   ##	filetrans in gpg_secret_t dirs
>   ## </summary>
>   ## <param name="domain">

Merged.

-- 
Chris PeBenito