http://people.fedoraproject.org/~dwalsh/SELinux/F14/apps_gpg.patch
gpg dontaudit leaks.
Added policy so apache can execute gpg
On 06/02/10 16:05, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F14/apps_gpg.patch
>
> gpg dontaudit leaks.
Merged.
> Added policy so apache can execute gpg
I don't understand this part. It seems more like it should be a domain
in the apache module instead.
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
On 07/06/2010 10:59 AM, Christopher J. PeBenito wrote:
> On 06/02/10 16:05, Daniel J Walsh wrote:
>> http://people.fedoraproject.org/~dwalsh/SELinux/F14/apps_gpg.patch
>>
>> gpg dontaudit leaks.
>
> Merged.
>
>> Added policy so apache can execute gpg
>
> I don't understand this part. It seems more like it should be a domain
> in the apache module instead.
>
I guess we could go that way, but you need interfaces including gpg_exec_t.
On 07/13/10 08:15, Daniel J Walsh wrote:
> On 07/06/2010 10:59 AM, Christopher J. PeBenito wrote:
>> On 06/02/10 16:05, Daniel J Walsh wrote:
>>> http://people.fedoraproject.org/~dwalsh/SELinux/F14/apps_gpg.patch
>>>
>>> gpg dontaudit leaks.
>>
>> Merged.
>>
>>> Added policy so apache can execute gpg
>>
>> I don't understand this part. It seems more like it should be a domain
>> in the apache module instead.
>>
> I guess we could go that way, but you need interfaces including gpg_exec_t.
How is this used? Is it run from a CGI script to check the signature or
(en|de)crypt a file?
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
On 07/19/2010 01:45 PM, Christopher J. PeBenito wrote:
> On 07/13/10 08:15, Daniel J Walsh wrote:
>> On 07/06/2010 10:59 AM, Christopher J. PeBenito wrote:
>>> On 06/02/10 16:05, Daniel J Walsh wrote:
>>>> http://people.fedoraproject.org/~dwalsh/SELinux/F14/apps_gpg.patch
>>>>
>>>> gpg dontaudit leaks.
>>>
>>> Merged.
>>>
>>>> Added policy so apache can execute gpg
>>>
>>> I don't understand this part. It seems more like it should be a domain
>>> in the apache module instead.
>>>
>> I guess we could go that way, but you need interfaces including
>> gpg_exec_t.
>
> How is this used? Is it run from a CGI script to check the signature or
> (en|de)crypt a file?
>
Yes and Yes, I think.
On 07/19/2010 08:01 PM, Daniel J Walsh wrote:
> On 07/19/2010 01:45 PM, Christopher J. PeBenito wrote:
>
>> On 07/13/10 08:15, Daniel J Walsh wrote:
>>
>>> On 07/06/2010 10:59 AM, Christopher J. PeBenito wrote:
>>>
>>>> On 06/02/10 16:05, Daniel J Walsh wrote:
>>>>
>>>>> http://people.fedoraproject.org/~dwalsh/SELinux/F14/apps_gpg.patch
>>>>>
>>>>> gpg dontaudit leaks.
>>>>>
>>>> Merged.
>>>>
>>>>
>>>>> Added policy so apache can execute gpg
>>>>>
>>>> I don't understand this part. It seems more like it should be a domain
>>>> in the apache module instead.
>>>>
>>>>
>>> I guess we could go that way, but you need interfaces including
>>> gpg_exec_t.
>>>
>> How is this used? Is it run from a CGI script to check the signature or
>> (en|de)crypt a file?
>>
>>
Yes, it is run from a CGI script to check the signature or (en|de)crypt
a file. Related bug #562083.
We also added the following change
optional_policy(`
tunable_policy(`httpd_enable_cgi && httpd_use_gpg',`
- gpg_domtrans(httpd_t)
+ gpg_domtrans_web(httpd_t)
')
')
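Review bot: the added line gpg_domtrans_web(httpd_t) calls an interface whose definition is not in this hunk, so it is not possible to tell from the change which domain gpg runs in after the transition or how its permissions differ from the gpg_domtrans(httpd_t) call being removed. Please include the gpg_domtrans_web interface and its documentation comment in the same patch so the two can be reviewed together. The transition is also granted to httpd_t while the message above says gpg is run from a CGI script, so it is worth confirming that httpd_t is the domain that actually executes gpg when httpd_enable_cgi && httpd_use_gpg is set, which bears on the earlier question of whether this belongs in the apache module.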
Regards,
Miroslav
> Yes and Yes, I think.