[refpolicy] gpg domains
russell at coker.com.au
Fri Oct 3 08:47:57 UTC 2014

In Debian/Testing we have the gpg-agent launching the dbus session, which then
launches the user session. So we have user_t -> gpg_agent_t -> user_dbusd_t
-> user_t. Making this work for multiple user domains requires having
multiple gpg_agent_t domains (which we apparently used to have).

Removing the multiple $1_gpg_t domains without removing the
user_t/unconfined_t/staff_t split doesn't seem to be viable.

Also why do we have gpg_agent_t, gpg_helper_t, and gpg_pinentry_t? What
benefit does this give us over having a single domain for GPG stuff that's other
than gpg_t? What is the logic behind a gpg_pinentry_t/gpg_agent_t anyway?
Are those things that can even be properly split?

My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/