[refpolicy] gpg domains

Russell Coker russell at coker.com.au
Fri Oct 3 08:47:57 UTC 2014


In Debian/Testing we have the gpg-agent launching the dbus session, which then 
launches the user session.  So we have user_t -> gpg_agent_t -> user_dbusd_t
 -> user_t.  Making this work for multiple user domains requires having 
multiple gpg_agent_t domains (which we apparently used to have).

Removing the multiple $1_gpg_t domains without removing the 
user_t/unconfined_t/staff_t split doesn't seem to be viable.

Also why do we have gpg_agent_t, gpg_helper_t, and gpg_pinentry_t?  What 
benefit does this give us over having a single domain for GPG stuff that's other 
than gpg_t?  What is the logic behind a gpg_pinentry_t/gpg_agent_t anyway?  
Are those things that can even be properly split?

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/
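
Added example, not part of the message above and not refpolicy code: a simplified Python model of process type_transition rules, showing why a single shared gpg_agent_t cannot lead back to the caller's own user domain while per-role domains can. The types staff_gpg_agent_t, user_gpg_agent_t and staff_dbusd_t, and the use of gpg_agent_exec_t, dbusd_exec_t and shell_exec_t as the entry points of the chain, are assumptions made for illustration.

```python
# Simplified model of SELinux process type_transition rules (added example).
# Type names not quoted in the message are assumptions for illustration.

class ConflictingRule(Exception):
    """Two rules give different defaults for the same (domain, entry point)."""

def build(rules):
    """Map (source_domain, entrypoint_type) -> new domain; one default per key."""
    table = {}
    for src, exec_type, dst in rules:
        key = (src, exec_type)
        if table.get(key, dst) != dst:
            raise ConflictingRule(f"{src} + {exec_type}: {table[key]} vs {dst}")
        table[key] = dst
    return table

def walk(table, start, exec_types):
    """Follow a chain of execs; with no matching rule the domain is unchanged."""
    path = [start]
    for exec_type in exec_types:
        path.append(table.get((path[-1], exec_type), path[-1]))
    return path

# user session -> gpg-agent -> dbus session -> user session
CHAIN = ["gpg_agent_exec_t", "dbusd_exec_t", "shell_exec_t"]

# One gpg_agent_t shared by every user domain.
SHARED = [
    ("user_t", "gpg_agent_exec_t", "gpg_agent_t"),
    ("staff_t", "gpg_agent_exec_t", "gpg_agent_t"),
    ("gpg_agent_t", "dbusd_exec_t", "user_dbusd_t"),
    ("user_dbusd_t", "shell_exec_t", "user_t"),
]

def per_role(roles):
    """Derived domains per role, in the style of the old $1_gpg_t naming."""
    rules = []
    for r in roles:
        rules += [(f"{r}_t", "gpg_agent_exec_t", f"{r}_gpg_agent_t"),
                  (f"{r}_gpg_agent_t", "dbusd_exec_t", f"{r}_dbusd_t"),
                  (f"{r}_dbusd_t", "shell_exec_t", f"{r}_t")]
    return rules

def session_domain(rules, start):
    """Domain the user session ends up in after the whole chain."""
    return walk(build(rules), start, CHAIN)[-1]

if __name__ == "__main__":
    for start in ("user_t", "staff_t"):
        print(start, "shared ->", session_domain(SHARED, start), "| per-role ->",
              session_domain(per_role(["user", "staff"]), start))
```

In the shared layout a session started from staff_t lands in user_t, and adding a second default for user_dbusd_t on the same entry point is rejected as a conflict, which is the constraint the message describes.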


