[refpolicy] [PATCH] gpg: manage user runtime socket files and directories

Guido Trentalancia guido at trentalancia.com
Tue May 23 21:20:37 UTC 2017


Hello Christopher.

On Mon, 22/05/2017 at 19.24 -0400, Chris PeBenito wrote:
> On 05/21/2017 12:21 PM, Guido Trentalancia via refpolicy wrote:
> > Update the gpg module so that it can correctly manage socket files
> > and directories in the user runtime directories.
> > 
> > Some other minor fixes are also included in this patch.
> > 
> > Signed-off-by: Guido Trentalancia <guido at trentalancia.com>
> > ---
> >  policy/modules/contrib/gpg.te |   10 +++++++++-
> >  1 file changed, 9 insertions(+), 1 deletion(-)
> > 
> > --- a/policy/modules/contrib/gpg.te	2017-04-26
> > 17:47:20.555423022 +0200
> > +++ b/policy/modules/contrib/gpg.te	2017-05-21
> > 18:13:36.728343506 +0200
> > @@ -124,6 +124,8 @@ miscfiles_read_localization(gpg_t)
> > 
> >  userdom_use_user_terminals(gpg_t)
> > 
> > +userdom_manage_user_runtime_dirs(gpg_t)
> > +userdom_manage_user_tmp_dirs(gpg_t)
> >  userdom_manage_user_tmp_files(gpg_t)
> >  userdom_manage_user_home_content_files(gpg_t)
> >  userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)
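
Review bot: userdom_manage_user_tmp_dirs(gpg_t) is not covered by the commit message, which only describes socket files and directories under the user runtime directories. Please either drop it from this hunk or say in the changelog what gpg_t creates under the user tmp directories that the existing userdom_manage_user_tmp_files(gpg_t) does not already handle. For userdom_manage_user_runtime_dirs(gpg_t), a short comment above the line naming the directory involved would let a later reader judge whether full manage access is needed or whether search access would do.
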
> > @@ -247,10 +249,14 @@ fs_dontaudit_list_inotifyfs(gpg_agent_t)
> > 
> >  miscfiles_read_localization(gpg_agent_t)
> > 
> > +userdom_manage_user_runtime_dirs(gpg_agent_t)
> > +userdom_manage_user_tmp_dirs(gpg_agent_t)
> > +userdom_manage_user_tmp_files(gpg_agent_t)
> 
> It's not clear what's going on here, but perhaps these make more sense as
> a new gpg_runtime_t?

The directory, as already explained, is /var/run/user/USERID/gnupg.

I think there is very little gain in defining a new gpg_runtime_t file
type, because "runtime" here is equivalent to "temporary", in the sense
that the files refer to a specific instance of a gpg_agent process and
they do not survive after process termination.

As for the extra userdom_manage_user_tmp_{dirs,files}() interfaces, I
have removed them in a new version. They are not really needed; I
previously added them just in case or for future use and because they are
currently used by gpg_t.

I hope you can now merge the new version (v2) which will follow
shortly.

> >  userdom_use_user_terminals(gpg_agent_t)
> >  userdom_search_user_home_dirs(gpg_agent_t)
> >  userdom_search_user_runtime(gpg_agent_t)
> > -userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, dir)
> > +userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, { dir
> > file sock_file })
> > 
> >  ifdef(`hide_broken_symptoms',`
> >  	userdom_dontaudit_read_user_tmp_files(gpg_agent_t)
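
Review bot: the three userdom_manage_* lines added at the top of this hunk overlap with the widened userdom_user_runtime_filetrans() at the bottom. Once dir, file and sock_file objects created in the user runtime directory transition to gpg_agent_tmp_t, gpg_agent_t works on its private type, so the grants on the generic user runtime and tmp types (going by the interface names) look broader than the socket use case needs. Suggest keeping the filetrans change, dropping userdom_manage_user_tmp_dirs(gpg_agent_t) and userdom_manage_user_tmp_files(gpg_agent_t), and stating why userdom_manage_user_runtime_dirs(gpg_agent_t) is still required on top of the transition. The hunk also does not show a rule letting gpg_agent_t manage sock_file objects of type gpg_agent_tmp_t; please confirm one exists elsewhere in gpg.te, otherwise the new sock_file transition will end in a denial.
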
> > @@ -310,6 +316,7 @@ fs_tmpfs_filetrans(gpg_pinentry_t, gpg_p
> > 
> >  can_exec(gpg_pinentry_t, gpg_pinentry_exec_t)
> > 
> > +kernel_dontaudit_search_sysctl(gpg_pinentry_t)
> >  kernel_read_system_state(gpg_pinentry_t)
> > 
> >  corecmd_exec_shell(gpg_pinentry_t)
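
Review bot: kernel_dontaudit_search_sysctl(gpg_pinentry_t) silences a denial without any record of what triggers it; the commit message only says "other minor fixes". Please add a one-line comment above the rule (or a sentence in the changelog) naming the access pinentry attempts, so that it is clear the denial is harmless noise and not something that should be allowed or investigated.
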
> > @@ -327,6 +334,7 @@ domain_use_interactive_fds(gpg_pinentry_
> > 
> >  files_read_usr_files(gpg_pinentry_t)
> > 
> > +fs_dontaudit_getattr_xattr_fs(gpg_pinentry_t)
> >  fs_dontaudit_list_inotifyfs(gpg_pinentry_t)
> > 
> >  auth_use_nsswitch(gpg_pinentry_t)
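
Review bot: fs_dontaudit_getattr_xattr_fs(gpg_pinentry_t) has nothing to do with the runtime socket handling in the subject line. Splitting the gpg_pinentry_t dontaudit additions into their own patch would keep the socket change reviewable on its own and make it possible to revert either part independently.
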
> 
> 

Regards,

Guido

