commit:     d56f72e0072b149d996caa98425c90be16aa5410
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Dec 13 18:17:19 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Dec 14 05:09:40 2017 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d56f72e0

dirmngr: allow filetrans in gpg_runtime_t

commit 1b9cd3bd9c44732bdf756301408582bcfe9073c9
("gpg: manage user runtime socket files and directories")
changed /run/user/%{USERID}/gnupg/ to gpg_runtime_t, so the filetrans
for gpg_agent_tmp_t needs updating.

 policy/modules/contrib/dirmngr.te |  3 +++
 policy/modules/contrib/gpg.if     | 19 +++++++++++++++++++
 2 files changed, 22 insertions(+)

diff --git a/policy/modules/contrib/dirmngr.te 
b/policy/modules/contrib/dirmngr.te
index 8f4cb991..75833a42 100644
--- a/policy/modules/contrib/dirmngr.te
+++ b/policy/modules/contrib/dirmngr.te
@@ -69,6 +69,7 @@ dev_read_rand(dirmngr_t)
 sysnet_dns_name_resolve(dirmngr_t)
 
 corenet_tcp_connect_pgpkeyserver_port(dirmngr_t)
+corenet_udp_bind_generic_node(dirmngr_t)
 
 files_read_etc_files(dirmngr_t)
 
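Review bot: The added `corenet_udp_bind_generic_node(dirmngr_t)` is not covered by the commit message, which only describes the gpg_runtime_t filetrans update, so the reason dirmngr now needs to bind a UDP socket to a node is left undocumented. Its placement right under `sysnet_dns_name_resolve(dirmngr_t)` suggests it is for dirmngr's own DNS handling, but that is a guess a reader should not have to make; a comment above the line such as `# dirmngr binds its own UDP socket for name lookups (see AVC denial in bug/issue ...)` with the motivating denial would do. A node bind without a matching port rule is also broader than a port-scoped one, so if a specific port is involved, pairing it with the corresponding corenet_udp_bind_*_port call, or moving this into its own commit with its own rationale, would keep the permission grant auditable.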
@@ -81,5 +82,7 @@ userdom_user_runtime_filetrans(dirmngr_t, dirmngr_tmp_t, dir)
 
 optional_policy(`
        gpg_agent_tmp_filetrans(dirmngr_t, dirmngr_tmp_t, sock_file)
+       gpg_runtime_filetrans(dirmngr_t, dirmngr_tmp_t, sock_file)
        gpg_secret_filetrans(dirmngr_t, dirmngr_home_t, dir)
+       gpg_stream_connect_agent(dirmngr_t)
 ')
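Review bot: The pre-existing `gpg_agent_tmp_filetrans(dirmngr_t, dirmngr_tmp_t, sock_file)` directly above the new call is retained even though the commit message says /run/user/%{USERID}/gnupg/ was moved from gpg_agent_tmp_t to gpg_runtime_t, so either that call is now dead and should be dropped, or the reason both labels remain possible (for example systems not yet relabeled) deserves a one-line comment. The new `gpg_runtime_filetrans` call passes no name argument, so every sock_file dirmngr creates under a gpg_runtime_t directory is relabeled to dirmngr_tmp_t; if the socket name is stable (GnuPG's dirmngr socket is normally S.dirmngr) a named transition, `gpg_runtime_filetrans(dirmngr_t, dirmngr_tmp_t, sock_file, "S.dirmngr")`, would scope it more tightly. `gpg_stream_connect_agent(dirmngr_t)` is likewise unmentioned in the description and should get a sentence there saying which agent interaction required it.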

diff --git a/policy/modules/contrib/gpg.if b/policy/modules/contrib/gpg.if
index 6266019b..359560f8 100644
--- a/policy/modules/contrib/gpg.if
+++ b/policy/modules/contrib/gpg.if
@@ -239,6 +239,25 @@ interface(`gpg_agent_tmp_filetrans',`
 
 ########################################
 ## <summary>
+##     filetrans in gpg_runtime_t dirs
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`gpg_runtime_filetrans',`
+       gen_require(`
+               type gpg_runtime_t;
+       ')
+
+       filetrans_pattern($1, gpg_runtime_t, $2, $3, $4)
+       userdom_search_user_runtime($1)
+')
+
+########################################
+## <summary>
 ##     filetrans in gpg_secret_t dirs
 ## </summary>
 ## <param name="domain">
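Review bot: The new `gpg_runtime_filetrans` interface forwards four arguments to `filetrans_pattern` (`$2` private type, `$3` object class, `$4` optional name) but its XML doc block documents only `domain`, so the generated interface documentation will not show the parameters a caller actually has to supply. Add `<param>` entries following refpolicy convention for filetrans interfaces: `private_type` ("The type of the object to create"), `object_class` ("The class of the object to be created"), and `name` with `optional="true"` ("The name of the object being created"). The summary `filetrans in gpg_runtime_t dirs` could also mention that the interface additionally grants search on the user runtime directory via `userdom_search_user_runtime($1)`, since that is a side effect the name alone does not convey. The neighbouring gpg_secret_filetrans doc block continues past the end of this hunk.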
