author | Jason Zaman <jason@perfinion.com> | 2017-12-14 02:17:19 +0800 |
---|---|---|
committer | Jason Zaman <jason@perfinion.com> | 2017-12-14 13:09:40 +0800 |
commit | d56f72e0072b149d996caa98425c90be16aa5410 (patch) | |
tree | 56e52287fee19732065fd14a99402e0c8c1ce870 | |
parent | Add missing mmap_*_files_pattern macros. (diff) | |
dirmngr: allow filetrans in gpg_runtime_t
commit 1b9cd3bd9c44732bdf756301408582bcfe9073c9
("gpg: manage user runtime socket files and directories")
changed /run/user/%{USERID}/gnupg/ to gpg_runtime_t, so the filetrans
for gpg_agent_tmp_t needs updating.
-rw-r--r-- | policy/modules/contrib/dirmngr.te | 3 | ||||
-rw-r--r-- | policy/modules/contrib/gpg.if | 19 |
2 files changed, 22 insertions, 0 deletions
diff --git a/policy/modules/contrib/dirmngr.te b/policy/modules/contrib/dirmngr.te
index 8f4cb991c..75833a427 100644
--- a/policy/modules/contrib/dirmngr.te
+++ b/policy/modules/contrib/dirmngr.te
@@ -69,6 +69,7 @@ dev_read_rand(dirmngr_t)
 sysnet_dns_name_resolve(dirmngr_t)
 corenet_tcp_connect_pgpkeyserver_port(dirmngr_t)
+corenet_udp_bind_generic_node(dirmngr_t)
 files_read_etc_files(dirmngr_t)
@@ -81,5 +82,7 @@ userdom_user_runtime_filetrans(dirmngr_t, dirmngr_tmp_t, dir)
 optional_policy(`
 gpg_agent_tmp_filetrans(dirmngr_t, dirmngr_tmp_t, sock_file)
+ gpg_runtime_filetrans(dirmngr_t, dirmngr_tmp_t, sock_file)
 gpg_secret_filetrans(dirmngr_t, dirmngr_home_t, dir)
+ gpg_stream_connect_agent(dirmngr_t)
 ')
diff --git a/policy/modules/contrib/gpg.if b/policy/modules/contrib/gpg.if
index 6266019b2..359560f84 100644
--- a/policy/modules/contrib/gpg.if
+++ b/policy/modules/contrib/gpg.if
@@ -239,6 +239,25 @@ interface(`gpg_agent_tmp_filetrans',`
 ########################################
 ## <summary>
+## filetrans in gpg_runtime_t dirs
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gpg_runtime_filetrans',`
+ gen_require(`
+ type gpg_runtime_t;
+ ')
+
+ filetrans_pattern($1, gpg_runtime_t, $2, $3, $4)
+ userdom_search_user_runtime($1)
+')
+
+########################################
+## <summary>
 ## filetrans in gpg_secret_t dirs
 ## </summary>
 ## <param name="domain">
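Review bot: `corenet_udp_bind_generic_node(dirmngr_t)` in the first dirmngr.te hunk grants a new network permission that the commit message does not mention; the message only describes the gpg_runtime_t filetrans update. A bind permission widens the domain's exposure compared with the resolve/connect rules around it, so the message or an inline comment should record what motivated it, e.g. `# udp bind needed for name resolution - confirm against the denial`. If it is there for DNS lookups, check whether sysnet_dns_name_resolve in this policy tree already covers it before adding a separate rule.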
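Review bot: `gpg_runtime_filetrans(dirmngr_t, dirmngr_tmp_t, sock_file)` in the second dirmngr.te hunk is an unnamed transition, so every sock_file dirmngr_t creates inside a gpg_runtime_t directory becomes dirmngr_tmp_t; the new interface forwards a fourth argument to filetrans_pattern as the file name, and passing the socket's name there would confine the transition to that one object. The existing `gpg_agent_tmp_filetrans(dirmngr_t, dirmngr_tmp_t, sock_file)` line is kept next to it; if it is still needed for sockets in the older gpg_agent_tmp_t location, a one-line comment saying so would keep the next reader from removing it as dead after this change. `gpg_stream_connect_agent(dirmngr_t)` is also outside what the message describes and deserves a sentence there.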
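Review bot: The XML header of the new `gpg_runtime_filetrans` interface in gpg.if documents only `domain`, while the body consumes `$2`, `$3` and `$4` (the private type, object class and optional file name handed to filetrans_pattern). Add `<param name="private_type">`, `<param name="object_class">` and `<param name="name" optional="true">` blocks in the style the file uses for its other filetrans interfaces so the generated interface documentation is complete, and consider expanding the one-line summary to say that objects are created in gpg runtime directories with the given private type. The `userdom_search_user_runtime($1)` call is what makes the transition reachable under the /run/user path named in the commit message; a short comment above it such as `# gpg_runtime_t dirs live under the user runtime dir` would make that dependency explicit.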