[selinux-policy: 2767/3172] GPG patch from Dan Walsh.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 23:06:13 UTC 2010


commit a3b0dc5b3c316d388f329d5c4e4a4c1f2ad64e92
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Tue Jul 6 10:58:40 2010 -0400

    GPG patch from Dan Walsh.

 policy/modules/apps/gpg.if |    4 +++-
 policy/modules/apps/gpg.te |   23 +++++++++++++++++++++--
 2 files changed, 24 insertions(+), 3 deletions(-)
---
diff --git a/policy/modules/apps/gpg.if b/policy/modules/apps/gpg.if
index d5f53b6..793cde7 100644
--- a/policy/modules/apps/gpg.if
+++ b/policy/modules/apps/gpg.if
@@ -60,8 +60,10 @@ interface(`gpg_role',`
 
 	ifdef(`hide_broken_symptoms',`
 		#Leaked File Descriptors
-		dontaudit gpg_t $2:socket_class_set { read write };
+		dontaudit gpg_t $2:socket_class_set { getattr read write };
 		dontaudit gpg_t $2:fifo_file rw_fifo_file_perms;
+		dontaudit gpg_agent_t $2:socket_class_set { getattr read write };
+		dontaudit gpg_agent_t $2:fifo_file rw_fifo_file_perms;
 	')
 ')
 
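Review bot: The two new `dontaudit gpg_agent_t` lines extend the leaked-descriptor suppression to the agent domain, but the `#Leaked File Descriptors` comment above them still reads as covering only gpg_t, and the `getattr` added to the gpg_t rule is not explained either. Since gpg_agent_t is the domain that holds the unlocked secret keys, a reader auditing this interface should see at a glance that these rules only silence denials and grant nothing; suggest replacing the comment with `# Leaked file descriptors from the user domain ($2) into gpg_t and gpg_agent_t; dontaudit only, no access is granted`. The `gpg_role` interface whose `ifdef` this sits in starts outside the hunk, so its header documentation should be checked to mention gpg_agent_t as well.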
diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te
index 8f3261f..4525c37 100644
--- a/policy/modules/apps/gpg.te
+++ b/policy/modules/apps/gpg.te
@@ -1,4 +1,4 @@
-policy_module(gpg, 2.3.0)
+policy_module(gpg, 2.3.1)
 
 ########################################
 #
@@ -226,11 +226,16 @@ files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })
 # allow gpg to connect to the gpg agent
 stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)
 
+corecmd_read_bin_symlinks(gpg_agent_t)
 corecmd_search_bin(gpg_agent_t)
 corecmd_exec_shell(gpg_agent_t)
 
+dev_read_urand(gpg_agent_t)
+
 domain_use_interactive_fds(gpg_agent_t)
 
+fs_dontaudit_list_inotifyfs(gpg_agent_t)
+
 miscfiles_read_localization(gpg_agent_t)
 
 # Write to the user domain tty.
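Review bot: `fs_dontaudit_list_inotifyfs(gpg_agent_t)` silences denials unconditionally, while the other symptom-hiding rules this commit adds (the `userdom_dontaudit_read_user_tmp_files` rule in the next hunk and the leaked-fd rules in gpg.if) are placed under `ifdef(\`hide_broken_symptoms'`; if listing inotifyfs is a genuine need rather than a symptom, a comment should say so, otherwise the rule belongs in that same ifdef block. Separately, the new grants `corecmd_read_bin_symlinks(gpg_agent_t)` and `dev_read_urand(gpg_agent_t)` carry no why-comment, unlike their neighbour `# allow gpg to connect to the gpg agent`; presumably urandom feeds the agent's random pool, so `# gpg-agent reads /dev/urandom for its random pool` above `dev_read_urand` would record the reason. The same missing-justification point applies to `mozilla_dontaudit_rw_user_home_files(gpg_agent_t)` and to `pulseaudio_rw_home_files(gpg_pinentry_t)` later in this file, the latter being a write grant into the user's home that deserves a one-line reason.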
@@ -238,6 +243,10 @@ userdom_use_user_terminals(gpg_agent_t)
 # read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
 userdom_search_user_home_dirs(gpg_agent_t)
 
+ifdef(`hide_broken_symptoms',`
+	userdom_dontaudit_read_user_tmp_files(gpg_agent_t)
+')
+
 tunable_policy(`gpg_agent_env_file',`
 	# write ~/.gpg-agent-info or a similar to the users home dir
 	# or subdir (gpg-agent --write-env-file option)
@@ -259,6 +268,10 @@ tunable_policy(`use_samba_home_dirs',`
 	fs_manage_cifs_symlinks(gpg_agent_t)
 ')
 
+optional_policy(`
+	mozilla_dontaudit_rw_user_home_files(gpg_agent_t)
+')
+
 ##############################
 #
 # Pinentry local policy
@@ -284,7 +297,6 @@ userdom_user_tmp_filetrans(gpg_pinentry_t, gpg_pinentry_tmp_t, sock_file)
 manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
 manage_files_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
 fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir })
-fs_getattr_tmpfs(gpg_pinentry_t)
 
 # read /proc/meminfo
 kernel_read_system_state(gpg_pinentry_t)
@@ -307,6 +319,11 @@ files_read_usr_files(gpg_pinentry_t)
 # read /etc/X11/qtrc
 files_read_etc_files(gpg_pinentry_t)
 
+fs_dontaudit_list_inotifyfs(gpg_pinentry_t)
+fs_getattr_tmpfs(gpg_pinentry_t)
+
+auth_use_nsswitch(gpg_pinentry_t)
+
 logging_send_syslog_msg(gpg_pinentry_t)
 
 miscfiles_read_fonts(gpg_pinentry_t)
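Review bot: `auth_use_nsswitch(gpg_pinentry_t)` is a broad grant for a PIN-entry dialog and the hunk gives no reason for it; in refpolicy that interface attaches the nsswitch_domain attribute, which beyond local passwd/group reads brings in, through optional policies, connections to nscd, sssd, ldap and similar name services. If pinentry only needs to resolve the local user, `files_read_etc_files(gpg_pinentry_t)` a few lines above already covers /etc/passwd and the new rule may be unnecessary; if a real name-service lookup was observed, a comment in the file's existing style, e.g. `# user lookup for the dialog title (nsswitch)`, should name it. The moved `fs_getattr_tmpfs(gpg_pinentry_t)` would also read better next to the tmpfs rules it relates to, or with a comment saying why it lives here.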
@@ -331,8 +348,10 @@ optional_policy(`
 
 optional_policy(`
 	pulseaudio_exec(gpg_pinentry_t)
+	pulseaudio_rw_home_files(gpg_pinentry_t)
 	pulseaudio_setattr_home_dir(gpg_pinentry_t)
 	pulseaudio_stream_connect(gpg_pinentry_t)
+	pulseaudio_signull(gpg_pinentry_t)
 ')
 
 optional_policy(`

