From: aranea@aixah.de (Luis Ressel)
Date: Wed, 28 Dec 2016 17:32:33 +0100
Subject: [refpolicy] gpg policy
Message-ID: <20161228173233.6aa17b2d@gentp.lnet>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

I'm currently trying to re-write the contrib/gpg module a bit. In particular, I intend to change the types used for the data in ~/.gnupg/. This is what I have in mind:

* .gnupg/ itself: gpg_home_t (all gpg-related programs can create files/directories inside this)
* .gnupg/*.conf: gpg_conf_t (all gpg-related programs can read, but not write, those files)
* .gnupg/{trustdb.gpg,pubring*} and similar: gpg_home_t (only gpg_t can manage those files; perhaps I'll need to allow other gpg-related tools read access)
* .gnupg/* (everything else): gpg_secret_t (only gpg_t and gpg_agent_t can manage those files)

With gnupg 2.1, only gpg_agent_t needs access to gpg_secret_t data; perhaps I'll add a boolean to configure this.

Any thoughts?

Regards,
Luis
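An added sketch of how the proposed labelling could be expressed in refpolicy (this is not Luis's patch nor the actual contrib/gpg module). gpg_t, gpg_agent_t, gpg_home_t and gpg_secret_t are the types named in the message; gpg_conf_t is the proposed new type, and the tunable name, the exact file patterns and the use of name-based transitions are my assumptions.

```selinux
## gpg.fc (sketch): the most specific entry (longest literal prefix) wins,
## and on a tie the later entry does, so the secret catch-all goes first.
HOME_DIR/\.gnupg(/.*)?               gen_context(system_u:object_r:gpg_secret_t,s0)
HOME_DIR/\.gnupg                -d   gen_context(system_u:object_r:gpg_home_t,s0)
HOME_DIR/\.gnupg/[^/]+\.conf    --   gen_context(system_u:object_r:gpg_conf_t,s0)
HOME_DIR/\.gnupg/trustdb\.gpg   --   gen_context(system_u:object_r:gpg_home_t,s0)
HOME_DIR/\.gnupg/pubring[^/]*   --   gen_context(system_u:object_r:gpg_home_t,s0)

## gpg.te (fragment): new type plus the tunable for gnupg 2.1 layouts
type gpg_conf_t;
userdom_user_home_content(gpg_conf_t)

## Assumed tunable name: when true, only gpg_agent_t touches gpg_secret_t.
gen_tunable(gpg_agent_only_secrets, false)

## Config files: readable, not writable, by the gpg domains.
read_files_pattern(gpg_t, gpg_home_t, gpg_conf_t)
read_files_pattern(gpg_agent_t, gpg_home_t, gpg_conf_t)

## Keyrings/trustdb stay gpg_home_t and are managed by gpg_t only.
manage_files_pattern(gpg_t, gpg_home_t, gpg_home_t)

## Secret material: always the agent, and gpg_t only while the tunable is off.
manage_files_pattern(gpg_agent_t, gpg_home_t, gpg_secret_t)
tunable_policy(`!gpg_agent_only_secrets',`
	manage_files_pattern(gpg_t, gpg_home_t, gpg_secret_t)
')

## Files created at runtime would otherwise inherit gpg_home_t from the
## directory, so transitions are needed for the default and the named cases.
filetrans_pattern(gpg_t, gpg_home_t, gpg_secret_t, file)
filetrans_pattern(gpg_agent_t, gpg_home_t, gpg_secret_t, file)
filetrans_pattern(gpg_t, gpg_home_t, gpg_home_t, file, "trustdb.gpg")
filetrans_pattern(gpg_t, gpg_home_t, gpg_home_t, file, "pubring.kbx")
filetrans_pattern(gpg_t, gpg_home_t, gpg_conf_t, file, "gpg.conf")
```

The transitions matter as much as the file contexts: without them a relabel would fix on-disk files, but anything gpg writes afterwards (including a freshly generated secret key) would land in gpg_home_t and be manageable by every domain that can manage that type.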