* [refpolicy] [PATCH 1/4] pcscd: dbus and domain lookup
From: Jason Zaman @ 2016-10-26 17:19 UTC (permalink / raw)
  To: refpolicy

Allow dbus chat to policykit.
pcscd needs to look up the domain that connects to its socket.

type=AVC msg=audit(1477409841.224:12512): avc:  denied  { open } for  pid=16611 comm="pcscd" path="/proc/10610/stat" dev="proc" ino=29254 scontext=system_u:system_r:pcscd_t:s0 tcontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tclass=file permissive=1
type=AVC msg=audit(1477409841.224:12513): avc:  denied  { getattr } for  pid=16611 comm="pcscd" path="/proc/10610/stat" dev="proc" ino=29254 scontext=system_u:system_r:pcscd_t:s0 tcontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tclass=file permissive=1
---
 pcscd.if | 3 +++
 pcscd.te | 4 ++++
 2 files changed, 7 insertions(+)

diff --git a/pcscd.if b/pcscd.if
index ac7e60c..b5c522d 100644
--- a/pcscd.if
+++ b/pcscd.if
@@ -101,6 +101,9 @@ interface(`pcscd_stream_connect',`
 
 	files_search_pids($1)
 	stream_connect_pattern($1, pcscd_var_run_t, pcscd_var_run_t, pcscd_t)
+
+	allow pcscd_t $1:dir list_dir_perms;
+	allow pcscd_t $1:file read_file_perms;
 ')
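Review bot: The two allow rules added after `stream_connect_pattern(...)` give pcscd_t read access to every file under /proc/PID that carries the caller's domain type, for every domain that ever calls pcscd_stream_connect; that is more than the two AVCs in the description (open/getattr on /proc/PID/stat) show, and it is a side effect nobody expects from an interface named "stream_connect". `list_dir_perms` also includes reading the /proc/PID directory, where `search_dir_perms` is all that is needed to reach `stat`; consider `allow pcscd_t $1:dir search_dir_perms;` and a comment such as `# pcscd reads /proc/PID/stat of the connecting domain to identify its client` so the grant is recorded next to the rule. The interface's header comment and gen_require block are outside the hunk; the doc header should say that the caller's process state becomes readable by pcscd_t.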
 
 ########################################
diff --git a/pcscd.te b/pcscd.te
index 1828900..bcc863c 100644
--- a/pcscd.te
+++ b/pcscd.te
@@ -73,6 +73,10 @@ optional_policy(`
 	optional_policy(`
 		hal_dbus_chat(pcscd_t)
 	')
+
+	optional_policy(`
+		policykit_dbus_chat(pcscd_t)
+	')
 ')
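Review bot: The new `policykit_dbus_chat(pcscd_t)` is not backed by any denial in the description, which only shows the /proc/PID/stat AVCs, so the reason pcscd must talk to polkit is recorded nowhere; by refpolicy convention a `*_dbus_chat` interface allows D-Bus messages in both directions, so this also lets policykit_t send to pcscd_t. Either the relevant AVC in the commit message or a one-line comment above the call, e.g. `# pcscd uses polkit to authorize client access (presumably; confirm against the denial)`, would make the grant reviewable. The enclosing optional_policy block begins outside the hunk.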
 
 optional_policy(`
-- 
2.7.3


* [refpolicy] [PATCH 2/4] gpg: add new socket paths
From: Jason Zaman @ 2016-10-26 17:19 UTC (permalink / raw)
  To: refpolicy

GPG 2.1 has sockets in /run/user/UID/gnupg/ and
~/.gnupg/S.gpg-agent{,.ssh}.

Also allow pinentry to dbus chat with gkeyringd.
---
 gpg.fc | 4 ++++
 gpg.if | 4 ++++
 gpg.te | 8 ++++++++
 3 files changed, 16 insertions(+)

diff --git a/gpg.fc b/gpg.fc
index 888cd2c..dcd6a16 100644
--- a/gpg.fc
+++ b/gpg.fc
@@ -1,5 +1,7 @@
 HOME_DIR/\.gnupg(/.+)?	gen_context(system_u:object_r:gpg_secret_t,s0)
 HOME_DIR/\.gnupg/log-socket	-s	gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
+HOME_DIR/\.gnupg/S.gpg-agent	-s	gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
+HOME_DIR/\.gnupg/S.gpg-agent.ssh -s	gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
 
 /usr/bin/gpg(2)?	--	gen_context(system_u:object_r:gpg_exec_t,s0)
 /usr/bin/gpgsm	--	gen_context(system_u:object_r:gpg_exec_t,s0)
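Review bot: The new `HOME_DIR/\.gnupg/S.gpg-agent.ssh -s` entry separates the path from the `-s` file-type field with a space, while every other line in the hunk, including the `log-socket` and `S.gpg-agent` entries next to it, uses tabs; the fc format tolerates it, but it breaks the column layout the file keeps. Use `HOME_DIR/\.gnupg/S.gpg-agent.ssh	-s	gen_context(system_u:object_r:gpg_agent_tmp_t,s0)` with tab separators like its neighbours.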
@@ -8,3 +10,5 @@ HOME_DIR/\.gnupg/log-socket	-s	gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
 
 /usr/lib/gnupg/.*	--	gen_context(system_u:object_r:gpg_exec_t,s0)
 /usr/lib/gnupg/gpgkeys.*	--	gen_context(system_u:object_r:gpg_helper_exec_t,s0)
+
+/var/run/user/%{USERID}/gnupg(/.*)?	gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
diff --git a/gpg.if b/gpg.if
index 0370dd1..5f4cefc 100644
--- a/gpg.if
+++ b/gpg.if
@@ -205,9 +205,13 @@ interface(`gpg_rw_agent_pipes',`
 interface(`gpg_stream_connect_agent',`
 	gen_require(`
 		type gpg_agent_t, gpg_agent_tmp_t;
+		type gpg_secret_t;
 	')
 
 	stream_connect_pattern($1, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)
+	allow $1 gpg_secret_t:dir search_dir_perms;
+	userdom_search_user_runtime($1)
+	userdom_search_user_home_dirs($1)
 ')
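Review bot: `allow $1 gpg_secret_t:dir search_dir_perms;` lets every caller of gpg_stream_connect_agent traverse the directory labelled gpg_secret_t (~/.gnupg per the fc entry in this series, the type that also covers the user's keyring files), and nothing at the rule records that `search` is deliberately the ceiling here; add `# search only: the agent sockets live under ~/.gnupg (gpg_secret_t); callers must not get read/list on it` above the line so a later AVC-driven change does not widen it. Stylistically, the added `type gpg_secret_t;` should be folded into the existing `type gpg_agent_t, gpg_agent_tmp_t;` require line rather than standing on its own. The interface's doc header is outside the hunk and should also mention the new home-dir and runtime-dir search grants.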
 
 ########################################
diff --git a/gpg.te b/gpg.te
index 7b4ba9d..61da3a7 100644
--- a/gpg.te
+++ b/gpg.te
@@ -229,6 +229,8 @@ manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
 files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })
 
 filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "log-socket")
+filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent")
+filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.ssh")
 
 domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t)
 
@@ -250,6 +252,8 @@ miscfiles_read_localization(gpg_agent_t)
 
 userdom_use_user_terminals(gpg_agent_t)
 userdom_search_user_home_dirs(gpg_agent_t)
+userdom_search_user_runtime(gpg_agent_t)
+userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, dir)
 
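Review bot: `userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, dir)` passes no filename, so every directory gpg_agent_t creates directly in the user runtime directory is labelled gpg_agent_tmp_t, not only the `gnupg` one the new `/var/run/user/%{USERID}/gnupg(/.*)?` fc entry describes; if the interface accepts the optional name argument that the `filetrans_pattern(..., "log-socket")` calls earlier in this file use, `userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, dir, "gnupg")` keeps the runtime transition in step with the fc entry. A short comment such as `# gpg 2.1 puts its sockets in $XDG_RUNTIME_DIR/gnupg` would also explain why the agent needs the runtime dir at all.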
 ifdef(`hide_broken_symptoms',`
 	userdom_dontaudit_read_user_tmp_files(gpg_agent_t)
@@ -339,6 +343,10 @@ tunable_policy(`use_samba_home_dirs',`
 optional_policy(`
 	dbus_all_session_bus_client(gpg_pinentry_t)
 	dbus_system_bus_client(gpg_pinentry_t)
+
+	optional_policy(`
+		gnome_dbus_chat_all_gkeyringd(gpg_pinentry_t)
+	')
 ')
 
 optional_policy(`
-- 
2.7.3


* [refpolicy] [PATCH 3/4] devicekit: fcontext for udisks2
From: Jason Zaman @ 2016-10-26 17:19 UTC (permalink / raw)
  To: refpolicy

---
 devicekit.fc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/devicekit.fc b/devicekit.fc
index ae49c9d..8908ab6 100644
--- a/devicekit.fc
+++ b/devicekit.fc
@@ -10,6 +10,7 @@
 /usr/libexec/devkit-disks-daemon	--	gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
 /usr/libexec/devkit-power-daemon	--	gen_context(system_u:object_r:devicekit_power_exec_t,s0)
 /usr/libexec/udisks-daemon	--	gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
+/usr/libexec/udisks2/udisksd	--	gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
 /usr/libexec/upowerd	--	gen_context(system_u:object_r:devicekit_power_exec_t,s0)
 
 /var/lib/DeviceKit-.*	gen_context(system_u:object_r:devicekit_var_lib_t,s0)
-- 
2.7.3


* [refpolicy] [PATCH 4/4] gnome: add gkeyring rules and fcontext
From: Jason Zaman @ 2016-10-26 17:19 UTC (permalink / raw)
  To: refpolicy

---
 gnome.fc | 1 +
 gnome.if | 2 ++
 gnome.te | 4 +++-
 3 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/gnome.fc b/gnome.fc
index 230ee6c..43c0ed2 100644
--- a/gnome.fc
+++ b/gnome.fc
@@ -17,5 +17,6 @@ HOME_DIR/orcexec\..*	gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
 /usr/lib/[^/]*/gconf/gconfd-2	--	gen_context(system_u:object_r:gconfd_exec_t,s0)
 /usr/libexec/gconfd-2	--	gen_context(system_u:object_r:gconfd_exec_t,s0)
 
+/var/run/user/%{USERID}/keyring(/.*)?		gen_context(system_u:object_r:gnome_keyring_tmp_t,s0)
 /var/run/user/[^/]*/orcexec\..*	--	gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
 /var/run/user/%{USERID}/orcexec\..*	--	gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
diff --git a/gnome.if b/gnome.if
index 838be50..640aeea 100644
--- a/gnome.if
+++ b/gnome.if
@@ -772,6 +772,7 @@ interface(`gnome_stream_connect_gkeyringd',`
 	')
 
 	files_search_tmp($2)
+	userdom_search_user_runtime($2)
 	stream_connect_pattern($2, gnome_keyring_tmp_t, gnome_keyring_tmp_t, $1_gkeyringd_t)
 ')
 
@@ -793,6 +794,7 @@ interface(`gnome_stream_connect_all_gkeyringd',`
 	')
 
 	files_search_tmp($1)
+	userdom_search_user_runtime($1)
 	stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain)
 ')
 
diff --git a/gnome.te b/gnome.te
index bf48475..9c792fd 100644
--- a/gnome.te
+++ b/gnome.te
@@ -123,9 +123,11 @@ gnome_home_filetrans(gkeyringd_domain, gnome_keyring_home_t, dir, "keyrings")
 manage_dirs_pattern(gkeyringd_domain, gnome_keyring_tmp_t, gnome_keyring_tmp_t)
 manage_sock_files_pattern(gkeyringd_domain, gnome_keyring_tmp_t, gnome_keyring_tmp_t)
 files_tmp_filetrans(gkeyringd_domain, gnome_keyring_tmp_t, dir)
+userdom_user_runtime_filetrans(gkeyringd_domain, gnome_keyring_tmp_t, dir)
 
-kernel_read_system_state(gkeyringd_domain)
 kernel_read_crypto_sysctls(gkeyringd_domain)
+kernel_read_kernel_sysctls(gkeyringd_domain)
+kernel_read_system_state(gkeyringd_domain)
 
 dev_read_rand(gkeyringd_domain)
 dev_read_sysfs(gkeyringd_domain)
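Review bot: `kernel_read_kernel_sysctls(gkeyringd_domain)` is added with no description or denial in the patch, and it is a broad grant over the sysctl_kernel_t tree (most of /proc/sys/kernel) rather than whatever single sysctl the keyring daemon reads; record which one it is, e.g. `# gkeyringd reads /proc/sys/kernel/<name> for <reason>`, or use a narrower interface if refpolicy has one for that sysctl. Likewise `userdom_user_runtime_filetrans(gkeyringd_domain, gnome_keyring_tmp_t, dir)` names no directory, so any directory the daemon creates under the user runtime dir becomes gnome_keyring_tmp_t; if the interface takes the optional name argument, `userdom_user_runtime_filetrans(gkeyringd_domain, gnome_keyring_tmp_t, dir, "keyring")` matches the new `/var/run/user/%{USERID}/keyring(/.*)?` fc entry. Moving `kernel_read_system_state` below `kernel_read_crypto_sysctls` is cosmetic and is best kept out of a patch that adds permissions.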
-- 
2.7.3


* [refpolicy] [PATCH 4/4] gnome: add gkeyring rules and fcontext
From: Guido Trentalancia @ 2016-10-26 22:53 UTC (permalink / raw)
  To: refpolicy

Hello!

I am using the latest version of Gnome and it works fine without the changes that you are proposing, therefore I suspect that they are distribution-specific... 

Can you please confirm? 

If so, they should be included within appropriate "ifdef" statements so that they only get compiled on that specific distribution.

Otherwise, how can I reproduce it?

Regards, 

Guido 

On the 26th of October 2016 19:19:21 CEST, Jason Zaman via refpolicy <refpolicy@oss.tresys.com> wrote:
>---
> gnome.fc | 1 +
> gnome.if | 2 ++
> gnome.te | 4 +++-
> 3 files changed, 6 insertions(+), 1 deletion(-)
>
>diff --git a/gnome.fc b/gnome.fc
>index 230ee6c..43c0ed2 100644
>--- a/gnome.fc
>+++ b/gnome.fc
>@@ -17,5 +17,6 @@
>HOME_DIR/orcexec\..*	gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
>/usr/lib/[^/]*/gconf/gconfd-2	--	gen_context(system_u:object_r:gconfd_exec_t,s0)
>/usr/libexec/gconfd-2	--	gen_context(system_u:object_r:gconfd_exec_t,s0)
> 
>+/var/run/user/%{USERID}/keyring(/.*)?		gen_context(system_u:object_r:gnome_keyring_tmp_t,s0)
>/var/run/user/[^/]*/orcexec\..*	--	gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
>/var/run/user/%{USERID}/orcexec\..*	--	gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
>diff --git a/gnome.if b/gnome.if
>index 838be50..640aeea 100644
>--- a/gnome.if
>+++ b/gnome.if
>@@ -772,6 +772,7 @@ interface(`gnome_stream_connect_gkeyringd',`
> 	')
> 
> 	files_search_tmp($2)
>+	userdom_search_user_runtime($2)
>	stream_connect_pattern($2, gnome_keyring_tmp_t, gnome_keyring_tmp_t,
>$1_gkeyringd_t)
> ')
> 
>@@ -793,6 +794,7 @@ interface(`gnome_stream_connect_all_gkeyringd',`
> 	')
> 
> 	files_search_tmp($1)
>+	userdom_search_user_runtime($1)
>	stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t,
>gkeyringd_domain)
> ')
> 
>diff --git a/gnome.te b/gnome.te
>index bf48475..9c792fd 100644
>--- a/gnome.te
>+++ b/gnome.te
>@@ -123,9 +123,11 @@ gnome_home_filetrans(gkeyringd_domain,
>gnome_keyring_home_t, dir, "keyrings")
>manage_dirs_pattern(gkeyringd_domain, gnome_keyring_tmp_t,
>gnome_keyring_tmp_t)
>manage_sock_files_pattern(gkeyringd_domain, gnome_keyring_tmp_t,
>gnome_keyring_tmp_t)
> files_tmp_filetrans(gkeyringd_domain, gnome_keyring_tmp_t, dir)
>+userdom_user_runtime_filetrans(gkeyringd_domain, gnome_keyring_tmp_t,
>dir)
> 
>-kernel_read_system_state(gkeyringd_domain)
> kernel_read_crypto_sysctls(gkeyringd_domain)
>+kernel_read_kernel_sysctls(gkeyringd_domain)
>+kernel_read_system_state(gkeyringd_domain)
> 
> dev_read_rand(gkeyringd_domain)
> dev_read_sysfs(gkeyringd_domain)


* [refpolicy] [PATCH 4/4] gnome: add gkeyring rules and fcontext
From: Jason Zaman @ 2016-10-27  3:25 UTC (permalink / raw)
  To: refpolicy

On Thu, Oct 27, 2016 at 12:53:36AM +0200, Guido Trentalancia wrote:
> Hello!
> 
> I am using the latest version of Gnome and it works fine without the changes that you are proposing, therefore I suspect that they are distribution-specific... 
> 
> Can you please confirm? 
It is definitely not distro-specific. It's been in the code for years already.
https://git.gnome.org/browse/gnome-keyring/tree/daemon/gkd-util.c?h=3.20.0#n121
gnome-keyring will use $XDG_RUNTIME_DIR if your env specifies it. Maybe
you need to setup your login stuff differently?

-- Jason

> If so, they should be included within appropriate "ifdef" statements so that they only get compiled on that specific distribution.
> 
> Otherwise, how can I reproduce it?
> 
> Regards, 
> 
> Guido 
> 
> On the 26th of October 2016 19:19:21 CEST, Jason Zaman via refpolicy <refpolicy@oss.tresys.com> wrote:
> >---
> > gnome.fc | 1 +
> > gnome.if | 2 ++
> > gnome.te | 4 +++-
> > 3 files changed, 6 insertions(+), 1 deletion(-)
> >
> >diff --git a/gnome.fc b/gnome.fc
> >index 230ee6c..43c0ed2 100644
> >--- a/gnome.fc
> >+++ b/gnome.fc
> >@@ -17,5 +17,6 @@
> >HOME_DIR/orcexec\..*	gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
> >/usr/lib/[^/]*/gconf/gconfd-2	--	gen_context(system_u:object_r:gconfd_exec_t,s0)
> >/usr/libexec/gconfd-2	--	gen_context(system_u:object_r:gconfd_exec_t,s0)
> > 
> >+/var/run/user/%{USERID}/keyring(/.*)?		gen_context(system_u:object_r:gnome_keyring_tmp_t,s0)
> >/var/run/user/[^/]*/orcexec\..*	--	gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
> >/var/run/user/%{USERID}/orcexec\..*	--	gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
> >diff --git a/gnome.if b/gnome.if
> >index 838be50..640aeea 100644
> >--- a/gnome.if
> >+++ b/gnome.if
> >@@ -772,6 +772,7 @@ interface(`gnome_stream_connect_gkeyringd',`
> > 	')
> > 
> > 	files_search_tmp($2)
> >+	userdom_search_user_runtime($2)
> >	stream_connect_pattern($2, gnome_keyring_tmp_t, gnome_keyring_tmp_t,
> >$1_gkeyringd_t)
> > ')
> > 
> >@@ -793,6 +794,7 @@ interface(`gnome_stream_connect_all_gkeyringd',`
> > 	')
> > 
> > 	files_search_tmp($1)
> >+	userdom_search_user_runtime($1)
> >	stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t,
> >gkeyringd_domain)
> > ')
> > 
> >diff --git a/gnome.te b/gnome.te
> >index bf48475..9c792fd 100644
> >--- a/gnome.te
> >+++ b/gnome.te
> >@@ -123,9 +123,11 @@ gnome_home_filetrans(gkeyringd_domain,
> >gnome_keyring_home_t, dir, "keyrings")
> >manage_dirs_pattern(gkeyringd_domain, gnome_keyring_tmp_t,
> >gnome_keyring_tmp_t)
> >manage_sock_files_pattern(gkeyringd_domain, gnome_keyring_tmp_t,
> >gnome_keyring_tmp_t)
> > files_tmp_filetrans(gkeyringd_domain, gnome_keyring_tmp_t, dir)
> >+userdom_user_runtime_filetrans(gkeyringd_domain, gnome_keyring_tmp_t,
> >dir)
> > 
> >-kernel_read_system_state(gkeyringd_domain)
> > kernel_read_crypto_sysctls(gkeyringd_domain)
> >+kernel_read_kernel_sysctls(gkeyringd_domain)
> >+kernel_read_system_state(gkeyringd_domain)
> > 
> > dev_read_rand(gkeyringd_domain)
> > dev_read_sysfs(gkeyringd_domain)
> 


* [refpolicy] [PATCH 2/4] gpg: add new socket paths
From: Nicolas Iooss @ 2016-10-27  7:59 UTC (permalink / raw)
  To: refpolicy

On Wed, Oct 26, 2016 at 7:19 PM, Jason Zaman via refpolicy <
refpolicy@oss.tresys.com> wrote:

> GPG 2.1 has sockets in /run/user/UID/gnupg/ and
> ~/.gnupg/S.gpg-agent{,.ssh}.
>
> also allow pinentry to dbus chat gkeyring
> ---
>  gpg.fc | 4 ++++
>  gpg.if | 4 ++++
>  gpg.te | 8 ++++++++
>  3 files changed, 16 insertions(+)
>
> diff --git a/gpg.fc b/gpg.fc
> index 888cd2c..dcd6a16 100644
> --- a/gpg.fc
> +++ b/gpg.fc
> @@ -1,5 +1,7 @@
>  HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0)
>  HOME_DIR/\.gnupg/log-socket    -s      gen_context(system_u:object_r:
> gpg_agent_tmp_t,s0)
> +HOME_DIR/\.gnupg/S.gpg-agent   -s      gen_context(system_u:object_r:
> gpg_agent_tmp_t,s0)
> +HOME_DIR/\.gnupg/S.gpg-agent.ssh -s    gen_context(system_u:object_r:
> gpg_agent_tmp_t,s0)
>

Hi,
In these file patterns you might want to escape the dots with backslashes
so that they only match S.gpg-agent{,.ssh} and not files which have any
character where the dots are in the pattern.

Otherwise the patches look good to me.
Nicolas


* [refpolicy] [PATCH 1/4] pcscd: dbus and domain lookup
From: Chris PeBenito @ 2016-10-30 18:21 UTC (permalink / raw)
  To: refpolicy

On 10/26/16 13:19, Jason Zaman wrote:
> Allow dbus chat to policykit.
> pcscd needs to lookup the domain that connects to the socket.
>
> type=AVC msg=audit(1477409841.224:12512): avc:  denied  { open } for  pid=16611 comm="pcscd" path="/proc/10610/stat" dev="proc" ino=29254 scontext=system_u:system_r:pcscd_t:s0 tcontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tclass=file permissive=1
> type=AVC msg=audit(1477409841.224:12513): avc:  denied  { getattr } for  pid=16611 comm="pcscd" path="/proc/10610/stat" dev="proc" ino=29254 scontext=system_u:system_r:pcscd_t:s0 tcontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tclass=file permissive=1
> ---
>  pcscd.if | 3 +++
>  pcscd.te | 4 ++++
>  2 files changed, 7 insertions(+)
>
> diff --git a/pcscd.if b/pcscd.if
> index ac7e60c..b5c522d 100644
> --- a/pcscd.if
> +++ b/pcscd.if
> @@ -101,6 +101,9 @@ interface(`pcscd_stream_connect',`
>
>  	files_search_pids($1)
>  	stream_connect_pattern($1, pcscd_var_run_t, pcscd_var_run_t, pcscd_t)
> +
> +	allow pcscd_t $1:dir list_dir_perms;
> +	allow pcscd_t $1:file read_file_perms;
>  ')
>
>  ########################################
> diff --git a/pcscd.te b/pcscd.te
> index 1828900..bcc863c 100644
> --- a/pcscd.te
> +++ b/pcscd.te
> @@ -73,6 +73,10 @@ optional_policy(`
>  	optional_policy(`
>  		hal_dbus_chat(pcscd_t)
>  	')
> +
> +	optional_policy(`
> +		policykit_dbus_chat(pcscd_t)
> +	')
>  ')
>
>  optional_policy(`

Merged.

-- 
Chris PeBenito


* [refpolicy] [PATCH 3/4] devicekit: fcontext for udisks2
From: Chris PeBenito @ 2016-10-30 18:21 UTC (permalink / raw)
  To: refpolicy

On 10/26/16 13:19, Jason Zaman wrote:
> ---
>  devicekit.fc | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/devicekit.fc b/devicekit.fc
> index ae49c9d..8908ab6 100644
> --- a/devicekit.fc
> +++ b/devicekit.fc
> @@ -10,6 +10,7 @@
>  /usr/libexec/devkit-disks-daemon	--	gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
>  /usr/libexec/devkit-power-daemon	--	gen_context(system_u:object_r:devicekit_power_exec_t,s0)
>  /usr/libexec/udisks-daemon	--	gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
> +/usr/libexec/udisks2/udisksd	--	gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
>  /usr/libexec/upowerd	--	gen_context(system_u:object_r:devicekit_power_exec_t,s0)
>
>  /var/lib/DeviceKit-.*	gen_context(system_u:object_r:devicekit_var_lib_t,s0)

Merged.

-- 
Chris PeBenito


* [refpolicy] [PATCH 4/4] gnome: add gkeyring rules and fcontext
From: Chris PeBenito @ 2016-10-30 18:21 UTC (permalink / raw)
  To: refpolicy

On 10/26/16 13:19, Jason Zaman wrote:
> ---
>  gnome.fc | 1 +
>  gnome.if | 2 ++
>  gnome.te | 4 +++-
>  3 files changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/gnome.fc b/gnome.fc
> index 230ee6c..43c0ed2 100644
> --- a/gnome.fc
> +++ b/gnome.fc
> @@ -17,5 +17,6 @@ HOME_DIR/orcexec\..*	gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
>  /usr/lib/[^/]*/gconf/gconfd-2	--	gen_context(system_u:object_r:gconfd_exec_t,s0)
>  /usr/libexec/gconfd-2	--	gen_context(system_u:object_r:gconfd_exec_t,s0)
>
> +/var/run/user/%{USERID}/keyring(/.*)?		gen_context(system_u:object_r:gnome_keyring_tmp_t,s0)
>  /var/run/user/[^/]*/orcexec\..*	--	gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
>  /var/run/user/%{USERID}/orcexec\..*	--	gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
> diff --git a/gnome.if b/gnome.if
> index 838be50..640aeea 100644
> --- a/gnome.if
> +++ b/gnome.if
> @@ -772,6 +772,7 @@ interface(`gnome_stream_connect_gkeyringd',`
>  	')
>
>  	files_search_tmp($2)
> +	userdom_search_user_runtime($2)
>  	stream_connect_pattern($2, gnome_keyring_tmp_t, gnome_keyring_tmp_t, $1_gkeyringd_t)
>  ')
>
> @@ -793,6 +794,7 @@ interface(`gnome_stream_connect_all_gkeyringd',`
>  	')
>
>  	files_search_tmp($1)
> +	userdom_search_user_runtime($1)
>  	stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain)
>  ')
>
> diff --git a/gnome.te b/gnome.te
> index bf48475..9c792fd 100644
> --- a/gnome.te
> +++ b/gnome.te
> @@ -123,9 +123,11 @@ gnome_home_filetrans(gkeyringd_domain, gnome_keyring_home_t, dir, "keyrings")
>  manage_dirs_pattern(gkeyringd_domain, gnome_keyring_tmp_t, gnome_keyring_tmp_t)
>  manage_sock_files_pattern(gkeyringd_domain, gnome_keyring_tmp_t, gnome_keyring_tmp_t)
>  files_tmp_filetrans(gkeyringd_domain, gnome_keyring_tmp_t, dir)
> +userdom_user_runtime_filetrans(gkeyringd_domain, gnome_keyring_tmp_t, dir)
>
> -kernel_read_system_state(gkeyringd_domain)
>  kernel_read_crypto_sysctls(gkeyringd_domain)
> +kernel_read_kernel_sysctls(gkeyringd_domain)
> +kernel_read_system_state(gkeyringd_domain)
>
>  dev_read_rand(gkeyringd_domain)
>  dev_read_sysfs(gkeyringd_domain)

Merged.

-- 
Chris PeBenito

