From: Jason Zaman <jason@perfinion.com> To: selinux-refpolicy@vger.kernel.org Cc: Jason Zaman <perfinion@gentoo.org> Subject: [PATCH 10/10] gpg: add watch perms for agent Date: Sun, 16 Feb 2020 16:54:22 +0800 Message-ID: <20200216085422.36530-10-jason@perfinion.com> (raw) In-Reply-To: <20200216085422.36530-1-jason@perfinion.com> From: Jason Zaman <perfinion@gentoo.org> avc: denied { watch } for pid=10668 comm="gpg-agent" path="/run/user/1000/gnupg" dev="tmpfs" ino=21988 scontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:gpg_runtime_t:s0 tclass=dir permissive=0 avc: denied { watch } for pid=10668 comm="gpg-agent" path="/home/jason/.gnupg" dev="zfs" ino=34432 scontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:gpg_secret_t:s0 tclass=dir permissive=0 --- policy/modules/apps/gpg.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te index 90508415..d007b6ac 100644 --- a/policy/modules/apps/gpg.te +++ b/policy/modules/apps/gpg.te @@ -229,9 +229,11 @@ manage_dirs_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) manage_sock_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) +allow gpg_agent_t gpg_secret_t:dir watch; manage_dirs_pattern(gpg_agent_t, gpg_runtime_t, gpg_runtime_t) userdom_user_runtime_filetrans(gpg_agent_t, gpg_runtime_t, dir, "gnupg") +allow gpg_agent_t gpg_runtime_t:dir watch; manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t) manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t) -- 2.24.1
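Review bot: neither added rule in the @@ -229,9 +229,11 @@ hunk of policy/modules/apps/gpg.te (`allow gpg_agent_t gpg_secret_t:dir watch;` after the gpg_secret_t manage patterns, and `allow gpg_agent_t gpg_runtime_t:dir watch;` after userdom_user_runtime_filetrans) is documented, because the commit message consists only of the two AVC denials and never says why gpg-agent sets watches on these directories. A one-sentence rationale above the denials would make the grant easier to audit later. The scope itself matches the evidence: both denials are { watch } on tclass=dir, one with tcontext gpg_secret_t and one with gpg_runtime_t, and the rules add only dir watch for exactly those two types. The surrounding context lines show gpg_agent_t already has manage_dirs_pattern on both types and manage_files_pattern on gpg_secret_t, so the new permission does not widen what the agent can reach. Both denials were logged with permissive=0, so it would be worth confirming after the policy is loaded that no further watch-class denials appear for gpg_agent_t on these paths.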