[PATCH 10/10] gpg: add watch perms for agent

From: Jason Zaman <jason@perfinion.com>
To: selinux-refpolicy@vger.kernel.org
Cc: Jason Zaman <perfinion@gentoo.org>
Subject: [PATCH 10/10] gpg: add watch perms for agent
Date: Sun, 16 Feb 2020 16:54:22 +0800	[thread overview]
Message-ID: <20200216085422.36530-10-jason@perfinion.com> (raw)
In-Reply-To: <20200216085422.36530-1-jason@perfinion.com>

From: Jason Zaman <perfinion@gentoo.org>

avc:  denied  { watch } for  pid=10668 comm="gpg-agent" path="/run/user/1000/gnupg" dev="tmpfs" ino=21988 scontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:gpg_runtime_t:s0 tclass=dir permissive=0
avc:  denied  { watch } for  pid=10668 comm="gpg-agent" path="/home/jason/.gnupg" dev="zfs" ino=34432 scontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:gpg_secret_t:s0 tclass=dir permissive=0
---
 policy/modules/apps/gpg.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te
index 90508415..d007b6ac 100644
--- a/policy/modules/apps/gpg.te
+++ b/policy/modules/apps/gpg.te
@@ -229,9 +229,11 @@ manage_dirs_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
 manage_sock_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
 manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
 manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
+allow gpg_agent_t gpg_secret_t:dir watch;
 
 manage_dirs_pattern(gpg_agent_t, gpg_runtime_t, gpg_runtime_t)
 userdom_user_runtime_filetrans(gpg_agent_t, gpg_runtime_t, dir, "gnupg")
+allow gpg_agent_t gpg_runtime_t:dir watch;
 
 manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
 manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
-- 
2.24.1

