+ ##
+@@ -14,12 +15,13 @@
+ ##
+ gen_tunable(gpg_agent_env_file, false)
+
+-type gpg_t;
++type gpg_t, gpgdomain;
+ type gpg_exec_t;
+ typealias gpg_t alias { user_gpg_t staff_gpg_t sysadm_gpg_t };
typealias gpg_t alias { auditadm_gpg_t secadm_gpg_t };
application_domain(gpg_t, gpg_exec_t)
ubac_constrained(gpg_t)
@@ -3457,7 +3472,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s
type gpg_agent_t;
type gpg_agent_exec_t;
-@@ -45,6 +46,7 @@
+@@ -45,6 +47,7 @@
typealias gpg_helper_t alias { auditadm_gpg_helper_t secadm_gpg_helper_t };
application_domain(gpg_helper_t, gpg_helper_exec_t)
ubac_constrained(gpg_helper_t)
@@ -3465,7 +3480,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s
type gpg_pinentry_t;
type pinentry_exec_t;
-@@ -53,14 +55,23 @@
+@@ -53,22 +56,33 @@
application_domain(gpg_pinentry_t, pinentry_exec_t)
ubac_constrained(gpg_pinentry_t)
@@ -3482,16 +3497,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s
# GPG local policy
#
- allow gpg_t self:capability { ipc_lock setuid };
+-allow gpg_t self:capability { ipc_lock setuid };
-# setrlimit is for ulimit -c 0
-allow gpg_t self:process { signal setrlimit getcap setcap setpgid };
-+allow gpg_t self:process { getsched setsched };
++allow gpgdomain self:capability { ipc_lock setuid };
++allow gpgdomain self:process { getsched setsched };
+#at setrlimit is for ulimit -c 0
-+allow gpg_t self:process { signal signull setrlimit getcap setcap setpgid };
++allow gpgdomain self:process { signal signull setrlimit getcap setcap setpgid };
+
+-allow gpg_t self:fifo_file rw_fifo_file_perms;
+-allow gpg_t self:tcp_socket create_stream_socket_perms;
++allow gpgdomain self:fifo_file rw_fifo_file_perms;
++allow gpgdomain self:tcp_socket create_stream_socket_perms;
- allow gpg_t self:fifo_file rw_fifo_file_perms;
- allow gpg_t self:tcp_socket create_stream_socket_perms;
-@@ -69,6 +80,8 @@
+ manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
files_tmp_filetrans(gpg_t, gpg_agent_tmp_t, { dir file })
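Review bot: On the new side the self:capability { ipc_lock setuid }, self:process, fifo_file and tcp_socket create_stream_socket_perms rules are granted to the `gpgdomain` attribute instead of `gpg_t` (the `++allow gpgdomain ...` lines), so every type that is later given this attribute inherits CAP_SETUID and TCP socket creation rather than only gpg_t; the attribute declaration and its other members are not visible in this hunk, so I cannot tell how wide that set is. The patch should state the intent next to the block, e.g. `# gpgdomain: rules shared by gpg_t and every other type carrying the attribute; adding a type here also grants setuid and tcp_socket create`, so a later addition of a type to the attribute is reviewed against that. The comment line `#at setrlimit is for ulimit -c 0` looks like a stray "at" crept in front of the original `# setrlimit is for ulimit -c 0`, worth fixing while the line is being touched. The surrounding "GPG local policy" block continues past the end of the hunk.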
@@ -3500,7 +3519,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s
# transition from the gpg domain to the helper domain
domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)
-@@ -79,6 +92,9 @@
+@@ -79,6 +93,9 @@
kernel_read_sysctl(gpg_t)
@@ -3510,7 +3529,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s
corenet_all_recvfrom_unlabeled(gpg_t)
corenet_all_recvfrom_netlabel(gpg_t)
corenet_tcp_sendrecv_generic_if(gpg_t)
-@@ -95,6 +111,7 @@
+@@ -95,6 +112,7 @@
dev_read_generic_usb_dev(gpg_t)
fs_getattr_xattr_fs(gpg_t)
@@ -3518,7 +3537,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s
domain_use_interactive_fds(gpg_t)
-@@ -112,6 +129,8 @@
+@@ -112,6 +130,8 @@
# sign/encrypt user files
userdom_manage_user_tmp_files(gpg_t)
userdom_manage_user_home_content_files(gpg_t)
@@ -3527,7 +3546,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s
mta_write_config(gpg_t)
-@@ -126,15 +145,20 @@
+@@ -126,15 +146,20 @@
')
optional_policy(`
@@ -3552,7 +3571,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s
########################################
#
# GPG helper local policy
-@@ -184,6 +208,7 @@
+@@ -184,6 +209,7 @@
#
# GPG agent local policy
#
@@ -3560,7 +3579,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s
# rlimit: gpg-agent wants to prevent coredumps
allow gpg_agent_t self:process setrlimit;
-@@ -202,10 +227,16 @@
+@@ -202,10 +228,16 @@
manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })
@@ -3577,7 +3596,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s
domain_use_interactive_fds(gpg_agent_t)
-@@ -215,6 +246,10 @@
+@@ -215,6 +247,10 @@
userdom_use_user_terminals(gpg_agent_t)
# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
userdom_search_user_home_dirs(gpg_agent_t)
@@ -3588,7 +3607,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s
tunable_policy(`gpg_agent_env_file',`
# write ~/.gpg-agent-info or a similar to the users home dir
-@@ -237,31 +272,74 @@
+@@ -237,31 +273,74 @@
fs_manage_cifs_symlinks(gpg_agent_t)
')
@@ -3664,7 +3683,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s
tunable_policy(`use_nfs_home_dirs',`
fs_read_nfs_files(gpg_pinentry_t)
')
-@@ -271,5 +349,25 @@
+@@ -271,5 +350,25 @@
')
optional_policy(`
@@ -5460,8 +5479,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud
/var/run/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.if serefpolicy-3.7.19/policy/modules/apps/pulseaudio.if
--- nsaserefpolicy/policy/modules/apps/pulseaudio.if 2010-03-29 15:04:22.000000000 -0400
-+++ serefpolicy-3.7.19/policy/modules/apps/pulseaudio.if 2010-04-29 10:59:16.000000000 -0400
-@@ -186,6 +186,25 @@
++++ serefpolicy-3.7.19/policy/modules/apps/pulseaudio.if 2010-05-13 11:25:28.000000000 -0400
+@@ -104,6 +104,24 @@
+ can_exec($1, pulseaudio_exec_t)
+ ')
+
++########################################
++##