From: dac.override@gmail.com (Dominick Grift)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH 1/2] Policy for gpg's dirmngr
Date: Tue, 11 Aug 2015 08:30:58 +0200 [thread overview]
Message-ID: <20150811063057.GA1884@x250> (raw)
In-Reply-To: <55C95E8E.1020406@m4x.org>
On Tue, Aug 11, 2015 at 10:31:42AM +0800, Nicolas Iooss wrote:
> Hello,
>
> On 08/10/2015 10:05 PM, Dominick Grift wrote:
> > On Mon, Aug 10, 2015 at 03:42:34PM +0200, Luis Ressel wrote:
> <snip>
> >>
> >> On my system, dirmngr fails to start without those.
> >>
> >> avc: denied { read } for pid=2126 comm=636F6E6E2066643D30
> >> name="random" dev="devtmpfs" ino=1032
> >> scontext=staff_u:staff_r:gpg_dirmngr_t
> >> tcontext=system_u:object_r:random_device_t tclass=chr_file permissive=0
> >>
> >
> > Assuming 636F6E6E2066643D30 translates to "dirmngr", then I guess it is needed. I haven't encountered this on my implementation.
>
> To decode this string, several ways exist [1], for example in Python:
>
> python -c 'import binascii;
> print(binascii.unhexlify("636F6E6E2066643D30"))'
Thanks, yes. Reading the AVC denial with ausearch -i will also interpret it.
>
> This gives "conn fd=0", which is not directly "dirmngr". But in fact
> dirmngr seems to spawn a thread with this name [2] so this process is
> really dirmngr. Moreover in dirmngr/ks-engine-hkp.c in gnupg code,
> function select_random_host seems to need a random number generator to
> choose an host, which could explain the access to /dev/random (I have
> not checked deeply the code to understand how this function gets called).
>
> --
> Nicolas Iooss
>
> [1]
> http://blog.siphos.be/2014/03/decoding-the-hex-coded-path-information-in-avc-denials/
> [2]
> https://github.com/unofficial-mirrors/gnupg/blob/gnupg-2.1.3/dirmngr/dirmngr.c#L2048-L2059
>
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
--
02DFF788
4D30 903A 1CF3 B756 FB48 1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
Dominick Grift
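The decoding step discussed in this thread, written out as a small parser for AVC denial records. This is an added example, not code from the thread or from refpolicy: it splits an audit line into key=value fields and hex-decodes the unquoted values of the fields the kernel logs as "untrusted" strings (comm, name, path, exe, proctitle, ...), which is what ausearch -i does for you. The audit subsystem hex-encodes such a value (uppercase hex, no quotes) when it contains a space, a double quote, a control character or a non-ASCII byte, and otherwise logs it in double quotes, so an unquoted value in one of these fields is always hex. The set of field names is an assumption chosen for this example; the denial below is the one from the thread joined back onto one line, and the second sample record is constructed.

```python
import binascii
import re

# Fields the kernel writes via audit_log_untrustedstring(). Assumption for
# this example: the list is not exhaustive, extend it as needed. An unquoted
# value in one of these fields is hex-encoded; a plain value is always quoted.
UNTRUSTED_FIELDS = {"comm", "name", "path", "exe", "proctitle", "key", "cwd"}

# key=value pairs: a double-quoted string or a run of non-whitespace.
_FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
_PERM_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")

# The denial from the thread, re-joined onto a single line.
AVC_DENIAL = (
    'avc: denied { read } for pid=2126 comm=636F6E6E2066643D30 '
    'name="random" dev="devtmpfs" ino=1032 '
    'scontext=staff_u:staff_r:gpg_dirmngr_t '
    'tcontext=system_u:object_r:random_device_t tclass=chr_file permissive=0'
)

# Constructed sample with a plain (quoted) comm, to show the non-hex path.
AVC_DENIAL_PLAIN = (
    'avc: denied { connectto } for pid=2200 comm="dirmngr" '
    'path="/run/user/1000/gnupg/S.dirmngr" '
    'scontext=staff_u:staff_r:gpg_dirmngr_t '
    'tcontext=staff_u:staff_r:gpg_dirmngr_t tclass=unix_stream_socket permissive=0'
)


def decode_audit_value(field, raw):
    """Decode one key=value pair: strip quotes, or hex-decode an untrusted field."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if field in UNTRUSTED_FIELDS and len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-F]+", raw):
        # Same operation as the python one-liner in the thread, applied only
        # where the kernel actually hex-encodes. Bytes are decoded leniently
        # because comm/path may legitimately contain non-UTF-8 bytes.
        return binascii.unhexlify(raw).decode("utf-8", errors="replace")
    return raw


def parse_avc(line):
    """Return the AVC record's fields as a dict with decoded values."""
    return {field: decode_audit_value(field, raw) for field, raw in _FIELD_RE.findall(line)}


def avc_permissions(line):
    """Return the list of permissions named inside '{ ... }' in an AVC denial."""
    m = _PERM_RE.search(line)
    return m.group(1).split() if m else []


if __name__ == "__main__":
    for record in (AVC_DENIAL, AVC_DENIAL_PLAIN):
        fields = parse_avc(record)
        print(avc_permissions(record), fields["scontext"], "->", fields["tcontext"],
              fields["tclass"], "comm=%r" % fields["comm"])
```

Run against the denial from the thread this prints comm='conn fd=0', which is the thread name dirmngr gives its connection handler, so the decoded comm alone does not tell you which binary is involved; the scontext (gpg_dirmngr_t) does, and for an unambiguous answer you would look at the exe= or proctitle= fields of the accompanying SYSCALL record rather than at comm.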
Thread overview:
2015-08-09 21:10 [refpolicy] [PATCH 1/2] Policy for gpg's dirmngr Luis Ressel
2015-08-09 21:10 ` [refpolicy] [PATCH 2/2] gpg 2.1 places gpg-agent sockets in ~/.gnupg/ Luis Ressel
2015-08-10 7:27 ` Dominick Grift
2015-08-10 13:15 ` Luis Ressel
2015-08-10 13:33 ` Dominick Grift
2015-08-10 13:49 ` Luis Ressel
2015-08-10 7:25 ` [refpolicy] [PATCH 1/2] Policy for gpg's dirmngr Dominick Grift
2015-08-10 13:42 ` Luis Ressel
2015-08-10 14:05 ` Dominick Grift
2015-08-11 2:31 ` Nicolas Iooss
2015-08-11 6:30 ` Dominick Grift [this message]