* [refpolicy] apps_gpg.patch
@ 2009-03-24 13:18 Daniel J Walsh
  0 siblings, 0 replies; 15+ messages in thread
From: Daniel J Walsh @ 2009-03-24 13:18 UTC (permalink / raw)
  To: refpolicy

http://people.fedoraproject.org/~dwalsh/SELinux/F11/apps_gpg.patch

Fix gpg file context for 64 bit platform

Apps send sigkill to gpg as well as signal

gpg gets execed by firefox and thunderbird which leak file descriptors 
like crazy so need to cover this up

gpg needs getcap


Creates /tmp files

Reads kernel sysctl to check fips mode

lists inotify

calls getpw



gpg_helper needs get and setsched

calls getpw
Lists inotify

gpg_t needs to be able to rewrite /tmp files created by thunderbird and 
files in the homedir, in order to sign/encrypt them


* [refpolicy] apps_gpg.patch
@ 2009-05-21 14:58 Daniel J Walsh
  2009-07-21 14:11 ` Christopher J. PeBenito
  0 siblings, 1 reply; 15+ messages in thread
From: Daniel J Walsh @ 2009-05-21 14:58 UTC (permalink / raw)
  To: refpolicy

http://people.fedoraproject.org/~dwalsh/SELinux/F11/apps_gpg.patch

gpg sends signals

executed from firefox/thunderbird, which leak file descriptors like a sieve.

Needs getcap

Creates files in /tmp

uses getpw calls

Needs to manage users' files in /tmp and the homedir.  It signs them, 
encrypts them ...


* [refpolicy] apps_gpg.patch
  2009-05-21 14:58 Daniel J Walsh
@ 2009-07-21 14:11 ` Christopher J. PeBenito
  0 siblings, 0 replies; 15+ messages in thread
From: Christopher J. PeBenito @ 2009-07-21 14:11 UTC (permalink / raw)
  To: refpolicy

On Thu, 2009-05-21 at 10:58 -0400, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F11/apps_gpg.patch
> 
> gpg sends signals
> 
> executed from firefox/thunderbird, which leak file descriptors like a
> sieve.
> 
> Needs getcap
> 
> Creates files in /tmp
> 
> uses getpw calls
> 
> Needs to manage users' files in /tmp and the homedir.  It signs them,
> encrypts them ...

Merged.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


* [refpolicy] apps_gpg.patch
@ 2009-08-28 20:06 Daniel J Walsh
  2009-09-03 12:23 ` Christopher J. PeBenito
  0 siblings, 1 reply; 15+ messages in thread
From: Daniel J Walsh @ 2009-08-28 20:06 UTC (permalink / raw)
  To: refpolicy

http://people.fedoraproject.org/~dwalsh/SELinux/F12/apps_gpg.patch

gpg sends sigstop and signull

Reads usb devices

Can encrypt users' content in /tmp and the homedir, as well as on NFS and cifs


* [refpolicy] apps_gpg.patch
  2009-08-28 20:06 Daniel J Walsh
@ 2009-09-03 12:23 ` Christopher J. PeBenito
  0 siblings, 0 replies; 15+ messages in thread
From: Christopher J. PeBenito @ 2009-09-03 12:23 UTC (permalink / raw)
  To: refpolicy

On Fri, 2009-08-28 at 16:06 -0400, Daniel J Walsh wrote:
> gpg sends sigstop and signull
> 
> Reads usb devices
> 
> Can encrypt users' content in /tmp and the homedir, as well as on NFS
> and cifs

Merged.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


* [refpolicy] apps_gpg.patch
@ 2009-11-12 20:45 Daniel J Walsh
  2009-12-01 15:32 ` Christopher J. PeBenito
  0 siblings, 1 reply; 15+ messages in thread
From: Daniel J Walsh @ 2009-11-12 20:45 UTC (permalink / raw)
  To: refpolicy

http://people.fedoraproject.org/~dwalsh/SELinux/F12/apps_gpg.patch

gpg sends syslog

can be run in cron jobs

gpg_helper needs to dontaudit leaked descriptors in nfs and cifs homedirs


* [refpolicy] apps_gpg.patch
  2009-11-12 20:45 [refpolicy] apps_gpg.patch Daniel J Walsh
@ 2009-12-01 15:32 ` Christopher J. PeBenito
  0 siblings, 0 replies; 15+ messages in thread
From: Christopher J. PeBenito @ 2009-12-01 15:32 UTC (permalink / raw)
  To: refpolicy

On Thu, 2009-11-12 at 15:45 -0500, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F12/apps_gpg.patch
> 
> gpg sends syslog
> 
> can be run in cron jobs
> 
> gpg_helper needs to dontaudit leaked descriptors in nfs and cifs
> homedirs

Merged.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


* [refpolicy] apps_gpg.patch
@ 2010-02-23 19:24 Daniel J Walsh
  0 siblings, 0 replies; 15+ messages in thread
From: Daniel J Walsh @ 2010-02-23 19:24 UTC (permalink / raw)
  To: refpolicy

http://people.fedoraproject.org/~dwalsh/SELinux/F13/apps_gpg.patch

Allow apache to run gpg_t as system_r

We don't allow cron to transition to gpg_t.


* [refpolicy] apps_gpg.patch
@ 2010-06-02 20:05 Daniel J Walsh
  2010-07-06 14:59 ` Christopher J. PeBenito
  0 siblings, 1 reply; 15+ messages in thread
From: Daniel J Walsh @ 2010-06-02 20:05 UTC (permalink / raw)
  To: refpolicy

http://people.fedoraproject.org/~dwalsh/SELinux/F14/apps_gpg.patch

gpg dontaudit leaks.

Added policy so apache can execute gpg


* [refpolicy] apps_gpg.patch
  2010-06-02 20:05 Daniel J Walsh
@ 2010-07-06 14:59 ` Christopher J. PeBenito
  2010-07-13 12:15   ` Daniel J Walsh
  0 siblings, 1 reply; 15+ messages in thread
From: Christopher J. PeBenito @ 2010-07-06 14:59 UTC (permalink / raw)
  To: refpolicy

On 06/02/10 16:05, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F14/apps_gpg.patch
>
> gpg dontaudit leaks.

Merged.

> Added policy so apache can execute gpg

I don't understand this part.  It seems more like it should be a domain 
in the apache module instead.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* [refpolicy] apps_gpg.patch
  2010-07-06 14:59 ` Christopher J. PeBenito
@ 2010-07-13 12:15   ` Daniel J Walsh
  2010-07-19 17:45     ` Christopher J. PeBenito
  0 siblings, 1 reply; 15+ messages in thread
From: Daniel J Walsh @ 2010-07-13 12:15 UTC (permalink / raw)
  To: refpolicy

On 07/06/2010 10:59 AM, Christopher J. PeBenito wrote:
> On 06/02/10 16:05, Daniel J Walsh wrote:
>> http://people.fedoraproject.org/~dwalsh/SELinux/F14/apps_gpg.patch
>>
>> gpg dontaudit leaks.
> 
> Merged.
> 
>> Added policy so apache can execute gpg
> 
> I don't understand this part.  It seems more like it should be a domain
> in the apache module instead.
> 
I guess we could go that way, but you need interfaces including gpg_exec_t.


* [refpolicy] apps_gpg.patch
  2010-07-13 12:15   ` Daniel J Walsh
@ 2010-07-19 17:45     ` Christopher J. PeBenito
  2010-07-19 18:01       ` Daniel J Walsh
  0 siblings, 1 reply; 15+ messages in thread
From: Christopher J. PeBenito @ 2010-07-19 17:45 UTC (permalink / raw)
  To: refpolicy

On 07/13/10 08:15, Daniel J Walsh wrote:
> On 07/06/2010 10:59 AM, Christopher J. PeBenito wrote:
>> On 06/02/10 16:05, Daniel J Walsh wrote:
>>> http://people.fedoraproject.org/~dwalsh/SELinux/F14/apps_gpg.patch
>>>
>>> gpg dontaudit leaks.
>>
>> Merged.
>>
>>> Added policy so apache can execute gpg
>>
>> I don't understand this part.  It seems more like it should be a domain
>> in the apache module instead.
>>
> I guess we could go that way, but you need interfaces including gpg_exec_t.

How is this used?  Is it run from a CGI script to check the signature or 
(en|de)crypt a file?

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* [refpolicy] apps_gpg.patch
  2010-07-19 17:45     ` Christopher J. PeBenito
@ 2010-07-19 18:01       ` Daniel J Walsh
  2010-07-20  6:49         ` Miroslav Grepl
  0 siblings, 1 reply; 15+ messages in thread
From: Daniel J Walsh @ 2010-07-19 18:01 UTC (permalink / raw)
  To: refpolicy

On 07/19/2010 01:45 PM, Christopher J. PeBenito wrote:
> On 07/13/10 08:15, Daniel J Walsh wrote:
>> On 07/06/2010 10:59 AM, Christopher J. PeBenito wrote:
>>> On 06/02/10 16:05, Daniel J Walsh wrote:
>>>> http://people.fedoraproject.org/~dwalsh/SELinux/F14/apps_gpg.patch
>>>>
>>>> gpg dontaudit leaks.
>>>
>>> Merged.
>>>
>>>> Added policy so apache can execute gpg
>>>
>>> I don't understand this part.  It seems more like it should be a domain
>>> in the apache module instead.
>>>
>> I guess we could go that way, but you need interfaces including
>> gpg_exec_t.
> 
> How is this used?  Is it run from a CGI script to check the signature or
> (en|de)crypt a file?
> 
Yes and Yes, I think.

* [refpolicy] apps_gpg.patch
  2010-07-19 18:01       ` Daniel J Walsh
@ 2010-07-20  6:49         ` Miroslav Grepl
  0 siblings, 0 replies; 15+ messages in thread
From: Miroslav Grepl @ 2010-07-20  6:49 UTC (permalink / raw)
  To: refpolicy

On 07/19/2010 08:01 PM, Daniel J Walsh wrote:
> On 07/19/2010 01:45 PM, Christopher J. PeBenito wrote:
>    
>> On 07/13/10 08:15, Daniel J Walsh wrote:
>>      
>>> On 07/06/2010 10:59 AM, Christopher J. PeBenito wrote:
>>>        
>>>> On 06/02/10 16:05, Daniel J Walsh wrote:
>>>>          
>>>>> http://people.fedoraproject.org/~dwalsh/SELinux/F14/apps_gpg.patch
>>>>>
>>>>> gpg dontaudit leaks.
>>>>>            
>>>> Merged.
>>>>
>>>>          
>>>>> Added policy so apache can execute gpg
>>>>>            
>>>> I don't understand this part.  It seems more like it should be a domain
>>>> in the apache module instead.
>>>>
>>>>          
>>> I guess we could go that way, but you need interfaces including
>>> gpg_exec_t.
>>>        
>> How is this used?  Is it run from a CGI script to check the signature or
>> (en|de)crypt a file?
>>
>>      
Yes, it is run from a CGI script to check the signature or (en|de)crypt 
a file. Related bug #562083.

We also added the following change

  optional_policy(`
      tunable_policy(`httpd_enable_cgi && httpd_use_gpg',`
-        gpg_domtrans(httpd_t)
+       gpg_domtrans_web(httpd_t)
      ')
  ')
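
Review bot: the replacement line still grants the transition to httpd_t, although the enclosing tunable_policy is gated on httpd_enable_cgi and this message says gpg is run from a CGI script. If the caller is the script rather than the server process, the transition belongs on the CGI script domain, so that the server itself does not gain a path into a gpg domain. The definition of gpg_domtrans_web is not part of this hunk; please post it with its interface documentation so the target domain and the permissions it carries can be reviewed. The added line is also indented one column less than the line it replaces.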

Regards,
Miroslav
> Yes and Yes, I think.

* [refpolicy] apps_gpg.patch
@ 2010-08-26 22:37 Daniel J Walsh
  0 siblings, 0 replies; 15+ messages in thread
From: Daniel J Walsh @ 2010-08-26 22:37 UTC (permalink / raw)
  To: refpolicy

http://people.fedoraproject.org/~dwalsh/SELinux/F14/apps_gpg.patch

gpg for the web