Introduce gpg_exec interface
Some applications might want to execute gpg without requiring a transition. A possible use case is to allow applications to validate signatures (made by GnuPG). As long as the application doesn't need to generate signatures itself and its trustdb is not marked as gpg_secret_t, it suffices to grant it gpg_exec(). Note that it does require the application to have read/write rights in the directory where the trustdb is stored (as gpg tries to generate lock files where the trustdb file is located).

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
parent 356c704f4d
commit 3274da931e
@ -85,6 +85,24 @@ interface(`gpg_domtrans',`
|
||||
domtrans_pattern($1, gpg_exec_t, gpg_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute the gpg application without transitioning
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed to execute gpg
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`gpg_exec',`
|
||||
gen_require(`
|
||||
type gpg_exec_t;
|
||||
')
|
||||
|
||||
can_exec($1, gpg_exec_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send generic signals to user gpg processes.
|
||||
|
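Review bot: The documentation block for gpg_exec does not mention the caveat from the commit message: a caller that only gets can_exec($1, gpg_exec_t) runs gpg in its own domain, so it also needs read/write access to the directory holding its trustdb (for the lock files), and the interface does not grant that. Consider adding a <desc> section under the summary stating that the caller must be granted that access separately and that the interface is meant for signature validation where the trustdb is not labeled gpg_secret_t, so policy writers do not reach for it when gpg_domtrans is what they need. Minor style point: the summary "Execute the gpg application without transitioning" lacks the trailing period that the following interface's summary ("Send generic signals to user gpg processes.") has.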