authorChris PeBenito <cpebenito@tresys.com>2009-09-03 08:23:18 -0400
committerChris PeBenito <cpebenito@tresys.com>2009-09-03 08:23:18 -0400
commitca7fa520e7990b9e9ac838aa4138e4513601c77e (patch)
treec67ad54f8d10b5249f2dca3c7e981880fb2a15ab
parentf2f296ba6064f9ba343888e1a658425311890896 (diff)
gpg patch from dan.
gpg sends sigstop and signull. Reads USB devices. Can encrypt users' content in /tmp and the homedir, as well as on NFS and CIFS.
-rw-r--r--policy/modules/apps/gpg.if2
-rw-r--r--policy/modules/apps/gpg.te12
2 files changed, 10 insertions, 4 deletions
diff --git a/policy/modules/apps/gpg.if b/policy/modules/apps/gpg.if
index f264608d..260bd9d4 100644
--- a/policy/modules/apps/gpg.if
+++ b/policy/modules/apps/gpg.if
@@ -30,7 +30,7 @@ interface(`gpg_role',`
# allow ps to show gpg
ps_process_pattern($2, gpg_t)
- allow $2 gpg_t:process { signal sigkill };
+ allow $2 gpg_t:process { signull sigstop signal sigkill };
# communicate with the user
allow gpg_helper_t $2:fd use;
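Review bot: The widened `allow $2 gpg_t:process { signull sigstop signal sigkill };` line carries no comment, although the rules on either side of it do (`# allow ps to show gpg`, `# communicate with the user`). A one-line comment such as `# allow the role's domain to signal, stop and check for gpg processes` would record the direction of the grant: the rule lets $2 send these signals to gpg_t, which reads differently from the commit message's "gpg sends sigstop and signull". The body of the gpg_role interface starts and ends outside this hunk.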
diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te
index ff18fc77..9d162a8e 100644
--- a/policy/modules/apps/gpg.te
+++ b/policy/modules/apps/gpg.te
@@ -1,5 +1,5 @@
-policy_module(gpg, 2.1.0)
+policy_module(gpg, 2.1.1)
########################################
#
@@ -92,6 +92,7 @@ corenet_sendrecv_all_client_packets(gpg_t)
dev_read_rand(gpg_t)
dev_read_urand(gpg_t)
+dev_read_generic_usb_dev(gpg_t)
fs_getattr_xattr_fs(gpg_t)
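Review bot: `dev_read_generic_usb_dev(gpg_t)` is added unconditionally and without a comment, so every gpg_t process gains read access to generic USB device nodes whether or not the host uses any such hardware. The commit message only says "Reads usb devices"; presumably this is for card readers or tokens, and a comment on the line should say which, e.g. `# read usb devices (name the hardware this is needed for)`. The hunk header shows gpg_t also has `corenet_sendrecv_all_client_packets`, so it is worth considering whether this line belongs inside a `tunable_policy` block, letting hosts that do not need it leave the access off.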
@@ -145,13 +146,18 @@ files_read_etc_files(gpg_helper_t)
auth_use_nsswitch(gpg_helper_t)
userdom_use_user_terminals(gpg_helper_t)
+# sign/encrypt user files
+userdom_manage_user_tmp_files(gpg_t)
+userdom_manage_user_home_content_files(gpg_t)
tunable_policy(`use_nfs_home_dirs',`
- fs_dontaudit_rw_nfs_files(gpg_helper_t)
+ fs_manage_nfs_dirs(gpg_t)
+ fs_manage_nfs_files(gpg_t)
')
tunable_policy(`use_samba_home_dirs',`
- fs_dontaudit_rw_cifs_files(gpg_helper_t)
+ fs_manage_cifs_dirs(gpg_t)
+ fs_manage_cifs_files(gpg_t)
')
optional_policy(`
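Review bot: Both tunable blocks drop the `fs_dontaudit_rw_nfs_files(gpg_helper_t)` and `fs_dontaudit_rw_cifs_files(gpg_helper_t)` rules and replace them with rules for a different domain, gpg_t. As far as this hunk shows, gpg_helper_t is then left without the dontaudit on NFS/CIFS home directories, and the denials those rules silenced would presumably reappear in the audit log. If that is not intended, keep `fs_dontaudit_rw_nfs_files(gpg_helper_t)` and `fs_dontaudit_rw_cifs_files(gpg_helper_t)` in their blocks next to the new lines. The new gpg_t rules also sit among gpg_helper_t rules (the context above is `auth_use_nsswitch(gpg_helper_t)` and `userdom_use_user_terminals(gpg_helper_t)`) and would be easier to audit in the gpg_t section. Separately, `userdom_manage_user_home_content_files(gpg_t)` grants manage rights over all user home content to a domain that an earlier hunk header shows has network client access; a comment stating why full manage is required, rather than a narrower interface, would help reviewers judge the exposure.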