From Debian package 0.2.20100524-8 * Allow gpg_agent_t to read etc_t files and sysctl_crypto_t From Debian package 0.2.20100524-9 * Label ~/.gnupg/gpg.conf as user_home_t and allow user_t to list directories of type gpg_secret_t so gpg-agent can start. * Allow gpg_agent_t to launch a user session and send sigchld to xdm_t * Allow user_ssh_agent_t to send sigchld to xdm_t and allow it to run the gpg agent. From Debian package 0.2.20100524-10 * Label gpgsm as gpg_exec_t From Debian package 0.2.20100524-11 * Allow gpg_agent_t to create sock_files under ~/.gnupg Allow gpg_pinentry_t to read var_lib_t files for fonts.conf Index: policy/modules/apps/gpg.te =================================================================== --- policy/modules/apps/gpg.te.orig +++ policy/modules/apps/gpg.te @@ -53,6 +53,7 @@ typealias gpg_pinentry_t alias { auditadm_gpg_pinentry_t secadm_gpg_pinentry_t }; application_domain(gpg_pinentry_t, pinentry_exec_t) ubac_constrained(gpg_pinentry_t) +files_read_var_lib_files(gpg_pinentry_t) type gpg_pinentry_tmp_t; files_tmp_file(gpg_pinentry_tmp_t) @@ -222,6 +223,9 @@ manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t) manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t) files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir }) +filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file) +files_read_etc_files(gpg_agent_t) +kernel_read_crypto_sysctls(gpg_agent_t) # allow gpg to connect to the gpg agent stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t) @@ -272,6 +276,10 @@ mozilla_dontaudit_rw_user_home_files(gpg_agent_t) ') +optional_policy(` + xdm_sigchld(gpg_agent_t) +') + ############################## # # Pinentry local policy Index: policy/modules/apps/gpg.fc =================================================================== --- policy/modules/apps/gpg.fc.orig +++ policy/modules/apps/gpg.fc 
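Review bot: `files_read_var_lib_files(gpg_pinentry_t)` in the first gpg.te hunk has no why-comment, although the same file documents its rule groups (`# allow gpg to connect to the gpg agent` is visible a few lines below in the next hunk) and the changelog gives the reason (fonts.conf). Suggest `# pinentry reads fontconfig data labelled var_lib_t (fonts.conf)` directly above the rule. The interface grants read on every var_lib_t file, not just the font configuration; if that file has, or could be given, a more specific type, a narrower rule would be preferable, but that cannot be judged from this hunk.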
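Review bot: `filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file)` in the second gpg.te hunk does more than the changelog's "create sock_files under ~/.gnupg": the pattern also allows rw_dir_perms on every gpg_secret_t directory to gpg_agent_t, which is only harmless if the agent already manages that directory elsewhere in its local policy (not visible in this hunk). The three new rules also carry no comment, unlike the neighbouring rule groups; suggest `# gpg-agent creates its sockets in ~/.gnupg and reads /etc and crypto sysctls at startup` above `filetrans_pattern`. The type_transition applies to every sock_file the agent creates in ~/.gnupg, which the gpg.fc hunk only partly mirrors (see the note there).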
@@ -1,6 +1,9 @@ HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0) +HOME_DIR/\.gnupg/gpg.conf gen_context(system_u:object_r:user_home_t,s0) +HOME_DIR/\.gnupg/log-socket gen_context(system_u:object_r:gpg_agent_tmp_t,s0) /usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0) +/usr/bin/gpgsm -- gen_context(system_u:object_r:gpg_agent_exec_t,s0) /usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0) /usr/bin/kgpg -- gen_context(system_u:object_r:gpg_exec_t,s0) /usr/bin/pinentry.* -- gen_context(system_u:object_r:pinentry_exec_t,s0) Index: policy/modules/apps/gpg.if =================================================================== --- policy/modules/apps/gpg.if.orig +++ policy/modules/apps/gpg.if @@ -22,6 +22,7 @@ type gpg_agent_tmp_t; type gpg_helper_t, gpg_pinentry_t; type gpg_pinentry_tmp_t; + type gpg_secret_t; ') role $1 types { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t }; @@ -54,6 +55,8 @@ manage_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t) relabel_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t) + allow $2 gpg_secret_t:dir list_dir_perms; + optional_policy(` gpg_pinentry_dbus_chat($2) ') 
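Review bot: `/usr/bin/gpgsm` is labelled gpg_agent_exec_t here, but the changelog entry for -10 says it is labelled gpg_exec_t; one of the two is wrong. gpgsm is a user-facing client like gpg, and with gpg_agent_exec_t a user invoking it enters gpg_agent_t, the domain that this same patch allows to auto-transition back to the user domain through shell and bin executables, so the label deserves a deliberate decision; if it should behave like gpg the line is `/usr/bin/gpgsm -- gen_context(system_u:object_r:gpg_exec_t,s0)`. Separately, only `log-socket` gets gpg_agent_tmp_t while the gpg.te hunk's type_transition covers every sock_file the agent creates under ~/.gnupg, so a relabel would revert any other agent socket to gpg_secret_t and break the stream_connect rules; add an entry for the agent's main socket (presumably S.gpg-agent) or a comment explaining why log-socket alone is covered.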
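Review bot: `allow $2 gpg_secret_t:dir list_dir_perms;` in the third hunk of gpg.if is inserted between the pinentry socket rules and the dbus optional_policy with no comment, so the reason the changelog gives (the user domain must list ~/.gnupg for gpg-agent to start) is lost to the next reader. Suggest `# list ~/.gnupg so the user domain can start gpg-agent` on the line above it. It is worth confirming the user domain does not already obtain this through a user-home-content attribute, in which case the rule is redundant rather than wrong. The enclosing interface begins outside the hunk.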
@@ -67,6 +70,49 @@ ') ') +############################################################ +## +## Transition to gpg_agent_t from another domain +## Used for ssh_agent_t to launch the gpg agent for X logins +## +## +## +## domain to run the gpg agent +## +## +# +interface(`run_gpg_agent',` + gen_require(` + type gpg_agent_t, gpg_agent_exec_t; + ') + domtrans_pattern($1, gpg_agent_exec_t, gpg_agent_t) +') + +######################################## +## +## Transition to a user domain from gpg_agent_t +## +## +## +## Domain to transition to +## +## +## +## +## Type of file for log data - usually a home type +## +## +# +interface(`gpg_agent_domtrans_user',` + gen_require(` + type gpg_agent_t, shell_exec_t, bin_t; + ') + allow $1 gpg_agent_t:fd use; + allow gpg_agent_t $1:process signull; + allow gpg_agent_t $2:file { getattr append }; + domain_auto_trans(gpg_agent_t, { shell_exec_t bin_t }, $1) +') + ######################################## ## ## Transition to a user gpg domain. Index: policy/modules/roles/unprivuser.te =================================================================== --- policy/modules/roles/unprivuser.te.orig +++ policy/modules/roles/unprivuser.te @@ -67,6 +67,7 @@ optional_policy(` gpg_role(user_r, user_t) + gpg_agent_domtrans_user(user_t, user_home_t) ') optional_policy(` Index: policy/modules/services/ssh.if =================================================================== --- policy/modules/services/ssh.if.orig +++ policy/modules/services/ssh.if @@ -421,6 +421,11 @@ ') optional_policy(` + run_gpg_agent($1_ssh_agent_t) + ') + + optional_policy(` + xdm_sigchld($1_ssh_agent_t) xserver_use_xdm_fds($1_ssh_agent_t) xserver_rw_xdm_pipes($1_ssh_agent_t) ') Index: policy/modules/services/xserver.if =================================================================== --- policy/modules/services/xserver.if.orig +++ policy/modules/services/xserver.if 
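Review bot: `gpg_agent_domtrans_user` pulls `shell_exec_t` and `bin_t` into its gen_require and uses the old `domain_auto_trans` macro, whereas the rest of the patch (and the gpg.if hunk just above) uses the `domtrans_pattern`-style helpers; other modules' types should be reached through their own interfaces, so require only `type gpg_agent_t;` and replace the last line with `corecmd_shell_domtrans(gpg_agent_t, $1)` and `corecmd_bin_domtrans(gpg_agent_t, $1)`. `allow gpg_agent_t $2:file { getattr append }` lets the agent append to every file of the type passed as $2, which unprivuser.te sets to user_home_t, i.e. any file in the user's home; the parameter text says it is for log data, so either narrow the type at the call site or note in the summary that callers are granting append on the whole home type. `run_gpg_agent` also breaks the module naming convention visible in the same hunk (every other interface is `gpg_`-prefixed) and does not take a role as `run_` interfaces usually do; a name such as `gpg_domtrans_agent` with the same body would read as intended.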
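Review bot: The new `run_gpg_agent($1_ssh_agent_t)` block in ssh.if has no comment saying why an ssh-agent domain needs to start gpg-agent; the reason appears only in the Debian changelog. Suggest `# ssh-agent wraps gpg-agent for X logins` above the optional_policy. The enclosing template starts and ends outside the hunk, so whether `$1_ssh_agent_t` is already associated with the role that gpg_role assigns gpg_agent_t to cannot be checked here; if not, the transition will be denied by the role constraint.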
@@ -116,6 +116,24 @@ ######################################## ## +## Allow domain to send sigchld to xdm_t +## and environment. +## +## +## +## Domain allowed access. +## +## +# +interface(`xdm_sigchld',` + gen_require(` + type xdm_t; + ') + allow $1 xdm_t:process sigchld; +') + +######################################## +## ## Rules required for using the X Windows server ## and environment. ##
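Review bot: `interface(`xdm_sigchld',`` does not carry the `xserver_` prefix that every other interface in this file uses, and the ssh.if hunk in this same patch calls it right next to `xserver_use_xdm_fds` and `xserver_rw_xdm_pipes`, which makes the inconsistency visible at the call site; a name such as `xserver_xdm_sigchld` keeps the module convention, with the callers in gpg.te and ssh.if renamed to match. The summary text `## and environment.` is a copy-paste leftover from the following interface's summary and should be dropped, leaving `## Allow the domain to send sigchld to xdm_t` as the description.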