Written by: Martin Orr Allow gpg dac_read_search and dac_override Allow gpg to manage files in /etc/apt For use by apt postinst
Index: policy/modules/apps/gpg.te
===================================================================
--- policy/modules/apps/gpg.te.orig
+++ policy/modules/apps/gpg.te
@@ -68,7 +68,7 @@
 # GPG local policy
 #
-allow gpg_t self:capability { ipc_lock setuid };
+allow gpg_t self:capability { ipc_lock setuid dac_read_search dac_override };
 # setrlimit is for ulimit -c 0
 allow gpg_t self:process { signal signull setrlimit getcap setcap setpgid };
@@ -109,6 +109,8 @@
 dev_read_urand(gpg_t)
 dev_read_generic_usb_dev(gpg_t)
+files_manage_etc_files(gpg_t)
+
 fs_getattr_xattr_fs(gpg_t)
 fs_list_inotifyfs(gpg_t)
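Review bot: The capability rule in the first hunk gives `dac_read_search` and `dac_override` to every process that runs in `gpg_t`, while the description names only apt's postinst as the reason. `dac_override` lets a gpg process running as root ignore file mode bits for read, write and execute, so it is worth checking whether `dac_read_search` alone covers the keyring access and dropping `dac_override` if it does. If both have to stay, record the reason above the rule, for example `# dac_read_search dac_override: apt postinst runs gpg as root on keyrings under /etc/apt` (wording to be confirmed against the actual denial).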
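Review bot: `files_manage_etc_files(gpg_t)` in the second hunk is wider than the description's "manage files in /etc/apt", because it applies to every file carrying the generic etc type rather than only to apt's keyrings. Combined with the `dac_override` added in the first hunk, a gpg process running as root in `gpg_t` could create, modify or delete those files regardless of their mode. A narrower grant would label the apt keyring files with their own type and allow only that, along the lines of `manage_files_pattern(gpg_t, <apt_keyring_type>, <apt_keyring_type>)`, where the type name is a placeholder. If the broad interface is kept, add a comment such as `# apt postinst: gpg updates the keyrings under /etc/apt` so the scope is not widened further by accident.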