commit: 91bc9686ff5065f7cdcce4ec14ac9d6dd89b769d
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun May 7 13:42:53 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu May 25 17:03:59 2017 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=91bc9686
dirmngr: fcontext for ~/.gnupg/crls.d/
policy/modules/contrib/dirmngr.fc | 2 ++
policy/modules/contrib/dirmngr.te | 7 +++++++
policy/modules/contrib/gpg.if | 20 ++++++++++++++++++++
3 files changed, 29 insertions(+)
diff --git a/policy/modules/contrib/dirmngr.fc
b/policy/modules/contrib/dirmngr.fc
index a9cf15a8..60f19f47 100644
--- a/policy/modules/contrib/dirmngr.fc
+++ b/policy/modules/contrib/dirmngr.fc
@@ -1,3 +1,5 @@
+HOME_DIR/\.gnupg/crls\.d(/.+)?
gen_context(system_u:object_r:dirmngr_home_t,s0)
+
/etc/dirmngr(/.*)? gen_context(system_u:object_r:dirmngr_conf_t,s0)
/etc/rc\.d/init\.d/dirmngr --
gen_context(system_u:object_r:dirmngr_initrc_exec_t,s0)
diff --git a/policy/modules/contrib/dirmngr.te
b/policy/modules/contrib/dirmngr.te
index 8e4a1a89..17cce56a 100644
--- a/policy/modules/contrib/dirmngr.te
+++ b/policy/modules/contrib/dirmngr.te
@@ -27,6 +27,9 @@ files_type(dirmngr_var_lib_t)
type dirmngr_var_run_t;
files_pid_file(dirmngr_var_run_t)
+type dirmngr_home_t;
+userdom_user_home_content(dirmngr_home_t)
+
########################################
#
# Local policy
@@ -37,6 +40,8 @@ allow dirmngr_t self:fifo_file rw_file_perms;
allow dirmngr_t dirmngr_conf_t:dir list_dir_perms;
allow dirmngr_t dirmngr_conf_t:file read_file_perms;
allow dirmngr_t dirmngr_conf_t:lnk_file read_lnk_file_perms;
+allow dirmngr_t dirmngr_home_t:dir list_dir_perms;
+allow dirmngr_t dirmngr_home_t:file read_file_perms;
manage_dirs_pattern(dirmngr_t, dirmngr_log_t, dirmngr_log_t)
append_files_pattern(dirmngr_t, dirmngr_log_t, dirmngr_log_t)
@@ -61,6 +66,7 @@ kernel_read_crypto_sysctls(dirmngr_t)
files_read_etc_files(dirmngr_t)
miscfiles_read_localization(dirmngr_t)
+miscfiles_read_generic_certs(dirmngr_t)
userdom_search_user_home_dirs(dirmngr_t)
userdom_search_user_runtime(dirmngr_t)
@@ -68,4 +74,5 @@ userdom_user_runtime_filetrans(dirmngr_t, dirmngr_tmp_t, dir)
optional_policy(`
gpg_agent_tmp_filetrans(dirmngr_t, dirmngr_tmp_t, sock_file)
+ gpg_secret_filetrans(dirmngr_t, dirmngr_home_t, dir)
')
diff --git a/policy/modules/contrib/gpg.if b/policy/modules/contrib/gpg.if
index 4480f9c6..e5a12750 100644
--- a/policy/modules/contrib/gpg.if
+++ b/policy/modules/contrib/gpg.if
@@ -254,6 +254,26 @@ interface(`gpg_agent_tmp_filetrans',`
########################################
## <summary>
+## filetrans in gpg_secret_t dirs
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gpg_secret_filetrans',`
+ gen_require(`
+ type gpg_secret_t;
+ ')
+
+ filetrans_pattern($1, gpg_secret_t, $2, $3, $4)
+ allow $1 gpg_secret_t:dir search_dir_perms;
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
## Send messages to and from gpg
## pinentry over DBUS.
## </summary>
