commit: 96ac8920f55e5a652c20aba99a599ce23a4d3c0d
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Mon Jun 5 14:42:24 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Jun 13 08:02:53 2017 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=96ac8920
gpg: manage user runtime socket files and directories
Update the gpg module so that it can correctly manage socket files
and directories in the user runtime directories.
Some other minor gpg fixes are also included in this patch.
This is the fifth version (v5) of this patch and it features some
improvements thanks to feedback received from Christopher PeBenito.
The dirmngr policy introduced in version 3 has now been removed
because dirmngr is handled in a separate module (although this
approach is probably wrong, it should be part of the gpg module).
Signed-off-by: Guido Trentalancia <guido at trentalancia.com>
policy/modules/contrib/gpg.fc | 2 +-
policy/modules/contrib/gpg.te | 23 ++++++++++++++++-------
2 files changed, 17 insertions(+), 8 deletions(-)
diff --git a/policy/modules/contrib/gpg.fc b/policy/modules/contrib/gpg.fc
index c428eb5c..c2c1236d 100644
--- a/policy/modules/contrib/gpg.fc
+++ b/policy/modules/contrib/gpg.fc
@@ -11,4 +11,4 @@ HOME_DIR/\.gnupg/S\.scdaemon -s
gen_context(system_u:object_r:gpg_agent_tmp_t,s
/usr/lib/gnupg/.* --
gen_context(system_u:object_r:gpg_exec_t,s0)
/usr/lib/gnupg/gpgkeys.* --
gen_context(system_u:object_r:gpg_helper_exec_t,s0)
-/run/user/%{USERID}/gnupg(/.*)?
gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
+/run/user/%{USERID}/gnupg(/.*)?
gen_context(system_u:object_r:gpg_runtime_t,s0)
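Review bot: The new file context labels the whole `/run/user/%{USERID}/gnupg(/.*)?` subtree as gpg_runtime_t, while the gpg.te hunk at `@@ -220,17 +228,16 @@` adds `filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, sock_file)`, so sockets the agent creates there get gpg_agent_tmp_t at runtime but would be relabeled to gpg_runtime_t by restorecon, leaving the on-disk and runtime labels in disagreement. An explicit socket entry, following the existing `HOME_DIR/\.gnupg/S\.scdaemon -s` line, would keep them consistent, e.g. `/run/user/%{USERID}/gnupg/S\..* -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)` (the removed named transitions also show a `log-socket` name, which that pattern would not cover). Alternatively, if gpg_runtime_t is meant to be the socket label too, the gpg.te transition should target gpg_runtime_t instead; either way the two files should agree.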
diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
index bd8e0c96..60b701cf 100644
--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -29,6 +29,9 @@ type gpg_exec_t;
userdom_user_application_domain(gpg_t, gpg_exec_t)
role gpg_roles types gpg_t;
+type gpg_runtime_t;
+files_pid_file(gpg_runtime_t)
+
type gpg_agent_t;
type gpg_agent_exec_t;
userdom_user_application_domain(gpg_agent_t, gpg_agent_exec_t)
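Review bot: gpg_runtime_t is declared with `files_pid_file(gpg_runtime_t)` although, per the gpg.fc hunk, it labels per-user content under `/run/user/%{USERID}/gnupg`, not a system pid file; as a pid file type it presumably becomes reachable through any generic pid-file interface granted to other domains, which is broader than a per-user runtime directory needs. If the userdomain module offers a user-runtime content declaration, that would be the more precise choice; otherwise the intent deserves a comment above the type, such as `# per-user runtime dir: /run/user/%{USERID}/gnupg`, so the next reader does not mistake it for a daemon pid file.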
@@ -72,8 +75,12 @@ dontaudit gpg_t self:netlink_audit_socket
r_netlink_socket_perms;
allow gpg_t self:fifo_file rw_fifo_file_perms;
allow gpg_t self:tcp_socket { accept listen };
+manage_dirs_pattern(gpg_t, gpg_runtime_t, gpg_runtime_t)
+userdom_user_runtime_filetrans(gpg_t, gpg_runtime_t, dir, "gnupg")
+
manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
+manage_sock_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
files_tmp_filetrans(gpg_t, gpg_agent_tmp_t, { dir file })
manage_dirs_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
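Review bot: `manage_sock_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)` is added, but the `files_tmp_filetrans(gpg_t, gpg_agent_tmp_t, { dir file })` line right after it is not extended, so a socket gpg_t creates in /tmp would inherit the directory label rather than gpg_agent_tmp_t and the new rule would not apply to it; the agent's counterpart in the later hunk uses `{ file sock_file dir }`. Suggested change: `files_tmp_filetrans(gpg_t, gpg_agent_tmp_t, { dir file sock_file })`. Likewise, gpg_t gets only dir rules on gpg_runtime_t, with no sock_file transition under it as gpg_agent_t receives at `filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, sock_file)`; if gpg_t itself creates sockets in the gnupg runtime directory, the same transition is needed here, otherwise the manage_sock_files rule for gpg_t may be unnecessary.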
@@ -124,6 +131,7 @@ miscfiles_read_localization(gpg_t)
userdom_use_user_terminals(gpg_t)
+userdom_manage_user_tmp_dirs(gpg_t)
userdom_manage_user_tmp_files(gpg_t)
userdom_manage_user_home_content_files(gpg_t)
userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)
@@ -220,17 +228,16 @@ manage_sock_files_pattern(gpg_agent_t, gpg_secret_t,
gpg_secret_t)
manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
+manage_dirs_pattern(gpg_agent_t, gpg_runtime_t, gpg_runtime_t)
+userdom_user_runtime_filetrans(gpg_agent_t, gpg_runtime_t, dir, "gnupg")
+
manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })
-filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file,
"log-socket")
-filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file,
"S.gpg-agent")
-filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file,
"S.gpg-agent.browser")
-filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file,
"S.gpg-agent.extra")
-filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file,
"S.gpg-agent.ssh")
-filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file,
"S.scdaemon")
+filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file)
+filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, sock_file)
domtrans_pattern(gpg_agent_t, gpg_pinentry_exec_t, gpg_pinentry_t)
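Review bot: The six name-specific transitions (`S.gpg-agent`, `S.gpg-agent.browser`, `S.gpg-agent.extra`, `S.gpg-agent.ssh`, `S.scdaemon`, `log-socket`) are collapsed into the unnamed `filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file)`, so any socket gpg_agent_t creates in a gpg_secret_t directory now becomes gpg_agent_tmp_t, not just the known agent sockets. That is a deliberate loosening and presumably follows the review feedback mentioned in the description, but the reason is not recorded in the file; a one-line comment above the two unnamed transitions, e.g. `# agent socket names vary by version; unnamed transition covers all of them`, would stop a later reader from restoring the named form. The same relaxed form is used for the gpg_runtime_t transition on the following line.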
@@ -255,7 +262,7 @@ miscfiles_read_localization(gpg_agent_t)
userdom_use_user_terminals(gpg_agent_t)
userdom_search_user_home_dirs(gpg_agent_t)
userdom_search_user_runtime(gpg_agent_t)
-userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, dir)
+userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, { dir file
sock_file })
ifdef(`hide_broken_symptoms',`
userdom_dontaudit_read_user_tmp_files(gpg_agent_t)
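Review bot: `userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, { dir file sock_file })` now labels every unnamed dir, file or socket the agent creates directly in the user runtime directory as gpg_agent_tmp_t, while the earlier hunk already sends the `gnupg` directory to gpg_runtime_t; the named transition wins for that one name, so the two do not conflict, but the broadened unnamed rule is only justified if gpg-agent creates objects outside `gnupg/`. If everything the agent writes lives under `gnupg/`, this line could be dropped, and if not, a comment naming what is created directly in the runtime dir would document why the widening from `dir` to `{ dir file sock_file }` is needed. The enclosing block is cut at the hunk boundary, so other rules for gpg_agent_t may be outside this view.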
@@ -315,6 +322,7 @@ fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, {
file dir })
can_exec(gpg_pinentry_t, gpg_pinentry_exec_t)
+kernel_dontaudit_search_sysctl(gpg_pinentry_t)
kernel_read_system_state(gpg_pinentry_t)
corecmd_exec_shell(gpg_pinentry_t)
@@ -332,6 +340,7 @@ domain_use_interactive_fds(gpg_pinentry_t)
files_read_usr_files(gpg_pinentry_t)
+fs_dontaudit_getattr_xattr_fs(gpg_pinentry_t)
fs_dontaudit_list_inotifyfs(gpg_pinentry_t)
auth_use_nsswitch(gpg_pinentry_t)