2016-10-27 14:59:49

by Jason Zaman

Subject: [refpolicy] [PATCH v2 2/4] gpg: add new socket paths

GPG 2.1 has sockets in /run/user/UID/gnupg/ and
~/.gnupg/S.gpg-agent{,.ssh}.

Also allow pinentry to chat with gnome-keyring (gkeyringd) over D-Bus.
---
v2: escape . in fcontexts recommended by Nicolas Iooss

gpg.fc | 4 ++++
gpg.if | 4 ++++
gpg.te | 8 ++++++++
3 files changed, 16 insertions(+)

diff --git a/gpg.fc b/gpg.fc
index 888cd2c..3f1d1d2 100644
--- a/gpg.fc
+++ b/gpg.fc
@@ -1,5 +1,7 @@
HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0)
HOME_DIR/\.gnupg/log-socket -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
+HOME_DIR/\.gnupg/S\.gpg-agent -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
+HOME_DIR/\.gnupg/S\.gpg-agent\.ssh -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)

/usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0)
/usr/bin/gpgsm -- gen_context(system_u:object_r:gpg_exec_t,s0)
@@ -8,3 +10,5 @@ HOME_DIR/\.gnupg/log-socket -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)

/usr/lib/gnupg/.* -- gen_context(system_u:object_r:gpg_exec_t,s0)
/usr/lib/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0)
+
+/var/run/user/%{USERID}/gnupg(/.*)? gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
diff --git a/gpg.if b/gpg.if
index 0370dd1..5f4cefc 100644
--- a/gpg.if
+++ b/gpg.if
@@ -205,9 +205,13 @@ interface(`gpg_rw_agent_pipes',`
interface(`gpg_stream_connect_agent',`
gen_require(`
type gpg_agent_t, gpg_agent_tmp_t;
+ type gpg_secret_t;
')

stream_connect_pattern($1, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)
+ allow $1 gpg_secret_t:dir search_dir_perms;
+ userdom_search_user_runtime($1)
+ userdom_search_user_home_dirs($1)
')
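Review bot: The interface now grants every caller `allow $1 gpg_secret_t:dir search_dir_perms;` as a side effect of asking for a stream connect, and the interface's doc comment (above the hunk, outside view) should say so, since callers that only wanted the socket now also get traversal of the user's ~/.gnupg. search_dir_perms does not include read, so a caller cannot list the directory, but it can presumably probe whether a given name exists under gpg_secret_t. I would add to the interface description something like `## Also grants search on ~/.gnupg (gpg_secret_t), the user home dir and the user runtime dir so the agent socket path can be resolved.` The interface's header and its `<summary>` block begin outside the hunk.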

########################################
diff --git a/gpg.te b/gpg.te
index 7b4ba9d..61da3a7 100644
--- a/gpg.te
+++ b/gpg.te
@@ -229,6 +229,8 @@ manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })

filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "log-socket")
+filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent")
+filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.ssh")

domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t)

@@ -250,6 +252,8 @@ miscfiles_read_localization(gpg_agent_t)

userdom_use_user_terminals(gpg_agent_t)
userdom_search_user_home_dirs(gpg_agent_t)
+userdom_search_user_runtime(gpg_agent_t)
+userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, dir)

ifdef(`hide_broken_symptoms',`
userdom_dontaudit_read_user_tmp_files(gpg_agent_t)
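Review bot: `userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, dir)` is an unnamed transition, so every directory gpg_agent_t creates directly under the user runtime dir becomes gpg_agent_tmp_t, not only the `gnupg` directory that the new gpg.fc entry labels. If the interface takes an optional filename argument as other refpolicy filetrans interfaces do, `userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, dir, "gnupg")` would match the file-context entry exactly and confine the transition to that one name. That keeps the on-disk label and the runtime transition from diverging if the agent ever creates some other directory there.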
@@ -339,6 +343,10 @@ tunable_policy(`use_samba_home_dirs',`
optional_policy(`
dbus_all_session_bus_client(gpg_pinentry_t)
dbus_system_bus_client(gpg_pinentry_t)
+
+ optional_policy(`
+ gnome_dbus_chat_all_gkeyringd(gpg_pinentry_t)
+ ')
')

optional_policy(`
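Review bot: The added `gnome_dbus_chat_all_gkeyringd(gpg_pinentry_t)` carries no comment saying why pinentry needs gnome-keyring, and the commit message only states that it is allowed; judging by the interface name it permits D-Bus chat with every user's keyring daemon rather than just the caller's own, which is a wider grant than the rest of the pinentry rules. A short why-comment would let the next reviewer judge the scope, e.g. `# pinentry (gnome3 flavour) uses gnome-keyring over D-Bus for passphrase storage -- confirm`, if that is the trigger. The enclosing optional_policy block begins inside the hunk but the optional_policy opened on the last line continues outside it.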
--
2.7.3


2016-10-30 18:21:09

by Chris PeBenito

Subject: [refpolicy] [PATCH v2 2/4] gpg: add new socket paths

On 10/27/16 10:59, Jason Zaman wrote:
> GPG 2.1 has sockets in /run/user/UID/gnupg/ and
> ~/.gnupg/S.gpg-agent{,.ssh}.
>
> also allow pinentry to dbus chat gkeyring
> ---
> v2: escape . in fcontexts recommended by Nicolas Iooss
>
> gpg.fc | 4 ++++
> gpg.if | 4 ++++
> gpg.te | 8 ++++++++
> 3 files changed, 16 insertions(+)
>
> diff --git a/gpg.fc b/gpg.fc
> index 888cd2c..3f1d1d2 100644
> --- a/gpg.fc
> +++ b/gpg.fc
> @@ -1,5 +1,7 @@
> HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0)
> HOME_DIR/\.gnupg/log-socket -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
> +HOME_DIR/\.gnupg/S\.gpg-agent -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
> +HOME_DIR/\.gnupg/S\.gpg-agent\.ssh -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
>
> /usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0)
> /usr/bin/gpgsm -- gen_context(system_u:object_r:gpg_exec_t,s0)
> @@ -8,3 +10,5 @@ HOME_DIR/\.gnupg/log-socket -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
>
> /usr/lib/gnupg/.* -- gen_context(system_u:object_r:gpg_exec_t,s0)
> /usr/lib/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0)
> +
> +/var/run/user/%{USERID}/gnupg(/.*)? gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
> diff --git a/gpg.if b/gpg.if
> index 0370dd1..5f4cefc 100644
> --- a/gpg.if
> +++ b/gpg.if
> @@ -205,9 +205,13 @@ interface(`gpg_rw_agent_pipes',`
> interface(`gpg_stream_connect_agent',`
> gen_require(`
> type gpg_agent_t, gpg_agent_tmp_t;
> + type gpg_secret_t;
> ')
>
> stream_connect_pattern($1, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)
> + allow $1 gpg_secret_t:dir search_dir_perms;
> + userdom_search_user_runtime($1)
> + userdom_search_user_home_dirs($1)
> ')
>
> ########################################
> diff --git a/gpg.te b/gpg.te
> index 7b4ba9d..61da3a7 100644
> --- a/gpg.te
> +++ b/gpg.te
> @@ -229,6 +229,8 @@ manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
> files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })
>
> filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "log-socket")
> +filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent")
> +filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.ssh")
>
> domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t)
>
> @@ -250,6 +252,8 @@ miscfiles_read_localization(gpg_agent_t)
>
> userdom_use_user_terminals(gpg_agent_t)
> userdom_search_user_home_dirs(gpg_agent_t)
> +userdom_search_user_runtime(gpg_agent_t)
> +userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, dir)
>
> ifdef(`hide_broken_symptoms',`
> userdom_dontaudit_read_user_tmp_files(gpg_agent_t)
> @@ -339,6 +343,10 @@ tunable_policy(`use_samba_home_dirs',`
> optional_policy(`
> dbus_all_session_bus_client(gpg_pinentry_t)
> dbus_system_bus_client(gpg_pinentry_t)
> +
> + optional_policy(`
> + gnome_dbus_chat_all_gkeyringd(gpg_pinentry_t)
> + ')
> ')
>
> optional_policy(`

Merged.

--
Chris PeBenito