2017-05-21 16:21:04

by Guido Trentalancia

Subject: [refpolicy] [PATCH] gpg: manage user runtime socket files and directories

Update the gpg module so that it can correctly manage socket files
and directories in the user runtime directories.

Some other minor fixes are also included in this patch.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/gpg.te | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)

--- a/policy/modules/contrib/gpg.te 2017-04-26 17:47:20.555423022 +0200
+++ b/policy/modules/contrib/gpg.te 2017-05-21 18:13:36.728343506 +0200
@@ -124,6 +124,8 @@ miscfiles_read_localization(gpg_t)

userdom_use_user_terminals(gpg_t)

+userdom_manage_user_runtime_dirs(gpg_t)
+userdom_manage_user_tmp_dirs(gpg_t)
userdom_manage_user_tmp_files(gpg_t)
userdom_manage_user_home_content_files(gpg_t)
userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)
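Review bot: gpg_t gains `userdom_manage_user_runtime_dirs(gpg_t)` in this hunk but, unlike gpg_agent_t in the second hunk, no `userdom_user_runtime_filetrans`, so a directory gpg_t creates under the user runtime directory keeps the user_runtime_t label while the same directory created by the agent becomes gpg_agent_tmp_t; the label of the gnupg directory would then depend on which domain happens to create it first. If gpg_t is meant to create that directory it needs a matching transition, `userdom_user_runtime_filetrans(gpg_t, gpg_agent_tmp_t, dir)`, which presumes gpg_t may write gpg_agent_tmp_t (not shown in these lines); if it is not, `userdom_search_user_runtime(gpg_t)`, the interface the agent already uses two hunks down, would be enough and manage could be dropped. The commit message should say which of the two is intended, since it only describes socket handling for the agent.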
@@ -247,10 +249,14 @@ fs_dontaudit_list_inotifyfs(gpg_agent_t)

miscfiles_read_localization(gpg_agent_t)

+userdom_manage_user_runtime_dirs(gpg_agent_t)
+userdom_manage_user_tmp_dirs(gpg_agent_t)
+userdom_manage_user_tmp_files(gpg_agent_t)
+
userdom_use_user_terminals(gpg_agent_t)
userdom_search_user_home_dirs(gpg_agent_t)
userdom_search_user_runtime(gpg_agent_t)
-userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, dir)
+userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, { dir file sock_file })

ifdef(`hide_broken_symptoms',`
userdom_dontaudit_read_user_tmp_files(gpg_agent_t)
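Review bot: `userdom_manage_user_tmp_files(gpg_agent_t)` added in this hunk makes the `userdom_dontaudit_read_user_tmp_files(gpg_agent_t)` inside the hide_broken_symptoms block just below it dead, because manage already allows read on the same files and an allow rule takes precedence over a dontaudit. Either drop the dontaudit line together with this change or keep the agent's tmp access read-only if full manage is not actually required; as written, the block still documents a "broken symptom" that the new rule has silently turned into permitted access. The hide_broken_symptoms block continues past the end of the hunk.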
@@ -310,6 +316,7 @@ fs_tmpfs_filetrans(gpg_pinentry_t, gpg_p

can_exec(gpg_pinentry_t, gpg_pinentry_exec_t)

+kernel_dontaudit_search_sysctl(gpg_pinentry_t)
kernel_read_system_state(gpg_pinentry_t)

corecmd_exec_shell(gpg_pinentry_t)
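Review bot: `kernel_dontaudit_search_sysctl(gpg_pinentry_t)` silences a denial without recording what triggered it, and the commit message only says "other minor fixes"; the same applies to `fs_dontaudit_getattr_xattr_fs(gpg_pinentry_t)` in the last hunk. A dontaudit permanently hides that access path from the audit log, so each of these lines should carry a short comment naming the observed operation, e.g. `# pinentry probes <PATH-FROM-AVC-DENIAL>; not needed, silence it` with the path taken from the denial that motivated the change, and the commit message should list both rules. If either access is in fact needed for pinentry to work, it should be an allow rule rather than a dontaudit.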
@@ -327,6 +334,7 @@ domain_use_interactive_fds(gpg_pinentry_

files_read_usr_files(gpg_pinentry_t)

+fs_dontaudit_getattr_xattr_fs(gpg_pinentry_t)
fs_dontaudit_list_inotifyfs(gpg_pinentry_t)

auth_use_nsswitch(gpg_pinentry_t)


2017-05-22 23:24:59

by Chris PeBenito

Subject: [refpolicy] [PATCH] gpg: manage user runtime socket files and directories

On 05/21/2017 12:21 PM, Guido Trentalancia via refpolicy wrote:
> Update the gpg module so that it can correctly manage socket files
> and directories in the user runtime directories.
>
> Some other minor fixes are also included in this patch.
>
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/contrib/gpg.te | 10 +++++++++-
> 1 file changed, 9 insertions(+), 1 deletion(-)
>
> --- a/policy/modules/contrib/gpg.te 2017-04-26 17:47:20.555423022 +0200
> +++ b/policy/modules/contrib/gpg.te 2017-05-21 18:13:36.728343506 +0200
> @@ -124,6 +124,8 @@ miscfiles_read_localization(gpg_t)
>
> userdom_use_user_terminals(gpg_t)
>
> +userdom_manage_user_runtime_dirs(gpg_t)
> +userdom_manage_user_tmp_dirs(gpg_t)
> userdom_manage_user_tmp_files(gpg_t)
> userdom_manage_user_home_content_files(gpg_t)
> userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)
> @@ -247,10 +249,14 @@ fs_dontaudit_list_inotifyfs(gpg_agent_t)
>
> miscfiles_read_localization(gpg_agent_t)
>
> +userdom_manage_user_runtime_dirs(gpg_agent_t)
> +userdom_manage_user_tmp_dirs(gpg_agent_t)
> +userdom_manage_user_tmp_files(gpg_agent_t)

It's not clear what's going on here, but perhaps these make more sense as
a new gpg_runtime_t?


> userdom_use_user_terminals(gpg_agent_t)
> userdom_search_user_home_dirs(gpg_agent_t)
> userdom_search_user_runtime(gpg_agent_t)
> -userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, dir)
> +userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, { dir file sock_file })
>
> ifdef(`hide_broken_symptoms',`
> userdom_dontaudit_read_user_tmp_files(gpg_agent_t)
> @@ -310,6 +316,7 @@ fs_tmpfs_filetrans(gpg_pinentry_t, gpg_p
>
> can_exec(gpg_pinentry_t, gpg_pinentry_exec_t)
>
> +kernel_dontaudit_search_sysctl(gpg_pinentry_t)
> kernel_read_system_state(gpg_pinentry_t)
>
> corecmd_exec_shell(gpg_pinentry_t)
> @@ -327,6 +334,7 @@ domain_use_interactive_fds(gpg_pinentry_
>
> files_read_usr_files(gpg_pinentry_t)
>
> +fs_dontaudit_getattr_xattr_fs(gpg_pinentry_t)
> fs_dontaudit_list_inotifyfs(gpg_pinentry_t)
>
> auth_use_nsswitch(gpg_pinentry_t)


--
Chris PeBenito

2017-05-23 01:04:52

by Guido Trentalancia

Subject: [refpolicy] [PATCH] gpg: manage user runtime socket files and directories

Hello and thanks for getting back...

On the 23rd of May 2017 01:24:59 CEST, Chris PeBenito <[email protected]> wrote:
>On 05/21/2017 12:21 PM, Guido Trentalancia via refpolicy wrote:
>> Update the gpg module so that it can correctly manage socket files
>> and directories in the user runtime directories.
>>
>> Some other minor fixes are also included in this patch.
>>
>> Signed-off-by: Guido Trentalancia <[email protected]>
>> ---
>> policy/modules/contrib/gpg.te | 10 +++++++++-
>> 1 file changed, 9 insertions(+), 1 deletion(-)
>>
>> --- a/policy/modules/contrib/gpg.te 2017-04-26 17:47:20.555423022
>+0200
>> +++ b/policy/modules/contrib/gpg.te 2017-05-21 18:13:36.728343506
>+0200
>> @@ -124,6 +124,8 @@ miscfiles_read_localization(gpg_t)
>>
>> userdom_use_user_terminals(gpg_t)
>>
>> +userdom_manage_user_runtime_dirs(gpg_t)
>> +userdom_manage_user_tmp_dirs(gpg_t)
>> userdom_manage_user_tmp_files(gpg_t)
>> userdom_manage_user_home_content_files(gpg_t)
>> userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)
>> @@ -247,10 +249,14 @@ fs_dontaudit_list_inotifyfs(gpg_agent_t)
>>
>> miscfiles_read_localization(gpg_agent_t)
>>
>> +userdom_manage_user_runtime_dirs(gpg_agent_t)
>> +userdom_manage_user_tmp_dirs(gpg_agent_t)
>> +userdom_manage_user_tmp_files(gpg_agent_t)
>
>It's not clear whats going on here, but perhaps these make more sense
>as
>a new gpg_runtime_t?

The agent should be able to create a gnupg directory in /var/run/user/USERID/ and manage socket files in that directory...

>> userdom_use_user_terminals(gpg_agent_t)
>> userdom_search_user_home_dirs(gpg_agent_t)
>> userdom_search_user_runtime(gpg_agent_t)
>> -userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, dir)
>> +userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, { dir
>file sock_file })
>>
>> ifdef(`hide_broken_symptoms',`
>> userdom_dontaudit_read_user_tmp_files(gpg_agent_t)
>> @@ -310,6 +316,7 @@ fs_tmpfs_filetrans(gpg_pinentry_t, gpg_p
>>
>> can_exec(gpg_pinentry_t, gpg_pinentry_exec_t)
>>
>> +kernel_dontaudit_search_sysctl(gpg_pinentry_t)
>> kernel_read_system_state(gpg_pinentry_t)
>>
>> corecmd_exec_shell(gpg_pinentry_t)
>> @@ -327,6 +334,7 @@ domain_use_interactive_fds(gpg_pinentry_
>>
>> files_read_usr_files(gpg_pinentry_t)
>>
>> +fs_dontaudit_getattr_xattr_fs(gpg_pinentry_t)
>> fs_dontaudit_list_inotifyfs(gpg_pinentry_t)
>>
>> auth_use_nsswitch(gpg_pinentry_t)

2017-05-23 06:43:31

by Dac Override

Subject: [refpolicy] [PATCH] gpg: manage user runtime socket files and directories

On Tue, May 23, 2017 at 03:04:52AM +0200, Guido Trentalancia via refpolicy wrote:
> Hello and thanks for getting back...
>
> On the 23rd of May 2017 01:24:59 CEST, Chris PeBenito <[email protected]> wrote:
> >On 05/21/2017 12:21 PM, Guido Trentalancia via refpolicy wrote:
> >> Update the gpg module so that it can correctly manage socket files
> >> and directories in the user runtime directories.
> >>
> >> Some other minor fixes are also included in this patch.
> >>
> >> Signed-off-by: Guido Trentalancia <[email protected]>
> >> ---
> >> policy/modules/contrib/gpg.te | 10 +++++++++-
> >> 1 file changed, 9 insertions(+), 1 deletion(-)
> >>
> >> --- a/policy/modules/contrib/gpg.te 2017-04-26 17:47:20.555423022
> >+0200
> >> +++ b/policy/modules/contrib/gpg.te 2017-05-21 18:13:36.728343506
> >+0200
> >> @@ -124,6 +124,8 @@ miscfiles_read_localization(gpg_t)
> >>
> >> userdom_use_user_terminals(gpg_t)
> >>
> >> +userdom_manage_user_runtime_dirs(gpg_t)
> >> +userdom_manage_user_tmp_dirs(gpg_t)
> >> userdom_manage_user_tmp_files(gpg_t)
> >> userdom_manage_user_home_content_files(gpg_t)
> >> userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)
> >> @@ -247,10 +249,14 @@ fs_dontaudit_list_inotifyfs(gpg_agent_t)
> >>
> >> miscfiles_read_localization(gpg_agent_t)
> >>
> >> +userdom_manage_user_runtime_dirs(gpg_agent_t)
> >> +userdom_manage_user_tmp_dirs(gpg_agent_t)
> >> +userdom_manage_user_tmp_files(gpg_agent_t)
> >
> >It's not clear whats going on here, but perhaps these make more sense
> >as
> >a new gpg_runtime_t?
>
> The agent should be able to create a gnupg directory in /var/run/user/USERID/ and manage socket files in that directory...

The agent can't create USERID because its parent is owned by root and gpg-agent does not have permission to add directory entries to /var/run/user. systemd-logind, or some other privileged process, generally creates USERID on behalf of the user.
Also, the sockets should not go to /var/run/user/USERID/ but instead to /var/run/user/USERID/gnupg/, and gnupg can be created with an automatic type transition.

>
> >> userdom_use_user_terminals(gpg_agent_t)
> >> userdom_search_user_home_dirs(gpg_agent_t)
> >> userdom_search_user_runtime(gpg_agent_t)
> >> -userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, dir)
> >> +userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, { dir
> >file sock_file })
> >>
> >> ifdef(`hide_broken_symptoms',`
> >> userdom_dontaudit_read_user_tmp_files(gpg_agent_t)
> >> @@ -310,6 +316,7 @@ fs_tmpfs_filetrans(gpg_pinentry_t, gpg_p
> >>
> >> can_exec(gpg_pinentry_t, gpg_pinentry_exec_t)
> >>
> >> +kernel_dontaudit_search_sysctl(gpg_pinentry_t)
> >> kernel_read_system_state(gpg_pinentry_t)
> >>
> >> corecmd_exec_shell(gpg_pinentry_t)
> >> @@ -327,6 +334,7 @@ domain_use_interactive_fds(gpg_pinentry_
> >>
> >> files_read_usr_files(gpg_pinentry_t)
> >>
> >> +fs_dontaudit_getattr_xattr_fs(gpg_pinentry_t)
> >> fs_dontaudit_list_inotifyfs(gpg_pinentry_t)
> >>
> >> auth_use_nsswitch(gpg_pinentry_t)
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

2017-05-23 07:06:00

by Dac Override

Subject: [refpolicy] [PATCH] gpg: manage user runtime socket files and directories

On Tue, May 23, 2017 at 03:04:52AM +0200, Guido Trentalancia via refpolicy wrote:
> Hello and thanks for getting back...
>
> On the 23rd of May 2017 01:24:59 CEST, Chris PeBenito <[email protected]> wrote:
> >On 05/21/2017 12:21 PM, Guido Trentalancia via refpolicy wrote:
> >> Update the gpg module so that it can correctly manage socket files
> >> and directories in the user runtime directories.
> >>
> >> Some other minor fixes are also included in this patch.
> >>
> >> Signed-off-by: Guido Trentalancia <[email protected]>
> >> ---
> >> policy/modules/contrib/gpg.te | 10 +++++++++-
> >> 1 file changed, 9 insertions(+), 1 deletion(-)
> >>
> >> --- a/policy/modules/contrib/gpg.te 2017-04-26 17:47:20.555423022
> >+0200
> >> +++ b/policy/modules/contrib/gpg.te 2017-05-21 18:13:36.728343506
> >+0200
> >> @@ -124,6 +124,8 @@ miscfiles_read_localization(gpg_t)
> >>
> >> userdom_use_user_terminals(gpg_t)
> >>
> >> +userdom_manage_user_runtime_dirs(gpg_t)

gpg_t cannot create user runtime dirs because that requires root access

> >> +userdom_manage_user_tmp_dirs(gpg_t)

gpg_t shouldnt have to create generic user tmp dirs.

> >> userdom_manage_user_tmp_files(gpg_t)
> >> userdom_manage_user_home_content_files(gpg_t)
> >> userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)
> >> @@ -247,10 +249,14 @@ fs_dontaudit_list_inotifyfs(gpg_agent_t)
> >>
> >> miscfiles_read_localization(gpg_agent_t)
> >>
> >> +userdom_manage_user_runtime_dirs(gpg_agent_t)

gpg_agent_t cannot create user_runtime dirs because that requires root access

> >> +userdom_manage_user_tmp_dirs(gpg_agent_t)
> >> +userdom_manage_user_tmp_files(gpg_agent_t)

gpg-agent shouldnt have to create generic user tmp dirs and files

> >
> >It's not clear whats going on here, but perhaps these make more sense
> >as
> >a new gpg_runtime_t?
>
> The agent should be able to create a gnupg directory in /var/run/user/USERID/ and manage socket files in that directory...

Yes, so create a gpg_runtime_t type and allow gpg_t, gpg_agent_t, scdaemon, dirmngr to create XDG_RUNTIME_DIR/gnupg with an automatic type transition from user_tmp_t(?) to gpg_runtime_t

>
> >> userdom_use_user_terminals(gpg_agent_t)
> >> userdom_search_user_home_dirs(gpg_agent_t)
> >> userdom_search_user_runtime(gpg_agent_t)
> >> -userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, dir)
> >> +userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, { dir
> >file sock_file })

This would need to be revisited then because gpg_agent_t needs to be able to create XDG_RUNTIME_DIR/gnupg with type gpg_runtime_t (use a name-based automatic type transition for that because "gnupg" is predictable

here is my XDG_RUNTIME_DIR/gnupg to give an impression of some of the possibilities:

ls -alZ $XDG_RUNTIME_DIR/gnupg
total 0
drwx------. 2 kcinimod kcinimod wheel.id:wheel.role:gpg.tmpfs.user_tmpfs_file:s0 140 May 23 07:28 .
drwx------. 7 kcinimod kcinimod sys.id:sys.role:fs.tmpfs.fs:s0 240 May 22 21:50 ..
srwx------. 1 kcinimod kcinimod wheel.id:wheel.role:gpg.agent.gpg_tmpfs.user_tmpfs_file:s0 0 May 23 08:43 S.gpg-agent
srwx------. 1 kcinimod kcinimod wheel.id:wheel.role:gpg.agent.gpg_tmpfs.user_tmpfs_file:s0 0 May 23 07:28 S.gpg-agent.browser
srwx------. 1 kcinimod kcinimod wheel.id:wheel.role:gpg.agent.gpg_tmpfs.user_tmpfs_file:s0 0 May 23 07:28 S.gpg-agent.extra
srwx------. 1 kcinimod kcinimod wheel.id:wheel.role:gpg.agent.gpg_tmpfs.user_tmpfs_file:s0 0 May 23 07:28 S.gpg-agent.ssh
srwx------. 1 kcinimod kcinimod wheel.id:wheel.role:gpg.scdaemon.gpg_tmpfs.user_tmpfs_file:s0 0 May 23 07:28 S.scdaemon

here are some of the type transitions:

type_transition wheel_gpg.subj fs.tmpfs.fs:dir gpg.tmpfs.user_tmpfs_file "gnupg";
type_transition wheel_gpg.subj fs.tmpfs.fs:file users.generic_tmpfs.user_tmpfs_file;
type_transition wheel_gpg.subj gpg.home.home_file:dir gpg.dirmngr.gpg_home.home_file "crls.d";
type_transition wheel_gpg.subj gpg.home.home_file:dir gpg.dirmngr.gpg_home.home_file "dirmngr-cache.d";
type_transition wheel_gpg.subj gpg.home.home_file:file gpg.dirmngr.gpg_home.home_file "dirmngr.conf";
type_transition wheel_gpg.subj gpg.home.home_file:sock_file gpg.dirmngr.gpg_home.home_file "S.dirmngr";
type_transition wheel_gpg.subj users.home_dir.file:dir gpg.home.home_file ".gnupg";
type_transition wheel_gpg_agent.subj fs.tmpfs.fs:dir gpg.tmpfs.user_tmpfs_file "gnupg";
type_transition wheel_gpg_agent.subj gpg.home.home_file:dir gpg.agent.gpg_home.home_file "private-keys-v1.d";
type_transition wheel_gpg_agent.subj gpg.home.home_file:file gpg.agent.gpg_home.home_file "gpg-agent.conf";
type_transition wheel_gpg_agent.subj gpg.home.home_file:file gpg.agent.gpg_home.home_file "gpg-agent.log";
type_transition wheel_gpg_agent.subj gpg.home.home_file:file gpg.agent.gpg_home.home_file "sshcontrol";
type_transition wheel_gpg_agent.subj gpg.home.home_file:sock_file gpg.agent.gpg_home.home_file "S.gpg-agent";
type_transition wheel_gpg_agent.subj gpg.home.home_file:sock_file gpg.agent.gpg_home.home_file "S.gpg-agent.browser";
type_transition wheel_gpg_agent.subj gpg.home.home_file:sock_file gpg.agent.gpg_home.home_file "S.gpg-agent.extra";
type_transition wheel_gpg_agent.subj gpg.home.home_file:sock_file gpg.agent.gpg_home.home_file "S.gpg-agent.ssh";
type_transition wheel_gpg_agent.subj gpg.tmpfs.user_tmpfs_file:sock_file gpg.agent.gpg_tmpfs.user_tmpfs_file "S.gpg-agent";
type_transition wheel_gpg_agent.subj gpg.tmpfs.user_tmpfs_file:sock_file gpg.agent.gpg_tmpfs.user_tmpfs_file "S.gpg-agent.browser";
type_transition wheel_gpg_agent.subj gpg.tmpfs.user_tmpfs_file:sock_file gpg.agent.gpg_tmpfs.user_tmpfs_file "S.gpg-agent.extra";
type_transition wheel_gpg_agent.subj gpg.tmpfs.user_tmpfs_file:sock_file gpg.agent.gpg_tmpfs.user_tmpfs_file "S.gpg-agent.ssh";
type_transition wheel_gpg_agent.subj users.home_dir.file:dir gpg.home.home_file ".gnupg";

> >>
> >> ifdef(`hide_broken_symptoms',`
> >> userdom_dontaudit_read_user_tmp_files(gpg_agent_t)
> >> @@ -310,6 +316,7 @@ fs_tmpfs_filetrans(gpg_pinentry_t, gpg_p
> >>
> >> can_exec(gpg_pinentry_t, gpg_pinentry_exec_t)
> >>
> >> +kernel_dontaudit_search_sysctl(gpg_pinentry_t)
> >> kernel_read_system_state(gpg_pinentry_t)
> >>
> >> corecmd_exec_shell(gpg_pinentry_t)
> >> @@ -327,6 +334,7 @@ domain_use_interactive_fds(gpg_pinentry_
> >>
> >> files_read_usr_files(gpg_pinentry_t)
> >>
> >> +fs_dontaudit_getattr_xattr_fs(gpg_pinentry_t)
> >> fs_dontaudit_list_inotifyfs(gpg_pinentry_t)
> >>
> >> auth_use_nsswitch(gpg_pinentry_t)
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

2017-05-23 14:59:10

by Guido Trentalancia

Subject: [refpolicy] [PATCH] gpg: manage user runtime socket files and directories

On Thu, 23/05/2017 at 08.43 +0200, Dominick Grift via
refpolicy wrote:
> On Tue, May 23, 2017 at 03:04:52AM +0200, Guido Trentalancia via
> refpolicy wrote:
> > Hello and thanks for getting back...?
> >
> > On the 23rd of May 2017 01:24:59 CEST, Chris PeBenito <pebenito@iee
> > e.org> wrote:
> > > On 05/21/2017 12:21 PM, Guido Trentalancia via refpolicy wrote:
> > > > Update the gpg module so that it can correctly manage socket
> > > > files
> > > > and directories in the user runtime directories.
> > > >
> > > > Some other minor fixes are also included in this patch.
> > > >
> > > > Signed-off-by: Guido Trentalancia <[email protected]>
> > > > ---
> > > > ?policy/modules/contrib/gpg.te |???10 +++++++++-
> > > > ?1 file changed, 9 insertions(+), 1 deletion(-)
> > > >
> > > > --- a/policy/modules/contrib/gpg.te 2017-04-26
> > > > 17:47:20.555423022
> > >
> > > +0200
> > > > +++ b/policy/modules/contrib/gpg.te 2017-05-21
> > > > 18:13:36.728343506
> > >
> > > +0200
> > > > @@ -124,6 +124,8 @@ miscfiles_read_localization(gpg_t)
> > > >
> > > > ?userdom_use_user_terminals(gpg_t)
> > > >
> > > > +userdom_manage_user_runtime_dirs(gpg_t)
> > > > +userdom_manage_user_tmp_dirs(gpg_t)
> > > > ?userdom_manage_user_tmp_files(gpg_t)
> > > > ?userdom_manage_user_home_content_files(gpg_t)
> > > > ?userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)
> > > > @@ -247,10 +249,14 @@ fs_dontaudit_list_inotifyfs(gpg_agent_t)
> > > >
> > > > ?miscfiles_read_localization(gpg_agent_t)
> > > >
> > > > +userdom_manage_user_runtime_dirs(gpg_agent_t)
> > > > +userdom_manage_user_tmp_dirs(gpg_agent_t)
> > > > +userdom_manage_user_tmp_files(gpg_agent_t)
> > >
> > > It's not clear whats going on here, but perhaps these make more
> > > sense
> > > as?
> > > a new gpg_runtime_t?
> >
> > The agent should be able to create a gnupg directory in
> > /var/run/user/USERID/ and manage socket files in that directory...?
>
> the agent can't create USERID because its parent is owned by root and
> gpg-agent does not have permission to add directory entries to
> /var/run/user. systemd-logind , or some other privileged process,
> creates USERID generally on behalf of the user

Yes, of course. I said it should be able to create a "gnupg" directory
there, not the /var/run/user/USERID directory itself.

> also the sockets should not go to /var/run/user/USERID/ , but instead
> should go to /var/run/user/USERID/gnupg/ and gnupg can be creeted
> with an automatic type transition

Once again, of course, this is exactly what the patch does and what I
meant. See below for the file transition interface...

> >
> > > > ?userdom_use_user_terminals(gpg_agent_t)
> > > > ?userdom_search_user_home_dirs(gpg_agent_t)
> > > > ?userdom_search_user_runtime(gpg_agent_t)
> > > > -userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t,
> > > > dir)
> > > > +userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, {
> > > > dir
> > >
> > > file sock_file })
> > > >
> > > > ?ifdef(`hide_broken_symptoms',`
> > > > ? userdom_dontaudit_read_user_tmp_files(gpg_agent_t)
> > > > @@ -310,6 +316,7 @@ fs_tmpfs_filetrans(gpg_pinentry_t, gpg_p
> > > >
> > > > ?can_exec(gpg_pinentry_t, gpg_pinentry_exec_t)
> > > >
> > > > +kernel_dontaudit_search_sysctl(gpg_pinentry_t)
> > > > ?kernel_read_system_state(gpg_pinentry_t)
> > > >
> > > > ?corecmd_exec_shell(gpg_pinentry_t)
> > > > @@ -327,6 +334,7 @@ domain_use_interactive_fds(gpg_pinentry_
> > > >
> > > > ?files_read_usr_files(gpg_pinentry_t)
> > > >
> > > > +fs_dontaudit_getattr_xattr_fs(gpg_pinentry_t)
> > > > ?fs_dontaudit_list_inotifyfs(gpg_pinentry_t)
> > > >
> > > > ?auth_use_nsswitch(gpg_pinentry_t)

2017-05-23 15:12:09

by Guido Trentalancia

Subject: [refpolicy] [PATCH] gpg: manage user runtime socket files and directories

On Tue, 23/05/2017 at 09.06 +0200, Dominick Grift via
refpolicy wrote:
> On Tue, May 23, 2017 at 03:04:52AM +0200, Guido Trentalancia via
> refpolicy wrote:
> > Hello and thanks for getting back...?
> >
> > On the 23rd of May 2017 01:24:59 CEST, Chris PeBenito <pebenito@iee
> > e.org> wrote:
> > > On 05/21/2017 12:21 PM, Guido Trentalancia via refpolicy wrote:
> > > > Update the gpg module so that it can correctly manage socket
> > > > files
> > > > and directories in the user runtime directories.
> > > >
> > > > Some other minor fixes are also included in this patch.
> > > >
> > > > Signed-off-by: Guido Trentalancia <[email protected]>
> > > > ---
> > > > ?policy/modules/contrib/gpg.te |???10 +++++++++-
> > > > ?1 file changed, 9 insertions(+), 1 deletion(-)
> > > >
> > > > --- a/policy/modules/contrib/gpg.te 2017-04-26
> > > > 17:47:20.555423022
> > >
> > > +0200
> > > > +++ b/policy/modules/contrib/gpg.te 2017-05-21
> > > > 18:13:36.728343506
> > >
> > > +0200
> > > > @@ -124,6 +124,8 @@ miscfiles_read_localization(gpg_t)
> > > >
> > > > ?userdom_use_user_terminals(gpg_t)
> > > >
> > > > +userdom_manage_user_runtime_dirs(gpg_t)
>
> gpg_t cannot create user runtime dirs because that requires root
> access

This is not necessarily true. Perhaps you are referring to your system
or some specific distribution, but it is not true in general.

There is nothing that dictates that a user runtime directory can only
be created by root.

> > > > +userdom_manage_user_tmp_dirs(gpg_t)
>
> gpg_t shouldnt have to create generic user tmp dirs.

Usually temporary files are created within a temporary directory.

I cannot see a risk with allowing gpg_t to create temporary directories
in addition to temporary files.

> > > > ?userdom_manage_user_tmp_files(gpg_t)
> > > > ?userdom_manage_user_home_content_files(gpg_t)
> > > > ?userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)
> > > > @@ -247,10 +249,14 @@ fs_dontaudit_list_inotifyfs(gpg_agent_t)
> > > >
> > > > ?miscfiles_read_localization(gpg_agent_t)
> > > >
> > > > +userdom_manage_user_runtime_dirs(gpg_agent_t)
>
> gpg_agent_t cannot create user_runtime dirs because that requires
> root access

This is not necessarily true (see above).

> > > > +userdom_manage_user_tmp_dirs(gpg_agent_t)
> > > > +userdom_manage_user_tmp_files(gpg_agent_t)
>
> gpg-agent shouldnt have to create generic user tmp dirs and files

At the moment this might be true, however there is no specific risk
associated with those two permissions, that are very general and widely
used, so I would prefer to leave them there.

> > >
> > > It's not clear whats going on here, but perhaps these make more
> > > sense
> > > as?
> > > a new gpg_runtime_t?
> >
> > The agent should be able to create a gnupg directory in
> > /var/run/user/USERID/ and manage socket files in that directory...?
>
> Yes, so create a gpg_runtime_t type and allow gpg_t, gpg_agent_t,
> scdaemon, dirmngr to create XDG_RUNTIME_DIR/gnupg with a automatic
> type transtion from user_tmp_t(?) to gpg_runtime_t

At the moment, I see no benefit in distinguishing between a temporary
file and a "runtime" file, so I would prefer to leave the transition to
gpg_agent_tmp_t and avoid creating a new file type.

> > > > ?userdom_use_user_terminals(gpg_agent_t)
> > > > ?userdom_search_user_home_dirs(gpg_agent_t)
> > > > ?userdom_search_user_runtime(gpg_agent_t)
> > > > -userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t,
> > > > dir)
> > > > +userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, {
> > > > dir
> > >
> > > file sock_file })
>
> This would need to be revisited then because gpg_agent_t needs to be
> able to create XDG_RUNTIME_DIR/gnupg with type gpg_runtime_t (use a
> name-based automatic type transition for that because "gnupg" is
> predictable
>
> here is my XDG_RUNTIME_DIR/gnupg to give an impression of some of the
> possibilities:
>
> ls -alZ $XDG_RUNTIME_DIR/gnupg
> total 0
> drwx------. 2 kcinimod kcinimod
> wheel.id:wheel.role:gpg.tmpfs.user_tmpfs_file:s0??????????????140 May
> 23 07:28 .
> drwx------. 7 kcinimod kcinimod
> sys.id:sys.role:fs.tmpfs.fs:s0????????????????????????????????240 May
> 22 21:50 ..
> srwx------. 1 kcinimod kcinimod
> wheel.id:wheel.role:gpg.agent.gpg_tmpfs.user_tmpfs_file:s0??????0 May
> 23 08:43 S.gpg-agent
> srwx------. 1 kcinimod kcinimod
> wheel.id:wheel.role:gpg.agent.gpg_tmpfs.user_tmpfs_file:s0??????0 May
> 23 07:28 S.gpg-agent.browser
> srwx------. 1 kcinimod kcinimod
> wheel.id:wheel.role:gpg.agent.gpg_tmpfs.user_tmpfs_file:s0??????0 May
> 23 07:28 S.gpg-agent.extra
> srwx------. 1 kcinimod kcinimod
> wheel.id:wheel.role:gpg.agent.gpg_tmpfs.user_tmpfs_file:s0??????0 May
> 23 07:28 S.gpg-agent.ssh
> srwx------. 1 kcinimod kcinimod
> wheel.id:wheel.role:gpg.scdaemon.gpg_tmpfs.user_tmpfs_file:s0???0 May
> 23 07:28 S.scdaemon
>
> here are some of the type transitions:
>
> type_transition wheel_gpg.subj fs.tmpfs.fs:dir
> gpg.tmpfs.user_tmpfs_file "gnupg";
> type_transition wheel_gpg.subj fs.tmpfs.fs:file
> users.generic_tmpfs.user_tmpfs_file;
> type_transition wheel_gpg.subj gpg.home.home_file:dir
> gpg.dirmngr.gpg_home.home_file "crls.d";
> type_transition wheel_gpg.subj gpg.home.home_file:dir
> gpg.dirmngr.gpg_home.home_file "dirmngr-cache.d";
> type_transition wheel_gpg.subj gpg.home.home_file:file
> gpg.dirmngr.gpg_home.home_file "dirmngr.conf";
> type_transition wheel_gpg.subj gpg.home.home_file:sock_file
> gpg.dirmngr.gpg_home.home_file "S.dirmngr";
> type_transition wheel_gpg.subj users.home_dir.file:dir
> gpg.home.home_file ".gnupg";
> type_transition wheel_gpg_agent.subj fs.tmpfs.fs:dir
> gpg.tmpfs.user_tmpfs_file "gnupg";
> type_transition wheel_gpg_agent.subj gpg.home.home_file:dir
> gpg.agent.gpg_home.home_file "private-keys-v1.d";
> type_transition wheel_gpg_agent.subj gpg.home.home_file:file
> gpg.agent.gpg_home.home_file "gpg-agent.conf";
> type_transition wheel_gpg_agent.subj gpg.home.home_file:file
> gpg.agent.gpg_home.home_file "gpg-agent.log";
> type_transition wheel_gpg_agent.subj gpg.home.home_file:file
> gpg.agent.gpg_home.home_file "sshcontrol";
> type_transition wheel_gpg_agent.subj gpg.home.home_file:sock_file
> gpg.agent.gpg_home.home_file "S.gpg-agent";
> type_transition wheel_gpg_agent.subj gpg.home.home_file:sock_file
> gpg.agent.gpg_home.home_file "S.gpg-agent.browser";
> type_transition wheel_gpg_agent.subj gpg.home.home_file:sock_file
> gpg.agent.gpg_home.home_file "S.gpg-agent.extra";
> type_transition wheel_gpg_agent.subj gpg.home.home_file:sock_file
> gpg.agent.gpg_home.home_file "S.gpg-agent.ssh";
> type_transition wheel_gpg_agent.subj
> gpg.tmpfs.user_tmpfs_file:sock_file
> gpg.agent.gpg_tmpfs.user_tmpfs_file "S.gpg-agent";
> type_transition wheel_gpg_agent.subj
> gpg.tmpfs.user_tmpfs_file:sock_file
> gpg.agent.gpg_tmpfs.user_tmpfs_file "S.gpg-agent.browser";
> type_transition wheel_gpg_agent.subj
> gpg.tmpfs.user_tmpfs_file:sock_file
> gpg.agent.gpg_tmpfs.user_tmpfs_file "S.gpg-agent.extra";
> type_transition wheel_gpg_agent.subj
> gpg.tmpfs.user_tmpfs_file:sock_file
> gpg.agent.gpg_tmpfs.user_tmpfs_file "S.gpg-agent.ssh";
> type_transition wheel_gpg_agent.subj users.home_dir.file:dir
> gpg.home.home_file ".gnupg";
>
> > > >
> > > > ?ifdef(`hide_broken_symptoms',`
> > > > ? userdom_dontaudit_read_user_tmp_files(gpg_agent_t)
> > > > @@ -310,6 +316,7 @@ fs_tmpfs_filetrans(gpg_pinentry_t, gpg_p
> > > >
> > > > ?can_exec(gpg_pinentry_t, gpg_pinentry_exec_t)
> > > >
> > > > +kernel_dontaudit_search_sysctl(gpg_pinentry_t)
> > > > ?kernel_read_system_state(gpg_pinentry_t)
> > > >
> > > > ?corecmd_exec_shell(gpg_pinentry_t)
> > > > @@ -327,6 +334,7 @@ domain_use_interactive_fds(gpg_pinentry_
> > > >
> > > > ?files_read_usr_files(gpg_pinentry_t)
> > > >
> > > > +fs_dontaudit_getattr_xattr_fs(gpg_pinentry_t)
> > > > ?fs_dontaudit_list_inotifyfs(gpg_pinentry_t)
> > > >
> > > > ?auth_use_nsswitch(gpg_pinentry_t)

Regards,

Guido

2017-05-23 15:59:26

by Dac Override

Subject: [refpolicy] [PATCH] gpg: manage user runtime socket files and directories

On Tue, May 23, 2017 at 05:12:09PM +0200, Guido Trentalancia via refpolicy wrote:
> On Tue, 23/05/2017 at 09.06 +0200, Dominick Grift via
> refpolicy wrote:
> > On Tue, May 23, 2017 at 03:04:52AM +0200, Guido Trentalancia via
> > refpolicy wrote:
> > > Hello and thanks for getting back...?
> > >
> > > On the 23rd of May 2017 01:24:59 CEST, Chris PeBenito <pebenito@iee
> > > e.org> wrote:
> > > > On 05/21/2017 12:21 PM, Guido Trentalancia via refpolicy wrote:
> > > > > Update the gpg module so that it can correctly manage socket
> > > > > files
> > > > > and directories in the user runtime directories.
> > > > >
> > > > > Some other minor fixes are also included in this patch.
> > > > >
> > > > > Signed-off-by: Guido Trentalancia <[email protected]>
> > > > > ---
> > > > > ?policy/modules/contrib/gpg.te |???10 +++++++++-
> > > > > ?1 file changed, 9 insertions(+), 1 deletion(-)
> > > > >
> > > > > --- a/policy/modules/contrib/gpg.te 2017-04-26
> > > > > 17:47:20.555423022
> > > >
> > > > +0200
> > > > > +++ b/policy/modules/contrib/gpg.te 2017-05-21
> > > > > 18:13:36.728343506
> > > >
> > > > +0200
> > > > > @@ -124,6 +124,8 @@ miscfiles_read_localization(gpg_t)
> > > > >
> > > > > ?userdom_use_user_terminals(gpg_t)
> > > > >
> > > > > +userdom_manage_user_runtime_dirs(gpg_t)
> >
> > gpg_t cannot create user runtime dirs because that requires root
> > access
>
> This is not necessarily true. Perhaps you are referring to your system
> or some specific distribution, but it is not true in general.
>
> There is nothing that dictates that a user runtime directory can only
> be created by root.
>
> > > > > +userdom_manage_user_tmp_dirs(gpg_t)
> >
> > gpg_t shouldnt have to create generic user tmp dirs.
>
> Usually temporary files are created within a temporary directory.
>
> I cannot see a risk with allowing gpg_t to create temporary directories
> in addition to temporary files.
>
> > > > > ?userdom_manage_user_tmp_files(gpg_t)
> > > > > ?userdom_manage_user_home_content_files(gpg_t)
> > > > > ?userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)
> > > > > @@ -247,10 +249,14 @@ fs_dontaudit_list_inotifyfs(gpg_agent_t)
> > > > >
> > > > > ?miscfiles_read_localization(gpg_agent_t)
> > > > >
> > > > > +userdom_manage_user_runtime_dirs(gpg_agent_t)
> >
> > gpg_agent_t cannot create user_runtime dirs because that requires
> > root access
>
> This is not necessarily true (see above).
>

I think we should probably make a distinction between the root of the user runtime dirs and their content. Currently, I believe, user_runtime_t is used for the runtime root (/run/user/USERID).

This is because I still believe that for MLS systems we might need to support poly-instantiated user runtime directories.

> > > > > +userdom_manage_user_tmp_dirs(gpg_agent_t)
> > > > > +userdom_manage_user_tmp_files(gpg_agent_t)
> >
> > gpg-agent shouldn't have to create generic user tmp dirs and files.
>
> At the moment this might be true, however there is no specific risk
> associated with those two permissions, that are very general and widely
> used, so I would prefer to leave them there.

Yes, sorry, I agree. gpg_tmp_t then...

>
> > > >
> > > > It's not clear what's going on here, but perhaps these make more
> > > > sense as a new gpg_runtime_t?
> > >
> > > The agent should be able to create a gnupg directory in
> > > /var/run/user/USERID/ and manage socket files in that directory...
> >
> > Yes, so create a gpg_runtime_t type and allow gpg_t, gpg_agent_t,
> > scdaemon and dirmngr to create XDG_RUNTIME_DIR/gnupg with an automatic
> > type transition from user_tmp_t(?) to gpg_runtime_t.
>
> At the moment, I see no benefit in distinguishing between a temporary
> file and a "runtime" file, so I would prefer to leave the transition to
> gpg_agent_tmp_t and avoid creating a new file type.
>
> > > > > ?userdom_use_user_terminals(gpg_agent_t)
> > > > > ?userdom_search_user_home_dirs(gpg_agent_t)
> > > > > ?userdom_search_user_runtime(gpg_agent_t)
> > > > > -userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t,
> > > > > dir)
> > > > > +userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, {
> > > > > dir
> > > >
> > > > file sock_file })
> >
> > This would need to be revisited then because gpg_agent_t needs to be
> > able to create XDG_RUNTIME_DIR/gnupg with type gpg_runtime_t (use a
> > name-based automatic type transition for that because "gnupg" is
> > predictable).
> >
> > here is my XDG_RUNTIME_DIR/gnupg to give an impression of some of the
> > possibilities:
> >
> > ls -alZ $XDG_RUNTIME_DIR/gnupg
> > total 0
> > drwx------. 2 kcinimod kcinimod
> > wheel.id:wheel.role:gpg.tmpfs.user_tmpfs_file:s0 140 May
> > 23 07:28 .
> > drwx------. 7 kcinimod kcinimod
> > sys.id:sys.role:fs.tmpfs.fs:s0 240 May
> > 22 21:50 ..
> > srwx------. 1 kcinimod kcinimod
> > wheel.id:wheel.role:gpg.agent.gpg_tmpfs.user_tmpfs_file:s0 0 May
> > 23 08:43 S.gpg-agent
> > srwx------. 1 kcinimod kcinimod
> > wheel.id:wheel.role:gpg.agent.gpg_tmpfs.user_tmpfs_file:s0 0 May
> > 23 07:28 S.gpg-agent.browser
> > srwx------. 1 kcinimod kcinimod
> > wheel.id:wheel.role:gpg.agent.gpg_tmpfs.user_tmpfs_file:s0 0 May
> > 23 07:28 S.gpg-agent.extra
> > srwx------. 1 kcinimod kcinimod
> > wheel.id:wheel.role:gpg.agent.gpg_tmpfs.user_tmpfs_file:s0 0 May
> > 23 07:28 S.gpg-agent.ssh
> > srwx------. 1 kcinimod kcinimod
> > wheel.id:wheel.role:gpg.scdaemon.gpg_tmpfs.user_tmpfs_file:s0 0 May
> > 23 07:28 S.scdaemon
> >
> > here are some of the type transitions:
> >
> > type_transition wheel_gpg.subj fs.tmpfs.fs:dir
> > gpg.tmpfs.user_tmpfs_file "gnupg";
> > type_transition wheel_gpg.subj fs.tmpfs.fs:file
> > users.generic_tmpfs.user_tmpfs_file;
> > type_transition wheel_gpg.subj gpg.home.home_file:dir
> > gpg.dirmngr.gpg_home.home_file "crls.d";
> > type_transition wheel_gpg.subj gpg.home.home_file:dir
> > gpg.dirmngr.gpg_home.home_file "dirmngr-cache.d";
> > type_transition wheel_gpg.subj gpg.home.home_file:file
> > gpg.dirmngr.gpg_home.home_file "dirmngr.conf";
> > type_transition wheel_gpg.subj gpg.home.home_file:sock_file
> > gpg.dirmngr.gpg_home.home_file "S.dirmngr";
> > type_transition wheel_gpg.subj users.home_dir.file:dir
> > gpg.home.home_file ".gnupg";
> > type_transition wheel_gpg_agent.subj fs.tmpfs.fs:dir
> > gpg.tmpfs.user_tmpfs_file "gnupg";
> > type_transition wheel_gpg_agent.subj gpg.home.home_file:dir
> > gpg.agent.gpg_home.home_file "private-keys-v1.d";
> > type_transition wheel_gpg_agent.subj gpg.home.home_file:file
> > gpg.agent.gpg_home.home_file "gpg-agent.conf";
> > type_transition wheel_gpg_agent.subj gpg.home.home_file:file
> > gpg.agent.gpg_home.home_file "gpg-agent.log";
> > type_transition wheel_gpg_agent.subj gpg.home.home_file:file
> > gpg.agent.gpg_home.home_file "sshcontrol";
> > type_transition wheel_gpg_agent.subj gpg.home.home_file:sock_file
> > gpg.agent.gpg_home.home_file "S.gpg-agent";
> > type_transition wheel_gpg_agent.subj gpg.home.home_file:sock_file
> > gpg.agent.gpg_home.home_file "S.gpg-agent.browser";
> > type_transition wheel_gpg_agent.subj gpg.home.home_file:sock_file
> > gpg.agent.gpg_home.home_file "S.gpg-agent.extra";
> > type_transition wheel_gpg_agent.subj gpg.home.home_file:sock_file
> > gpg.agent.gpg_home.home_file "S.gpg-agent.ssh";
> > type_transition wheel_gpg_agent.subj
> > gpg.tmpfs.user_tmpfs_file:sock_file
> > gpg.agent.gpg_tmpfs.user_tmpfs_file "S.gpg-agent";
> > type_transition wheel_gpg_agent.subj
> > gpg.tmpfs.user_tmpfs_file:sock_file
> > gpg.agent.gpg_tmpfs.user_tmpfs_file "S.gpg-agent.browser";
> > type_transition wheel_gpg_agent.subj
> > gpg.tmpfs.user_tmpfs_file:sock_file
> > gpg.agent.gpg_tmpfs.user_tmpfs_file "S.gpg-agent.extra";
> > type_transition wheel_gpg_agent.subj
> > gpg.tmpfs.user_tmpfs_file:sock_file
> > gpg.agent.gpg_tmpfs.user_tmpfs_file "S.gpg-agent.ssh";
> > type_transition wheel_gpg_agent.subj users.home_dir.file:dir
> > gpg.home.home_file ".gnupg";
> >
> > > > >
> > > > > ?ifdef(`hide_broken_symptoms',`
> > > > > ? userdom_dontaudit_read_user_tmp_files(gpg_agent_t)
> > > > > @@ -310,6 +316,7 @@ fs_tmpfs_filetrans(gpg_pinentry_t, gpg_p
> > > > >
> > > > > ?can_exec(gpg_pinentry_t, gpg_pinentry_exec_t)
> > > > >
> > > > > +kernel_dontaudit_search_sysctl(gpg_pinentry_t)
> > > > > ?kernel_read_system_state(gpg_pinentry_t)
> > > > >
> > > > > ?corecmd_exec_shell(gpg_pinentry_t)
> > > > > @@ -327,6 +334,7 @@ domain_use_interactive_fds(gpg_pinentry_
> > > > >
> > > > > ?files_read_usr_files(gpg_pinentry_t)
> > > > >
> > > > > +fs_dontaudit_getattr_xattr_fs(gpg_pinentry_t)
> > > > > ?fs_dontaudit_list_inotifyfs(gpg_pinentry_t)
> > > > >
> > > > > ?auth_use_nsswitch(gpg_pinentry_t)
>
> Regards,
>
> Guido

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

2017-05-23 17:14:54

by Christian Göttsche

Subject: [refpolicy] [PATCH] gpg: manage user runtime socket files and directories

Currently, I am using the following interface, which is used by the
systemd --user domain:

########################################
## <summary>
## Initialize gpg user runtime environment.
## Used by systemd --user .
## </summary>
## <param name="domain">
## <summary>
@@ -225,19 +193,20 @@ interface(`gpg_stream_connect_agent',`
## </summary>
## </param>
#
interface(`gpg_initialize_user_runtime',`
gen_require(`
type gpg_agent_tmp_t;
')
userdom_user_runtime_filetrans($1, gpg_agent_tmp_t, dir, "gnupg")
allow $1 gpg_agent_tmp_t:dir { add_entry_dir_perms create_dir_perms };
allow $1 gpg_agent_tmp_t:sock_file create_sock_file_perms;
')

2017-05-23 17:59 GMT+02:00 Dominick Grift via refpolicy
<[email protected]>:
> On Tue, May 23, 2017 at 05:12:09PM +0200, Guido Trentalancia via refpolicy wrote:
>> On Tue, 23/05/2017 at 09.06 +0200, Dominick Grift via
>> refpolicy wrote:
>> > On Tue, May 23, 2017 at 03:04:52AM +0200, Guido Trentalancia via
>> > refpolicy wrote:
>> > > Hello and thanks for getting back...
>> > >
>> > > On the 23rd of May 2017 01:24:59 CEST, Chris PeBenito <pebenito@iee
>> > > e.org> wrote:
>> > > > On 05/21/2017 12:21 PM, Guido Trentalancia via refpolicy wrote:
>> > > > > Update the gpg module so that it can correctly manage socket
>> > > > > files
>> > > > > and directories in the user runtime directories.
>> > > > >
>> > > > > Some other minor fixes are also included in this patch.
>> > > > >
>> > > > > Signed-off-by: Guido Trentalancia <[email protected]>
>> > > > > ---
>> > > > > policy/modules/contrib/gpg.te | 10 +++++++++-
>> > > > > 1 file changed, 9 insertions(+), 1 deletion(-)
>> > > > >
>> > > > > --- a/policy/modules/contrib/gpg.te 2017-04-26
>> > > > > 17:47:20.555423022
>> > > >
>> > > > +0200
>> > > > > +++ b/policy/modules/contrib/gpg.te 2017-05-21
>> > > > > 18:13:36.728343506
>> > > >
>> > > > +0200
>> > > > > @@ -124,6 +124,8 @@ miscfiles_read_localization(gpg_t)
>> > > > >
>> > > > > userdom_use_user_terminals(gpg_t)
>> > > > >
>> > > > > +userdom_manage_user_runtime_dirs(gpg_t)
>> >
>> > gpg_t cannot create user runtime dirs because that requires root
>> > access
>>
>> This is not necessarily true. Perhaps you are referring to your system
>> or some specific distribution, but it is not true in general.
>>
>> There is nothing that dictates that a user runtime directory can only
>> be created by root.
>>
>> > > > > +userdom_manage_user_tmp_dirs(gpg_t)
>> >
>> > gpg_t shouldnt have to create generic user tmp dirs.
>>
>> Usually temporary files are created within a temporary directory.
>>
>> I cannot see a risk with allowing gpg_t to create temporary directories
>> in addition to temporary files.
>>
>> > > > > userdom_manage_user_tmp_files(gpg_t)
>> > > > > userdom_manage_user_home_content_files(gpg_t)
>> > > > > userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)
>> > > > > @@ -247,10 +249,14 @@ fs_dontaudit_list_inotifyfs(gpg_agent_t)
>> > > > >
>> > > > > miscfiles_read_localization(gpg_agent_t)
>> > > > >
>> > > > > +userdom_manage_user_runtime_dirs(gpg_agent_t)
>> >
>> > gpg_agent_t cannot create user_runtime dirs because that requires
>> > root access
>>
>> This is not necessarily true (see above).
>>
>
> I think we should probably make a distinction between what the root of the user runtime dirs is and what the content is. currently, i believe, user_runtime_t is used for the runtime root i suspect (/run/user/USERID)
>
> This is because I still believe that for mls systems we might need to support poly-instantiated user runtime
>
>> > > > > +userdom_manage_user_tmp_dirs(gpg_agent_t)
>> > > > > +userdom_manage_user_tmp_files(gpg_agent_t)
>> >
>> > gpg-agent shouldnt have to create generic user tmp dirs and files
>>
>> At the moment this might be true, however there is no specific risk
>> associated with those two permissions, that are very general and widely
>> used, so I would prefer to leave them there.
>
> Yes sorry i agree. gpg_tmp_t then...
>
>>
>> > > >
>> > > > It's not clear whats going on here, but perhaps these make more
>> > > > sense
>> > > > as
>> > > > a new gpg_runtime_t?
>> > >
>> > > The agent should be able to create a gnupg directory in
>> > > /var/run/user/USERID/ and manage socket files in that directory...
>> >
>> > Yes, so create a gpg_runtime_t type and allow gpg_t, gpg_agent_t,
>> > scdaemon and dirmngr to create XDG_RUNTIME_DIR/gnupg with an automatic
>> > type transition from user_tmp_t(?) to gpg_runtime_t.
>>
>> At the moment, I see no benefit in distinguishing between a temporary
>> file and a "runtime" file, so I would prefer to leave the transition to
>> gpg_agent_tmp_t and avoid creating a new file type.
>>
>> > > > > userdom_use_user_terminals(gpg_agent_t)
>> > > > > userdom_search_user_home_dirs(gpg_agent_t)
>> > > > > userdom_search_user_runtime(gpg_agent_t)
>> > > > > -userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t,
>> > > > > dir)
>> > > > > +userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, {
>> > > > > dir
>> > > >
>> > > > file sock_file })
>> >
>> > This would need to be revisited then because gpg_agent_t needs to be
>> > able to create XDG_RUNTIME_DIR/gnupg with type gpg_runtime_t (use a
>> > name-based automatic type transition for that because "gnupg" is
>> > predictable
>> >
>> > here is my XDG_RUNTIME_DIR/gnupg to give an impression of some of the
>> > possibilities:
>> >
>> > ls -alZ $XDG_RUNTIME_DIR/gnupg
>> > total 0
>> > drwx------. 2 kcinimod kcinimod
>> > wheel.id:wheel.role:gpg.tmpfs.user_tmpfs_file:s0 140 May
>> > 23 07:28 .
>> > drwx------. 7 kcinimod kcinimod
>> > sys.id:sys.role:fs.tmpfs.fs:s0 240 May
>> > 22 21:50 ..
>> > srwx------. 1 kcinimod kcinimod
>> > wheel.id:wheel.role:gpg.agent.gpg_tmpfs.user_tmpfs_file:s0 0 May
>> > 23 08:43 S.gpg-agent
>> > srwx------. 1 kcinimod kcinimod
>> > wheel.id:wheel.role:gpg.agent.gpg_tmpfs.user_tmpfs_file:s0 0 May
>> > 23 07:28 S.gpg-agent.browser
>> > srwx------. 1 kcinimod kcinimod
>> > wheel.id:wheel.role:gpg.agent.gpg_tmpfs.user_tmpfs_file:s0 0 May
>> > 23 07:28 S.gpg-agent.extra
>> > srwx------. 1 kcinimod kcinimod
>> > wheel.id:wheel.role:gpg.agent.gpg_tmpfs.user_tmpfs_file:s0 0 May
>> > 23 07:28 S.gpg-agent.ssh
>> > srwx------. 1 kcinimod kcinimod
>> > wheel.id:wheel.role:gpg.scdaemon.gpg_tmpfs.user_tmpfs_file:s0 0 May
>> > 23 07:28 S.scdaemon
>> >
>> > here are some of the type transitions:
>> >
>> > type_transition wheel_gpg.subj fs.tmpfs.fs:dir
>> > gpg.tmpfs.user_tmpfs_file "gnupg";
>> > type_transition wheel_gpg.subj fs.tmpfs.fs:file
>> > users.generic_tmpfs.user_tmpfs_file;
>> > type_transition wheel_gpg.subj gpg.home.home_file:dir
>> > gpg.dirmngr.gpg_home.home_file "crls.d";
>> > type_transition wheel_gpg.subj gpg.home.home_file:dir
>> > gpg.dirmngr.gpg_home.home_file "dirmngr-cache.d";
>> > type_transition wheel_gpg.subj gpg.home.home_file:file
>> > gpg.dirmngr.gpg_home.home_file "dirmngr.conf";
>> > type_transition wheel_gpg.subj gpg.home.home_file:sock_file
>> > gpg.dirmngr.gpg_home.home_file "S.dirmngr";
>> > type_transition wheel_gpg.subj users.home_dir.file:dir
>> > gpg.home.home_file ".gnupg";
>> > type_transition wheel_gpg_agent.subj fs.tmpfs.fs:dir
>> > gpg.tmpfs.user_tmpfs_file "gnupg";
>> > type_transition wheel_gpg_agent.subj gpg.home.home_file:dir
>> > gpg.agent.gpg_home.home_file "private-keys-v1.d";
>> > type_transition wheel_gpg_agent.subj gpg.home.home_file:file
>> > gpg.agent.gpg_home.home_file "gpg-agent.conf";
>> > type_transition wheel_gpg_agent.subj gpg.home.home_file:file
>> > gpg.agent.gpg_home.home_file "gpg-agent.log";
>> > type_transition wheel_gpg_agent.subj gpg.home.home_file:file
>> > gpg.agent.gpg_home.home_file "sshcontrol";
>> > type_transition wheel_gpg_agent.subj gpg.home.home_file:sock_file
>> > gpg.agent.gpg_home.home_file "S.gpg-agent";
>> > type_transition wheel_gpg_agent.subj gpg.home.home_file:sock_file
>> > gpg.agent.gpg_home.home_file "S.gpg-agent.browser";
>> > type_transition wheel_gpg_agent.subj gpg.home.home_file:sock_file
>> > gpg.agent.gpg_home.home_file "S.gpg-agent.extra";
>> > type_transition wheel_gpg_agent.subj gpg.home.home_file:sock_file
>> > gpg.agent.gpg_home.home_file "S.gpg-agent.ssh";
>> > type_transition wheel_gpg_agent.subj
>> > gpg.tmpfs.user_tmpfs_file:sock_file
>> > gpg.agent.gpg_tmpfs.user_tmpfs_file "S.gpg-agent";
>> > type_transition wheel_gpg_agent.subj
>> > gpg.tmpfs.user_tmpfs_file:sock_file
>> > gpg.agent.gpg_tmpfs.user_tmpfs_file "S.gpg-agent.browser";
>> > type_transition wheel_gpg_agent.subj
>> > gpg.tmpfs.user_tmpfs_file:sock_file
>> > gpg.agent.gpg_tmpfs.user_tmpfs_file "S.gpg-agent.extra";
>> > type_transition wheel_gpg_agent.subj
>> > gpg.tmpfs.user_tmpfs_file:sock_file
>> > gpg.agent.gpg_tmpfs.user_tmpfs_file "S.gpg-agent.ssh";
>> > type_transition wheel_gpg_agent.subj users.home_dir.file:dir
>> > gpg.home.home_file ".gnupg";
>> >
>> > > > >
>> > > > > ifdef(`hide_broken_symptoms',`
>> > > > > userdom_dontaudit_read_user_tmp_files(gpg_agent_t)
>> > > > > @@ -310,6 +316,7 @@ fs_tmpfs_filetrans(gpg_pinentry_t, gpg_p
>> > > > >
>> > > > > can_exec(gpg_pinentry_t, gpg_pinentry_exec_t)
>> > > > >
>> > > > > +kernel_dontaudit_search_sysctl(gpg_pinentry_t)
>> > > > > kernel_read_system_state(gpg_pinentry_t)
>> > > > >
>> > > > > corecmd_exec_shell(gpg_pinentry_t)
>> > > > > @@ -327,6 +334,7 @@ domain_use_interactive_fds(gpg_pinentry_
>> > > > >
>> > > > > files_read_usr_files(gpg_pinentry_t)
>> > > > >
>> > > > > +fs_dontaudit_getattr_xattr_fs(gpg_pinentry_t)
>> > > > > fs_dontaudit_list_inotifyfs(gpg_pinentry_t)
>> > > > >
>> > > > > auth_use_nsswitch(gpg_pinentry_t)
>>
>> Regards,
>>
>> Guido
>
> --
> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
> https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
> Dominick Grift
>
>

2017-05-23 17:19:37

by Dac Override

Subject: [refpolicy] [PATCH] gpg: manage user runtime socket files and directories

On Tue, May 23, 2017 at 07:14:54PM +0200, Christian Göttsche wrote:
> Currently, I am using the following interface, which is used by the
> systemd --user domain:
>
> ########################################
> ## <summary>
> ## Initialize gpg user runtime environment.
> ## Used by systemd --user .
> ## </summary>
> ## <param name="domain">
> ## <summary>
> @@ -225,19 +193,20 @@ interface(`gpg_stream_connect_agent',`
> ## </summary>
> ## </param>
> #
> interface(`gpg_initialize_user_runtime',`
> gen_require(`
> type gpg_agent_tmp_t;
> ')
> userdom_user_runtime_filetrans($1, gpg_agent_tmp_t, dir, "gnupg")

Yes, but /run/user/USERID/gnupg should probably be gpg_tmp_t instead; only the gpg-agent-specific files in there should be gpg_agent_tmp_t.

This is because, in theory, gpg-agent is optional and because other (optional) gpg entities maintain files in there as well (dirmngr, scdaemon).

> allow $1 gpg_agent_tmp_t:dir { add_entry_dir_perms create_dir_perms };
> allow $1 gpg_agent_tmp_t:sock_file create_sock_file_perms;
> ')
>
> 2017-05-23 17:59 GMT+02:00 Dominick Grift via refpolicy
> <[email protected]>:
> > On Tue, May 23, 2017 at 05:12:09PM +0200, Guido Trentalancia via refpolicy wrote:
> >> On Tue, 23/05/2017 at 09.06 +0200, Dominick Grift via
> >> refpolicy wrote:
> >> > On Tue, May 23, 2017 at 03:04:52AM +0200, Guido Trentalancia via
> >> > refpolicy wrote:
> >> > > Hello and thanks for getting back...
> >> > >
> >> > > On the 23rd of May 2017 01:24:59 CEST, Chris PeBenito <pebenito@iee
> >> > > e.org> wrote:
> >> > > > On 05/21/2017 12:21 PM, Guido Trentalancia via refpolicy wrote:
> >> > > > > Update the gpg module so that it can correctly manage socket
> >> > > > > files
> >> > > > > and directories in the user runtime directories.
> >> > > > >
> >> > > > > Some other minor fixes are also included in this patch.
> >> > > > >
> >> > > > > Signed-off-by: Guido Trentalancia <[email protected]>
> >> > > > > ---
> >> > > > > policy/modules/contrib/gpg.te | 10 +++++++++-
> >> > > > > 1 file changed, 9 insertions(+), 1 deletion(-)
> >> > > > >
> >> > > > > --- a/policy/modules/contrib/gpg.te 2017-04-26
> >> > > > > 17:47:20.555423022
> >> > > >
> >> > > > +0200
> >> > > > > +++ b/policy/modules/contrib/gpg.te 2017-05-21
> >> > > > > 18:13:36.728343506
> >> > > >
> >> > > > +0200
> >> > > > > @@ -124,6 +124,8 @@ miscfiles_read_localization(gpg_t)
> >> > > > >
> >> > > > > userdom_use_user_terminals(gpg_t)
> >> > > > >
> >> > > > > +userdom_manage_user_runtime_dirs(gpg_t)
> >> >
> >> > gpg_t cannot create user runtime dirs because that requires root
> >> > access
> >>
> >> This is not necessarily true. Perhaps you are referring to your system
> >> or some specific distribution, but it is not true in general.
> >>
> >> There is nothing that dictates that a user runtime directory can only
> >> be created by root.
> >>
> >> > > > > +userdom_manage_user_tmp_dirs(gpg_t)
> >> >
> >> > gpg_t shouldnt have to create generic user tmp dirs.
> >>
> >> Usually temporary files are created within a temporary directory.
> >>
> >> I cannot see a risk with allowing gpg_t to create temporary directories
> >> in addition to temporary files.
> >>
> >> > > > > userdom_manage_user_tmp_files(gpg_t)
> >> > > > > userdom_manage_user_home_content_files(gpg_t)
> >> > > > > userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)
> >> > > > > @@ -247,10 +249,14 @@ fs_dontaudit_list_inotifyfs(gpg_agent_t)
> >> > > > >
> >> > > > > miscfiles_read_localization(gpg_agent_t)
> >> > > > >
> >> > > > > +userdom_manage_user_runtime_dirs(gpg_agent_t)
> >> >
> >> > gpg_agent_t cannot create user_runtime dirs because that requires
> >> > root access
> >>
> >> This is not necessarily true (see above).
> >>
> >
> > I think we should probably make a distinction between what the root of the user runtime dirs is and what the content is. currently, i believe, user_runtime_t is used for the runtime root i suspect (/run/user/USERID)
> >
> > This is because I still believe that for mls systems we might need to support poly-instantiated user runtime
> >
> >> > > > > +userdom_manage_user_tmp_dirs(gpg_agent_t)
> >> > > > > +userdom_manage_user_tmp_files(gpg_agent_t)
> >> >
> >> > gpg-agent shouldnt have to create generic user tmp dirs and files
> >>
> >> At the moment this might be true, however there is no specific risk
> >> associated with those two permissions, that are very general and widely
> >> used, so I would prefer to leave them there.
> >
> > Yes sorry i agree. gpg_tmp_t then...
> >
> >>
> >> > > >
> >> > > > It's not clear whats going on here, but perhaps these make more
> >> > > > sense
> >> > > > as
> >> > > > a new gpg_runtime_t?
> >> > >
> >> > > The agent should be able to create a gnupg directory in
> >> > > /var/run/user/USERID/ and manage socket files in that directory...
> >> >
> >> > Yes, so create a gpg_runtime_t type and allow gpg_t, gpg_agent_t,
> >> > scdaemon and dirmngr to create XDG_RUNTIME_DIR/gnupg with an automatic
> >> > type transition from user_tmp_t(?) to gpg_runtime_t.
> >>
> >> At the moment, I see no benefit in distinguishing between a temporary
> >> file and a "runtime" file, so I would prefer to leave the transition to
> >> gpg_agent_tmp_t and avoid creating a new file type.
> >>
> >> > > > > userdom_use_user_terminals(gpg_agent_t)
> >> > > > > userdom_search_user_home_dirs(gpg_agent_t)
> >> > > > > userdom_search_user_runtime(gpg_agent_t)
> >> > > > > -userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t,
> >> > > > > dir)
> >> > > > > +userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, {
> >> > > > > dir
> >> > > >
> >> > > > file sock_file })
> >> >
> >> > This would need to be revisited then because gpg_agent_t needs to be
> >> > able to create XDG_RUNTIME_DIR/gnupg with type gpg_runtime_t (use a
> >> > name-based automatic type transition for that because "gnupg" is
> >> > predictable
> >> >
> >> > here is my XDG_RUNTIME_DIR/gnupg to give an impression of some of the
> >> > possibilities:
> >> >
> >> > ls -alZ $XDG_RUNTIME_DIR/gnupg
> >> > total 0
> >> > drwx------. 2 kcinimod kcinimod
> >> > wheel.id:wheel.role:gpg.tmpfs.user_tmpfs_file:s0 140 May
> >> > 23 07:28 .
> >> > drwx------. 7 kcinimod kcinimod
> >> > sys.id:sys.role:fs.tmpfs.fs:s0 240 May
> >> > 22 21:50 ..
> >> > srwx------. 1 kcinimod kcinimod
> >> > wheel.id:wheel.role:gpg.agent.gpg_tmpfs.user_tmpfs_file:s0 0 May
> >> > 23 08:43 S.gpg-agent
> >> > srwx------. 1 kcinimod kcinimod
> >> > wheel.id:wheel.role:gpg.agent.gpg_tmpfs.user_tmpfs_file:s0 0 May
> >> > 23 07:28 S.gpg-agent.browser
> >> > srwx------. 1 kcinimod kcinimod
> >> > wheel.id:wheel.role:gpg.agent.gpg_tmpfs.user_tmpfs_file:s0 0 May
> >> > 23 07:28 S.gpg-agent.extra
> >> > srwx------. 1 kcinimod kcinimod
> >> > wheel.id:wheel.role:gpg.agent.gpg_tmpfs.user_tmpfs_file:s0 0 May
> >> > 23 07:28 S.gpg-agent.ssh
> >> > srwx------. 1 kcinimod kcinimod
> >> > wheel.id:wheel.role:gpg.scdaemon.gpg_tmpfs.user_tmpfs_file:s0 0 May
> >> > 23 07:28 S.scdaemon
> >> >
> >> > here are some of the type transitions:
> >> >
> >> > type_transition wheel_gpg.subj fs.tmpfs.fs:dir
> >> > gpg.tmpfs.user_tmpfs_file "gnupg";
> >> > type_transition wheel_gpg.subj fs.tmpfs.fs:file
> >> > users.generic_tmpfs.user_tmpfs_file;
> >> > type_transition wheel_gpg.subj gpg.home.home_file:dir
> >> > gpg.dirmngr.gpg_home.home_file "crls.d";
> >> > type_transition wheel_gpg.subj gpg.home.home_file:dir
> >> > gpg.dirmngr.gpg_home.home_file "dirmngr-cache.d";
> >> > type_transition wheel_gpg.subj gpg.home.home_file:file
> >> > gpg.dirmngr.gpg_home.home_file "dirmngr.conf";
> >> > type_transition wheel_gpg.subj gpg.home.home_file:sock_file
> >> > gpg.dirmngr.gpg_home.home_file "S.dirmngr";
> >> > type_transition wheel_gpg.subj users.home_dir.file:dir
> >> > gpg.home.home_file ".gnupg";
> >> > type_transition wheel_gpg_agent.subj fs.tmpfs.fs:dir
> >> > gpg.tmpfs.user_tmpfs_file "gnupg";
> >> > type_transition wheel_gpg_agent.subj gpg.home.home_file:dir
> >> > gpg.agent.gpg_home.home_file "private-keys-v1.d";
> >> > type_transition wheel_gpg_agent.subj gpg.home.home_file:file
> >> > gpg.agent.gpg_home.home_file "gpg-agent.conf";
> >> > type_transition wheel_gpg_agent.subj gpg.home.home_file:file
> >> > gpg.agent.gpg_home.home_file "gpg-agent.log";
> >> > type_transition wheel_gpg_agent.subj gpg.home.home_file:file
> >> > gpg.agent.gpg_home.home_file "sshcontrol";
> >> > type_transition wheel_gpg_agent.subj gpg.home.home_file:sock_file
> >> > gpg.agent.gpg_home.home_file "S.gpg-agent";
> >> > type_transition wheel_gpg_agent.subj gpg.home.home_file:sock_file
> >> > gpg.agent.gpg_home.home_file "S.gpg-agent.browser";
> >> > type_transition wheel_gpg_agent.subj gpg.home.home_file:sock_file
> >> > gpg.agent.gpg_home.home_file "S.gpg-agent.extra";
> >> > type_transition wheel_gpg_agent.subj gpg.home.home_file:sock_file
> >> > gpg.agent.gpg_home.home_file "S.gpg-agent.ssh";
> >> > type_transition wheel_gpg_agent.subj
> >> > gpg.tmpfs.user_tmpfs_file:sock_file
> >> > gpg.agent.gpg_tmpfs.user_tmpfs_file "S.gpg-agent";
> >> > type_transition wheel_gpg_agent.subj
> >> > gpg.tmpfs.user_tmpfs_file:sock_file
> >> > gpg.agent.gpg_tmpfs.user_tmpfs_file "S.gpg-agent.browser";
> >> > type_transition wheel_gpg_agent.subj
> >> > gpg.tmpfs.user_tmpfs_file:sock_file
> >> > gpg.agent.gpg_tmpfs.user_tmpfs_file "S.gpg-agent.extra";
> >> > type_transition wheel_gpg_agent.subj
> >> > gpg.tmpfs.user_tmpfs_file:sock_file
> >> > gpg.agent.gpg_tmpfs.user_tmpfs_file "S.gpg-agent.ssh";
> >> > type_transition wheel_gpg_agent.subj users.home_dir.file:dir
> >> > gpg.home.home_file ".gnupg";
> >> >
> >> > > > >
> >> > > > > ifdef(`hide_broken_symptoms',`
> >> > > > > userdom_dontaudit_read_user_tmp_files(gpg_agent_t)
> >> > > > > @@ -310,6 +316,7 @@ fs_tmpfs_filetrans(gpg_pinentry_t, gpg_p
> >> > > > >
> >> > > > > can_exec(gpg_pinentry_t, gpg_pinentry_exec_t)
> >> > > > >
> >> > > > > +kernel_dontaudit_search_sysctl(gpg_pinentry_t)
> >> > > > > kernel_read_system_state(gpg_pinentry_t)
> >> > > > >
> >> > > > > corecmd_exec_shell(gpg_pinentry_t)
> >> > > > > @@ -327,6 +334,7 @@ domain_use_interactive_fds(gpg_pinentry_
> >> > > > >
> >> > > > > files_read_usr_files(gpg_pinentry_t)
> >> > > > >
> >> > > > > +fs_dontaudit_getattr_xattr_fs(gpg_pinentry_t)
> >> > > > > fs_dontaudit_list_inotifyfs(gpg_pinentry_t)
> >> > > > >
> >> > > > > auth_use_nsswitch(gpg_pinentry_t)
> >>
> >> Regards,
> >>
> >> Guido
> >
> > --
> > Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
> > https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
> > Dominick Grift
> >
> >

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

2017-05-23 21:20:37

by Guido Trentalancia

Subject: [refpolicy] [PATCH] gpg: manage user runtime socket files and directories

Hello Christopher.

On Mon, 22/05/2017 at 19.24 -0400, Chris PeBenito wrote:
> On 05/21/2017 12:21 PM, Guido Trentalancia via refpolicy wrote:
> > Update the gpg module so that it can correctly manage socket files
> > and directories in the user runtime directories.
> >
> > Some other minor fixes are also included in this patch.
> >
> > Signed-off-by: Guido Trentalancia <[email protected]>
> > ---
> >  policy/modules/contrib/gpg.te |   10 +++++++++-
> >  1 file changed, 9 insertions(+), 1 deletion(-)
> >
> > --- a/policy/modules/contrib/gpg.te 2017-04-26
> > 17:47:20.555423022 +0200
> > +++ b/policy/modules/contrib/gpg.te 2017-05-21
> > 18:13:36.728343506 +0200
> > @@ -124,6 +124,8 @@ miscfiles_read_localization(gpg_t)
> >
> > ?userdom_use_user_terminals(gpg_t)
> >
> > +userdom_manage_user_runtime_dirs(gpg_t)
> > +userdom_manage_user_tmp_dirs(gpg_t)
> > ?userdom_manage_user_tmp_files(gpg_t)
> > ?userdom_manage_user_home_content_files(gpg_t)
> > ?userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)
> > @@ -247,10 +249,14 @@ fs_dontaudit_list_inotifyfs(gpg_agent_t)
> >
> > ?miscfiles_read_localization(gpg_agent_t)
> >
> > +userdom_manage_user_runtime_dirs(gpg_agent_t)
> > +userdom_manage_user_tmp_dirs(gpg_agent_t)
> > +userdom_manage_user_tmp_files(gpg_agent_t)
>
> It's not clear what's going on here, but perhaps these make more sense
> as a new gpg_runtime_t?

The directory, as already explained is /var/run/user/USERID/gnupg.

I think there is very little gain in defining a new gpg_runtime_t file
type, because "runtime" here is equivalent to "temporary": the files
refer to a specific instance of a gpg_agent process and they do not
survive after that process terminates.

As for the extra userdom_manage_user_tmp_{dirs,files}() interfaces, I
have removed them in a new version. They are not really needed; I had
previously added them just in case, for future use, and because they are
currently used by gpg_t.

I hope you can now merge the new version (v2) which will follow
shortly.

> > ?userdom_use_user_terminals(gpg_agent_t)
> > ?userdom_search_user_home_dirs(gpg_agent_t)
> > ?userdom_search_user_runtime(gpg_agent_t)
> > -userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, dir)
> > +userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, { dir
> > file sock_file })
> >
> > ?ifdef(`hide_broken_symptoms',`
> > ? userdom_dontaudit_read_user_tmp_files(gpg_agent_t)
> > @@ -310,6 +316,7 @@ fs_tmpfs_filetrans(gpg_pinentry_t, gpg_p
> >
> > ?can_exec(gpg_pinentry_t, gpg_pinentry_exec_t)
> >
> > +kernel_dontaudit_search_sysctl(gpg_pinentry_t)
> > ?kernel_read_system_state(gpg_pinentry_t)
> >
> > ?corecmd_exec_shell(gpg_pinentry_t)
> > @@ -327,6 +334,7 @@ domain_use_interactive_fds(gpg_pinentry_
> >
> > ?files_read_usr_files(gpg_pinentry_t)
> >
> > +fs_dontaudit_getattr_xattr_fs(gpg_pinentry_t)
> > ?fs_dontaudit_list_inotifyfs(gpg_pinentry_t)
> >
> > ?auth_use_nsswitch(gpg_pinentry_t)
>
>

Regards,

Guido

2017-05-23 21:21:53

by Guido Trentalancia

Subject: [refpolicy] [PATCH v2] gpg: manage user runtime socket files and directories

Update the gpg module so that it can correctly manage socket files
and directories in the user runtime directories.

Some other minor fixes are also included in this patch.

This is the second version (v2) of this patch; it includes some
improvements based on feedback received from Christopher PeBenito.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/gpg.te | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)

--- a/policy/modules/contrib/gpg.te 2017-04-26 17:47:20.555423022 +0200
+++ b/policy/modules/contrib/gpg.te 2017-05-21 18:13:36.728343506 +0200
@@ -124,6 +124,8 @@ miscfiles_read_localization(gpg_t)

userdom_use_user_terminals(gpg_t)

+userdom_manage_user_runtime_dirs(gpg_t)
+userdom_manage_user_tmp_dirs(gpg_t)
userdom_manage_user_tmp_files(gpg_t)
userdom_manage_user_home_content_files(gpg_t)
userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)
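Review bot: `userdom_manage_user_runtime_dirs(gpg_t)` grants gpg_t create/delete/rename on every user_runtime_t directory, i.e. the whole per-user runtime tree that other applications share, while the only directory gpg appears to need there is its own gnupg subdirectory. The narrower form is a private type for that subdirectory plus a named transition, `userdom_user_runtime_filetrans(gpg_t, <private runtime type>, dir, "gnupg")`, which is what the later v3 in this thread does with gpg_runtime_t; that keeps gpg_t out of other applications' runtime directories. The same rule is added for gpg_agent_t in the @@ -247 hunk. The gpg_t local policy block continues outside this hunk.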
@@ -247,10 +249,12 @@ fs_dontaudit_list_inotifyfs(gpg_agent_t)

miscfiles_read_localization(gpg_agent_t)

+userdom_manage_user_runtime_dirs(gpg_agent_t)
+
userdom_use_user_terminals(gpg_agent_t)
userdom_search_user_home_dirs(gpg_agent_t)
userdom_search_user_runtime(gpg_agent_t)
-userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, dir)
+userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, { dir file sock_file })

ifdef(`hide_broken_symptoms',`
userdom_dontaudit_read_user_tmp_files(gpg_agent_t)
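Review bot: The widened transition `userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, { dir file sock_file })` is unnamed, so any file or socket gpg_agent_t creates directly in a user_runtime_t directory, not only under gnupg/, becomes gpg_agent_tmp_t. If the agent's sockets live inside the gnupg subdirectory (as the existing /run/user/%{USERID}/gnupg(/.*)? file context suggests), the file and sock_file classes are presumably not needed at the user_runtime_t level and the dir transition can carry a name, `userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, dir, "gnupg")`. The ifdef block at the end of the hunk continues outside it.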
@@ -310,6 +316,7 @@ fs_tmpfs_filetrans(gpg_pinentry_t, gpg_p

can_exec(gpg_pinentry_t, gpg_pinentry_exec_t)

+kernel_dontaudit_search_sysctl(gpg_pinentry_t)
kernel_read_system_state(gpg_pinentry_t)

corecmd_exec_shell(gpg_pinentry_t)
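Review bot: The new dontaudit rules here and in the @@ -327 hunk (`kernel_dontaudit_search_sysctl`, `fs_dontaudit_getattr_xattr_fs`) silence denials without recording what triggers them, which makes it hard to tell later whether the access became a real requirement. A one-line comment above each naming the operation that produced the denial (e.g. which pinentry front end and at what point) would let a maintainer re-evaluate the rule; the exact trigger is not visible in this hunk, so I cannot propose the wording.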
@@ -327,6 +334,7 @@ domain_use_interactive_fds(gpg_pinentry_

files_read_usr_files(gpg_pinentry_t)

+fs_dontaudit_getattr_xattr_fs(gpg_pinentry_t)
fs_dontaudit_list_inotifyfs(gpg_pinentry_t)

auth_use_nsswitch(gpg_pinentry_t)

2017-05-24 00:18:03

by Chris PeBenito

Subject: [refpolicy] [PATCH] gpg: manage user runtime socket files and directories

On 05/23/2017 11:59 AM, Dominick Grift via refpolicy wrote:
> On Tue, May 23, 2017 at 05:12:09PM +0200, Guido Trentalancia via refpolicy wrote:
>> On Tue, 23/05/2017 at 09.06 +0200, Dominick Grift via
>> refpolicy wrote:
>>> On Tue, May 23, 2017 at 03:04:52AM +0200, Guido Trentalancia via
>>> refpolicy wrote:
>>>> Hello and thanks for getting back...
>>>>
>>>> On the 23rd of May 2017 01:24:59 CEST, Chris PeBenito <pebenito@iee
>>>> e.org> wrote:
>>>>> On 05/21/2017 12:21 PM, Guido Trentalancia via refpolicy wrote:
>>>>>> Update the gpg module so that it can correctly manage socket
>>>>>> files
>>>>>> and directories in the user runtime directories.
>>>>>>
>>>>>> Some other minor fixes are also included in this patch.
>>>>>>
>>>>>> Signed-off-by: Guido Trentalancia <[email protected]>
>>>>>> ---
>>>>>> policy/modules/contrib/gpg.te | 10 +++++++++-
>>>>>> 1 file changed, 9 insertions(+), 1 deletion(-)
>>>>>>
>>>>>> --- a/policy/modules/contrib/gpg.te 2017-04-26
>>>>>> 17:47:20.555423022
>>>>>
>>>>> +0200
>>>>>> +++ b/policy/modules/contrib/gpg.te 2017-05-21
>>>>>> 18:13:36.728343506
>>>>>
>>>>> +0200
>>>>>> @@ -124,6 +124,8 @@ miscfiles_read_localization(gpg_t)
>>>>>>
>>>>>> userdom_use_user_terminals(gpg_t)
>>>>>>
>>>>>> +userdom_manage_user_runtime_dirs(gpg_t)
>>>
>>> gpg_t cannot create user runtime dirs because that requires root
>>> access
>>
>> This is not necessarily true. Perhaps you are referring to your system
>> or some specific distribution, but it is not true in general.
>>
>> There is nothing that dictates that a user runtime directory can only
>> be created by root.
>>
>>>>>> +userdom_manage_user_tmp_dirs(gpg_t)
>>>
>>> gpg_t shouldnt have to create generic user tmp dirs.
>>
>> Usually temporary files are created within a temporary directory.
>>
>> I cannot see a risk with allowing gpg_t to create temporary directories
>> in addition to temporary files.
>>
>>>>>> userdom_manage_user_tmp_files(gpg_t)
>>>>>> userdom_manage_user_home_content_files(gpg_t)
>>>>>> userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)
>>>>>> @@ -247,10 +249,14 @@ fs_dontaudit_list_inotifyfs(gpg_agent_t)
>>>>>>
>>>>>> miscfiles_read_localization(gpg_agent_t)
>>>>>>
>>>>>> +userdom_manage_user_runtime_dirs(gpg_agent_t)
>>>
>>> gpg_agent_t cannot create user_runtime dirs because that requires
>>> root access
>>
>> This is not necessarily true (see above).
>>
>
> I think we should probably make a distinction between what the root of the user runtime dirs is and what the content is. Currently, I believe, user_runtime_t is used for the runtime root (/run/user/USERID).

Yes, there is a user_runtime_root_t.

--
Chris PeBenito

2017-05-24 00:41:22

by Guido Trentalancia

Subject: [refpolicy] [PATCH] gpg: manage user runtime socket files and directories

Hello again.

On the 24th of May 2017 02:18:03 CEST, Chris PeBenito via refpolicy <[email protected]> wrote:
>On 05/23/2017 11:59 AM, Dominick Grift via refpolicy wrote:
>> On Tue, May 23, 2017 at 05:12:09PM +0200, Guido Trentalancia via
>refpolicy wrote:
>>> On Tue, 23/05/2017 at 09.06 +0200, Dominick Grift via
>>> refpolicy wrote:
>>>> On Tue, May 23, 2017 at 03:04:52AM +0200, Guido Trentalancia via
>>>> refpolicy wrote:
>>>>> Hello and thanks for getting back...
>>>>>
>>>>> On the 23rd of May 2017 01:24:59 CEST, Chris PeBenito
><pebenito@iee
>>>>> e.org> wrote:
>>>>>> On 05/21/2017 12:21 PM, Guido Trentalancia via refpolicy wrote:
>>>>>>> Update the gpg module so that it can correctly manage socket
>>>>>>> files
>>>>>>> and directories in the user runtime directories.
>>>>>>>
>>>>>>> Some other minor fixes are also included in this patch.
>>>>>>>
>>>>>>> Signed-off-by: Guido Trentalancia <[email protected]>
>>>>>>> ---
>>>>>>> policy/modules/contrib/gpg.te | 10 +++++++++-
>>>>>>> 1 file changed, 9 insertions(+), 1 deletion(-)
>>>>>>>

[...]

>>>>>>> @@ -247,10 +249,14 @@ fs_dontaudit_list_inotifyfs(gpg_agent_t)
>>>>>>>
>>>>>>> miscfiles_read_localization(gpg_agent_t)
>>>>>>>
>>>>>>> +userdom_manage_user_runtime_dirs(gpg_agent_t)
>>>>
>>>> gpg_agent_t cannot create user_runtime dirs because that requires
>>>> root access
>>>
>>> This is not necessarily true (see above).
>>>
>>
>> I think we should probably make a distinction between what the root
>of the user runtime dirs is and what the content is. currently, i
>believe, user_runtime_t is used for the runtime root i suspect
>(/run/user/USERID)
>
>Yes, there is a user_runtime_root_t.

I do not clearly understand the point.
However the patch has been tested and it works fine!

It only needs to manage user_runtime_t directories, not the user_runtime_root_t if this is what you mean...

A new version (v2) of this patch has been posted.

I hope it helps!

Regards,

Guido

2017-05-24 05:36:26

by Dac Override

Subject: [refpolicy] [PATCH] gpg: manage user runtime socket files and directories

On Wed, May 24, 2017 at 02:41:22AM +0200, Guido Trentalancia via refpolicy wrote:
> Hello again.
>
> On the 24th of May 2017 02:18:03 CEST, Chris PeBenito via refpolicy <[email protected]> wrote:
> >On 05/23/2017 11:59 AM, Dominick Grift via refpolicy wrote:
> >> On Tue, May 23, 2017 at 05:12:09PM +0200, Guido Trentalancia via
> >refpolicy wrote:
> >>> On Tue, 23/05/2017 at 09.06 +0200, Dominick Grift via
> >>> refpolicy wrote:
> >>>> On Tue, May 23, 2017 at 03:04:52AM +0200, Guido Trentalancia via
> >>>> refpolicy wrote:
> >>>>> Hello and thanks for getting back...
> >>>>>
> >>>>> On the 23rd of May 2017 01:24:59 CEST, Chris PeBenito
> ><pebenito@iee
> >>>>> e.org> wrote:
> >>>>>> On 05/21/2017 12:21 PM, Guido Trentalancia via refpolicy wrote:
> >>>>>>> Update the gpg module so that it can correctly manage socket
> >>>>>>> files
> >>>>>>> and directories in the user runtime directories.
> >>>>>>>
> >>>>>>> Some other minor fixes are also included in this patch.
> >>>>>>>
> >>>>>>> Signed-off-by: Guido Trentalancia <[email protected]>
> >>>>>>> ---
> >>>>>>> policy/modules/contrib/gpg.te | 10 +++++++++-
> >>>>>>> 1 file changed, 9 insertions(+), 1 deletion(-)
> >>>>>>>
>
> [...]
>
> >>>>>>> @@ -247,10 +249,14 @@ fs_dontaudit_list_inotifyfs(gpg_agent_t)
> >>>>>>>
> >>>>>>> miscfiles_read_localization(gpg_agent_t)
> >>>>>>>
> >>>>>>> +userdom_manage_user_runtime_dirs(gpg_agent_t)
> >>>>
> >>>> gpg_agent_t cannot create user_runtime dirs because that requires
> >>>> root access
> >>>
> >>> This is not necessarily true (see above).
> >>>
> >>
> >> I think we should probably make a distinction between what the root
> >of the user runtime dirs is and what the content is. currently, i
> >believe, user_runtime_t is used for the runtime root i suspect
> >(/run/user/USERID)
> >
> >Yes, there is a user_runtime_root_t.
>
> I do not clearly understand the point.

Well, the runtime root is owned by root, is used as a mountpoint, and is potentially a poly-instantiation parent.

> However the patch has been tested and it works fine!
>
> It only needs to manage user_runtime_t directories, not the user_runtime_root_t if this is what you mean...
>
> A new version (v2) of this patch has been posted.
>
> I hope it helps!
>
> Regards,
>
> Guido
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

2017-05-24 16:32:07

by Guido Trentalancia

Subject: [refpolicy] [PATCH v3] gpg: manage user runtime socket files and directories

Update the gpg module so that it can correctly manage socket files
and directories in the user runtime directories.

Update the gpg module in order to support dirmngr (gpg version 2).

Some other minor gpg fixes are also included in this patch.

This is the third version (v3) of this patch. Since version 2, it
features some improvements thanks to feedback received from
Christopher PeBenito.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/gpg.fc | 4 +-
policy/modules/contrib/gpg.if | 22 ++++++++++++
policy/modules/contrib/gpg.te | 76 +++++++++++++++++++++++++++++++++++++++++-
3 files changed, 100 insertions(+), 2 deletions(-)

--- a/policy/modules/contrib/gpg.fc 2017-03-29 17:58:00.281386397 +0200
+++ b/policy/modules/contrib/gpg.fc 2017-05-24 18:18:33.792680617 +0200
@@ -1,8 +1,10 @@
HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0)
HOME_DIR/\.gnupg/log-socket -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
+HOME_DIR/\.gnupg/S\.dirmngr -s gen_context(system_u:object_r:gpg_dirmngr_tmp_t,s0)
HOME_DIR/\.gnupg/S\.gpg-agent.* -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
HOME_DIR/\.gnupg/S\.scdaemon -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)

+/usr/bin/dirmngr.* -- gen_context(system_u:object_r:gpg_dirmngr_exec_t,s0)
/usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0)
/usr/bin/gpgsm -- gen_context(system_u:object_r:gpg_exec_t,s0)
/usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0)
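Review bot: The new pattern `/usr/bin/dirmngr.*` matches every file whose name starts with "dirmngr", so any helper or client binary installed beside the daemon under that prefix would also be labeled gpg_dirmngr_exec_t and enter the gpg_dirmngr_t daemon domain when run from gpg_t. The neighbouring entries are anchored (`gpg(2)?`, `gpgsm`), so the consistent form is `/usr/bin/dirmngr -- gen_context(system_u:object_r:gpg_dirmngr_exec_t,s0)`, with any further binaries listed explicitly if they really need the same label.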
@@ -11,4 +13,4 @@ HOME_DIR/\.gnupg/S\.scdaemon -s gen_con
/usr/lib/gnupg/.* -- gen_context(system_u:object_r:gpg_exec_t,s0)
/usr/lib/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0)

-/run/user/%{USERID}/gnupg(/.*)? gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
+/run/user/%{USERID}/gnupg(/.*)? gen_context(system_u:object_r:gpg_runtime_t,s0)
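Review bot: The `(/.*)?` suffix labels everything below /run/user/UID/gnupg as gpg_runtime_t, yet the gpg.te hunks at @@ -226 and @@ -291 transition the sockets created in that directory to gpg_agent_tmp_t and gpg_dirmngr_tmp_t. A relabel (restorecon) would therefore turn those sockets into gpg_runtime_t, which the stream_connect rules on gpg_dirmngr_tmp_t (and presumably the agent's, outside this patch) do not cover. Either drop the suffix so only the directory itself is gpg_runtime_t, or add explicit socket entries mirroring the HOME_DIR ones, e.g. `/run/user/%{USERID}/gnupg/S\.dirmngr -s gen_context(system_u:object_r:gpg_dirmngr_tmp_t,s0)`.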
--- a/policy/modules/contrib/gpg.if 2017-03-29 17:58:00.282386397 +0200
+++ b/policy/modules/contrib/gpg.if 2017-05-24 16:57:35.837700478 +0200
@@ -214,6 +214,28 @@ interface(`gpg_stream_connect_agent',`
userdom_search_user_home_dirs($1)
')

+######################################
+## <summary>
+## Connect to gpg dirmngr socket
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gpg_stream_connect_dirmngr',`
+ gen_require(`
+ type gpg_dirmngr_t, gpg_dirmngr_tmp_t;
+ type gpg_secret_t;
+ ')
+
+ stream_connect_pattern($1, gpg_dirmngr_tmp_t, gpg_dirmngr_tmp_t, gpg_dirmngr_t)
+ allow $1 gpg_secret_t:dir search_dir_perms;
+ userdom_search_user_runtime($1)
+ userdom_search_user_home_dirs($1)
+')
+
########################################
## <summary>
## Send messages to and from gpg
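Review bot: `stream_connect_pattern($1, gpg_dirmngr_tmp_t, gpg_dirmngr_tmp_t, gpg_dirmngr_t)` grants search only on gpg_dirmngr_tmp_t directories, but the socket callers reach in the runtime tree sits under /run/user/UID/gnupg, which the gpg.fc hunk labels gpg_runtime_t; without search on that directory a caller cannot traverse to it. Add `type gpg_runtime_t;` to the gen_require block and `allow $1 gpg_runtime_t:dir search_dir_perms;` next to the gpg_secret_t search rule. The interface is complete within the hunk.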
--- a/policy/modules/contrib/gpg.te 2017-04-26 17:47:20.555423022 +0200
+++ b/policy/modules/contrib/gpg.te 2017-05-24 18:21:19.538679939 +0200
@@ -19,6 +19,8 @@ roleattribute system_r gpg_roles;

attribute_role gpg_agent_roles;

+attribute_role gpg_dirmngr_roles;
+
attribute_role gpg_helper_roles;
roleattribute system_r gpg_helper_roles;

@@ -29,6 +31,9 @@ type gpg_exec_t;
userdom_user_application_domain(gpg_t, gpg_exec_t)
role gpg_roles types gpg_t;

+type gpg_runtime_t;
+files_pid_file(gpg_runtime_t)
+
type gpg_agent_t;
type gpg_agent_exec_t;
userdom_user_application_domain(gpg_agent_t, gpg_agent_exec_t)
@@ -37,6 +42,14 @@ role gpg_agent_roles types gpg_agent_t;
type gpg_agent_tmp_t;
userdom_user_tmp_file(gpg_agent_tmp_t)

+type gpg_dirmngr_t;
+type gpg_dirmngr_exec_t;
+userdom_user_application_domain(gpg_dirmngr_t, gpg_dirmngr_exec_t)
+role gpg_dirmngr_roles types gpg_dirmngr_t;
+
+type gpg_dirmngr_tmp_t;
+userdom_user_tmp_file(gpg_dirmngr_tmp_t)
+
type gpg_secret_t;
userdom_user_home_content(gpg_secret_t)

@@ -72,10 +85,19 @@ dontaudit gpg_t self:netlink_audit_socke
allow gpg_t self:fifo_file rw_fifo_file_perms;
allow gpg_t self:tcp_socket { accept listen };

+manage_dirs_pattern(gpg_t, gpg_runtime_t, gpg_runtime_t)
+userdom_user_runtime_filetrans(gpg_t, gpg_runtime_t, dir, "gnupg")
+
manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
+manage_sock_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
files_tmp_filetrans(gpg_t, gpg_agent_tmp_t, { dir file })

+manage_dirs_pattern(gpg_t, gpg_dirmngr_tmp_t, gpg_dirmngr_tmp_t)
+manage_files_pattern(gpg_t, gpg_dirmngr_tmp_t, gpg_dirmngr_tmp_t)
+manage_sock_files_pattern(gpg_t, gpg_dirmngr_tmp_t, gpg_dirmngr_tmp_t)
+manage_sock_files_pattern(gpg_t, gpg_dirmngr_tmp_t, gpg_dirmngr_tmp_t)
+
manage_dirs_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
manage_sock_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
manage_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
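Review bot: `manage_sock_files_pattern(gpg_t, gpg_dirmngr_tmp_t, gpg_dirmngr_tmp_t)` is added twice in a row; drop the duplicate. Beyond that, gpg_t as the client gets full manage rights over gpg_dirmngr_tmp_t directories, files and sockets even though the next hunk already gives it `gpg_stream_connect_dirmngr(gpg_t)`; if gpg only needs to connect (and perhaps unlink a stale socket), the manage_dirs/files patterns are wider than necessary — worth confirming against observed denials. The gpg_t local policy continues outside the hunk.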
@@ -83,8 +105,10 @@ manage_lnk_files_pattern(gpg_t, gpg_secr
userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir)

gpg_stream_connect_agent(gpg_t)
+gpg_stream_connect_dirmngr(gpg_t)

domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
+domtrans_pattern(gpg_t, gpg_dirmngr_exec_t, gpg_dirmngr_t)
domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)

kernel_read_crypto_sysctls(gpg_t)
@@ -124,6 +148,7 @@ miscfiles_read_localization(gpg_t)

userdom_use_user_terminals(gpg_t)

+userdom_manage_user_tmp_dirs(gpg_t)
userdom_manage_user_tmp_files(gpg_t)
userdom_manage_user_home_content_files(gpg_t)
userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)
@@ -215,6 +240,9 @@ manage_sock_files_pattern(gpg_agent_t, g
manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)

+manage_dirs_pattern(gpg_agent_t, gpg_runtime_t, gpg_runtime_t)
+userdom_user_runtime_filetrans(gpg_agent_t, gpg_runtime_t, dir, "gnupg")
+
manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
@@ -226,6 +254,12 @@ filetrans_pattern(gpg_agent_t, gpg_secre
filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.extra")
filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.ssh")
filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.scdaemon")
+filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, sock_file, "log-socket")
+filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent")
+filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.browser")
+filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.extra")
+filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.ssh")
+filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, sock_file, "S.scdaemon")

domtrans_pattern(gpg_agent_t, gpg_pinentry_exec_t, gpg_pinentry_t)

@@ -250,7 +284,7 @@ miscfiles_read_localization(gpg_agent_t)
userdom_use_user_terminals(gpg_agent_t)
userdom_search_user_home_dirs(gpg_agent_t)
userdom_search_user_runtime(gpg_agent_t)
-userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, dir)
+userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, { dir file sock_file })

ifdef(`hide_broken_symptoms',`
userdom_dontaudit_read_user_tmp_files(gpg_agent_t)
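Review bot: With the named `userdom_user_runtime_filetrans(gpg_agent_t, gpg_runtime_t, dir, "gnupg")` added at @@ -215, the unnamed `{ dir file sock_file }` transition to gpg_agent_tmp_t kept here still labels any other object gpg_agent_t creates directly in user_runtime_t, outside gnupg/, as gpg_agent_tmp_t. If the agent creates nothing at that level, this line looks redundant after the patch and can be dropped; if it does, a comment saying which object it covers would help. The ifdef block continues outside the hunk.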
@@ -291,6 +325,44 @@ optional_policy(`
xserver_read_user_xauth(gpg_agent_t)
')

+#######################################
+#
+# Dirmngr local policy
+#
+
+allow gpg_dirmngr_t gpg_secret_t:file read_file_perms;
+
+manage_dirs_pattern(gpg_dirmngr_t, gpg_runtime_t, gpg_runtime_t)
+userdom_user_runtime_filetrans(gpg_dirmngr_t, gpg_runtime_t, dir, "gnupg")
+
+manage_dirs_pattern(gpg_dirmngr_t, gpg_dirmngr_tmp_t, gpg_dirmngr_tmp_t)
+manage_files_pattern(gpg_dirmngr_t, gpg_dirmngr_tmp_t, gpg_dirmngr_tmp_t)
+manage_sock_files_pattern(gpg_dirmngr_t, gpg_dirmngr_tmp_t, gpg_dirmngr_tmp_t)
+filetrans_pattern(gpg_dirmngr_t, gpg_runtime_t, gpg_dirmngr_tmp_t, sock_file, "S.dirmngr")
+
+corenet_sendrecv_pgpkeyserver_client_packets(gpg_dirmngr_t)
+corenet_tcp_connect_pgpkeyserver_port(gpg_dirmngr_t)
+corenet_tcp_sendrecv_pgpkeyserver_port(gpg_dirmngr_t)
+
+corenet_udp_bind_all_unreserved_ports(gpg_dirmngr_t)
+corenet_udp_bind_generic_node(gpg_dirmngr_t)
+
+dev_read_rand(gpg_dirmngr_t)
+dev_read_urand(gpg_dirmngr_t)
+
+files_read_etc_files(gpg_dirmngr_t)
+files_read_usr_files(gpg_dirmngr_t)
+
+miscfiles_read_all_certs(gpg_dirmngr_t)
+miscfiles_read_localization(gpg_dirmngr_t)
+
+sysnet_dns_name_resolve(gpg_dirmngr_t)
+
+userdom_search_user_home_dirs(gpg_dirmngr_t)
+
+userdom_search_user_runtime(gpg_dirmngr_t)
+userdom_user_runtime_filetrans(gpg_dirmngr_t, gpg_dirmngr_tmp_t, { dir file sock_file })
+
##############################
#
# Pinentry local policy
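Review bot: gpg.fc in this patch labels HOME_DIR/\.gnupg/S\.dirmngr as gpg_dirmngr_tmp_t, but the dirmngr block only grants `allow gpg_dirmngr_t gpg_secret_t:file read_file_perms;` — no dir search on gpg_secret_t and no home-directory socket transition matching the agent's rules at @@ -226 — so a socket created in ~/.gnupg would be labeled gpg_secret_t and the directory could not even be traversed. Add `allow gpg_dirmngr_t gpg_secret_t:dir search_dir_perms;` and `filetrans_pattern(gpg_dirmngr_t, gpg_secret_t, gpg_dirmngr_tmp_t, sock_file, "S.dirmngr")`. Separately, `corenet_udp_bind_all_unreserved_ports(gpg_dirmngr_t)` lets the daemon bind any unreserved UDP port; if that is only for name lookups, `sysnet_dns_name_resolve` a few lines below may already suffice, which is worth verifying before granting the broader rule. The dirmngr block is complete within the hunk.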
@@ -310,6 +382,7 @@ fs_tmpfs_filetrans(gpg_pinentry_t, gpg_p

can_exec(gpg_pinentry_t, gpg_pinentry_exec_t)

+kernel_dontaudit_search_sysctl(gpg_pinentry_t)
kernel_read_system_state(gpg_pinentry_t)

corecmd_exec_shell(gpg_pinentry_t)
@@ -327,6 +400,7 @@ domain_use_interactive_fds(gpg_pinentry_

files_read_usr_files(gpg_pinentry_t)

+fs_dontaudit_getattr_xattr_fs(gpg_pinentry_t)
fs_dontaudit_list_inotifyfs(gpg_pinentry_t)

auth_use_nsswitch(gpg_pinentry_t)

2017-05-24 17:37:13

by Jason Zaman

Subject: [refpolicy] [PATCH v3] gpg: manage user runtime socket files and directories

NACK to this whole thing. Why are you just redoing what I already did like
a week ago? Dirmngr already has a policy separate from gpg and what you're
doing will just conflict with it.
I've been too busy to fix and resend my patch. If you really want this in
at least take that version and fix what the comments were instead of doing
it again badly :P

-- Jason

On May 25, 2017 00:32, "Guido Trentalancia via refpolicy" <
[email protected]> wrote:

> Update the gpg module so that it can correctly manage socket files
> and directories in the user runtime directories.
>
> Update the gpg module in order to support dirmngr (gpg version 2).
>
> Some other minor gpg fixes are also included in this patch.
>
> This is the third version (v3) of this patch. Since version 2, it
> features some improvements thanks to feedback received from
> Christopher PeBenito.
>
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/contrib/gpg.fc | 4 +-
> policy/modules/contrib/gpg.if | 22 ++++++++++++
> policy/modules/contrib/gpg.te | 76 ++++++++++++++++++++++++++++++
> +++++++++++-
> 3 files changed, 100 insertions(+), 2 deletions(-)
>
> --- a/policy/modules/contrib/gpg.fc 2017-03-29 17:58:00.281386397
> +0200
> +++ b/policy/modules/contrib/gpg.fc 2017-05-24 18:18:33.792680617
> +0200
> @@ -1,8 +1,10 @@
> HOME_DIR/\.gnupg(/.+)?
> gen_context(system_u:object_r:gpg_secret_t,s0)
> HOME_DIR/\.gnupg/log-socket -s
> gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
> +HOME_DIR/\.gnupg/S\.dirmngr -s
> gen_context(system_u:object_r:gpg_dirmngr_tmp_t,s0)
> HOME_DIR/\.gnupg/S\.gpg-agent.* -s
> gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
> HOME_DIR/\.gnupg/S\.scdaemon -s
> gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
>
> +/usr/bin/dirmngr.* --
> gen_context(system_u:object_r:gpg_dirmngr_exec_t,s0)
> /usr/bin/gpg(2)? --
> gen_context(system_u:object_r:gpg_exec_t,s0)
> /usr/bin/gpgsm --
> gen_context(system_u:object_r:gpg_exec_t,s0)
> /usr/bin/gpg-agent --
> gen_context(system_u:object_r:gpg_agent_exec_t,s0)
> @@ -11,4 +13,4 @@ HOME_DIR/\.gnupg/S\.scdaemon -s gen_con
> /usr/lib/gnupg/.* --
> gen_context(system_u:object_r:gpg_exec_t,s0)
> /usr/lib/gnupg/gpgkeys.* --
> gen_context(system_u:object_r:gpg_helper_exec_t,s0)
>
> -/run/user/%{USERID}/gnupg(/.*)?
> gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
> +/run/user/%{USERID}/gnupg(/.*)?
> gen_context(system_u:object_r:gpg_runtime_t,s0)
> --- a/policy/modules/contrib/gpg.if 2017-03-29 17:58:00.282386397
> +0200
> +++ b/policy/modules/contrib/gpg.if 2017-05-24 16:57:35.837700478
> +0200
> @@ -214,6 +214,28 @@ interface(`gpg_stream_connect_agent',`
> userdom_search_user_home_dirs($1)
> ')
>
> +######################################
> +## <summary>
> +## Connect to gpg dirmngr socket
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`gpg_stream_connect_dirmngr',`
> + gen_require(`
> + type gpg_dirmngr_t, gpg_dirmngr_tmp_t;
> + type gpg_secret_t;
> + ')
> +
> + stream_connect_pattern($1, gpg_dirmngr_tmp_t, gpg_dirmngr_tmp_t,
> gpg_dirmngr_t)
> + allow $1 gpg_secret_t:dir search_dir_perms;
> + userdom_search_user_runtime($1)
> + userdom_search_user_home_dirs($1)
> +')
> +
> ########################################
> ## <summary>
> ## Send messages to and from gpg
> --- a/policy/modules/contrib/gpg.te 2017-04-26 17:47:20.555423022
> +0200
> +++ b/policy/modules/contrib/gpg.te 2017-05-24 18:21:19.538679939
> +0200
> @@ -19,6 +19,8 @@ roleattribute system_r gpg_roles;
>
> attribute_role gpg_agent_roles;
>
> +attribute_role gpg_dirmngr_roles;
> +
> attribute_role gpg_helper_roles;
> roleattribute system_r gpg_helper_roles;
>
> @@ -29,6 +31,9 @@ type gpg_exec_t;
> userdom_user_application_domain(gpg_t, gpg_exec_t)
> role gpg_roles types gpg_t;
>
> +type gpg_runtime_t;
> +files_pid_file(gpg_runtime_t)
> +
> type gpg_agent_t;
> type gpg_agent_exec_t;
> userdom_user_application_domain(gpg_agent_t, gpg_agent_exec_t)
> @@ -37,6 +42,14 @@ role gpg_agent_roles types gpg_agent_t;
> type gpg_agent_tmp_t;
> userdom_user_tmp_file(gpg_agent_tmp_t)
>
> +type gpg_dirmngr_t;
> +type gpg_dirmngr_exec_t;
> +userdom_user_application_domain(gpg_dirmngr_t, gpg_dirmngr_exec_t)
> +role gpg_dirmngr_roles types gpg_dirmngr_t;
> +
> +type gpg_dirmngr_tmp_t;
> +userdom_user_tmp_file(gpg_dirmngr_tmp_t)
> +
> type gpg_secret_t;
> userdom_user_home_content(gpg_secret_t)
>
> @@ -72,10 +85,19 @@ dontaudit gpg_t self:netlink_audit_socke
> allow gpg_t self:fifo_file rw_fifo_file_perms;
> allow gpg_t self:tcp_socket { accept listen };
>
> +manage_dirs_pattern(gpg_t, gpg_runtime_t, gpg_runtime_t)
> +userdom_user_runtime_filetrans(gpg_t, gpg_runtime_t, dir, "gnupg")
> +
> manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
> manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
> +manage_sock_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
> files_tmp_filetrans(gpg_t, gpg_agent_tmp_t, { dir file })
>
> +manage_dirs_pattern(gpg_t, gpg_dirmngr_tmp_t, gpg_dirmngr_tmp_t)
> +manage_files_pattern(gpg_t, gpg_dirmngr_tmp_t, gpg_dirmngr_tmp_t)
> +manage_sock_files_pattern(gpg_t, gpg_dirmngr_tmp_t, gpg_dirmngr_tmp_t)
> +manage_sock_files_pattern(gpg_t, gpg_dirmngr_tmp_t, gpg_dirmngr_tmp_t)
> +
> manage_dirs_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
> manage_sock_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
> manage_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
> @@ -83,8 +105,10 @@ manage_lnk_files_pattern(gpg_t, gpg_secr
> userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir)
>
> gpg_stream_connect_agent(gpg_t)
> +gpg_stream_connect_dirmngr(gpg_t)
>
> domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
> +domtrans_pattern(gpg_t, gpg_dirmngr_exec_t, gpg_dirmngr_t)
> domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)
>
> kernel_read_crypto_sysctls(gpg_t)
> @@ -124,6 +148,7 @@ miscfiles_read_localization(gpg_t)
>
> userdom_use_user_terminals(gpg_t)
>
> +userdom_manage_user_tmp_dirs(gpg_t)
> userdom_manage_user_tmp_files(gpg_t)
> userdom_manage_user_home_content_files(gpg_t)
> userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)
> @@ -215,6 +240,9 @@ manage_sock_files_pattern(gpg_agent_t, g
> manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
> manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
>
> +manage_dirs_pattern(gpg_agent_t, gpg_runtime_t, gpg_runtime_t)
> +userdom_user_runtime_filetrans(gpg_agent_t, gpg_runtime_t, dir, "gnupg")
> +
> manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
> manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
> manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
> @@ -226,6 +254,12 @@ filetrans_pattern(gpg_agent_t, gpg_secre
> filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file,
> "S.gpg-agent.extra")
> filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file,
> "S.gpg-agent.ssh")
> filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file,
> "S.scdaemon")
> +filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t,
> sock_file, "log-socket")
> +filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t,
> sock_file, "S.gpg-agent")
> +filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t,
> sock_file, "S.gpg-agent.browser")
> +filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t,
> sock_file, "S.gpg-agent.extra")
> +filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t,
> sock_file, "S.gpg-agent.ssh")
> +filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t,
> sock_file, "S.scdaemon")
>
> domtrans_pattern(gpg_agent_t, gpg_pinentry_exec_t, gpg_pinentry_t)
>
> @@ -250,7 +284,7 @@ miscfiles_read_localization(gpg_agent_t)
> userdom_use_user_terminals(gpg_agent_t)
> userdom_search_user_home_dirs(gpg_agent_t)
> userdom_search_user_runtime(gpg_agent_t)
> -userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, dir)
> +userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, { dir file
> sock_file })
>
> ifdef(`hide_broken_symptoms',`
> userdom_dontaudit_read_user_tmp_files(gpg_agent_t)
> @@ -291,6 +325,44 @@ optional_policy(`
> xserver_read_user_xauth(gpg_agent_t)
> ')
>
> +#######################################
> +#
> +# Dirmngr local policy
> +#
> +
> +allow gpg_dirmngr_t gpg_secret_t:file read_file_perms;
> +
> +manage_dirs_pattern(gpg_dirmngr_t, gpg_runtime_t, gpg_runtime_t)
> +userdom_user_runtime_filetrans(gpg_dirmngr_t, gpg_runtime_t, dir,
> "gnupg")
> +
> +manage_dirs_pattern(gpg_dirmngr_t, gpg_dirmngr_tmp_t, gpg_dirmngr_tmp_t)
> +manage_files_pattern(gpg_dirmngr_t, gpg_dirmngr_tmp_t, gpg_dirmngr_tmp_t)
> +manage_sock_files_pattern(gpg_dirmngr_t, gpg_dirmngr_tmp_t,
> gpg_dirmngr_tmp_t)
> +filetrans_pattern(gpg_dirmngr_t, gpg_runtime_t, gpg_dirmngr_tmp_t,
> sock_file, "S.dirmngr")
> +
> +corenet_sendrecv_pgpkeyserver_client_packets(gpg_dirmngr_t)
> +corenet_tcp_connect_pgpkeyserver_port(gpg_dirmngr_t)
> +corenet_tcp_sendrecv_pgpkeyserver_port(gpg_dirmngr_t)
> +
> +corenet_udp_bind_all_unreserved_ports(gpg_dirmngr_t)
> +corenet_udp_bind_generic_node(gpg_dirmngr_t)
> +
> +dev_read_rand(gpg_dirmngr_t)
> +dev_read_urand(gpg_dirmngr_t)
> +
> +files_read_etc_files(gpg_dirmngr_t)
> +files_read_usr_files(gpg_dirmngr_t)
> +
> +miscfiles_read_all_certs(gpg_dirmngr_t)
> +miscfiles_read_localization(gpg_dirmngr_t)
> +
> +sysnet_dns_name_resolve(gpg_dirmngr_t)
> +
> +userdom_search_user_home_dirs(gpg_dirmngr_t)
> +
> +userdom_search_user_runtime(gpg_dirmngr_t)
> +userdom_user_runtime_filetrans(gpg_dirmngr_t, gpg_dirmngr_tmp_t, { dir
> file sock_file })
> +
> ##############################
> #
> # Pinentry local policy
> @@ -310,6 +382,7 @@ fs_tmpfs_filetrans(gpg_pinentry_t, gpg_p
>
> can_exec(gpg_pinentry_t, gpg_pinentry_exec_t)
>
> +kernel_dontaudit_search_sysctl(gpg_pinentry_t)
> kernel_read_system_state(gpg_pinentry_t)
>
> corecmd_exec_shell(gpg_pinentry_t)
> @@ -327,6 +400,7 @@ domain_use_interactive_fds(gpg_pinentry_
>
> files_read_usr_files(gpg_pinentry_t)
>
> +fs_dontaudit_getattr_xattr_fs(gpg_pinentry_t)
> fs_dontaudit_list_inotifyfs(gpg_pinentry_t)
>
> auth_use_nsswitch(gpg_pinentry_t)
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>

2017-05-24 17:41:51

by Guido Trentalancia

Subject: [refpolicy] [PATCH v3] gpg: manage user runtime socket files and directories

Hello.

I didn't know you were working on this. I suppose I missed the whole
thread!

Please do not consider this new (v3) version then.

If necessary, I will post a new v4 version, otherwise the patch to
consider is the previous one (v2) which does not tackle dirmngr.

Regards,

Guido

On Thu, 25/05/2017 at 01.37 +0800, Jason Zaman wrote:
> NACK to this whole thing. Why are you just redoing what I already did
> like a week ago? Dirmngr already has a policy separate from gpg and
> what you're doing will just conflict with it.?
> I've been too busy to fix and resend my patch. If you really want
> this in at least take that version and fix what the comments were
> instead of doing it again badly :P
>
> -- Jason
>
> On May 25, 2017 00:32, "Guido Trentalancia via refpolicy" <refpolicy@
> oss.tresys.com> wrote:
> > Update the gpg module so that it can correctly manage socket files
> > and directories in the user runtime directories.
> >
> > Update the gpg module in order to support dirmngr (gpg version 2).
> >
> > Some other minor gpg fixes are also included in this patch.
> >
> > This is the third version (v3) of this patch. Since version 2, it
> > features some improvements thanks to feedback received from
> > Christopher PeBenito.
> >
> > Signed-off-by: Guido Trentalancia <[email protected]>
> > ---
> > ?policy/modules/contrib/gpg.fc |? ? 4 +-
> > ?policy/modules/contrib/gpg.if |? ?22 ++++++++++++
> > ?policy/modules/contrib/gpg.te |? ?76
> > +++++++++++++++++++++++++++++++++++++++++-
> > ?3 files changed, 100 insertions(+), 2 deletions(-)
> >
> > --- a/policy/modules/contrib/gpg.fc? ? ?2017-03-29
> > 17:58:00.281386397 +0200
> > +++ b/policy/modules/contrib/gpg.fc? ? ?2017-05-24
> > 18:18:33.792680617 +0200
> > @@ -1,8 +1,10 @@
> > ?HOME_DIR/\.gnupg(/.+)?? ? ? ? ? ? ? ? ? ? ? ?
> > ?gen_context(system_u:object_r:gpg_secret_t,s0)
> > ?HOME_DIR/\.gnupg/log-socket? ? ? ? ? ? -s? ? ?
> > gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
> > +HOME_DIR/\.gnupg/S\.dirmngr? ? ? ? ? ? -s? ? ?
> > gen_context(system_u:object_r:gpg_dirmngr_tmp_t,s0)
> > ?HOME_DIR/\.gnupg/S\.gpg-agent.*? ? ? ? ? ? ? ? -s? ? ?
> > gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
> > ?HOME_DIR/\.gnupg/S\.scdaemon? ? ? ? ? ?-s? ? ?
> > gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
> >
> > +/usr/bin/dirmngr.*? ? ? ? ? ? ? ? ? ? ?--? ? ?
> > gen_context(system_u:object_r:gpg_dirmngr_exec_t,s0)
> > ?/usr/bin/gpg(2)?? ? ? ? ? ? ? ? ? ? ? ?--? ? ?
> > gen_context(system_u:object_r:gpg_exec_t,s0)
> > ?/usr/bin/gpgsm? ? ? ? ? ? ? ? ? ? ? ? ?--? ? ?
> > gen_context(system_u:object_r:gpg_exec_t,s0)
> > ?/usr/bin/gpg-agent? ? ? ? ? ? ? ? ? ? ?--? ? ?
> > gen_context(system_u:object_r:gpg_agent_exec_t,s0)
> > @@ -11,4 +13,4 @@ HOME_DIR/\.gnupg/S\.scdaemon? ? ? ? ? -s? ? ?
> > gen_con
> > ?/usr/lib/gnupg/.*? ? ? ? ? ? ? ? ? ? ? --? ? ?
> > gen_context(system_u:object_r:gpg_exec_t,s0)
> > ?/usr/lib/gnupg/gpgkeys.*? ? ? ? ? ? ? ?--? ? ?
> > gen_context(system_u:object_r:gpg_helper_exec_t,s0)
> >
> > -/run/user/%{USERID}/gnupg(/.*)?? ? ? ? ? ? ? ? ? ? ? ?
> > gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
> > +/run/user/%{USERID}/gnupg(/.*)?? ? ? ? ? ? ? ? ? ? ? ?
> > gen_context(system_u:object_r:gpg_runtime_t,s0)
> > --- a/policy/modules/contrib/gpg.if? ? ?2017-03-29
> > 17:58:00.282386397 +0200
> > +++ b/policy/modules/contrib/gpg.if? ? ?2017-05-24
> > 16:57:35.837700478 +0200
> > @@ -214,6 +214,28 @@ interface(`gpg_stream_connect_agent',`
> > ? ? ? ? userdom_search_user_home_dirs($1)
> > ?')
> >
> > +######################################
> > +## <summary>
> > +##? ? ?Connect to gpg dirmngr socket
> > +## </summary>
> > +## <param name="domain">
> > +##? ? ?<summary>
> > +##? ? ?Domain allowed access.
> > +##? ? ?</summary>
> > +## </param>
> > +#
> > +interface(`gpg_stream_connect_dirmngr',`
> > +? ? ? ?gen_require(`
> > +? ? ? ? ? ? ? ?type gpg_dirmngr_t, gpg_dirmngr_tmp_t;
> > +? ? ? ? ? ? ? ?type gpg_secret_t;
> > +? ? ? ?')
> > +
> > +? ? ? ?stream_connect_pattern($1, gpg_dirmngr_tmp_t,
> > gpg_dirmngr_tmp_t, gpg_dirmngr_t)
> > +? ? ? ?allow $1 gpg_secret_t:dir search_dir_perms;
> > +? ? ? ?userdom_search_user_runtime($1)
> > +? ? ? ?userdom_search_user_home_dirs($1)
> > +')
> > +
> > ?########################################
> > ?## <summary>
> > ?##? ? ?Send messages to and from gpg
> > --- a/policy/modules/contrib/gpg.te? ? ?2017-04-26
> > 17:47:20.555423022 +0200
> > +++ b/policy/modules/contrib/gpg.te? ? ?2017-05-24
> > 18:21:19.538679939 +0200
> > @@ -19,6 +19,8 @@ roleattribute system_r gpg_roles;
> >
> > ?attribute_role gpg_agent_roles;
> >
> > +attribute_role gpg_dirmngr_roles;
> > +
> > ?attribute_role gpg_helper_roles;
> > ?roleattribute system_r gpg_helper_roles;
> >
> > @@ -29,6 +31,9 @@ type gpg_exec_t;
> > ?userdom_user_application_domain(gpg_t, gpg_exec_t)
> > ?role gpg_roles types gpg_t;
> >
> > +type gpg_runtime_t;
> > +files_pid_file(gpg_runtime_t)
> > +
> > ?type gpg_agent_t;
> > ?type gpg_agent_exec_t;
> > ?userdom_user_application_domain(gpg_agent_t, gpg_agent_exec_t)
> > @@ -37,6 +42,14 @@ role gpg_agent_roles types gpg_agent_t;
> > ?type gpg_agent_tmp_t;
> > ?userdom_user_tmp_file(gpg_agent_tmp_t)
> >
> > +type gpg_dirmngr_t;
> > +type gpg_dirmngr_exec_t;
> > +userdom_user_application_domain(gpg_dirmngr_t, gpg_dirmngr_exec_t)
> > +role gpg_dirmngr_roles types gpg_dirmngr_t;
> > +
> > +type gpg_dirmngr_tmp_t;
> > +userdom_user_tmp_file(gpg_dirmngr_tmp_t)
> > +
> > ?type gpg_secret_t;
> > ?userdom_user_home_content(gpg_secret_t)
> >
> > @@ -72,10 +85,19 @@ dontaudit gpg_t self:netlink_audit_socke
> > ?allow gpg_t self:fifo_file rw_fifo_file_perms;
> > ?allow gpg_t self:tcp_socket { accept listen };
> >
> > +manage_dirs_pattern(gpg_t, gpg_runtime_t, gpg_runtime_t)
> > +userdom_user_runtime_filetrans(gpg_t, gpg_runtime_t, dir, "gnupg")
> > +
> > ?manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
> > ?manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
> > +manage_sock_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
> > ?files_tmp_filetrans(gpg_t, gpg_agent_tmp_t, { dir file })
> >
> > +manage_dirs_pattern(gpg_t, gpg_dirmngr_tmp_t, gpg_dirmngr_tmp_t)
> > +manage_files_pattern(gpg_t, gpg_dirmngr_tmp_t, gpg_dirmngr_tmp_t)
> > +manage_sock_files_pattern(gpg_t, gpg_dirmngr_tmp_t,
> > gpg_dirmngr_tmp_t)
> > +manage_sock_files_pattern(gpg_t, gpg_dirmngr_tmp_t,
> > gpg_dirmngr_tmp_t)
> > +
> > ?manage_dirs_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
> > ?manage_sock_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
> > ?manage_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
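Review bot: `manage_sock_files_pattern(gpg_t, gpg_dirmngr_tmp_t, gpg_dirmngr_tmp_t)` is listed twice in this hunk; one copy should go. The same duplicated hunk recurs in the two later quotations of this v3 patch further down the thread. The dirmngr rules were dropped again in the v4 posted below, so this only matters if that part is revived.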
> > @@ -83,8 +105,10 @@ manage_lnk_files_pattern(gpg_t, gpg_secr
> > ?userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir)
> >
> > ?gpg_stream_connect_agent(gpg_t)
> > +gpg_stream_connect_dirmngr(gpg_t)
> >
> > ?domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
> > +domtrans_pattern(gpg_t, gpg_dirmngr_exec_t, gpg_dirmngr_t)
> > ?domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)
> >
> > ?kernel_read_crypto_sysctls(gpg_t)
> > @@ -124,6 +148,7 @@ miscfiles_read_localization(gpg_t)
> >
> > ?userdom_use_user_terminals(gpg_t)
> >
> > +userdom_manage_user_tmp_dirs(gpg_t)
> > ?userdom_manage_user_tmp_files(gpg_t)
> > ?userdom_manage_user_home_content_files(gpg_t)
> > ?userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)
> > @@ -215,6 +240,9 @@ manage_sock_files_pattern(gpg_agent_t, g
> > ?manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
> > ?manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
> >
> > +manage_dirs_pattern(gpg_agent_t, gpg_runtime_t, gpg_runtime_t)
> > +userdom_user_runtime_filetrans(gpg_agent_t, gpg_runtime_t, dir,
> > "gnupg")
> > +
> > ?manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
> > ?manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t,
> > gpg_agent_tmp_t)
> > ?manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t,
> > gpg_agent_tmp_t)
> > @@ -226,6 +254,12 @@ filetrans_pattern(gpg_agent_t, gpg_secre
> > ?filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t,
> > sock_file, "S.gpg-agent.extra")
> > ?filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t,
> > sock_file, "S.gpg-agent.ssh")
> > ?filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t,
> > sock_file, "S.scdaemon")
> > +filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t,
> > sock_file, "log-socket")
> > +filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t,
> > sock_file, "S.gpg-agent")
> > +filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t,
> > sock_file, "S.gpg-agent.browser")
> > +filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t,
> > sock_file, "S.gpg-agent.extra")
> > +filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t,
> > sock_file, "S.gpg-agent.ssh")
> > +filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t,
> > sock_file, "S.scdaemon")
> >
> > ?domtrans_pattern(gpg_agent_t, gpg_pinentry_exec_t, gpg_pinentry_t)
> >
> > @@ -250,7 +284,7 @@ miscfiles_read_localization(gpg_agent_t)
> > ?userdom_use_user_terminals(gpg_agent_t)
> > ?userdom_search_user_home_dirs(gpg_agent_t)
> > ?userdom_search_user_runtime(gpg_agent_t)
> > -userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, dir)
> > +userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, { dir
> > file sock_file })
> >
> > ?ifdef(`hide_broken_symptoms',`
> > ? ? ? ? userdom_dontaudit_read_user_tmp_files(gpg_agent_t)
> > @@ -291,6 +325,44 @@ optional_policy(`
> > ? ? ? ? xserver_read_user_xauth(gpg_agent_t)
> > ?')
> >
> > +#######################################
> > +#
> > +# Dirmngr local policy
> > +#
> > +
> > +allow gpg_dirmngr_t gpg_secret_t:file read_file_perms;
> > +
> > +manage_dirs_pattern(gpg_dirmngr_t, gpg_runtime_t, gpg_runtime_t)
> > +userdom_user_runtime_filetrans(gpg_dirmngr_t, gpg_runtime_t, dir,
> > "gnupg")
> > +
> > +manage_dirs_pattern(gpg_dirmngr_t, gpg_dirmngr_tmp_t,
> > gpg_dirmngr_tmp_t)
> > +manage_files_pattern(gpg_dirmngr_t, gpg_dirmngr_tmp_t,
> > gpg_dirmngr_tmp_t)
> > +manage_sock_files_pattern(gpg_dirmngr_t, gpg_dirmngr_tmp_t,
> > gpg_dirmngr_tmp_t)
> > +filetrans_pattern(gpg_dirmngr_t, gpg_runtime_t, gpg_dirmngr_tmp_t,
> > sock_file, "S.dirmngr")
> > +
> > +corenet_sendrecv_pgpkeyserver_client_packets(gpg_dirmngr_t)
> > +corenet_tcp_connect_pgpkeyserver_port(gpg_dirmngr_t)
> > +corenet_tcp_sendrecv_pgpkeyserver_port(gpg_dirmngr_t)
> > +
> > +corenet_udp_bind_all_unreserved_ports(gpg_dirmngr_t)
> > +corenet_udp_bind_generic_node(gpg_dirmngr_t)
> > +
> > +dev_read_rand(gpg_dirmngr_t)
> > +dev_read_urand(gpg_dirmngr_t)
> > +
> > +files_read_etc_files(gpg_dirmngr_t)
> > +files_read_usr_files(gpg_dirmngr_t)
> > +
> > +miscfiles_read_all_certs(gpg_dirmngr_t)
> > +miscfiles_read_localization(gpg_dirmngr_t)
> > +
> > +sysnet_dns_name_resolve(gpg_dirmngr_t)
> > +
> > +userdom_search_user_home_dirs(gpg_dirmngr_t)
> > +
> > +userdom_search_user_runtime(gpg_dirmngr_t)
> > +userdom_user_runtime_filetrans(gpg_dirmngr_t, gpg_dirmngr_tmp_t, {
> > dir file sock_file })
> > +
> > ?##############################
> > ?#
> > ?# Pinentry local policy
> > @@ -310,6 +382,7 @@ fs_tmpfs_filetrans(gpg_pinentry_t, gpg_p
> >
> > ?can_exec(gpg_pinentry_t, gpg_pinentry_exec_t)
> >
> > +kernel_dontaudit_search_sysctl(gpg_pinentry_t)
> > ?kernel_read_system_state(gpg_pinentry_t)
> >
> > ?corecmd_exec_shell(gpg_pinentry_t)
> > @@ -327,6 +400,7 @@ domain_use_interactive_fds(gpg_pinentry_
> >
> > ?files_read_usr_files(gpg_pinentry_t)
> >
> > +fs_dontaudit_getattr_xattr_fs(gpg_pinentry_t)
> > ?fs_dontaudit_list_inotifyfs(gpg_pinentry_t)
> >
> > ?auth_use_nsswitch(gpg_pinentry_t)
> >

2017-05-24 17:46:39

by Guido Trentalancia

Subject: [refpolicy] [PATCH v3] gpg: manage user runtime socket files and directories

However, I must say that I think the dirmngr policy should be in the
gpg module!

Having the dirmngr policy in a separate module is wrong.

I hope this helps...

Guido

On Thu, 25/05/2017 at 01.37 +0800, Jason Zaman wrote:
> NACK to this whole thing. Why are you just redoing what I already did
> like a week ago? Dirmngr already has a policy separate from gpg and
> what you're doing will just conflict with it.
> I've been too busy to fix and resend my patch. If you really want
> this in at least take that version and fix what the comments were
> instead of doing it again badly :P
>
> -- Jason
>
> On May 25, 2017 00:32, "Guido Trentalancia via refpolicy" <refpolicy@
> oss.tresys.com> wrote:
> > Update the gpg module so that it can correctly manage socket files
> > and directories in the user runtime directories.
> >
> > Update the gpg module in order to support dirmngr (gpg version 2).
> >
> > Some other minor gpg fixes are also included in this patch.
> >
> > This is the third version (v3) of this patch. Since version 2, it
> > features some improvements thanks to feedback received from
> > Christopher PeBenito.
> >
> > Signed-off-by: Guido Trentalancia <[email protected]>
> > ---
> > ?policy/modules/contrib/gpg.fc |? ? 4 +-
> > ?policy/modules/contrib/gpg.if |? ?22 ++++++++++++
> > ?policy/modules/contrib/gpg.te |? ?76
> > +++++++++++++++++++++++++++++++++++++++++-
> > ?3 files changed, 100 insertions(+), 2 deletions(-)
> >
> > --- a/policy/modules/contrib/gpg.fc? ? ?2017-03-29
> > 17:58:00.281386397 +0200
> > +++ b/policy/modules/contrib/gpg.fc? ? ?2017-05-24
> > 18:18:33.792680617 +0200
> > @@ -1,8 +1,10 @@
> > ?HOME_DIR/\.gnupg(/.+)?? ? ? ? ? ? ? ? ? ? ? ?
> > ?gen_context(system_u:object_r:gpg_secret_t,s0)
> > ?HOME_DIR/\.gnupg/log-socket? ? ? ? ? ? -s? ? ?
> > gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
> > +HOME_DIR/\.gnupg/S\.dirmngr? ? ? ? ? ? -s? ? ?
> > gen_context(system_u:object_r:gpg_dirmngr_tmp_t,s0)
> > ?HOME_DIR/\.gnupg/S\.gpg-agent.*? ? ? ? ? ? ? ? -s? ? ?
> > gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
> > ?HOME_DIR/\.gnupg/S\.scdaemon? ? ? ? ? ?-s? ? ?
> > gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
> >
> > +/usr/bin/dirmngr.*? ? ? ? ? ? ? ? ? ? ?--? ? ?
> > gen_context(system_u:object_r:gpg_dirmngr_exec_t,s0)
> > ?/usr/bin/gpg(2)?? ? ? ? ? ? ? ? ? ? ? ?--? ? ?
> > gen_context(system_u:object_r:gpg_exec_t,s0)
> > ?/usr/bin/gpgsm? ? ? ? ? ? ? ? ? ? ? ? ?--? ? ?
> > gen_context(system_u:object_r:gpg_exec_t,s0)
> > ?/usr/bin/gpg-agent? ? ? ? ? ? ? ? ? ? ?--? ? ?
> > gen_context(system_u:object_r:gpg_agent_exec_t,s0)
> > @@ -11,4 +13,4 @@ HOME_DIR/\.gnupg/S\.scdaemon? ? ? ? ? -s? ? ?
> > gen_con
> > ?/usr/lib/gnupg/.*? ? ? ? ? ? ? ? ? ? ? --? ? ?
> > gen_context(system_u:object_r:gpg_exec_t,s0)
> > ?/usr/lib/gnupg/gpgkeys.*? ? ? ? ? ? ? ?--? ? ?
> > gen_context(system_u:object_r:gpg_helper_exec_t,s0)
> >
> > -/run/user/%{USERID}/gnupg(/.*)?? ? ? ? ? ? ? ? ? ? ? ?
> > gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
> > +/run/user/%{USERID}/gnupg(/.*)?? ? ? ? ? ? ? ? ? ? ? ?
> > gen_context(system_u:object_r:gpg_runtime_t,s0)
> > --- a/policy/modules/contrib/gpg.if? ? ?2017-03-29
> > 17:58:00.282386397 +0200
> > +++ b/policy/modules/contrib/gpg.if? ? ?2017-05-24
> > 16:57:35.837700478 +0200
> > @@ -214,6 +214,28 @@ interface(`gpg_stream_connect_agent',`
> > ? ? ? ? userdom_search_user_home_dirs($1)
> > ?')
> >
> > +######################################
> > +## <summary>
> > +##? ? ?Connect to gpg dirmngr socket
> > +## </summary>
> > +## <param name="domain">
> > +##? ? ?<summary>
> > +##? ? ?Domain allowed access.
> > +##? ? ?</summary>
> > +## </param>
> > +#
> > +interface(`gpg_stream_connect_dirmngr',`
> > +? ? ? ?gen_require(`
> > +? ? ? ? ? ? ? ?type gpg_dirmngr_t, gpg_dirmngr_tmp_t;
> > +? ? ? ? ? ? ? ?type gpg_secret_t;
> > +? ? ? ?')
> > +
> > +? ? ? ?stream_connect_pattern($1, gpg_dirmngr_tmp_t,
> > gpg_dirmngr_tmp_t, gpg_dirmngr_t)
> > +? ? ? ?allow $1 gpg_secret_t:dir search_dir_perms;
> > +? ? ? ?userdom_search_user_runtime($1)
> > +? ? ? ?userdom_search_user_home_dirs($1)
> > +')
> > +
> > ?########################################
> > ?## <summary>
> > ?##? ? ?Send messages to and from gpg
> > --- a/policy/modules/contrib/gpg.te? ? ?2017-04-26
> > 17:47:20.555423022 +0200
> > +++ b/policy/modules/contrib/gpg.te? ? ?2017-05-24
> > 18:21:19.538679939 +0200
> > @@ -19,6 +19,8 @@ roleattribute system_r gpg_roles;
> >
> > ?attribute_role gpg_agent_roles;
> >
> > +attribute_role gpg_dirmngr_roles;
> > +
> > ?attribute_role gpg_helper_roles;
> > ?roleattribute system_r gpg_helper_roles;
> >
> > @@ -29,6 +31,9 @@ type gpg_exec_t;
> > ?userdom_user_application_domain(gpg_t, gpg_exec_t)
> > ?role gpg_roles types gpg_t;
> >
> > +type gpg_runtime_t;
> > +files_pid_file(gpg_runtime_t)
> > +
> > ?type gpg_agent_t;
> > ?type gpg_agent_exec_t;
> > ?userdom_user_application_domain(gpg_agent_t, gpg_agent_exec_t)
> > @@ -37,6 +42,14 @@ role gpg_agent_roles types gpg_agent_t;
> > ?type gpg_agent_tmp_t;
> > ?userdom_user_tmp_file(gpg_agent_tmp_t)
> >
> > +type gpg_dirmngr_t;
> > +type gpg_dirmngr_exec_t;
> > +userdom_user_application_domain(gpg_dirmngr_t, gpg_dirmngr_exec_t)
> > +role gpg_dirmngr_roles types gpg_dirmngr_t;
> > +
> > +type gpg_dirmngr_tmp_t;
> > +userdom_user_tmp_file(gpg_dirmngr_tmp_t)
> > +
> > ?type gpg_secret_t;
> > ?userdom_user_home_content(gpg_secret_t)
> >
> > @@ -72,10 +85,19 @@ dontaudit gpg_t self:netlink_audit_socke
> > ?allow gpg_t self:fifo_file rw_fifo_file_perms;
> > ?allow gpg_t self:tcp_socket { accept listen };
> >
> > +manage_dirs_pattern(gpg_t, gpg_runtime_t, gpg_runtime_t)
> > +userdom_user_runtime_filetrans(gpg_t, gpg_runtime_t, dir, "gnupg")
> > +
> > ?manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
> > ?manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
> > +manage_sock_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
> > ?files_tmp_filetrans(gpg_t, gpg_agent_tmp_t, { dir file })
> >
> > +manage_dirs_pattern(gpg_t, gpg_dirmngr_tmp_t, gpg_dirmngr_tmp_t)
> > +manage_files_pattern(gpg_t, gpg_dirmngr_tmp_t, gpg_dirmngr_tmp_t)
> > +manage_sock_files_pattern(gpg_t, gpg_dirmngr_tmp_t,
> > gpg_dirmngr_tmp_t)
> > +manage_sock_files_pattern(gpg_t, gpg_dirmngr_tmp_t,
> > gpg_dirmngr_tmp_t)
> > +
> > ?manage_dirs_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
> > ?manage_sock_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
> > ?manage_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
> > @@ -83,8 +105,10 @@ manage_lnk_files_pattern(gpg_t, gpg_secr
> > ?userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir)
> >
> > ?gpg_stream_connect_agent(gpg_t)
> > +gpg_stream_connect_dirmngr(gpg_t)
> >
> > ?domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
> > +domtrans_pattern(gpg_t, gpg_dirmngr_exec_t, gpg_dirmngr_t)
> > ?domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)
> >
> > ?kernel_read_crypto_sysctls(gpg_t)
> > @@ -124,6 +148,7 @@ miscfiles_read_localization(gpg_t)
> >
> > ?userdom_use_user_terminals(gpg_t)
> >
> > +userdom_manage_user_tmp_dirs(gpg_t)
> > ?userdom_manage_user_tmp_files(gpg_t)
> > ?userdom_manage_user_home_content_files(gpg_t)
> > ?userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)
> > @@ -215,6 +240,9 @@ manage_sock_files_pattern(gpg_agent_t, g
> > ?manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
> > ?manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
> >
> > +manage_dirs_pattern(gpg_agent_t, gpg_runtime_t, gpg_runtime_t)
> > +userdom_user_runtime_filetrans(gpg_agent_t, gpg_runtime_t, dir,
> > "gnupg")
> > +
> > ?manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
> > ?manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t,
> > gpg_agent_tmp_t)
> > ?manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t,
> > gpg_agent_tmp_t)
> > @@ -226,6 +254,12 @@ filetrans_pattern(gpg_agent_t, gpg_secre
> > ?filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t,
> > sock_file, "S.gpg-agent.extra")
> > ?filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t,
> > sock_file, "S.gpg-agent.ssh")
> > ?filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t,
> > sock_file, "S.scdaemon")
> > +filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t,
> > sock_file, "log-socket")
> > +filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t,
> > sock_file, "S.gpg-agent")
> > +filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t,
> > sock_file, "S.gpg-agent.browser")
> > +filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t,
> > sock_file, "S.gpg-agent.extra")
> > +filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t,
> > sock_file, "S.gpg-agent.ssh")
> > +filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t,
> > sock_file, "S.scdaemon")
> >
> > ?domtrans_pattern(gpg_agent_t, gpg_pinentry_exec_t, gpg_pinentry_t)
> >
> > @@ -250,7 +284,7 @@ miscfiles_read_localization(gpg_agent_t)
> > ?userdom_use_user_terminals(gpg_agent_t)
> > ?userdom_search_user_home_dirs(gpg_agent_t)
> > ?userdom_search_user_runtime(gpg_agent_t)
> > -userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, dir)
> > +userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, { dir
> > file sock_file })
> >
> > ?ifdef(`hide_broken_symptoms',`
> > ? ? ? ? userdom_dontaudit_read_user_tmp_files(gpg_agent_t)
> > @@ -291,6 +325,44 @@ optional_policy(`
> > ? ? ? ? xserver_read_user_xauth(gpg_agent_t)
> > ?')
> >
> > +#######################################
> > +#
> > +# Dirmngr local policy
> > +#
> > +
> > +allow gpg_dirmngr_t gpg_secret_t:file read_file_perms;
> > +
> > +manage_dirs_pattern(gpg_dirmngr_t, gpg_runtime_t, gpg_runtime_t)
> > +userdom_user_runtime_filetrans(gpg_dirmngr_t, gpg_runtime_t, dir,
> > "gnupg")
> > +
> > +manage_dirs_pattern(gpg_dirmngr_t, gpg_dirmngr_tmp_t,
> > gpg_dirmngr_tmp_t)
> > +manage_files_pattern(gpg_dirmngr_t, gpg_dirmngr_tmp_t,
> > gpg_dirmngr_tmp_t)
> > +manage_sock_files_pattern(gpg_dirmngr_t, gpg_dirmngr_tmp_t,
> > gpg_dirmngr_tmp_t)
> > +filetrans_pattern(gpg_dirmngr_t, gpg_runtime_t, gpg_dirmngr_tmp_t,
> > sock_file, "S.dirmngr")
> > +
> > +corenet_sendrecv_pgpkeyserver_client_packets(gpg_dirmngr_t)
> > +corenet_tcp_connect_pgpkeyserver_port(gpg_dirmngr_t)
> > +corenet_tcp_sendrecv_pgpkeyserver_port(gpg_dirmngr_t)
> > +
> > +corenet_udp_bind_all_unreserved_ports(gpg_dirmngr_t)
> > +corenet_udp_bind_generic_node(gpg_dirmngr_t)
> > +
> > +dev_read_rand(gpg_dirmngr_t)
> > +dev_read_urand(gpg_dirmngr_t)
> > +
> > +files_read_etc_files(gpg_dirmngr_t)
> > +files_read_usr_files(gpg_dirmngr_t)
> > +
> > +miscfiles_read_all_certs(gpg_dirmngr_t)
> > +miscfiles_read_localization(gpg_dirmngr_t)
> > +
> > +sysnet_dns_name_resolve(gpg_dirmngr_t)
> > +
> > +userdom_search_user_home_dirs(gpg_dirmngr_t)
> > +
> > +userdom_search_user_runtime(gpg_dirmngr_t)
> > +userdom_user_runtime_filetrans(gpg_dirmngr_t, gpg_dirmngr_tmp_t, {
> > dir file sock_file })
> > +
> > ?##############################
> > ?#
> > ?# Pinentry local policy
> > @@ -310,6 +382,7 @@ fs_tmpfs_filetrans(gpg_pinentry_t, gpg_p
> >
> > ?can_exec(gpg_pinentry_t, gpg_pinentry_exec_t)
> >
> > +kernel_dontaudit_search_sysctl(gpg_pinentry_t)
> > ?kernel_read_system_state(gpg_pinentry_t)
> >
> > ?corecmd_exec_shell(gpg_pinentry_t)
> > @@ -327,6 +400,7 @@ domain_use_interactive_fds(gpg_pinentry_
> >
> > ?files_read_usr_files(gpg_pinentry_t)
> >
> > +fs_dontaudit_getattr_xattr_fs(gpg_pinentry_t)
> > ?fs_dontaudit_list_inotifyfs(gpg_pinentry_t)
> >
> > ?auth_use_nsswitch(gpg_pinentry_t)
> >

2017-05-24 17:49:48

by Dac Override

Subject: [refpolicy] [PATCH v3] gpg: manage user runtime socket files and directories

On Wed, May 24, 2017 at 07:46:39PM +0200, Guido Trentalancia via refpolicy wrote:
> However, I must say that I think the dirmngr policy should be in the
> gpg module !
>
> Having the dirmngr policy in a separate module is wrong.

I have a tendency to agree. I am pro-modular, but dirmngr is part of the gnupg package, so if you install gpg you most likely have dirmngr as well.

>
> I hope this helps...
>
> Guido
>
> On Thu, 25/05/2017 at 01.37 +0800, Jason Zaman wrote:
> > NACK to this whole thing. Why are you just redoing what I already did
> > like a week ago? Dirmngr already has a policy separate from gpg and
> > what you're doing will just conflict with it.
> > I've been too busy to fix and resend my patch. If you really want
> > this in at least take that version and fix what the comments were
> > instead of doing it again badly :P
> >
> > -- Jason
> >
> > On May 25, 2017 00:32, "Guido Trentalancia via refpolicy" <refpolicy@
> > oss.tresys.com> wrote:
> > > Update the gpg module so that it can correctly manage socket files
> > > and directories in the user runtime directories.
> > >
> > > Update the gpg module in order to support dirmngr (gpg version 2).
> > >
> > > Some other minor gpg fixes are also included in this patch.
> > >
> > > This is the third version (v3) of this patch. Since version 2, it
> > > features some improvements thanks to feedback received from
> > > Christopher PeBenito.
> > >
> > > Signed-off-by: Guido Trentalancia <[email protected]>
> > > ---
> > > ?policy/modules/contrib/gpg.fc |? ? 4 +-
> > > ?policy/modules/contrib/gpg.if |? ?22 ++++++++++++
> > > ?policy/modules/contrib/gpg.te |? ?76
> > > +++++++++++++++++++++++++++++++++++++++++-
> > > ?3 files changed, 100 insertions(+), 2 deletions(-)
> > >
> > > --- a/policy/modules/contrib/gpg.fc? ? ?2017-03-29
> > > 17:58:00.281386397 +0200
> > > +++ b/policy/modules/contrib/gpg.fc? ? ?2017-05-24
> > > 18:18:33.792680617 +0200
> > > @@ -1,8 +1,10 @@
> > > ?HOME_DIR/\.gnupg(/.+)?? ? ? ? ? ? ? ? ? ? ? ?
> > > ?gen_context(system_u:object_r:gpg_secret_t,s0)
> > > ?HOME_DIR/\.gnupg/log-socket? ? ? ? ? ? -s? ? ?
> > > gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
> > > +HOME_DIR/\.gnupg/S\.dirmngr? ? ? ? ? ? -s? ? ?
> > > gen_context(system_u:object_r:gpg_dirmngr_tmp_t,s0)
> > > ?HOME_DIR/\.gnupg/S\.gpg-agent.*? ? ? ? ? ? ? ? -s? ? ?
> > > gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
> > > ?HOME_DIR/\.gnupg/S\.scdaemon? ? ? ? ? ?-s? ? ?
> > > gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
> > >
> > > +/usr/bin/dirmngr.*? ? ? ? ? ? ? ? ? ? ?--? ? ?
> > > gen_context(system_u:object_r:gpg_dirmngr_exec_t,s0)
> > > ?/usr/bin/gpg(2)?? ? ? ? ? ? ? ? ? ? ? ?--? ? ?
> > > gen_context(system_u:object_r:gpg_exec_t,s0)
> > > ?/usr/bin/gpgsm? ? ? ? ? ? ? ? ? ? ? ? ?--? ? ?
> > > gen_context(system_u:object_r:gpg_exec_t,s0)
> > > ?/usr/bin/gpg-agent? ? ? ? ? ? ? ? ? ? ?--? ? ?
> > > gen_context(system_u:object_r:gpg_agent_exec_t,s0)
> > > @@ -11,4 +13,4 @@ HOME_DIR/\.gnupg/S\.scdaemon? ? ? ? ? -s? ? ?
> > > gen_con
> > > ?/usr/lib/gnupg/.*? ? ? ? ? ? ? ? ? ? ? --? ? ?
> > > gen_context(system_u:object_r:gpg_exec_t,s0)
> > > ?/usr/lib/gnupg/gpgkeys.*? ? ? ? ? ? ? ?--? ? ?
> > > gen_context(system_u:object_r:gpg_helper_exec_t,s0)
> > >
> > > -/run/user/%{USERID}/gnupg(/.*)?? ? ? ? ? ? ? ? ? ? ? ?
> > > gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
> > > +/run/user/%{USERID}/gnupg(/.*)?? ? ? ? ? ? ? ? ? ? ? ?
> > > gen_context(system_u:object_r:gpg_runtime_t,s0)
> > > --- a/policy/modules/contrib/gpg.if? ? ?2017-03-29
> > > 17:58:00.282386397 +0200
> > > +++ b/policy/modules/contrib/gpg.if? ? ?2017-05-24
> > > 16:57:35.837700478 +0200
> > > @@ -214,6 +214,28 @@ interface(`gpg_stream_connect_agent',`
> > > ? ? ? ? userdom_search_user_home_dirs($1)
> > > ?')
> > >
> > > +######################################
> > > +## <summary>
> > > +##? ? ?Connect to gpg dirmngr socket
> > > +## </summary>
> > > +## <param name="domain">
> > > +##? ? ?<summary>
> > > +##? ? ?Domain allowed access.
> > > +##? ? ?</summary>
> > > +## </param>
> > > +#
> > > +interface(`gpg_stream_connect_dirmngr',`
> > > +? ? ? ?gen_require(`
> > > +? ? ? ? ? ? ? ?type gpg_dirmngr_t, gpg_dirmngr_tmp_t;
> > > +? ? ? ? ? ? ? ?type gpg_secret_t;
> > > +? ? ? ?')
> > > +
> > > +? ? ? ?stream_connect_pattern($1, gpg_dirmngr_tmp_t,
> > > gpg_dirmngr_tmp_t, gpg_dirmngr_t)
> > > +? ? ? ?allow $1 gpg_secret_t:dir search_dir_perms;
> > > +? ? ? ?userdom_search_user_runtime($1)
> > > +? ? ? ?userdom_search_user_home_dirs($1)
> > > +')
> > > +
> > > ?########################################
> > > ?## <summary>
> > > ?##? ? ?Send messages to and from gpg
> > > --- a/policy/modules/contrib/gpg.te? ? ?2017-04-26
> > > 17:47:20.555423022 +0200
> > > +++ b/policy/modules/contrib/gpg.te? ? ?2017-05-24
> > > 18:21:19.538679939 +0200
> > > @@ -19,6 +19,8 @@ roleattribute system_r gpg_roles;
> > >
> > > ?attribute_role gpg_agent_roles;
> > >
> > > +attribute_role gpg_dirmngr_roles;
> > > +
> > > ?attribute_role gpg_helper_roles;
> > > ?roleattribute system_r gpg_helper_roles;
> > >
> > > @@ -29,6 +31,9 @@ type gpg_exec_t;
> > > ?userdom_user_application_domain(gpg_t, gpg_exec_t)
> > > ?role gpg_roles types gpg_t;
> > >
> > > +type gpg_runtime_t;
> > > +files_pid_file(gpg_runtime_t)
> > > +
> > > ?type gpg_agent_t;
> > > ?type gpg_agent_exec_t;
> > > ?userdom_user_application_domain(gpg_agent_t, gpg_agent_exec_t)
> > > @@ -37,6 +42,14 @@ role gpg_agent_roles types gpg_agent_t;
> > > ?type gpg_agent_tmp_t;
> > > ?userdom_user_tmp_file(gpg_agent_tmp_t)
> > >
> > > +type gpg_dirmngr_t;
> > > +type gpg_dirmngr_exec_t;
> > > +userdom_user_application_domain(gpg_dirmngr_t, gpg_dirmngr_exec_t)
> > > +role gpg_dirmngr_roles types gpg_dirmngr_t;
> > > +
> > > +type gpg_dirmngr_tmp_t;
> > > +userdom_user_tmp_file(gpg_dirmngr_tmp_t)
> > > +
> > > ?type gpg_secret_t;
> > > ?userdom_user_home_content(gpg_secret_t)
> > >
> > > @@ -72,10 +85,19 @@ dontaudit gpg_t self:netlink_audit_socke
> > > ?allow gpg_t self:fifo_file rw_fifo_file_perms;
> > > ?allow gpg_t self:tcp_socket { accept listen };
> > >
> > > +manage_dirs_pattern(gpg_t, gpg_runtime_t, gpg_runtime_t)
> > > +userdom_user_runtime_filetrans(gpg_t, gpg_runtime_t, dir, "gnupg")
> > > +
> > > ?manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
> > > ?manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
> > > +manage_sock_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
> > > ?files_tmp_filetrans(gpg_t, gpg_agent_tmp_t, { dir file })
> > >
> > > +manage_dirs_pattern(gpg_t, gpg_dirmngr_tmp_t, gpg_dirmngr_tmp_t)
> > > +manage_files_pattern(gpg_t, gpg_dirmngr_tmp_t, gpg_dirmngr_tmp_t)
> > > +manage_sock_files_pattern(gpg_t, gpg_dirmngr_tmp_t,
> > > gpg_dirmngr_tmp_t)
> > > +manage_sock_files_pattern(gpg_t, gpg_dirmngr_tmp_t,
> > > gpg_dirmngr_tmp_t)
> > > +
> > > ?manage_dirs_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
> > > ?manage_sock_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
> > > ?manage_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
> > > @@ -83,8 +105,10 @@ manage_lnk_files_pattern(gpg_t, gpg_secr
> > > ?userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir)
> > >
> > > ?gpg_stream_connect_agent(gpg_t)
> > > +gpg_stream_connect_dirmngr(gpg_t)
> > >
> > > ?domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
> > > +domtrans_pattern(gpg_t, gpg_dirmngr_exec_t, gpg_dirmngr_t)
> > > ?domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)
> > >
> > > ?kernel_read_crypto_sysctls(gpg_t)
> > > @@ -124,6 +148,7 @@ miscfiles_read_localization(gpg_t)
> > >
> > > ?userdom_use_user_terminals(gpg_t)
> > >
> > > +userdom_manage_user_tmp_dirs(gpg_t)
> > > ?userdom_manage_user_tmp_files(gpg_t)
> > > ?userdom_manage_user_home_content_files(gpg_t)
> > > ?userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)
> > > @@ -215,6 +240,9 @@ manage_sock_files_pattern(gpg_agent_t, g
> > > ?manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
> > > ?manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
> > >
> > > +manage_dirs_pattern(gpg_agent_t, gpg_runtime_t, gpg_runtime_t)
> > > +userdom_user_runtime_filetrans(gpg_agent_t, gpg_runtime_t, dir,
> > > "gnupg")
> > > +
> > > ?manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
> > > ?manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t,
> > > gpg_agent_tmp_t)
> > > ?manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t,
> > > gpg_agent_tmp_t)
> > > @@ -226,6 +254,12 @@ filetrans_pattern(gpg_agent_t, gpg_secre
> > > ?filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t,
> > > sock_file, "S.gpg-agent.extra")
> > > ?filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t,
> > > sock_file, "S.gpg-agent.ssh")
> > > ?filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t,
> > > sock_file, "S.scdaemon")
> > > +filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t,
> > > sock_file, "log-socket")
> > > +filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t,
> > > sock_file, "S.gpg-agent")
> > > +filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t,
> > > sock_file, "S.gpg-agent.browser")
> > > +filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t,
> > > sock_file, "S.gpg-agent.extra")
> > > +filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t,
> > > sock_file, "S.gpg-agent.ssh")
> > > +filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t,
> > > sock_file, "S.scdaemon")
> > >
> > > ?domtrans_pattern(gpg_agent_t, gpg_pinentry_exec_t, gpg_pinentry_t)
> > >
> > > @@ -250,7 +284,7 @@ miscfiles_read_localization(gpg_agent_t)
> > > ?userdom_use_user_terminals(gpg_agent_t)
> > > ?userdom_search_user_home_dirs(gpg_agent_t)
> > > ?userdom_search_user_runtime(gpg_agent_t)
> > > -userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, dir)
> > > +userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, { dir
> > > file sock_file })
> > >
> > > ?ifdef(`hide_broken_symptoms',`
> > > ? ? ? ? userdom_dontaudit_read_user_tmp_files(gpg_agent_t)
> > > @@ -291,6 +325,44 @@ optional_policy(`
> > > ? ? ? ? xserver_read_user_xauth(gpg_agent_t)
> > > ?')
> > >
> > > +#######################################
> > > +#
> > > +# Dirmngr local policy
> > > +#
> > > +
> > > +allow gpg_dirmngr_t gpg_secret_t:file read_file_perms;
> > > +
> > > +manage_dirs_pattern(gpg_dirmngr_t, gpg_runtime_t, gpg_runtime_t)
> > > +userdom_user_runtime_filetrans(gpg_dirmngr_t, gpg_runtime_t, dir,
> > > "gnupg")
> > > +
> > > +manage_dirs_pattern(gpg_dirmngr_t, gpg_dirmngr_tmp_t,
> > > gpg_dirmngr_tmp_t)
> > > +manage_files_pattern(gpg_dirmngr_t, gpg_dirmngr_tmp_t,
> > > gpg_dirmngr_tmp_t)
> > > +manage_sock_files_pattern(gpg_dirmngr_t, gpg_dirmngr_tmp_t,
> > > gpg_dirmngr_tmp_t)
> > > +filetrans_pattern(gpg_dirmngr_t, gpg_runtime_t, gpg_dirmngr_tmp_t,
> > > sock_file, "S.dirmngr")
> > > +
> > > +corenet_sendrecv_pgpkeyserver_client_packets(gpg_dirmngr_t)
> > > +corenet_tcp_connect_pgpkeyserver_port(gpg_dirmngr_t)
> > > +corenet_tcp_sendrecv_pgpkeyserver_port(gpg_dirmngr_t)
> > > +
> > > +corenet_udp_bind_all_unreserved_ports(gpg_dirmngr_t)
> > > +corenet_udp_bind_generic_node(gpg_dirmngr_t)
> > > +
> > > +dev_read_rand(gpg_dirmngr_t)
> > > +dev_read_urand(gpg_dirmngr_t)
> > > +
> > > +files_read_etc_files(gpg_dirmngr_t)
> > > +files_read_usr_files(gpg_dirmngr_t)
> > > +
> > > +miscfiles_read_all_certs(gpg_dirmngr_t)
> > > +miscfiles_read_localization(gpg_dirmngr_t)
> > > +
> > > +sysnet_dns_name_resolve(gpg_dirmngr_t)
> > > +
> > > +userdom_search_user_home_dirs(gpg_dirmngr_t)
> > > +
> > > +userdom_search_user_runtime(gpg_dirmngr_t)
> > > +userdom_user_runtime_filetrans(gpg_dirmngr_t, gpg_dirmngr_tmp_t, {
> > > dir file sock_file })
> > > +
> > > ?##############################
> > > ?#
> > > ?# Pinentry local policy
> > > @@ -310,6 +382,7 @@ fs_tmpfs_filetrans(gpg_pinentry_t, gpg_p
> > >
> > > ?can_exec(gpg_pinentry_t, gpg_pinentry_exec_t)
> > >
> > > +kernel_dontaudit_search_sysctl(gpg_pinentry_t)
> > > ?kernel_read_system_state(gpg_pinentry_t)
> > >
> > > ?corecmd_exec_shell(gpg_pinentry_t)
> > > @@ -327,6 +400,7 @@ domain_use_interactive_fds(gpg_pinentry_
> > >
> > > ?files_read_usr_files(gpg_pinentry_t)
> > >
> > > +fs_dontaudit_getattr_xattr_fs(gpg_pinentry_t)
> > > ?fs_dontaudit_list_inotifyfs(gpg_pinentry_t)
> > >
> > > ?auth_use_nsswitch(gpg_pinentry_t)
> > >

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

2017-05-24 18:05:58

by Guido Trentalancia

Subject: [refpolicy] [PATCH v4] gpg: manage user runtime socket files and directories

Update the gpg module so that it can correctly manage socket files
and directories in the user runtime directories.

Some other minor gpg fixes are also included in this patch.

This is the fourth version (v4) of this patch and it features some
improvements thanks to feedback received from Christopher PeBenito.

The dirmngr policy introduced in version 3 has now been removed
because someone else was already working on it (I was not aware of
it).

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/gpg.fc | 2 +-
policy/modules/contrib/gpg.te | 21 ++++++++++++++++++++-
2 files changed, 21 insertions(+), 2 deletions(-)

--- a/policy/modules/contrib/gpg.fc 2017-03-29 17:58:00.281386397 +0200
+++ b/policy/modules/contrib/gpg.fc 2017-05-24 19:47:04.943660156 +0200
@@ -11,4 +11,4 @@ HOME_DIR/\.gnupg/S\.scdaemon -s gen_con
/usr/lib/gnupg/.* -- gen_context(system_u:object_r:gpg_exec_t,s0)
/usr/lib/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0)

-/run/user/%{USERID}/gnupg(/.*)? gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
+/run/user/%{USERID}/gnupg(/.*)? gen_context(system_u:object_r:gpg_runtime_t,s0)
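Review bot: The new pattern `/run/user/%{USERID}/gnupg(/.*)?` labels every object under gnupg/ as gpg_runtime_t, while the gpg.te hunk at @@ -226 creates the sockets inside that directory as gpg_agent_tmp_t, so a relabel (restorecon or a boot-time relabel) would flip them to a type on which neither gpg_t nor gpg_agent_t is granted sock_file access in this patch. Splitting the entry keeps file contexts and the transitions in agreement, e.g. `/run/user/%{USERID}/gnupg -d gen_context(system_u:object_r:gpg_runtime_t,s0)` followed by `/run/user/%{USERID}/gnupg/.* -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)`, mirroring the `-s` entries the file already carries for the HOME_DIR/\.gnupg sockets. The v5 repost (its gpg.fc hunk at @@ -11,4 +11,4) carries the same entry unchanged, so the same note applies there.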
--- a/policy/modules/contrib/gpg.te 2017-04-26 17:47:20.555423022 +0200
+++ b/policy/modules/contrib/gpg.te 2017-05-24 19:47:39.484660015 +0200
@@ -29,6 +29,9 @@ type gpg_exec_t;
userdom_user_application_domain(gpg_t, gpg_exec_t)
role gpg_roles types gpg_t;

+type gpg_runtime_t;
+files_pid_file(gpg_runtime_t)
+
type gpg_agent_t;
type gpg_agent_exec_t;
userdom_user_application_domain(gpg_agent_t, gpg_agent_exec_t)
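Review bot: `gpg_runtime_t` is declared with only `files_pid_file`, which makes it a generic pid-file type under /run even though it only ever labels per-user content under /run/user, so any interface that reaches all pid files would presumably reach it too. The sibling per-user types in this module, gpg_secret_t and gpg_agent_tmp_t, are outside the hunk; if they are `ubac_constrained`, the new type should be as well, `ubac_constrained(gpg_runtime_t)`, so that user-based access control keeps one user's gnupg runtime directory apart from another's. The same declaration appears unchanged in the v5 repost.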
@@ -72,8 +75,12 @@ dontaudit gpg_t self:netlink_audit_socke
allow gpg_t self:fifo_file rw_fifo_file_perms;
allow gpg_t self:tcp_socket { accept listen };

+manage_dirs_pattern(gpg_t, gpg_runtime_t, gpg_runtime_t)
+userdom_user_runtime_filetrans(gpg_t, gpg_runtime_t, dir, "gnupg")
+
manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
+manage_sock_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
files_tmp_filetrans(gpg_t, gpg_agent_tmp_t, { dir file })

manage_dirs_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
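Review bot: `manage_sock_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)` grants gpg_t create, unlink, rename and setattr on the agent's sockets, whereas a client that only connects to gpg-agent needs write on the sock_file plus connectto on the agent, which `stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)` expresses. The unchanged `files_tmp_filetrans(gpg_t, gpg_agent_tmp_t, { dir file })` on the next line has no sock_file class, which suggests gpg_t does not create sockets itself; if a denial showed that it does, naming that case in the commit message would justify the wider grant. Whether a stream_connect rule already exists elsewhere in gpg.te is not visible in this hunk.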
@@ -124,6 +131,7 @@ miscfiles_read_localization(gpg_t)

userdom_use_user_terminals(gpg_t)

+userdom_manage_user_tmp_dirs(gpg_t)
userdom_manage_user_tmp_files(gpg_t)
userdom_manage_user_home_content_files(gpg_t)
userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)
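Review bot: `userdom_manage_user_tmp_dirs(gpg_t)` lets gpg_t create and remove any user_tmp_t directory, not only its own, and the commit message ("some other minor gpg fixes") does not say which access triggered it. Since the hunk at @@ -72 shows gpg_t's own /tmp directories transitioning to gpg_agent_tmp_t via `files_tmp_filetrans`, it is not obvious from the patch why generic user tmp directories are needed; a one-line justification in the message, or a narrower rule if the need is only to list or search them, would help the next reviewer.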
@@ -215,6 +223,9 @@ manage_sock_files_pattern(gpg_agent_t, g
manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)

+manage_dirs_pattern(gpg_agent_t, gpg_runtime_t, gpg_runtime_t)
+userdom_user_runtime_filetrans(gpg_agent_t, gpg_runtime_t, dir, "gnupg")
+
manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
@@ -226,6 +237,12 @@ filetrans_pattern(gpg_agent_t, gpg_secre
filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.extra")
filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.ssh")
filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.scdaemon")
+filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, sock_file, "log-socket")
+filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent")
+filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.browser")
+filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.extra")
+filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.ssh")
+filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, sock_file, "S.scdaemon")

domtrans_pattern(gpg_agent_t, gpg_pinentry_exec_t, gpg_pinentry_t)

@@ -250,7 +267,7 @@ miscfiles_read_localization(gpg_agent_t)
userdom_use_user_terminals(gpg_agent_t)
userdom_search_user_home_dirs(gpg_agent_t)
userdom_search_user_runtime(gpg_agent_t)
-userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, dir)
+userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, { dir file sock_file })

ifdef(`hide_broken_symptoms',`
userdom_dontaudit_read_user_tmp_files(gpg_agent_t)
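Review bot: With the gnupg directory now transitioning to gpg_runtime_t via the named rule in the hunk at @@ -215, the widened `userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, { dir file sock_file })` only affects objects gpg-agent creates directly in /run/user/UID, outside gnupg/, and nothing in the gpg.fc hunk labels such objects. If the agent's sockets and files all live under gnupg/ (the socket transitions in @@ -226 suggest so), this line can keep its original `dir` form or go away entirely; if the agent does create objects at the top level, the commit message should say which, because a gpg_agent_tmp_t socket in the user runtime root would not survive a relabel. The v5 repost keeps the same line in its hunk at @@ -250,7 +257,7.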
@@ -310,6 +327,7 @@ fs_tmpfs_filetrans(gpg_pinentry_t, gpg_p

can_exec(gpg_pinentry_t, gpg_pinentry_exec_t)

+kernel_dontaudit_search_sysctl(gpg_pinentry_t)
kernel_read_system_state(gpg_pinentry_t)

corecmd_exec_shell(gpg_pinentry_t)
@@ -327,6 +345,7 @@ domain_use_interactive_fds(gpg_pinentry_

files_read_usr_files(gpg_pinentry_t)

+fs_dontaudit_getattr_xattr_fs(gpg_pinentry_t)
fs_dontaudit_list_inotifyfs(gpg_pinentry_t)

auth_use_nsswitch(gpg_pinentry_t)

2017-06-05 00:42:18

by Chris PeBenito

Subject: [refpolicy] [PATCH v4] gpg: manage user runtime socket files and directories

On 05/24/2017 02:05 PM, Guido Trentalancia via refpolicy wrote:
> Update the gpg module so that it can correctly manage socket files
> and directories in the user runtime directories.
>
> Some other minor gpg fixes are also included in this patch.
>
> This is the fourth version (v4) of this patch and it features some
> improvements thanks to feedback received from Christopher PeBenito.
>
> The dirmngr policy introduced in version 3 has now been removed
> because someone else was already working on it (I was not aware of
> it).
>
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/contrib/gpg.fc | 2 +-
> policy/modules/contrib/gpg.te | 21 ++++++++++++++++++++-
> 2 files changed, 21 insertions(+), 2 deletions(-)
>
> --- a/policy/modules/contrib/gpg.fc 2017-03-29 17:58:00.281386397 +0200
> +++ b/policy/modules/contrib/gpg.fc 2017-05-24 19:47:04.943660156 +0200
> @@ -11,4 +11,4 @@ HOME_DIR/\.gnupg/S\.scdaemon -s gen_con
> /usr/lib/gnupg/.* -- gen_context(system_u:object_r:gpg_exec_t,s0)
> /usr/lib/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0)
>
> -/run/user/%{USERID}/gnupg(/.*)? gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
> +/run/user/%{USERID}/gnupg(/.*)? gen_context(system_u:object_r:gpg_runtime_t,s0)
> --- a/policy/modules/contrib/gpg.te 2017-04-26 17:47:20.555423022 +0200
> +++ b/policy/modules/contrib/gpg.te 2017-05-24 19:47:39.484660015 +0200
> @@ -29,6 +29,9 @@ type gpg_exec_t;
> userdom_user_application_domain(gpg_t, gpg_exec_t)
> role gpg_roles types gpg_t;
>
> +type gpg_runtime_t;
> +files_pid_file(gpg_runtime_t)
> +
> type gpg_agent_t;
> type gpg_agent_exec_t;
> userdom_user_application_domain(gpg_agent_t, gpg_agent_exec_t)
> @@ -72,8 +75,12 @@ dontaudit gpg_t self:netlink_audit_socke
> allow gpg_t self:fifo_file rw_fifo_file_perms;
> allow gpg_t self:tcp_socket { accept listen };
>
> +manage_dirs_pattern(gpg_t, gpg_runtime_t, gpg_runtime_t)
> +userdom_user_runtime_filetrans(gpg_t, gpg_runtime_t, dir, "gnupg")
> +
> manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
> manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
> +manage_sock_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
> files_tmp_filetrans(gpg_t, gpg_agent_tmp_t, { dir file })
>
> manage_dirs_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
> @@ -124,6 +131,7 @@ miscfiles_read_localization(gpg_t)
>
> userdom_use_user_terminals(gpg_t)
>
> +userdom_manage_user_tmp_dirs(gpg_t)
> userdom_manage_user_tmp_files(gpg_t)
> userdom_manage_user_home_content_files(gpg_t)
> userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)
> @@ -215,6 +223,9 @@ manage_sock_files_pattern(gpg_agent_t, g
> manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
> manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
>
> +manage_dirs_pattern(gpg_agent_t, gpg_runtime_t, gpg_runtime_t)
> +userdom_user_runtime_filetrans(gpg_agent_t, gpg_runtime_t, dir, "gnupg")
> +
> manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
> manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
> manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
> @@ -226,6 +237,12 @@ filetrans_pattern(gpg_agent_t, gpg_secre
> filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.extra")
> filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.ssh")
> filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.scdaemon")
> +filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, sock_file, "log-socket")
> +filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent")
> +filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.browser")
> +filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.extra")
> +filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.ssh")
> +filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, sock_file, "S.scdaemon")

My only question is with these name transitions. Yes, there already are
several, but are there any sock_files that are not gpg_agent_tmp_t? If
not, then I see no value with doing anything but having two transitions,
on gpg_secret_t and gpg_runtime_t, without specifying any names.


> domtrans_pattern(gpg_agent_t, gpg_pinentry_exec_t, gpg_pinentry_t)
>
> @@ -250,7 +267,7 @@ miscfiles_read_localization(gpg_agent_t)
> userdom_use_user_terminals(gpg_agent_t)
> userdom_search_user_home_dirs(gpg_agent_t)
> userdom_search_user_runtime(gpg_agent_t)
> -userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, dir)
> +userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, { dir file sock_file })
>
> ifdef(`hide_broken_symptoms',`
> userdom_dontaudit_read_user_tmp_files(gpg_agent_t)
> @@ -310,6 +327,7 @@ fs_tmpfs_filetrans(gpg_pinentry_t, gpg_p
>
> can_exec(gpg_pinentry_t, gpg_pinentry_exec_t)
>
> +kernel_dontaudit_search_sysctl(gpg_pinentry_t)
> kernel_read_system_state(gpg_pinentry_t)
>
> corecmd_exec_shell(gpg_pinentry_t)
> @@ -327,6 +345,7 @@ domain_use_interactive_fds(gpg_pinentry_
>
> files_read_usr_files(gpg_pinentry_t)
>
> +fs_dontaudit_getattr_xattr_fs(gpg_pinentry_t)
> fs_dontaudit_list_inotifyfs(gpg_pinentry_t)
>
> auth_use_nsswitch(gpg_pinentry_t)

--
Chris PeBenito

2017-06-05 07:35:11

by Dac Override

Subject: [refpolicy] [PATCH v4] gpg: manage user runtime socket files and directories

On Sun, Jun 04, 2017 at 08:42:18PM -0400, Chris PeBenito via refpolicy wrote:
> On 05/24/2017 02:05 PM, Guido Trentalancia via refpolicy wrote:
> > Update the gpg module so that it can correctly manage socket files
> > and directories in the user runtime directories.
> >
> > Some other minor gpg fixes are also included in this patch.
> >
> > This is the fourth version (v4) of this patch and it features some
> > improvements thanks to feedback received from Christopher PeBenito.
> >
> > The dirmngr policy introduced in version 3 has now been removed
> > because someone else was already working on it (I was not aware of
> > it).
> >
> > Signed-off-by: Guido Trentalancia <[email protected]>
> > ---
> > policy/modules/contrib/gpg.fc | 2 +-
> > policy/modules/contrib/gpg.te | 21 ++++++++++++++++++++-
> > 2 files changed, 21 insertions(+), 2 deletions(-)
> >
> > --- a/policy/modules/contrib/gpg.fc 2017-03-29 17:58:00.281386397 +0200
> > +++ b/policy/modules/contrib/gpg.fc 2017-05-24 19:47:04.943660156 +0200
> > @@ -11,4 +11,4 @@ HOME_DIR/\.gnupg/S\.scdaemon -s gen_con
> > /usr/lib/gnupg/.* -- gen_context(system_u:object_r:gpg_exec_t,s0)
> > /usr/lib/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0)
> >
> > -/run/user/%{USERID}/gnupg(/.*)? gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
> > +/run/user/%{USERID}/gnupg(/.*)? gen_context(system_u:object_r:gpg_runtime_t,s0)
> > --- a/policy/modules/contrib/gpg.te 2017-04-26 17:47:20.555423022 +0200
> > +++ b/policy/modules/contrib/gpg.te 2017-05-24 19:47:39.484660015 +0200
> > @@ -29,6 +29,9 @@ type gpg_exec_t;
> > userdom_user_application_domain(gpg_t, gpg_exec_t)
> > role gpg_roles types gpg_t;
> >
> > +type gpg_runtime_t;
> > +files_pid_file(gpg_runtime_t)
> > +
> > type gpg_agent_t;
> > type gpg_agent_exec_t;
> > userdom_user_application_domain(gpg_agent_t, gpg_agent_exec_t)
> > @@ -72,8 +75,12 @@ dontaudit gpg_t self:netlink_audit_socke
> > allow gpg_t self:fifo_file rw_fifo_file_perms;
> > allow gpg_t self:tcp_socket { accept listen };
> >
> > +manage_dirs_pattern(gpg_t, gpg_runtime_t, gpg_runtime_t)
> > +userdom_user_runtime_filetrans(gpg_t, gpg_runtime_t, dir, "gnupg")
> > +
> > manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
> > manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
> > +manage_sock_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
> > files_tmp_filetrans(gpg_t, gpg_agent_tmp_t, { dir file })
> >
> > manage_dirs_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
> > @@ -124,6 +131,7 @@ miscfiles_read_localization(gpg_t)
> >
> > userdom_use_user_terminals(gpg_t)
> >
> > +userdom_manage_user_tmp_dirs(gpg_t)
> > userdom_manage_user_tmp_files(gpg_t)
> > userdom_manage_user_home_content_files(gpg_t)
> > userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)
> > @@ -215,6 +223,9 @@ manage_sock_files_pattern(gpg_agent_t, g
> > manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
> > manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
> >
> > +manage_dirs_pattern(gpg_agent_t, gpg_runtime_t, gpg_runtime_t)
> > +userdom_user_runtime_filetrans(gpg_agent_t, gpg_runtime_t, dir, "gnupg")
> > +
> > manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
> > manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
> > manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
> > @@ -226,6 +237,12 @@ filetrans_pattern(gpg_agent_t, gpg_secre
> > filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.extra")
> > filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.ssh")
> > filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.scdaemon")
> > +filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, sock_file, "log-socket")
> > +filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent")
> > +filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.browser")
> > +filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.extra")
> > +filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.ssh")
> > +filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, sock_file, "S.scdaemon")
>
> My only question is with these name transitions. Yes, there already are
> several, but are there any sock_files that are not gpg_agent_tmp_t? If
> not, then I see no value with doing anything but having two transitions,
> on gpg_secret_t and gpg_runtime_t, without specifying any names.

not sure scdaemon is targeted but s.scdaemon is owned by scdaemon, I am not aware of any "log-socket"
there is also a S.dirmngr socket but that is not handled in the gpg module i suppose

Even then, though, there may be no need for name-based type transitions. I use name-based type transitions excessively for unconfined users, since they never go anywhere, and since I still want the labels in /home to be consistent I am forced to use them where possible.

>
>
> > domtrans_pattern(gpg_agent_t, gpg_pinentry_exec_t, gpg_pinentry_t)
> >
> > @@ -250,7 +267,7 @@ miscfiles_read_localization(gpg_agent_t)
> > userdom_use_user_terminals(gpg_agent_t)
> > userdom_search_user_home_dirs(gpg_agent_t)
> > userdom_search_user_runtime(gpg_agent_t)
> > -userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, dir)
> > +userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, { dir file sock_file })
> >
> > ifdef(`hide_broken_symptoms',`
> > userdom_dontaudit_read_user_tmp_files(gpg_agent_t)
> > @@ -310,6 +327,7 @@ fs_tmpfs_filetrans(gpg_pinentry_t, gpg_p
> >
> > can_exec(gpg_pinentry_t, gpg_pinentry_exec_t)
> >
> > +kernel_dontaudit_search_sysctl(gpg_pinentry_t)
> > kernel_read_system_state(gpg_pinentry_t)
> >
> > corecmd_exec_shell(gpg_pinentry_t)
> > @@ -327,6 +345,7 @@ domain_use_interactive_fds(gpg_pinentry_
> >
> > files_read_usr_files(gpg_pinentry_t)
> >
> > +fs_dontaudit_getattr_xattr_fs(gpg_pinentry_t)
> > fs_dontaudit_list_inotifyfs(gpg_pinentry_t)
> >
> > auth_use_nsswitch(gpg_pinentry_t)
>
> --
> Chris PeBenito

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

2017-06-05 12:13:45

by Chris PeBenito

Subject: [refpolicy] [PATCH v4] gpg: manage user runtime socket files and directories

On 06/05/2017 03:35 AM, Dominick Grift via refpolicy wrote:
> On Sun, Jun 04, 2017 at 08:42:18PM -0400, Chris PeBenito via refpolicy wrote:
>> On 05/24/2017 02:05 PM, Guido Trentalancia via refpolicy wrote:
>>> Update the gpg module so that it can correctly manage socket files
>>> and directories in the user runtime directories.
>>>
>>> Some other minor gpg fixes are also included in this patch.
>>>
>>> This is the fourth version (v4) of this patch and it features some
>>> improvements thanks to feedback received from Christopher PeBenito.
>>>
>>> The dirmngr policy introduced in version 3 has now been removed
>>> because someone else was already working on it (I was not aware of
>>> it).
>>>
>>> Signed-off-by: Guido Trentalancia <[email protected]>
>>> ---
>>> policy/modules/contrib/gpg.fc | 2 +-
>>> policy/modules/contrib/gpg.te | 21 ++++++++++++++++++++-
>>> 2 files changed, 21 insertions(+), 2 deletions(-)
>>>
>>> --- a/policy/modules/contrib/gpg.fc 2017-03-29 17:58:00.281386397 +0200
>>> +++ b/policy/modules/contrib/gpg.fc 2017-05-24 19:47:04.943660156 +0200
>>> @@ -11,4 +11,4 @@ HOME_DIR/\.gnupg/S\.scdaemon -s gen_con
>>> /usr/lib/gnupg/.* -- gen_context(system_u:object_r:gpg_exec_t,s0)
>>> /usr/lib/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0)
>>>
>>> -/run/user/%{USERID}/gnupg(/.*)? gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
>>> +/run/user/%{USERID}/gnupg(/.*)? gen_context(system_u:object_r:gpg_runtime_t,s0)
>>> --- a/policy/modules/contrib/gpg.te 2017-04-26 17:47:20.555423022 +0200
>>> +++ b/policy/modules/contrib/gpg.te 2017-05-24 19:47:39.484660015 +0200
>>> @@ -29,6 +29,9 @@ type gpg_exec_t;
>>> userdom_user_application_domain(gpg_t, gpg_exec_t)
>>> role gpg_roles types gpg_t;
>>>
>>> +type gpg_runtime_t;
>>> +files_pid_file(gpg_runtime_t)
>>> +
>>> type gpg_agent_t;
>>> type gpg_agent_exec_t;
>>> userdom_user_application_domain(gpg_agent_t, gpg_agent_exec_t)
>>> @@ -72,8 +75,12 @@ dontaudit gpg_t self:netlink_audit_socke
>>> allow gpg_t self:fifo_file rw_fifo_file_perms;
>>> allow gpg_t self:tcp_socket { accept listen };
>>>
>>> +manage_dirs_pattern(gpg_t, gpg_runtime_t, gpg_runtime_t)
>>> +userdom_user_runtime_filetrans(gpg_t, gpg_runtime_t, dir, "gnupg")
>>> +
>>> manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
>>> manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
>>> +manage_sock_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
>>> files_tmp_filetrans(gpg_t, gpg_agent_tmp_t, { dir file })
>>>
>>> manage_dirs_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
>>> @@ -124,6 +131,7 @@ miscfiles_read_localization(gpg_t)
>>>
>>> userdom_use_user_terminals(gpg_t)
>>>
>>> +userdom_manage_user_tmp_dirs(gpg_t)
>>> userdom_manage_user_tmp_files(gpg_t)
>>> userdom_manage_user_home_content_files(gpg_t)
>>> userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)
>>> @@ -215,6 +223,9 @@ manage_sock_files_pattern(gpg_agent_t, g
>>> manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
>>> manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
>>>
>>> +manage_dirs_pattern(gpg_agent_t, gpg_runtime_t, gpg_runtime_t)
>>> +userdom_user_runtime_filetrans(gpg_agent_t, gpg_runtime_t, dir, "gnupg")
>>> +
>>> manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
>>> manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
>>> manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
>>> @@ -226,6 +237,12 @@ filetrans_pattern(gpg_agent_t, gpg_secre
>>> filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.extra")
>>> filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.ssh")
>>> filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.scdaemon")
>>> +filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, sock_file, "log-socket")
>>> +filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent")
>>> +filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.browser")
>>> +filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.extra")
>>> +filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.ssh")
>>> +filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, sock_file, "S.scdaemon")
>>
>> My only question is with these name transitions. Yes, there already are
>> several, but are there any sock_files that are not gpg_agent_tmp_t? If
>> not, then I see no value with doing anything but having two transitions,
>> on gpg_secret_t and gpg_runtime_t, without specifying any names.
>
> not sure scdaemon is targeted but s.scdaemon is owned by scdaemon, I am not aware of any "log-socket"
> there is also a S.dirmngr socket but that is not handled in the gpg module i suppose
>
> even then though there may be no need for name-based type transitions. I use name-based type transitions excessively for unconfined users, since they go nowhere ever, and since i still want the labels in /home consistently i am forced to use them where possible

gpg_agent_t isn't unconfined.

--
Chris PeBenito

2017-06-05 14:42:24

by Guido Trentalancia

Subject: [refpolicy] [PATCH v5] gpg: manage user runtime socket files and directories

Update the gpg module so that it can correctly manage socket files
and directories in the user runtime directories.

Some other minor gpg fixes are also included in this patch.

This is the fifth version (v5) of this patch and it features some
improvements thanks to feedback received from Christopher PeBenito.

The dirmngr policy introduced in version 3 has now been removed
because dirmngr is handled in a separate module (although that
approach is probably wrong, since it should be part of the gpg module).

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/gpg.fc | 2 +-
policy/modules/contrib/gpg.te | 23 ++++++++++++++++-------
2 files changed, 17 insertions(+), 8 deletions(-)

--- a/policy/modules/contrib/gpg.fc 2017-03-29 17:58:00.281386397 +0200
+++ b/policy/modules/contrib/gpg.fc 2017-06-05 16:33:38.335731893 +0200
@@ -11,4 +11,4 @@ HOME_DIR/\.gnupg/S\.scdaemon -s gen_con
/usr/lib/gnupg/.* -- gen_context(system_u:object_r:gpg_exec_t,s0)
/usr/lib/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0)

-/run/user/%{USERID}/gnupg(/.*)? gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
+/run/user/%{USERID}/gnupg(/.*)? gen_context(system_u:object_r:gpg_runtime_t,s0)
--- a/policy/modules/contrib/gpg.te 2017-04-26 17:47:20.555423022 +0200
+++ b/policy/modules/contrib/gpg.te 2017-06-05 16:34:55.706731576 +0200
@@ -29,6 +29,9 @@ type gpg_exec_t;
userdom_user_application_domain(gpg_t, gpg_exec_t)
role gpg_roles types gpg_t;

+type gpg_runtime_t;
+files_pid_file(gpg_runtime_t)
+
type gpg_agent_t;
type gpg_agent_exec_t;
userdom_user_application_domain(gpg_agent_t, gpg_agent_exec_t)
@@ -72,8 +75,12 @@ dontaudit gpg_t self:netlink_audit_socke
allow gpg_t self:fifo_file rw_fifo_file_perms;
allow gpg_t self:tcp_socket { accept listen };

+manage_dirs_pattern(gpg_t, gpg_runtime_t, gpg_runtime_t)
+userdom_user_runtime_filetrans(gpg_t, gpg_runtime_t, dir, "gnupg")
+
manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
+manage_sock_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
files_tmp_filetrans(gpg_t, gpg_agent_tmp_t, { dir file })

manage_dirs_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
@@ -124,6 +131,7 @@ miscfiles_read_localization(gpg_t)

userdom_use_user_terminals(gpg_t)

+userdom_manage_user_tmp_dirs(gpg_t)
userdom_manage_user_tmp_files(gpg_t)
userdom_manage_user_home_content_files(gpg_t)
userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)
@@ -215,17 +223,16 @@ manage_sock_files_pattern(gpg_agent_t, g
manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)

+manage_dirs_pattern(gpg_agent_t, gpg_runtime_t, gpg_runtime_t)
+userdom_user_runtime_filetrans(gpg_agent_t, gpg_runtime_t, dir, "gnupg")
+
manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })

-filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "log-socket")
-filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent")
-filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.browser")
-filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.extra")
-filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.ssh")
-filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.scdaemon")
+filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file)
+filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, sock_file)

domtrans_pattern(gpg_agent_t, gpg_pinentry_exec_t, gpg_pinentry_t)

@@ -250,7 +257,7 @@ miscfiles_read_localization(gpg_agent_t)
userdom_use_user_terminals(gpg_agent_t)
userdom_search_user_home_dirs(gpg_agent_t)
userdom_search_user_runtime(gpg_agent_t)
-userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, dir)
+userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, { dir file sock_file })

ifdef(`hide_broken_symptoms',`
userdom_dontaudit_read_user_tmp_files(gpg_agent_t)
@@ -310,6 +317,7 @@ fs_tmpfs_filetrans(gpg_pinentry_t, gpg_p

can_exec(gpg_pinentry_t, gpg_pinentry_exec_t)

+kernel_dontaudit_search_sysctl(gpg_pinentry_t)
kernel_read_system_state(gpg_pinentry_t)

corecmd_exec_shell(gpg_pinentry_t)
@@ -327,6 +335,7 @@ domain_use_interactive_fds(gpg_pinentry_

files_read_usr_files(gpg_pinentry_t)

+fs_dontaudit_getattr_xattr_fs(gpg_pinentry_t)
fs_dontaudit_list_inotifyfs(gpg_pinentry_t)

auth_use_nsswitch(gpg_pinentry_t)

2017-06-05 12:49:38

by Dac Override

Subject: [refpolicy] [PATCH v4] gpg: manage user runtime socket files and directories

On Mon, Jun 05, 2017 at 08:13:45AM -0400, Chris PeBenito via refpolicy wrote:
> On 06/05/2017 03:35 AM, Dominick Grift via refpolicy wrote:
> > On Sun, Jun 04, 2017 at 08:42:18PM -0400, Chris PeBenito via refpolicy wrote:
> >> On 05/24/2017 02:05 PM, Guido Trentalancia via refpolicy wrote:
> >>> Update the gpg module so that it can correctly manage socket files
> >>> and directories in the user runtime directories.
> >>>
> >>> Some other minor gpg fixes are also included in this patch.
> >>>
> >>> This is the fourth version (v4) of this patch and it features some
> >>> improvements thanks to feedback received from Christopher PeBenito.
> >>>
> >>> The dirmngr policy introduced in version 3 has now been removed
> >>> because someone else was already working on it (I was not aware of
> >>> it).
> >>>
> >>> Signed-off-by: Guido Trentalancia <[email protected]>
> >>> ---
> >>> policy/modules/contrib/gpg.fc | 2 +-
> >>> policy/modules/contrib/gpg.te | 21 ++++++++++++++++++++-
> >>> 2 files changed, 21 insertions(+), 2 deletions(-)
> >>>
> >>> --- a/policy/modules/contrib/gpg.fc 2017-03-29 17:58:00.281386397 +0200
> >>> +++ b/policy/modules/contrib/gpg.fc 2017-05-24 19:47:04.943660156 +0200
> >>> @@ -11,4 +11,4 @@ HOME_DIR/\.gnupg/S\.scdaemon -s gen_con
> >>> /usr/lib/gnupg/.* -- gen_context(system_u:object_r:gpg_exec_t,s0)
> >>> /usr/lib/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0)
> >>>
> >>> -/run/user/%{USERID}/gnupg(/.*)? gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
> >>> +/run/user/%{USERID}/gnupg(/.*)? gen_context(system_u:object_r:gpg_runtime_t,s0)
> >>> --- a/policy/modules/contrib/gpg.te 2017-04-26 17:47:20.555423022 +0200
> >>> +++ b/policy/modules/contrib/gpg.te 2017-05-24 19:47:39.484660015 +0200
> >>> @@ -29,6 +29,9 @@ type gpg_exec_t;
> >>> userdom_user_application_domain(gpg_t, gpg_exec_t)
> >>> role gpg_roles types gpg_t;
> >>>
> >>> +type gpg_runtime_t;
> >>> +files_pid_file(gpg_runtime_t)
> >>> +
> >>> type gpg_agent_t;
> >>> type gpg_agent_exec_t;
> >>> userdom_user_application_domain(gpg_agent_t, gpg_agent_exec_t)
> >>> @@ -72,8 +75,12 @@ dontaudit gpg_t self:netlink_audit_socke
> >>> allow gpg_t self:fifo_file rw_fifo_file_perms;
> >>> allow gpg_t self:tcp_socket { accept listen };
> >>>
> >>> +manage_dirs_pattern(gpg_t, gpg_runtime_t, gpg_runtime_t)
> >>> +userdom_user_runtime_filetrans(gpg_t, gpg_runtime_t, dir, "gnupg")
> >>> +
> >>> manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
> >>> manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
> >>> +manage_sock_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
> >>> files_tmp_filetrans(gpg_t, gpg_agent_tmp_t, { dir file })
> >>>
> >>> manage_dirs_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
> >>> @@ -124,6 +131,7 @@ miscfiles_read_localization(gpg_t)
> >>>
> >>> userdom_use_user_terminals(gpg_t)
> >>>
> >>> +userdom_manage_user_tmp_dirs(gpg_t)
> >>> userdom_manage_user_tmp_files(gpg_t)
> >>> userdom_manage_user_home_content_files(gpg_t)
> >>> userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)
> >>> @@ -215,6 +223,9 @@ manage_sock_files_pattern(gpg_agent_t, g
> >>> manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
> >>> manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
> >>>
> >>> +manage_dirs_pattern(gpg_agent_t, gpg_runtime_t, gpg_runtime_t)
> >>> +userdom_user_runtime_filetrans(gpg_agent_t, gpg_runtime_t, dir, "gnupg")
> >>> +
> >>> manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
> >>> manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
> >>> manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
> >>> @@ -226,6 +237,12 @@ filetrans_pattern(gpg_agent_t, gpg_secre
> >>> filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.extra")
> >>> filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.ssh")
> >>> filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.scdaemon")
> >>> +filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, sock_file, "log-socket")
> >>> +filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent")
> >>> +filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.browser")
> >>> +filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.extra")
> >>> +filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.ssh")
> >>> +filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, sock_file, "S.scdaemon")
> >>
> >> My only question is with these name transitions. Yes, there already are
> >> several, but are there any sock_files that are not gpg_agent_tmp_t? If
> >> not, then I see no value with doing anything but having two transitions,
> >> on gpg_secret_t and gpg_runtime_t, without specifying any names.
> >
> > not sure scdaemon is targeted but s.scdaemon is owned by scdaemon, I am not aware of any "log-socket"
> > there is also a S.dirmngr socket but that is not handled in the gpg module i suppose
> >
> > even then though there may be no need for name-based type transitions. I use name-based type transitions excessively for unconfined users, since they go nowhere ever, and since i still want the labels in /home consistently i am forced to use them where possible
>
> gpg_agent_t isn't unconfined.

I know, but I am referring to unconfined users: if an unconfined user runs gpg-agent, then gpg-agent ends up in "unconfined_t", but I still want that socket to be labeled with the private type.

>
> --
> Chris PeBenito

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

2017-06-07 00:03:02

by Chris PeBenito

Subject: [refpolicy] [PATCH v5] gpg: manage user runtime socket files and directories

On 06/05/2017 10:42 AM, Guido Trentalancia via refpolicy wrote:
> Update the gpg module so that it can correctly manage socket files
> and directories in the user runtime directories.
>
> Some other minor gpg fixes are also included in this patch.
>
> This is the fifth version (v5) of this patch and it features some
> improvements thanks to feedback received from Christopher PeBenito.
>
> The dirmngr policy introduced in version 3 has now been removed
> because dirmngr is handled in a separate module (although this
> approach is probably wrong, it should be part of the gpg module).
>
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/contrib/gpg.fc | 2 +-
> policy/modules/contrib/gpg.te | 23 ++++++++++++++++-------
> 2 files changed, 17 insertions(+), 8 deletions(-)
>
> --- a/policy/modules/contrib/gpg.fc 2017-03-29 17:58:00.281386397 +0200
> +++ b/policy/modules/contrib/gpg.fc 2017-06-05 16:33:38.335731893 +0200
> @@ -11,4 +11,4 @@ HOME_DIR/\.gnupg/S\.scdaemon -s gen_con
> /usr/lib/gnupg/.* -- gen_context(system_u:object_r:gpg_exec_t,s0)
> /usr/lib/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0)
>
> -/run/user/%{USERID}/gnupg(/.*)? gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
> +/run/user/%{USERID}/gnupg(/.*)? gen_context(system_u:object_r:gpg_runtime_t,s0)
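Review bot: The new entry labels the whole `/run/user/%{USERID}/gnupg` subtree gpg_runtime_t, including the agent sockets inside it, whereas the .te side of this patch (`filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, sock_file)` below) creates those sockets as gpg_agent_tmp_t; a restorecon or relabel therefore moves live sockets to a type on which neither domain in this patch is granted sock_file permissions. Restricting the entry by object class keeps file-context and runtime labels consistent: `/run/user/%{USERID}/gnupg(/.*)? -d gen_context(system_u:object_r:gpg_runtime_t,s0)` for the directories and `/run/user/%{USERID}/gnupg/.* -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)` for the sockets, mirroring the per-socket `-s` entries the file already uses under HOME_DIR/.gnupg.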
> --- a/policy/modules/contrib/gpg.te 2017-04-26 17:47:20.555423022 +0200
> +++ b/policy/modules/contrib/gpg.te 2017-06-05 16:34:55.706731576 +0200
> @@ -29,6 +29,9 @@ type gpg_exec_t;
> userdom_user_application_domain(gpg_t, gpg_exec_t)
> role gpg_roles types gpg_t;
>
> +type gpg_runtime_t;
> +files_pid_file(gpg_runtime_t)
> +
> type gpg_agent_t;
> type gpg_agent_exec_t;
> userdom_user_application_domain(gpg_agent_t, gpg_agent_exec_t)
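Review bot: `files_pid_file(gpg_runtime_t)` places the per-user GnuPG socket directory under the generic pid-file attribute, so every domain that uses the broad pid interfaces (files_read_all_pids, files_manage_all_pids and similar) gains access to the directory holding the agent's private sockets, and the type does not get the ubac constraint that user tmp types normally receive through userdom_user_tmp_file. Since this directory lives under the user runtime directory, declaring it as user content, e.g. `userdom_user_tmp_file(gpg_runtime_t)` or a runtime-content equivalent if this tree provides one, would scope it to the owning user rather than to the system pid namespace. The declaration of gpg_agent_tmp_t is outside the hunk, so match whichever convention the module already follows for it.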
> @@ -72,8 +75,12 @@ dontaudit gpg_t self:netlink_audit_socke
> allow gpg_t self:fifo_file rw_fifo_file_perms;
> allow gpg_t self:tcp_socket { accept listen };
>
> +manage_dirs_pattern(gpg_t, gpg_runtime_t, gpg_runtime_t)
> +userdom_user_runtime_filetrans(gpg_t, gpg_runtime_t, dir, "gnupg")
> +
> manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
> manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
> +manage_sock_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
> files_tmp_filetrans(gpg_t, gpg_agent_tmp_t, { dir file })
>
> manage_dirs_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
> @@ -124,6 +131,7 @@ miscfiles_read_localization(gpg_t)
>
> userdom_use_user_terminals(gpg_t)
>
> +userdom_manage_user_tmp_dirs(gpg_t)
> userdom_manage_user_tmp_files(gpg_t)
> userdom_manage_user_home_content_files(gpg_t)
> userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)
> @@ -215,17 +223,16 @@ manage_sock_files_pattern(gpg_agent_t, g
> manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
> manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
>
> +manage_dirs_pattern(gpg_agent_t, gpg_runtime_t, gpg_runtime_t)
> +userdom_user_runtime_filetrans(gpg_agent_t, gpg_runtime_t, dir, "gnupg")
> +
> manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
> manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
> manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
> files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })
>
> -filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "log-socket")
> -filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent")
> -filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.browser")
> -filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.extra")
> -filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.ssh")
> -filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.scdaemon")
> +filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file)
> +filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, sock_file)
>
> domtrans_pattern(gpg_agent_t, gpg_pinentry_exec_t, gpg_pinentry_t)
>
> @@ -250,7 +257,7 @@ miscfiles_read_localization(gpg_agent_t)
> userdom_use_user_terminals(gpg_agent_t)
> userdom_search_user_home_dirs(gpg_agent_t)
> userdom_search_user_runtime(gpg_agent_t)
> -userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, dir)
> +userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, { dir file sock_file })
>
> ifdef(`hide_broken_symptoms',`
> userdom_dontaudit_read_user_tmp_files(gpg_agent_t)
> @@ -310,6 +317,7 @@ fs_tmpfs_filetrans(gpg_pinentry_t, gpg_p
>
> can_exec(gpg_pinentry_t, gpg_pinentry_exec_t)
>
> +kernel_dontaudit_search_sysctl(gpg_pinentry_t)
> kernel_read_system_state(gpg_pinentry_t)
>
> corecmd_exec_shell(gpg_pinentry_t)
> @@ -327,6 +335,7 @@ domain_use_interactive_fds(gpg_pinentry_
>
> files_read_usr_files(gpg_pinentry_t)
>
> +fs_dontaudit_getattr_xattr_fs(gpg_pinentry_t)
> fs_dontaudit_list_inotifyfs(gpg_pinentry_t)
>
> auth_use_nsswitch(gpg_pinentry_t)

Merged.

--
Chris PeBenito