---
dirmngr.if | 69 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
gpg.te | 4 ++++
2 files changed, 73 insertions(+)
diff --git a/dirmngr.if b/dirmngr.if
index 4cd2810..2f6875a 100644
--- a/dirmngr.if
+++ b/dirmngr.if
@@ -1,5 +1,74 @@
## <summary>Server for managing and downloading certificate revocation lists.</summary>
+############################################################
+## <summary>
+## Role access for dirmngr.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`dirmngr_role',`
+ gen_require(`
+ type dirmngr_t, dirmngr_exec_t;
+ ')
+
+ role $1 types dirmngr_t;
+
+ domtrans_pattern($2, dirmngr_exec_t, dirmngr_t)
+
+ allow $2 dirmngr_t:process { ptrace signal_perms };
+ ps_process_pattern($2, dirmngr_t)
+
+ allow dirmngr_t $2:fd use;
+ allow dirmngr_t $2:fifo_file { read write };
+')
+
+########################################
+## <summary>
+## Execute dirmngr in the dirmngr domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`dirmngr_domtrans',`
+ gen_require(`
+ type dirmngr_t, dirmngr_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, dirmngr_exec_t, dirmngr_t)
+')
+
+########################################
+## <summary>
+## Execute the dirmngr in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirmngr_exec',`
+ gen_require(`
+ type dirmngr_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, dirmngr_exec_t)
+')
+
########################################
## <summary>
## All of the rules required to
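Review bot: The header separator above `dirmngr_role` is 60 characters wide while the other interface headers in this hunk (`dirmngr_domtrans`, `dirmngr_exec`, and the existing admin interface below) use the 40-character refpolicy separator; shorten it to `########################################` so the file stays uniform. The two execute summaries also disagree in wording (`Execute dirmngr in the dirmngr domain.` versus `Execute the dirmngr in the caller domain.`); drop the article in the second. The same hunk is quoted again twice further down the page, the last time truncated.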
diff --git a/gpg.te b/gpg.te
index 5e87028..d6239c5 100644
--- a/gpg.te
+++ b/gpg.te
@@ -139,6 +139,10 @@ tunable_policy(`use_samba_home_dirs',`
')
optional_policy(`
+ dirmngr_domtrans(gpg_t)
+')
+
+optional_policy(`
evolution_read_orbit_tmp_files(gpg_t)
')
--
2.13.0
On 05/26/2017 11:57 AM, Jason Zaman wrote:
> ---
> dirmngr.fc | 2 ++
> dirmngr.te | 7 +++++++
> gpg.if | 20 ++++++++++++++++++++
> 3 files changed, 29 insertions(+)
>
> diff --git a/dirmngr.fc b/dirmngr.fc
> index a9cf15a..60f19f4 100644
> --- a/dirmngr.fc
> +++ b/dirmngr.fc
> @@ -1,3 +1,5 @@
> +HOME_DIR/\.gnupg/crls\.d(/.+)? gen_context(system_u:object_r:dirmngr_home_t,s0)
> +
> /etc/dirmngr(/.*)? gen_context(system_u:object_r:dirmngr_conf_t,s0)
>
> /etc/rc\.d/init\.d/dirmngr -- gen_context(system_u:object_r:dirmngr_initrc_exec_t,s0)
> diff --git a/dirmngr.te b/dirmngr.te
> index 8e4a1a8..17cce56 100644
> --- a/dirmngr.te
> +++ b/dirmngr.te
> @@ -27,6 +27,9 @@ files_type(dirmngr_var_lib_t)
> type dirmngr_var_run_t;
> files_pid_file(dirmngr_var_run_t)
>
> +type dirmngr_home_t;
> +userdom_user_home_content(dirmngr_home_t)
> +
> ########################################
> #
> # Local policy
> @@ -37,6 +40,8 @@ allow dirmngr_t self:fifo_file rw_file_perms;
> allow dirmngr_t dirmngr_conf_t:dir list_dir_perms;
> allow dirmngr_t dirmngr_conf_t:file read_file_perms;
> allow dirmngr_t dirmngr_conf_t:lnk_file read_lnk_file_perms;
> +allow dirmngr_t dirmngr_home_t:dir list_dir_perms;
> +allow dirmngr_t dirmngr_home_t:file read_file_perms;
>
> manage_dirs_pattern(dirmngr_t, dirmngr_log_t, dirmngr_log_t)
> append_files_pattern(dirmngr_t, dirmngr_log_t, dirmngr_log_t)
> @@ -61,6 +66,7 @@ kernel_read_crypto_sysctls(dirmngr_t)
> files_read_etc_files(dirmngr_t)
>
> miscfiles_read_localization(dirmngr_t)
> +miscfiles_read_generic_certs(dirmngr_t)
>
> userdom_search_user_home_dirs(dirmngr_t)
> userdom_search_user_runtime(dirmngr_t)
> @@ -68,4 +74,5 @@ userdom_user_runtime_filetrans(dirmngr_t, dirmngr_tmp_t, dir)
>
> optional_policy(`
> gpg_agent_tmp_filetrans(dirmngr_t, dirmngr_tmp_t, sock_file)
> + gpg_secret_filetrans(dirmngr_t, dirmngr_home_t, dir)
> ')
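Review bot: The `gpg_secret_filetrans(dirmngr_t, dirmngr_home_t, dir)` transition only takes effect if dirmngr_t can create a directory of type dirmngr_home_t, but the only rules this patch grants on dirmngr_home_t are `list_dir_perms` on dirs and `read_file_perms` on files, and `filetrans_pattern` itself adds no create permission on the target type. Either the transition is dead, or dirmngr is expected to populate `~/.gnupg/crls.d` itself, in which case `manage_dirs_pattern(dirmngr_t, dirmngr_home_t, dirmngr_home_t)` and `manage_files_pattern(dirmngr_t, dirmngr_home_t, dirmngr_home_t)` are the rules that should back it; which of the two is intended should be confirmed against the actual denials. The unquoted copy of this patch further down the page carries the same gap.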
> diff --git a/gpg.if b/gpg.if
> index 4480f9c..e5a1275 100644
> --- a/gpg.if
> +++ b/gpg.if
> @@ -254,6 +254,26 @@ interface(`gpg_agent_tmp_filetrans',`
>
> ########################################
> ## <summary>
> +## filetrans in gpg_secret_t dirs
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`gpg_secret_filetrans',`
> + gen_require(`
> + type gpg_secret_t;
> + ')
> +
> + filetrans_pattern($1, gpg_secret_t, $2, $3, $4)
> + allow $1 gpg_secret_t:dir search_dir_perms;
> + userdom_search_user_home_dirs($1)
> +')
Merged.
--
Chris PeBenito
On 05/26/2017 11:57 AM, Jason Zaman wrote:
> type=AVC msg=audit(1494163667.921:24917): avc: denied { name_bind } for pid=15683 comm=636F6E6E2066643D36 src=19321 scontext=staff_u:staff_r:dirmngr_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=0
> ---
> dirmngr.te | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/dirmngr.te b/dirmngr.te
> index 17cce56..4cec7fc 100644
> --- a/dirmngr.te
> +++ b/dirmngr.te
> @@ -62,6 +62,10 @@ manage_sock_files_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t)
> files_pid_filetrans(dirmngr_t, dirmngr_var_run_t, { dir file })
>
> kernel_read_crypto_sysctls(dirmngr_t)
> +dev_read_rand(dirmngr_t)
> +sysnet_dns_name_resolve(dirmngr_t)
> +
> +corenet_tcp_connect_pgpkeyserver_port(dirmngr_t)
>
> files_read_etc_files(dirmngr_t)
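Review bot: The denial quoted in the description is a udp_socket `name_bind` by dirmngr_t on unreserved_port_t, yet none of the four added lines grants a UDP bind; this only works if `sysnet_dns_name_resolve` already covers binding the resolver's ephemeral port, which should be confirmed rather than assumed, otherwise the cited AVC will recur. Since the module summary describes dirmngr as downloading certificate revocation lists, CRL and OCSP fetches over HTTP are a likely next denial after keyserver access; if that traffic is expected, `corenet_tcp_connect_http_port(dirmngr_t)` belongs alongside `corenet_tcp_connect_pgpkeyserver_port`. `dev_read_rand` is added without explanation; a short comment on why dirmngr reads /dev/random would help the next reader. The unquoted copy of this hunk further down the page has the same gaps.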
Merged.
--
Chris PeBenito
On 05/26/2017 11:57 AM, Jason Zaman wrote:
> ---
> dirmngr.if | 69 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> gpg.te | 4 ++++
> 2 files changed, 73 insertions(+)
>
> diff --git a/dirmngr.if b/dirmngr.if
> index 4cd2810..2f6875a 100644
> --- a/dirmngr.if
> +++ b/dirmngr.if
> @@ -1,5 +1,74 @@
> ## <summary>Server for managing and downloading certificate revocation lists.</summary>
>
> +############################################################
> +## <summary>
> +## Role access for dirmngr.
> +## </summary>
> +## <param name="role">
> +## <summary>
> +## Role allowed access.
> +## </summary>
> +## </param>
> +## <param name="domain">
> +## <summary>
> +## User domain for the role.
> +## </summary>
> +## </param>
> +#
> +interface(`dirmngr_role',`
> + gen_require(`
> + type dirmngr_t, dirmngr_exec_t;
> + ')
> +
> + role $1 types dirmngr_t;
> +
> + domtrans_pattern($2, dirmngr_exec_t, dirmngr_t)
> +
> + allow $2 dirmngr_t:process { ptrace signal_perms };
> + ps_process_pattern($2, dirmngr_t)
> +
> + allow dirmngr_t $2:fd use;
> + allow dirmngr_t $2:fifo_file { read write };
> +')
> +
> +########################################
> +## <summary>
> +## Execute dirmngr in the dirmngr domain.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +## </param>
> +#
> +interface(`dirmngr_domtrans',`
> + gen_require(`
> + type dirmngr_t, dirmngr_exec_t;
> + ')
> +
> + corecmd_search_bin($1)
> + domtrans_pattern($1, dirmngr_exec_t, dirmngr_t)
> +')
> +
> +########################################
> +## <summary>
> +## Execute the dirmngr in the caller domain.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`dirmngr_exec',`
> + gen_require(`
> + type dirmngr_exec_t;
> + ')
> +
> + corecmd_search_bin($1)
> + can_exec($1, dirmngr_exec_t)
> +')
> +
> ########################################
> ## <summary>
> ## All of the rules required to
> diff --git a/gpg.te b/gpg.te
> index 5e87028..d6239c5 100644
> --- a/gpg.te
> +++ b/gpg.te
> @@ -139,6 +139,10 @@ tunable_policy(`use_samba_home_dirs',`
> ')
>
> optional_policy(`
> + dirmngr_domtrans(gpg_t)
> +')
> +
> +optional_policy(`
> evolution_read_orbit_tmp_files(gpg_t)
> ')
Merged.
--
Chris PeBenito
On 05/26/2017 11:57 AM, Jason Zaman wrote:
> ---
> dirmngr.fc | 2 ++
> dirmngr.if | 25 +++++++++++++++++++++++++
> dirmngr.te | 13 +++++++++++++
> gpg.if | 38 ++++++++++++++++++++++++++++++++++++++
> gpg.te | 1 +
> 5 files changed, 79 insertions(+)
>
> diff --git a/dirmngr.fc b/dirmngr.fc
> index a0f261c..a9cf15a 100644
> --- a/dirmngr.fc
> +++ b/dirmngr.fc
> @@ -12,3 +12,5 @@
> /run/dirmngr\.pid -- gen_context(system_u:object_r:dirmngr_var_run_t,s0)
>
> /run/dirmngr(/.*)? gen_context(system_u:object_r:dirmngr_var_run_t,s0)
> +
> +/run/user/%{USERID}/gnupg/S.dirmngr -s gen_context(system_u:object_r:dirmngr_tmp_t,s0)
> diff --git a/dirmngr.if b/dirmngr.if
> index 2f6875a..07af506 100644
> --- a/dirmngr.if
> +++ b/dirmngr.if
> @@ -18,6 +18,7 @@
> interface(`dirmngr_role',`
> gen_require(`
> type dirmngr_t, dirmngr_exec_t;
> + type dirmngr_tmp_t;
> ')
>
> role $1 types dirmngr_t;
> @@ -29,6 +30,8 @@ interface(`dirmngr_role',`
>
> allow dirmngr_t $2:fd use;
> allow dirmngr_t $2:fifo_file { read write };
> +
> + allow $2 dirmngr_tmp_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
> ')
>
> ########################################
> @@ -71,6 +74,28 @@ interface(`dirmngr_exec',`
>
> ########################################
> ## <summary>
> +## Connect to dirmngr socket
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`dirmngr_stream_connect',`
> + gen_require(`
> + type dirmngr_t, dirmngr_tmp_t;
> + ')
> +
> + gpg_search_agent_tmp_dirs($1)
> + allow $1 dirmngr_tmp_t:sock_file rw_sock_file_perms;
> + allow $1 dirmngr_t:unix_stream_socket connectto;
> + userdom_search_user_runtime($1)
> + userdom_search_user_home_dirs($1)
> +')
> +
> +########################################
> +## <summary>
> ## All of the rules required to
> ## administrate an dirmngr environment.
> ## </summary>
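Review bot: `dirmngr_stream_connect` hand-writes the two rules that `stream_connect_pattern` normally provides (compare `cgmanager_stream_connect` later in this thread), and the reason is not visible in the interface: the socket path `/run/user/%{USERID}/gnupg/S.dirmngr` lives in gpg-agent's directory, so the directory search comes from `gpg_search_agent_tmp_dirs` instead. A comment such as `# the socket sits in the gpg_agent_tmp_t dir, so stream_connect_pattern cannot be used here` above `gpg_search_agent_tmp_dirs($1)` would make that explicit. That call also makes dirmngr.if depend unconditionally on an interface of the gpg module, which supports the point raised later in the thread that the dirmngr policy belongs in the gpg module. The same hunk appears unquoted further down the page.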
> diff --git a/dirmngr.te b/dirmngr.te
> index 23f4045..8e4a1a8 100644
> --- a/dirmngr.te
> +++ b/dirmngr.te
> @@ -18,6 +18,9 @@ init_script_file(dirmngr_initrc_exec_t)
> type dirmngr_log_t;
> logging_log_file(dirmngr_log_t)
>
> +type dirmngr_tmp_t;
> +userdom_user_tmp_file(dirmngr_tmp_t)
> +
> type dirmngr_var_lib_t;
> files_type(dirmngr_var_lib_t)
>
> @@ -46,6 +49,8 @@ manage_files_pattern(dirmngr_t, dirmngr_var_lib_t, dirmngr_var_lib_t)
> manage_lnk_files_pattern(dirmngr_t, dirmngr_var_lib_t, dirmngr_var_lib_t)
> files_var_lib_filetrans(dirmngr_t, dirmngr_var_lib_t, dir)
>
> +manage_sock_files_pattern(dirmngr_t, dirmngr_tmp_t, dirmngr_tmp_t)
> +
> manage_dirs_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t)
> manage_files_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t)
> manage_sock_files_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t)
> @@ -56,3 +61,11 @@ kernel_read_crypto_sysctls(dirmngr_t)
> files_read_etc_files(dirmngr_t)
>
> miscfiles_read_localization(dirmngr_t)
> +
> +userdom_search_user_home_dirs(dirmngr_t)
> +userdom_search_user_runtime(dirmngr_t)
> +userdom_user_runtime_filetrans(dirmngr_t, dirmngr_tmp_t, dir)
> +
> +optional_policy(`
> + gpg_agent_tmp_filetrans(dirmngr_t, dirmngr_tmp_t, sock_file)
> +')
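Review bot: `userdom_user_runtime_filetrans(dirmngr_t, dirmngr_tmp_t, dir)` transitions directories that dirmngr_t creates directly in the user runtime dir to dirmngr_tmp_t, yet the only rule on dirmngr_tmp_t in this patch is `manage_sock_files_pattern`, and the file context entry labels `/run/user/%{USERID}/gnupg/S.dirmngr` as a sock_file under gpg-agent's directory rather than a dirmngr_tmp_t directory. Without any `dir` permission on dirmngr_tmp_t that transition cannot succeed, so it is either dead or needs `manage_dirs_pattern(dirmngr_t, dirmngr_tmp_t, dirmngr_tmp_t)`; worth confirming which path dirmngr actually creates. The sock_file transition inside the gpg optional block is the one that matches the fc entry. The unquoted copy of this hunk further down the page is the same.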
> diff --git a/gpg.if b/gpg.if
> index efffff8..4480f9c 100644
> --- a/gpg.if
> +++ b/gpg.if
> @@ -216,6 +216,44 @@ interface(`gpg_stream_connect_agent',`
>
> ########################################
> ## <summary>
> +## Search gpg agent dirs.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`gpg_search_agent_tmp_dirs',`
> + gen_require(`
> + type gpg_agent_tmp_t;
> + ')
> +
> + allow $1 gpg_agent_tmp_t:dir search_dir_perms;
> +')
> +
> +########################################
> +## <summary>
> +## filetrans in gpg_agent_tmp_t dirs
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`gpg_agent_tmp_filetrans',`
> + gen_require(`
> + type gpg_agent_t, gpg_agent_tmp_t;
> + type gpg_secret_t;
> + ')
> +
> + filetrans_pattern($1, gpg_agent_tmp_t, $2, $3, $4)
> + userdom_search_user_runtime($1)
> +')
> +
> +########################################
> +## <summary>
> ## Send messages to and from gpg
> ## pinentry over DBUS.
> ## </summary>
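Review bot: `gpg_agent_tmp_filetrans` lists `gpg_agent_t` and `gpg_secret_t` in its `gen_require` block but uses neither; only `gpg_agent_tmp_t` is referenced, so the other two should be dropped to avoid an unneeded requirement. Both this interface and `gpg_secret_filetrans` in the follow-up patch on this page expand `$2`, `$3` and `$4` but document only `domain`; the headers should add `<param name="private_type">`, `<param name="object_class">` and `<param name="name" optional="true">` entries describing the type transitioned to, the object class(es), and the optional filename. The two filetrans summaries (`filetrans in gpg_agent_tmp_t dirs`, `filetrans in gpg_secret_t dirs`) should also be capitalised and end with a period like `Search gpg agent dirs.` above them.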
> diff --git a/gpg.te b/gpg.te
> index d6239c5..0ddbc18 100644
> --- a/gpg.te
> +++ b/gpg.te
> @@ -140,6 +140,7 @@ tunable_policy(`use_samba_home_dirs',`
>
> optional_policy(`
> dirmngr_domtrans(gpg_t)
> + dirmngr_stream_connect(gpg_t)
> ')
Merged.
--
Chris PeBenito
On 05/26/2017 11:58 AM, Jason Zaman wrote:
> ---
> cgmanager.fc | 9 ++++++++
> cgmanager.if | 22 ++++++++++++++++++++
> cgmanager.te | 67 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> 3 files changed, 98 insertions(+)
> create mode 100644 cgmanager.fc
> create mode 100644 cgmanager.if
> create mode 100644 cgmanager.te
>
> diff --git a/cgmanager.fc b/cgmanager.fc
> new file mode 100644
> index 0000000..b02ca99
> --- /dev/null
> +++ b/cgmanager.fc
> @@ -0,0 +1,9 @@
> +/usr/sbin/cgmanager -- gen_context(system_u:object_r:cgmanager_exec_t,s0)
> +/usr/sbin/cgproxy -- gen_context(system_u:object_r:cgmanager_exec_t,s0)
> +/usr/libexec/cgmanager/cgm-release-agent -- gen_context(system_u:object_r:cgmanager_exec_t,s0)
> +
> +/sys/fs/cgroup/cgmanager(/.*)? gen_context(system_u:object_r:cgmanager_cgroup_t,s0)
> +
> +/run/cgmanager(/.*)? gen_context(system_u:object_r:cgmanager_run_t,s0)
> +/run/cgmanager.pid gen_context(system_u:object_r:cgmanager_run_t,s0)
> +/run/cgmanager/fs(/.*)? <<none>>
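Review bot: In `/run/cgmanager.pid gen_context(system_u:object_r:cgmanager_run_t,s0)` the dot is unescaped and the entry has no file-type field, unlike `/run/dirmngr\.pid --` elsewhere in this series; as a regex `.` matches any character and without `--` the context applies to any object type at that path, so it should read `/run/cgmanager\.pid -- gen_context(system_u:object_r:cgmanager_run_t,s0)`. The `/run/cgmanager/fs(/.*)? <<none>>` entry deserves a short comment saying why objects under it are deliberately left unlabelled. The unquoted copy of this patch further down the page has the same entry.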
> diff --git a/cgmanager.if b/cgmanager.if
> new file mode 100644
> index 0000000..ad459a6
> --- /dev/null
> +++ b/cgmanager.if
> @@ -0,0 +1,22 @@
> +## <summary>Control Group manager daemon.</summary>
> +
> +########################################
> +## <summary>
> +## Connect to cgmanager with a unix
> +## domain stream socket.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`cgmanager_stream_connect',`
> + gen_require(`
> + type cgmanager_t, cgmanager_cgroup_t;
> + ')
> +
> + fs_search_cgroup_dirs($1)
> + list_dirs_pattern($1, cgmanager_cgroup_t, cgmanager_cgroup_t)
> + stream_connect_pattern($1, cgmanager_cgroup_t, cgmanager_cgroup_t, cgmanager_t)
> +')
> diff --git a/cgmanager.te b/cgmanager.te
> new file mode 100644
> index 0000000..d70e8ca
> --- /dev/null
> +++ b/cgmanager.te
> @@ -0,0 +1,67 @@
> +policy_module(cgmanager, 1.0.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +type cgmanager_t;
> +type cgmanager_exec_t;
> +init_daemon_domain(cgmanager_t, cgmanager_exec_t)
> +
> +type cgmanager_run_t;
> +files_pid_file(cgmanager_run_t)
> +
> +type cgmanager_cgroup_t;
> +files_type(cgmanager_cgroup_t)
> +
> +########################################
> +#
> +# CGManager local policy
> +#
> +
> +allow cgmanager_t self:capability { sys_admin dac_override };
> +allow cgmanager_t self:fifo_file rw_fifo_file_perms;
> +
> +manage_dirs_pattern(cgmanager_t, cgmanager_run_t, cgmanager_run_t)
> +manage_files_pattern(cgmanager_t, cgmanager_run_t, cgmanager_run_t)
> +manage_lnk_files_pattern(cgmanager_t, cgmanager_run_t, cgmanager_run_t)
> +files_pid_filetrans(cgmanager_t, cgmanager_run_t, { file dir })
> +allow cgmanager_t cgmanager_run_t:dir mounton;
> +
> +manage_dirs_pattern(cgmanager_t, cgmanager_cgroup_t, cgmanager_cgroup_t)
> +manage_files_pattern(cgmanager_t, cgmanager_cgroup_t, cgmanager_cgroup_t)
> +manage_sock_files_pattern(cgmanager_t, cgmanager_cgroup_t, cgmanager_cgroup_t)
> +fs_cgroup_filetrans(cgmanager_t, cgmanager_cgroup_t, dir, "cgmanager")
The above interface doesn't exist.
> +# for the release agent
> +kernel_domtrans_to(cgmanager_t, cgmanager_exec_t)
> +kernel_read_system_state(cgmanager_t)
> +
> +corecmd_exec_bin(cgmanager_t)
> +can_exec(cgmanager_t, cgmanager_exec_t)
> +
> +domain_read_all_domains_state(cgmanager_t)
> +
> +files_read_etc_files(cgmanager_t)
> +
> +# cgmanager unmounts everything in its own mount namespace and mounts tmpfs on some things
> +files_mounton_all_mountpoints(cgmanager_t)
> +files_unmount_all_file_type_fs(cgmanager_t)
> +fs_unmount_xattr_fs(cgmanager_t)
> +
> +fs_manage_cgroup_dirs(cgmanager_t)
> +fs_manage_cgroup_files(cgmanager_t)
> +
> +fs_getattr_tmpfs(cgmanager_t)
> +
> +fs_manage_tmpfs_dirs(cgmanager_t)
> +fs_manage_tmpfs_files(cgmanager_t)
> +
> +fs_mount_cgroup(cgmanager_t)
> +fs_mount_tmpfs(cgmanager_t)
> +fs_mounton_tmpfs(cgmanager_t)
> +fs_remount_cgroup(cgmanager_t)
> +fs_remount_tmpfs(cgmanager_t)
> +fs_unmount_cgroup(cgmanager_t)
> +fs_unmount_tmpfs(cgmanager_t)
>
--
Chris PeBenito
---
dirmngr.fc | 2 ++
dirmngr.if | 25 +++++++++++++++++++++++++
dirmngr.te | 13 +++++++++++++
gpg.if | 38 ++++++++++++++++++++++++++++++++++++++
gpg.te | 1 +
5 files changed, 79 insertions(+)
diff --git a/dirmngr.fc b/dirmngr.fc
index a0f261c..a9cf15a 100644
--- a/dirmngr.fc
+++ b/dirmngr.fc
@@ -12,3 +12,5 @@
/run/dirmngr\.pid -- gen_context(system_u:object_r:dirmngr_var_run_t,s0)
/run/dirmngr(/.*)? gen_context(system_u:object_r:dirmngr_var_run_t,s0)
+
+/run/user/%{USERID}/gnupg/S.dirmngr -s gen_context(system_u:object_r:dirmngr_tmp_t,s0)
diff --git a/dirmngr.if b/dirmngr.if
index 2f6875a..07af506 100644
--- a/dirmngr.if
+++ b/dirmngr.if
@@ -18,6 +18,7 @@
interface(`dirmngr_role',`
gen_require(`
type dirmngr_t, dirmngr_exec_t;
+ type dirmngr_tmp_t;
')
role $1 types dirmngr_t;
@@ -29,6 +30,8 @@ interface(`dirmngr_role',`
allow dirmngr_t $2:fd use;
allow dirmngr_t $2:fifo_file { read write };
+
+ allow $2 dirmngr_tmp_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
')
########################################
@@ -71,6 +74,28 @@ interface(`dirmngr_exec',`
########################################
## <summary>
+## Connect to dirmngr socket
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirmngr_stream_connect',`
+ gen_require(`
+ type dirmngr_t, dirmngr_tmp_t;
+ ')
+
+ gpg_search_agent_tmp_dirs($1)
+ allow $1 dirmngr_tmp_t:sock_file rw_sock_file_perms;
+ allow $1 dirmngr_t:unix_stream_socket connectto;
+ userdom_search_user_runtime($1)
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
## All of the rules required to
## administrate an dirmngr environment.
## </summary>
diff --git a/dirmngr.te b/dirmngr.te
index 23f4045..8e4a1a8 100644
--- a/dirmngr.te
+++ b/dirmngr.te
@@ -18,6 +18,9 @@ init_script_file(dirmngr_initrc_exec_t)
type dirmngr_log_t;
logging_log_file(dirmngr_log_t)
+type dirmngr_tmp_t;
+userdom_user_tmp_file(dirmngr_tmp_t)
+
type dirmngr_var_lib_t;
files_type(dirmngr_var_lib_t)
@@ -46,6 +49,8 @@ manage_files_pattern(dirmngr_t, dirmngr_var_lib_t, dirmngr_var_lib_t)
manage_lnk_files_pattern(dirmngr_t, dirmngr_var_lib_t, dirmngr_var_lib_t)
files_var_lib_filetrans(dirmngr_t, dirmngr_var_lib_t, dir)
+manage_sock_files_pattern(dirmngr_t, dirmngr_tmp_t, dirmngr_tmp_t)
+
manage_dirs_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t)
manage_files_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t)
manage_sock_files_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t)
@@ -56,3 +61,11 @@ kernel_read_crypto_sysctls(dirmngr_t)
files_read_etc_files(dirmngr_t)
miscfiles_read_localization(dirmngr_t)
+
+userdom_search_user_home_dirs(dirmngr_t)
+userdom_search_user_runtime(dirmngr_t)
+userdom_user_runtime_filetrans(dirmngr_t, dirmngr_tmp_t, dir)
+
+optional_policy(`
+ gpg_agent_tmp_filetrans(dirmngr_t, dirmngr_tmp_t, sock_file)
+')
diff --git a/gpg.if b/gpg.if
index efffff8..4480f9c 100644
--- a/gpg.if
+++ b/gpg.if
@@ -216,6 +216,44 @@ interface(`gpg_stream_connect_agent',`
########################################
## <summary>
+## Search gpg agent dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gpg_search_agent_tmp_dirs',`
+ gen_require(`
+ type gpg_agent_tmp_t;
+ ')
+
+ allow $1 gpg_agent_tmp_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## filetrans in gpg_agent_tmp_t dirs
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gpg_agent_tmp_filetrans',`
+ gen_require(`
+ type gpg_agent_t, gpg_agent_tmp_t;
+ type gpg_secret_t;
+ ')
+
+ filetrans_pattern($1, gpg_agent_tmp_t, $2, $3, $4)
+ userdom_search_user_runtime($1)
+')
+
+########################################
+## <summary>
## Send messages to and from gpg
## pinentry over DBUS.
## </summary>
diff --git a/gpg.te b/gpg.te
index d6239c5..0ddbc18 100644
--- a/gpg.te
+++ b/gpg.te
@@ -140,6 +140,7 @@ tunable_policy(`use_samba_home_dirs',`
optional_policy(`
dirmngr_domtrans(gpg_t)
+ dirmngr_stream_connect(gpg_t)
')
optional_policy(`
--
2.13.0
---
dirmngr.fc | 2 ++
dirmngr.te | 7 +++++++
gpg.if | 20 ++++++++++++++++++++
3 files changed, 29 insertions(+)
diff --git a/dirmngr.fc b/dirmngr.fc
index a9cf15a..60f19f4 100644
--- a/dirmngr.fc
+++ b/dirmngr.fc
@@ -1,3 +1,5 @@
+HOME_DIR/\.gnupg/crls\.d(/.+)? gen_context(system_u:object_r:dirmngr_home_t,s0)
+
/etc/dirmngr(/.*)? gen_context(system_u:object_r:dirmngr_conf_t,s0)
/etc/rc\.d/init\.d/dirmngr -- gen_context(system_u:object_r:dirmngr_initrc_exec_t,s0)
diff --git a/dirmngr.te b/dirmngr.te
index 8e4a1a8..17cce56 100644
--- a/dirmngr.te
+++ b/dirmngr.te
@@ -27,6 +27,9 @@ files_type(dirmngr_var_lib_t)
type dirmngr_var_run_t;
files_pid_file(dirmngr_var_run_t)
+type dirmngr_home_t;
+userdom_user_home_content(dirmngr_home_t)
+
########################################
#
# Local policy
@@ -37,6 +40,8 @@ allow dirmngr_t self:fifo_file rw_file_perms;
allow dirmngr_t dirmngr_conf_t:dir list_dir_perms;
allow dirmngr_t dirmngr_conf_t:file read_file_perms;
allow dirmngr_t dirmngr_conf_t:lnk_file read_lnk_file_perms;
+allow dirmngr_t dirmngr_home_t:dir list_dir_perms;
+allow dirmngr_t dirmngr_home_t:file read_file_perms;
manage_dirs_pattern(dirmngr_t, dirmngr_log_t, dirmngr_log_t)
append_files_pattern(dirmngr_t, dirmngr_log_t, dirmngr_log_t)
@@ -61,6 +66,7 @@ kernel_read_crypto_sysctls(dirmngr_t)
files_read_etc_files(dirmngr_t)
miscfiles_read_localization(dirmngr_t)
+miscfiles_read_generic_certs(dirmngr_t)
userdom_search_user_home_dirs(dirmngr_t)
userdom_search_user_runtime(dirmngr_t)
@@ -68,4 +74,5 @@ userdom_user_runtime_filetrans(dirmngr_t, dirmngr_tmp_t, dir)
optional_policy(`
gpg_agent_tmp_filetrans(dirmngr_t, dirmngr_tmp_t, sock_file)
+ gpg_secret_filetrans(dirmngr_t, dirmngr_home_t, dir)
')
diff --git a/gpg.if b/gpg.if
index 4480f9c..e5a1275 100644
--- a/gpg.if
+++ b/gpg.if
@@ -254,6 +254,26 @@ interface(`gpg_agent_tmp_filetrans',`
########################################
## <summary>
+## filetrans in gpg_secret_t dirs
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gpg_secret_filetrans',`
+ gen_require(`
+ type gpg_secret_t;
+ ')
+
+ filetrans_pattern($1, gpg_secret_t, $2, $3, $4)
+ allow $1 gpg_secret_t:dir search_dir_perms;
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
## Send messages to and from gpg
## pinentry over DBUS.
## </summary>
--
2.13.0
type=AVC msg=audit(1494163667.921:24917): avc: denied { name_bind } for pid=15683 comm=636F6E6E2066643D36 src=19321 scontext=staff_u:staff_r:dirmngr_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=0
---
dirmngr.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/dirmngr.te b/dirmngr.te
index 17cce56..4cec7fc 100644
--- a/dirmngr.te
+++ b/dirmngr.te
@@ -62,6 +62,10 @@ manage_sock_files_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t)
files_pid_filetrans(dirmngr_t, dirmngr_var_run_t, { dir file })
kernel_read_crypto_sysctls(dirmngr_t)
+dev_read_rand(dirmngr_t)
+sysnet_dns_name_resolve(dirmngr_t)
+
+corenet_tcp_connect_pgpkeyserver_port(dirmngr_t)
files_read_etc_files(dirmngr_t)
--
2.13.0
---
cgmanager.fc | 9 ++++++++
cgmanager.if | 22 ++++++++++++++++++++
cgmanager.te | 67 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 98 insertions(+)
create mode 100644 cgmanager.fc
create mode 100644 cgmanager.if
create mode 100644 cgmanager.te
diff --git a/cgmanager.fc b/cgmanager.fc
new file mode 100644
index 0000000..b02ca99
--- /dev/null
+++ b/cgmanager.fc
@@ -0,0 +1,9 @@
+/usr/sbin/cgmanager -- gen_context(system_u:object_r:cgmanager_exec_t,s0)
+/usr/sbin/cgproxy -- gen_context(system_u:object_r:cgmanager_exec_t,s0)
+/usr/libexec/cgmanager/cgm-release-agent -- gen_context(system_u:object_r:cgmanager_exec_t,s0)
+
+/sys/fs/cgroup/cgmanager(/.*)? gen_context(system_u:object_r:cgmanager_cgroup_t,s0)
+
+/run/cgmanager(/.*)? gen_context(system_u:object_r:cgmanager_run_t,s0)
+/run/cgmanager.pid gen_context(system_u:object_r:cgmanager_run_t,s0)
+/run/cgmanager/fs(/.*)? <<none>>
diff --git a/cgmanager.if b/cgmanager.if
new file mode 100644
index 0000000..ad459a6
--- /dev/null
+++ b/cgmanager.if
@@ -0,0 +1,22 @@
+## <summary>Control Group manager daemon.</summary>
+
+########################################
+## <summary>
+## Connect to cgmanager with a unix
+## domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cgmanager_stream_connect',`
+ gen_require(`
+ type cgmanager_t, cgmanager_cgroup_t;
+ ')
+
+ fs_search_cgroup_dirs($1)
+ list_dirs_pattern($1, cgmanager_cgroup_t, cgmanager_cgroup_t)
+ stream_connect_pattern($1, cgmanager_cgroup_t, cgmanager_cgroup_t, cgmanager_t)
+')
diff --git a/cgmanager.te b/cgmanager.te
new file mode 100644
index 0000000..d70e8ca
--- /dev/null
+++ b/cgmanager.te
@@ -0,0 +1,67 @@
+policy_module(cgmanager, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type cgmanager_t;
+type cgmanager_exec_t;
+init_daemon_domain(cgmanager_t, cgmanager_exec_t)
+
+type cgmanager_run_t;
+files_pid_file(cgmanager_run_t)
+
+type cgmanager_cgroup_t;
+files_type(cgmanager_cgroup_t)
+
+########################################
+#
+# CGManager local policy
+#
+
+allow cgmanager_t self:capability { sys_admin dac_override };
+allow cgmanager_t self:fifo_file rw_fifo_file_perms;
+
+manage_dirs_pattern(cgmanager_t, cgmanager_run_t, cgmanager_run_t)
+manage_files_pattern(cgmanager_t, cgmanager_run_t, cgmanager_run_t)
+manage_lnk_files_pattern(cgmanager_t, cgmanager_run_t, cgmanager_run_t)
+files_pid_filetrans(cgmanager_t, cgmanager_run_t, { file dir })
+allow cgmanager_t cgmanager_run_t:dir mounton;
+
+manage_dirs_pattern(cgmanager_t, cgmanager_cgroup_t, cgmanager_cgroup_t)
+manage_files_pattern(cgmanager_t, cgmanager_cgroup_t, cgmanager_cgroup_t)
+manage_sock_files_pattern(cgmanager_t, cgmanager_cgroup_t, cgmanager_cgroup_t)
+fs_cgroup_filetrans(cgmanager_t, cgmanager_cgroup_t, dir, "cgmanager")
+
+# for the release agent
+kernel_domtrans_to(cgmanager_t, cgmanager_exec_t)
+kernel_read_system_state(cgmanager_t)
+
+corecmd_exec_bin(cgmanager_t)
+can_exec(cgmanager_t, cgmanager_exec_t)
+
+domain_read_all_domains_state(cgmanager_t)
+
+files_read_etc_files(cgmanager_t)
+
+# cgmanager unmounts everything in its own mount namespace and mounts tmpfs on some things
+files_mounton_all_mountpoints(cgmanager_t)
+files_unmount_all_file_type_fs(cgmanager_t)
+fs_unmount_xattr_fs(cgmanager_t)
+
+fs_manage_cgroup_dirs(cgmanager_t)
+fs_manage_cgroup_files(cgmanager_t)
+
+fs_getattr_tmpfs(cgmanager_t)
+
+fs_manage_tmpfs_dirs(cgmanager_t)
+fs_manage_tmpfs_files(cgmanager_t)
+
+fs_mount_cgroup(cgmanager_t)
+fs_mount_tmpfs(cgmanager_t)
+fs_mounton_tmpfs(cgmanager_t)
+fs_remount_cgroup(cgmanager_t)
+fs_remount_tmpfs(cgmanager_t)
+fs_unmount_cgroup(cgmanager_t)
+fs_unmount_tmpfs(cgmanager_t)
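Review bot: `allow cgmanager_t self:capability { sys_admin dac_override };` grants the two widest capabilities in the module without a comment saying what needs them; `dac_read_search` is usually sufficient where the daemon only needs to traverse or read other users' files, and `sys_admin` is presumably for the mount calls below, so the line should either be narrowed or annotated with the operation that requires each. Likewise `kernel_domtrans_to`, `domain_read_all_domains_state`, `files_mounton_all_mountpoints` and `files_unmount_all_file_type_fs` each carry a large blast radius and should get a one-line why-comment (the mount-namespace comment already does this for the unmount group) or be replaced by narrower interfaces once the actual denials are known. The quoted copy of this hunk earlier on the page is the same.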
--
2.13.0
setattr on chr_files is for setting dev nodes on login
rw sysfs and devicekit for suspend
fifo_files are for inhibit
connect to cgmanager to track sessions with cgroups
---
consolekit.te | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/consolekit.te b/consolekit.te
index c99a6cb..d51634e 100644
--- a/consolekit.te
+++ b/consolekit.te
@@ -40,6 +40,7 @@ logging_log_filetrans(consolekit_t, consolekit_log_t, file)
manage_dirs_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
manage_files_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
+manage_fifo_files_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
files_pid_filetrans(consolekit_t, consolekit_var_run_t, { dir file })
kernel_read_system_state(consolekit_t)
@@ -53,7 +54,8 @@ corecmd_exec_bin(consolekit_t)
corecmd_exec_shell(consolekit_t)
dev_read_urand(consolekit_t)
-dev_read_sysfs(consolekit_t)
+dev_rw_sysfs(consolekit_t)
+dev_setattr_all_chr_files(consolekit_t)
domain_read_all_domains_state(consolekit_t)
domain_use_interactive_fds(consolekit_t)
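Review bot: `dev_setattr_all_chr_files(consolekit_t)` grants setattr on every character-device type in the policy, while the description only mentions setting up device nodes on login; if the affected nodes are a known set, the per-type setattr interfaces would keep the daemon from changing the mode or ownership of unrelated devices, so the actual denials should be checked before the all-types interface is kept. Whichever is chosen, the reasons given in the commit message are lost in the .te file, so a comment above these two lines such as `# rw sysfs for suspend, chr_file setattr for dev nodes on login` is needed.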
@@ -104,6 +106,10 @@ tunable_policy(`use_samba_home_dirs',`
')
optional_policy(`
+ cgmanager_stream_connect(consolekit_t)
+')
+
+optional_policy(`
dbus_read_lib_files(consolekit_t)
dbus_system_domain(consolekit_t, consolekit_exec_t)
@@ -125,6 +131,10 @@ optional_policy(`
')
optional_policy(`
+ devicekit_manage_log_files(consolekit_t)
+')
+
+optional_policy(`
hal_ptrace(consolekit_t)
')
@@ -156,6 +166,7 @@ optional_policy(`
optional_policy(`
udev_domtrans(consolekit_t)
udev_read_db(consolekit_t)
+ udev_read_pid_files(consolekit_t)
udev_signal(consolekit_t)
')
--
2.13.0
As already explained earlier on, the whole dirmngr policy goes in the
existing gpg module.
Creating a separate module for dirmngr is wrong!
Regards,
Guido
On Fri, 26/05/2017 at 23.57 +0800, Jason Zaman via refpolicy
wrote:
> ---
> dirmngr.if | 69
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> gpg.te | 4 ++++
> 2 files changed, 73 insertions(+)
>
> diff --git a/dirmngr.if b/dirmngr.if
> index 4cd2810..2f6875a 100644
> --- a/dirmngr.if
> +++ b/dirmngr.if
> @@ -1,5 +1,74 @@
> ## <summary>Server for managing and downloading certificate
> revocation lists.</summary>
>
> +############################################################
> +## <summary>
> +## Role access for dirmngr.
> +## </summary>
> +## <param name="role">
> +## <summary>
> +## Role allowed access.
> +## </summary>
> +## </param>
> +## <param name="domain">
> +## <summary>
> +## User domain for the role.
> +## </summary>
> +## </param>
> +#
> +interface(`dirmngr_role',`
> + gen_require(`
> + type dirmngr_t, dirmngr_exec_t;
> + ')
> +
> + role $1 types dirmngr_t;
> +
> + domtrans_pattern($2, dirmngr_exec_t, dirmngr_t)
> +
> + allow $2 dirmngr_t:process { ptrace signal_perms };
> + ps_process_pattern($2, dirmngr_t)
> +
> + allow dirmngr_t $2:fd use;
> + allow dirmngr_t $2:fifo_file { read write };
> +')
> +
> +########################################
> +## <summary>
> +## Execute dirmngr in the dirmngr domain.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +## </param>
> +#
> +interface(`dirmngr_domtrans',`
> + gen_require(`
> + type dirmngr_t, dirmngr_exec_t;
> + ')
> +
> + corecmd_search_bin($1)
> + domtrans_pattern($1, dirmngr_exec_t, dirmngr_t)
> +')
> +
> +########################################
> +## <summary>
> +## Execute the dirmngr in the caller domain.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`dirmngr_exec',`
> + gen_require(`
> + type dirmngr_exec_t;
> + ')
> +
> + corecmd_search_bin($1)
> + can_exec($1, dirmngr_exec_t)
> +')
> +
> ########################################
> ## <summary>
> ## All of the rules required to
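Review bot: The separator line above the `dirmngr_role` header is 60 `#` characters, while the `dirmngr_domtrans` and `dirmngr_exec` headers below it and the existing interface header at the end of the hunk use the 40-character `########################################` form that the rest of the file follows; the `dirmngr_role` separator should match. The `dirmngr_role` summary could also say what it grants beyond the transition, e.g. `## Role access for dirmngr: domain transition, signal/ptrace and ps access to dirmngr_t for the user domain.`, since that is what a policy maintainer reads when deciding whether to expose it to a role. The same hunk is quoted again later in this thread, where the same points apply.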
> diff --git a/gpg.te b/gpg.te
> index 5e87028..d6239c5 100644
> --- a/gpg.te
> +++ b/gpg.te
> @@ -139,6 +139,10 @@ tunable_policy(`use_samba_home_dirs',`
> ')
>
> optional_policy(`
> + dirmngr_domtrans(gpg_t)
> +')
> +
> +optional_policy(`
> evolution_read_orbit_tmp_files(gpg_t)
> ')
>
Ugh ... i forgot to add the v2 to all these ... :(
On Fri, May 26, 2017 at 11:57:59PM +0800, Jason Zaman wrote:
> type=AVC msg=audit(1494163667.921:24917): avc: denied { name_bind } for pid=15683 comm=636F6E6E2066643D36 src=19321 scontext=staff_u:staff_r:dirmngr_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=0
> ---
> dirmngr.te | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/dirmngr.te b/dirmngr.te
> index 17cce56..4cec7fc 100644
> --- a/dirmngr.te
> +++ b/dirmngr.te
> @@ -62,6 +62,10 @@ manage_sock_files_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t)
> files_pid_filetrans(dirmngr_t, dirmngr_var_run_t, { dir file })
>
> kernel_read_crypto_sysctls(dirmngr_t)
> +dev_read_rand(dirmngr_t)
> +sysnet_dns_name_resolve(dirmngr_t)
> +
> +corenet_tcp_connect_pgpkeyserver_port(dirmngr_t)
I dropped the binds from here. I will confirm if dns needs them and send
a patch for this later. Figured it was better to get the rest merged
first.
-- Jason
>
> files_read_etc_files(dirmngr_t)
>
> --
> 2.13.0
>
On Fri, May 26, 2017 at 06:00:58PM +0200, Guido Trentalancia via refpolicy wrote:
> As already explained earlier on, the whole dirmngr policy goes in the
> existing gpg module.
>
> Creating a separate module for dirmngr is wrong !
I didn't create it, it's been there for years ... I'm just updating it so
it actually works. There are tons of policies that are split apart
anyway; this is hardly the first.
And if you did want to merge it into the gpg policy you'd have to take
care of the compat issues by setting aliases and all that.
-- Jason
>
> Regards,
>
> Guido
>
> On Fri, 26/05/2017 at 23.57 +0800, Jason Zaman via refpolicy
> wrote:
> > ---
> > dirmngr.if | 69
> > ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> > gpg.te | 4 ++++
> > 2 files changed, 73 insertions(+)
> >
> > diff --git a/dirmngr.if b/dirmngr.if
> > index 4cd2810..2f6875a 100644
> > --- a/dirmngr.if
> > +++ b/dirmngr.if
> > @@ -1,5 +1,74 @@
> > ## <summary>Server for managing and downloading certificate
> > revocation lists.</summary>
> >
> > +############################################################
> > +## <summary>
> > +## Role access for dirmngr.
> > +## </summary>
> > +## <param name="role">
> > +## <summary>
> > +## Role allowed access.
> > +## </summary>
> > +## </param>
> > +## <param name="domain">
> > +## <summary>
> > +## User domain for the role.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`dirmngr_role',`
> > + gen_require(`
> > + type dirmngr_t, dirmngr_exec_t;
> > + ')
> > +
> > + role $1 types dirmngr_t;
> > +
> > + domtrans_pattern($2, dirmngr_exec_t, dirmngr_t)
> > +
> > + allow $2 dirmngr_t:process { ptrace signal_perms };
> > + ps_process_pattern($2, dirmngr_t)
> > +
> > + allow dirmngr_t $2:fd use;
> > + allow dirmngr_t $2:fifo_file { read write };
> > +')
> > +
> > +########################################
> > +## <summary>
> > +## Execute dirmngr in the dirmngr domain.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed to transition.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`dirmngr_domtrans',`
> > + gen_require(`
> > + type dirmngr_t, dirmngr_exec_t;
> > + ')
> > +
> > + corecmd_search_bin($1)
> > + domtrans_pattern($1, dirmngr_exec_t, dirmngr_t)
> > +')
> > +
> > +########################################
> > +## <summary>
> > +## Execute the dirmngr in the caller domain.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`dirmngr_exec',`
> > + gen_require(`
> > + type dirmngr_exec_t;
> > + ')
> > +
> > + corecmd_search_bin($1)
> > + can_exec($1, dirmngr_exec_t)
> > +')
> > +
> > ########################################
> > ## <summary>
> > ## All of the rules required to
> > diff --git a/gpg.te b/gpg.te
> > index 5e87028..d6239c5 100644
> > --- a/gpg.te
> > +++ b/gpg.te
> > @@ -139,6 +139,10 @@ tunable_policy(`use_samba_home_dirs',`
> > ')
> >
> > optional_policy(`
> > + dirmngr_domtrans(gpg_t)
> > +')
> > +
> > +optional_policy(`
> > evolution_read_orbit_tmp_files(gpg_t)
> > ')
> >