2009-11-01 20:47:58

by domg472

Subject: [refpolicy] [gpg patch 1/1] Extend the Gnupg domain to allow key signing (with seahorse).

When we sign a Gnupg key, in at least Seahorse, the gpg_t domain wants to transition to the gpg_agent_t domain.
The gpg_pinentry_t domain also has to be able to prompt for the key passphrase.

Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 9d162a8... 009274d... M policy/modules/apps/gpg.te
policy/modules/apps/gpg.te | 46 ++++++++++++++++++++++++++++++++++++++++---
1 files changed, 42 insertions(+), 4 deletions(-)

diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te
index 9d162a8..009274d 100644
--- a/policy/modules/apps/gpg.te
+++ b/policy/modules/apps/gpg.te
@@ -53,6 +53,10 @@ typealias gpg_pinentry_t alias { auditadm_gpg_pinentry_t secadm_gpg_pinentry_t }
application_domain(gpg_pinentry_t, pinentry_exec_t)
ubac_constrained(gpg_pinentry_t)

+type gpg_pinentry_tmpfs_t;
+files_tmpfs_file(gpg_pinentry_tmpfs_t)
+ubac_constrained(gpg_pinentry_tmpfs_t)
+
########################################
#
# GPG local policy
@@ -69,6 +73,8 @@ manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
files_tmp_filetrans(gpg_t, gpg_agent_tmp_t, { dir file })

+domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
+
# transition from the gpg domain to the helper domain
domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)

@@ -190,6 +196,7 @@ files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })
# allow gpg to connect to the gpg agent
stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)

+corecmd_read_bin_symlinks(gpg_agent_t)
corecmd_search_bin(gpg_agent_t)

domain_use_interactive_fds(gpg_agent_t)
@@ -227,9 +234,15 @@ tunable_policy(`use_samba_home_dirs',`
# Pinentry local policy
#

+allow gpg_pinentry_t self:process { getcap getsched signal };
+allow gpg_pinentry_t self:unix_dgram_socket create;
allow gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write };
allow gpg_pinentry_t self:fifo_file rw_fifo_file_perms;

+manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
+manage_files_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
+fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir })
+
# we need to allow gpg-agent to call pinentry so it can get the passphrase
# from the user.
domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t)
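Review bot: The new `allow gpg_pinentry_t self:process { getcap getsched signal };` and `allow gpg_pinentry_t self:unix_dgram_socket create;` lines name no reason, whereas this section otherwise annotates each grant with the denial it addresses (`# read /proc/meminfo`). A `create`-only dgram socket permission in particular looks like half of a larger requirement, so a comment such as `# seahorse pinentry: <denial seen> — TODO confirm the full AVC` would let the next maintainer verify the set instead of trusting it. The same missing rationale applies to the tmpfs manage rules added in this hunk and to the `dev_read_urand`/`fs_getattr_tmpfs` lines in the next one.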
@@ -237,6 +250,10 @@ domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t)
# read /proc/meminfo
kernel_read_system_state(gpg_pinentry_t)

+dev_read_urand(gpg_pinentry_t)
+
+fs_getattr_tmpfs(gpg_pinentry_t)
+
files_read_usr_files(gpg_pinentry_t)
# read /etc/X11/qtrc
files_read_etc_files(gpg_pinentry_t)
@@ -244,15 +261,36 @@ files_read_etc_files(gpg_pinentry_t)
miscfiles_read_fonts(gpg_pinentry_t)
miscfiles_read_localization(gpg_pinentry_t)

-# for .Xauthority
-userdom_read_user_home_content_files(gpg_pinentry_t)
+userdom_manage_user_tmp_dirs(gpg_pinentry_t)
+userdom_write_user_tmp_sockets(gpg_pinentry_t)
+userdom_manage_user_home_content_files(gpg_pinentry_t)
+userdom_signull_unpriv_users(gpg_pinentry_t)
+userdom_stream_connect(gpg_pinentry_t)

tunable_policy(`use_nfs_home_dirs',`
- fs_read_nfs_files(gpg_pinentry_t)
+ fs_manage_nfs_dirs(gpg_pinentry_t)
+ fs_manage_nfs_files(gpg_pinentry_t)
+ fs_manage_nfs_named_sockets(gpg_pinentry_t)
')

tunable_policy(`use_samba_home_dirs',`
- fs_read_cifs_files(gpg_pinentry_t)
+ fs_manage_cifs_dirs(gpg_pinentry_t)
+ fs_manage_cifs_files(gpg_pinentry_t)
+ fs_manage_cifs_named_sockets(gpg_pinentry_t)
+')
+
+optional_policy(`
+ dbus_session_bus_client(gpg_pinentry_t)
+ dbus_system_bus_client(gpg_pinentry_t)
+')
+
+optional_policy(`
+ gnome_manage_config(gpg_pinentry_t)
+')
+
+optional_policy(`
+ pulseaudio_domtrans(gpg_pinentry_t)
+ pulseaudio_stream_connect(gpg_pinentry_t)
')

optional_policy(`
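Review bot: Replacing `userdom_read_user_home_content_files(gpg_pinentry_t)` with `userdom_manage_user_home_content_files(gpg_pinentry_t)` lets the passphrase prompt create, overwrite and delete every generic user home file, and the use_nfs_home_dirs/use_samba_home_dirs tunables are widened the same way from read-only to manage of dirs, files and named sockets; for the one domain that handles the key passphrase this is a large step away from least privilege, and the follow-up message in this thread already says the nfs/samba parts are wrong. Keep the original read access together with its dropped `# for .Xauthority` comment, and grant write access only to a dedicated type once the actual denials are known (the `gnome_manage_config(gpg_pinentry_t)` line added below may already cover the GNOME config case). `pulseaudio_domtrans(gpg_pinentry_t)` and `dbus_system_bus_client(gpg_pinentry_t)` are likewise unexplained by the commit message, which only mentions prompting for the passphrase, so a comment naming the seahorse code path that needs them would help. The final `optional_policy(\`` block continues outside the hunk, and the quoted copy of this patch in the follow-up message shares all of the above.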
--
1.6.5.1



2009-11-01 21:00:08

by domg472

Subject: [refpolicy] [gpg patch 1/1] Extend the Gnupg domain to allow key signing (with seahorse).

On Sun, 2009-11-01 at 21:47 +0100, Dominick Grift wrote:

Forget this patch; I screwed up the use_samba/nfs_homedirs booleans by
adding policy for tmp objects.

Also what is really annoying is that it needs to manage generic home
files.

I am also not totally confident this all is correct since some domain
transitions are involved.

If someone is brave enough or feels inspired by the patch below, try to
sign some gpg keys with and without seahorse to see what is required. (i
ran out of keys to sign)

> When we sign a Gnupg key in atleast Seahorse, the gpg_t domain wants to transition to the gpg_agent_t domain.
> The gpg_pinentry_t domain also has to be able to prompt for the key passphrase.
>
> Signed-off-by: Dominick Grift <[email protected]>
> ---
> :100644 100644 9d162a8... 009274d... M policy/modules/apps/gpg.te
> policy/modules/apps/gpg.te | 46 ++++++++++++++++++++++++++++++++++++++++---
> 1 files changed, 42 insertions(+), 4 deletions(-)
>
> diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te
> index 9d162a8..009274d 100644
> --- a/policy/modules/apps/gpg.te
> +++ b/policy/modules/apps/gpg.te
> @@ -53,6 +53,10 @@ typealias gpg_pinentry_t alias { auditadm_gpg_pinentry_t secadm_gpg_pinentry_t }
> application_domain(gpg_pinentry_t, pinentry_exec_t)
> ubac_constrained(gpg_pinentry_t)
>
> +type gpg_pinentry_tmpfs_t;
> +files_tmpfs_file(gpg_pinentry_tmpfs_t)
> +ubac_constrained(gpg_pinentry_tmpfs_t)
> +
> ########################################
> #
> # GPG local policy
> @@ -69,6 +73,8 @@ manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
> manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
> files_tmp_filetrans(gpg_t, gpg_agent_tmp_t, { dir file })
>
> +domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
> +
> # transition from the gpg domain to the helper domain
> domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)
>
> @@ -190,6 +196,7 @@ files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })
> # allow gpg to connect to the gpg agent
> stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)
>
> +corecmd_read_bin_symlinks(gpg_agent_t)
> corecmd_search_bin(gpg_agent_t)
>
> domain_use_interactive_fds(gpg_agent_t)
> @@ -227,9 +234,15 @@ tunable_policy(`use_samba_home_dirs',`
> # Pinentry local policy
> #
>
> +allow gpg_pinentry_t self:process { getcap getsched signal };
> +allow gpg_pinentry_t self:unix_dgram_socket create;
> allow gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write };
> allow gpg_pinentry_t self:fifo_file rw_fifo_file_perms;
>
> +manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
> +manage_files_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
> +fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir })
> +
> # we need to allow gpg-agent to call pinentry so it can get the passphrase
> # from the user.
> domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t)
> @@ -237,6 +250,10 @@ domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t)
> # read /proc/meminfo
> kernel_read_system_state(gpg_pinentry_t)
>
> +dev_read_urand(gpg_pinentry_t)
> +
> +fs_getattr_tmpfs(gpg_pinentry_t)
> +
> files_read_usr_files(gpg_pinentry_t)
> # read /etc/X11/qtrc
> files_read_etc_files(gpg_pinentry_t)
> @@ -244,15 +261,36 @@ files_read_etc_files(gpg_pinentry_t)
> miscfiles_read_fonts(gpg_pinentry_t)
> miscfiles_read_localization(gpg_pinentry_t)
>
> -# for .Xauthority
> -userdom_read_user_home_content_files(gpg_pinentry_t)
> +userdom_manage_user_tmp_dirs(gpg_pinentry_t)
> +userdom_write_user_tmp_sockets(gpg_pinentry_t)
> +userdom_manage_user_home_content_files(gpg_pinentry_t)
> +userdom_signull_unpriv_users(gpg_pinentry_t)
> +userdom_stream_connect(gpg_pinentry_t)
>
> tunable_policy(`use_nfs_home_dirs',`
> - fs_read_nfs_files(gpg_pinentry_t)
> + fs_manage_nfs_dirs(gpg_pinentry_t)
> + fs_manage_nfs_files(gpg_pinentry_t)
> + fs_manage_nfs_named_sockets(gpg_pinentry_t)
> ')
>
> tunable_policy(`use_samba_home_dirs',`
> - fs_read_cifs_files(gpg_pinentry_t)
> + fs_manage_cifs_dirs(gpg_pinentry_t)
> + fs_manage_cifs_files(gpg_pinentry_t)
> + fs_manage_cifs_named_sockets(gpg_pinentry_t)
> +')
> +
> +optional_policy(`
> + dbus_session_bus_client(gpg_pinentry_t)
> + dbus_system_bus_client(gpg_pinentry_t)
> +')
> +
> +optional_policy(`
> + gnome_manage_config(gpg_pinentry_t)
> +')
> +
> +optional_policy(`
> + pulseaudio_domtrans(gpg_pinentry_t)
> + pulseaudio_stream_connect(gpg_pinentry_t)
> ')
>
> optional_policy(`