2010-03-22 13:23:05

by domg472

Subject: [refpolicy] [ gpg patch 1/1] make gpg pin entry passphrase dialog work.

Currently the GPG pin entry dialog does not work for confined users. Enclosed patch is an attempt to fix that.

I realize that chances of this patch ever getting adopted is slim but i would be satisfied if the issue is recognized.

Some considerations:

- In this patch i decided to use pulseaudio_exec instead of pulseaudio_domtrans. This decision causes considerably more policy to be required,
and i am not confident that this is worth it.

- This patch implements labelling inspired by the freedesktop xdg specification.

Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 223a9d1... 1bc8056... M policy/modules/apps/gnome.fc
:100644 100644 9601de0... a407f5b... M policy/modules/apps/gnome.if
:100644 100644 984009e... 1828bd0... M policy/modules/apps/gnome.te
:100644 100644 b8c96f6... 8d56244... M policy/modules/apps/gpg.te
:100644 100644 5164058... c9024db... M policy/modules/apps/pulseaudio.fc
:100644 100644 2116903... d31ac6a... M policy/modules/apps/pulseaudio.if
:100644 100644 1d0dded... 0818c97... M policy/modules/apps/pulseaudio.te
:100644 100644 990063c... 16f15a6... M policy/modules/system/userdomain.if
policy/modules/apps/gnome.fc | 5 +++
policy/modules/apps/gnome.if | 19 ++++++++++
policy/modules/apps/gnome.te | 12 ++++++-
policy/modules/apps/gpg.te | 67 +++++++++++++++++++++++++++++++++--
policy/modules/apps/pulseaudio.fc | 5 ++-
policy/modules/apps/pulseaudio.if | 58 ++++++++++++++++++++++++++++++
policy/modules/apps/pulseaudio.te | 8 ++++
policy/modules/system/userdomain.if | 19 ++++++++++
8 files changed, 188 insertions(+), 5 deletions(-)

diff --git a/policy/modules/apps/gnome.fc b/policy/modules/apps/gnome.fc
index 223a9d1..1bc8056 100644
--- a/policy/modules/apps/gnome.fc
+++ b/policy/modules/apps/gnome.fc
@@ -1,5 +1,10 @@
+HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:cache_home_t,s0)
+HOME_DIR/\.config(/.*)? gen_context(system_u:object_r:config_home_t,s0)
HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:gnome_home_t,s0)
HOME_DIR/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
+HOME_DIR/\.local.* gen_context(system_u:object_r:gconf_home_t,s0)
+HOME_DIR/\.local/share(.*)? gen_context(system_u:object_r:data_home_t,s0)
+/HOME_DIR/\.Xdefaults gen_context(system_u:object_r:config_home_t,s0)

/etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0)

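Review bot: The leading slash in `/HOME_DIR/\.Xdefaults` means that entry can never match: HOME_DIR is the placeholder that genhomedircon replaces with each user's absolute home directory path, so the line should read `HOME_DIR/\.Xdefaults -- gen_context(system_u:object_r:config_home_t,s0)`. `HOME_DIR/\.local.*` is also broader than the XDG layout the description claims to follow, matching any entry whose name merely starts with `.local`, and labelling it gconf_home_t looks unintended (presumably data_home_t was meant); `HOME_DIR/\.local(/.*)?` limits it to the directory and its contents. For the same reason `HOME_DIR/\.local/share(.*)?` should be `HOME_DIR/\.local/share(/.*)?`, otherwise a sibling such as `.local/share-other` (constructed example) is swept in.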
diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
index 9601de0..a407f5b 100644
--- a/policy/modules/apps/gnome.if
+++ b/policy/modules/apps/gnome.if
@@ -91,3 +91,22 @@ interface(`gnome_manage_config',`
allow $1 gnome_home_t:file manage_file_perms;
userdom_search_user_home_dirs($1)
')
+
+########################################
+## <summary>
+## Read and write Gnome cache home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_rw_cache_home_files',`
+ gen_require(`
+ type cache_home_t;
+ ')
+
+ rw_files_pattern($1, cache_home_t, cache_home_t)
+ userdom_search_user_home_dirs($1)
+')
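Review bot: The summary `Read and write Gnome cache home files.` understates the scope: gnome.fc applies cache_home_t to all of ~/.cache, i.e. the XDG cache directory of every application, so a caller is getting read/write on any user's cache files, not only Gnome's; `## Read and write user XDG cache home files (~/.cache).` would be accurate. It is also worth stating that rw_files_pattern grants search on cache_home_t directories in addition to the file permissions. If pinentry has to create its own cache files this interface will not be sufficient, since no create permission or filetrans is included — confirm against the denials that motivated it.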
diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te
index 984009e..1828bd0 100644
--- a/policy/modules/apps/gnome.te
+++ b/policy/modules/apps/gnome.te
@@ -7,11 +7,21 @@ policy_module(gnome, 2.0.0)
#

attribute gnomedomain;
+attribute gnome_home_type;

type gconf_etc_t;
files_type(gconf_etc_t)

-type gconf_home_t;
+type data_home_t, gnome_home_type;
+userdom_user_home_content(data_home_t)
+
+type config_home_t, gnome_home_type;
+userdom_user_home_content(config_home_t)
+
+type cache_home_t, gnome_home_type;
+userdom_user_home_content(cache_home_t)
+
+type gconf_home_t, gnome_home_type;
typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t };
typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t };
userdom_user_home_content(gconf_home_t)
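Review bot: The new attribute `gnome_home_type` is attached to all four home types, but nothing in this patch grants or restricts access through it — the gnome.if interface and the gpg_pinentry_t rules name cache_home_t directly — so as submitted it is dead policy. Either add the rule it is meant to carry, with a comment such as `# all per-user gnome/XDG home content, for bulk read/manage interfaces` stating the intent, or drop it until it has a user. data_home_t, config_home_t and cache_home_t are generic XDG directories rather than Gnome-specific, so a one-line comment above their declarations explaining why they live in the gnome module would preempt the question of whether they belong in userdomain instead. `policy_module(gnome, 2.0.0)` is left unchanged although the module gains types and an interface; refpolicy bumps the version on such changes.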
diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te
index b8c96f6..8d56244 100644
--- a/policy/modules/apps/gpg.te
+++ b/policy/modules/apps/gpg.te
@@ -53,6 +53,10 @@ typealias gpg_pinentry_t alias { auditadm_gpg_pinentry_t secadm_gpg_pinentry_t }
application_domain(gpg_pinentry_t, pinentry_exec_t)
ubac_constrained(gpg_pinentry_t)

+type gpg_pinentry_tmpfs_t;
+files_tmpfs_file(gpg_pinentry_tmpfs_t)
+ubac_constrained(gpg_pinentry_tmpfs_t)
+
########################################
#
# GPG local policy
@@ -60,7 +64,7 @@ ubac_constrained(gpg_pinentry_t)

allow gpg_t self:capability { ipc_lock setuid };
# setrlimit is for ulimit -c 0
-allow gpg_t self:process { signal setrlimit getcap setcap setpgid };
+allow gpg_t self:process { signal signull setrlimit getcap setcap setpgid };

allow gpg_t self:fifo_file rw_fifo_file_perms;
allow gpg_t self:tcp_socket create_stream_socket_perms;
@@ -69,6 +73,8 @@ manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
files_tmp_filetrans(gpg_t, gpg_agent_tmp_t, { dir file })

+domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
+
# transition from the gpg domain to the helper domain
domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)

@@ -79,6 +85,9 @@ userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir)

kernel_read_sysctl(gpg_t)

+corecmd_exec_shell(gpg_t)
+corecmd_exec_bin(gpg_t)
+
corenet_all_recvfrom_unlabeled(gpg_t)
corenet_all_recvfrom_netlabel(gpg_t)
corenet_tcp_sendrecv_generic_if(gpg_t)
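Review bot: `corecmd_exec_shell(gpg_t)` and `corecmd_exec_bin(gpg_t)` let the confined gpg domain run any shell and any bin_t program without a domain transition, a large widening for a domain that so far reached its helpers only through domtrans_pattern rules (gpg_helper_t, and now gpg_agent_t); the same concern applies to `corecmd_exec_shell(gpg_agent_t)` in the later gpg_agent_t hunk. If these exist only to launch gpg-agent or pinentry, the transitions already cover that and the exec rules can go. Otherwise add a comment naming the program that actually needs the shell/bin exec, e.g. `# gpg runs <PROGRAM> via the shell` with the program taken from the denial, so the grant can be revisited later.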
@@ -95,6 +104,7 @@ dev_read_urand(gpg_t)
dev_read_generic_usb_dev(gpg_t)

fs_getattr_xattr_fs(gpg_t)
+fs_list_inotifyfs(gpg_t)

domain_use_interactive_fds(gpg_t)

@@ -205,8 +215,11 @@ files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })
# allow gpg to connect to the gpg agent
stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)

+corecmd_exec_shell(gpg_agent_t)
corecmd_search_bin(gpg_agent_t)

+fs_list_inotifyfs(gpg_agent_t)
+
domain_use_interactive_fds(gpg_agent_t)

miscfiles_read_localization(gpg_agent_t)
@@ -242,8 +255,20 @@ tunable_policy(`use_samba_home_dirs',`
# Pinentry local policy
#

-allow gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write };
+allow gpg_pinentry_t self:process { getcap getsched setsched signal };
allow gpg_pinentry_t self:fifo_file rw_fifo_file_perms;
+allow gpg_pinentry_t self:netlink_route_socket create_netlink_socket_perms;
+allow gpg_pinentry_t self:shm create_shm_perms;
+allow gpg_pinentry_t self:tcp_socket create_stream_socket_perms;
+allow gpg_pinentry_t self:unix_dgram_socket sendto;
+allow gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write };
+
+manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
+manage_files_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
+fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir })
+fs_getattr_tmpfs(gpg_pinentry_t)
+
+can_exec(gpg_pinentry_t, pinentry_exec_t)

# we need to allow gpg-agent to call pinentry so it can get the passphrase
# from the user.
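Review bot: The new self permissions on `netlink_route_socket`, `tcp_socket`, `unix_dgram_socket sendto` and `shm` appear to serve the PulseAudio client path rather than the passphrase dialog itself, but nothing in the hunk records that. A comment such as `# netlink_route/tcp/shm: pulseaudio client, see pulseaudio optional_policy below` above them would let a future reviewer drop them if the PulseAudio support is made tunable or moved behind a domain transition. The manage rules on gpg_pinentry_tmpfs_t fit the xserver template used later in the file, which takes a tmpfs type.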
@@ -252,15 +277,34 @@ domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t)
# read /proc/meminfo
kernel_read_system_state(gpg_pinentry_t)

+corecmd_exec_bin(gpg_pinentry_t)
+
+corenet_all_recvfrom_netlabel(gpg_pinentry_t)
+corenet_all_recvfrom_unlabeled(gpg_pinentry_t)
+corenet_tcp_bind_generic_node(gpg_pinentry_t)
+corenet_tcp_connect_pulseaudio_port(gpg_pinentry_t)
+corenet_tcp_sendrecv_generic_if(gpg_pinentry_t)
+corenet_tcp_sendrecv_generic_node(gpg_pinentry_t)
+corenet_tcp_sendrecv_generic_port(gpg_pinentry_t)
+corenet_sendrecv_pulseaudio_client_packets(gpg_pinentry_t)
+
+dev_read_urand(gpg_pinentry_t)
+dev_read_rand(gpg_pinentry_t)
+
files_read_usr_files(gpg_pinentry_t)
# read /etc/X11/qtrc
files_read_etc_files(gpg_pinentry_t)

+logging_send_syslog_msg(gpg_pinentry_t)
+
miscfiles_read_fonts(gpg_pinentry_t)
miscfiles_read_localization(gpg_pinentry_t)

+userdom_manage_user_tmp_sockets(gpg_pinentry_t)
# for .Xauthority
userdom_read_user_home_content_files(gpg_pinentry_t)
+userdom_read_user_tmpfs_files(gpg_pinentry_t)
+userdom_signull_unpriv_users(gpg_pinentry_t)

tunable_policy(`use_nfs_home_dirs',`
fs_read_nfs_files(gpg_pinentry_t)
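Review bot: gpg_pinentry_t, the process that receives the user's passphrase, gains TCP networking (`corenet_tcp_bind_generic_node`, the `corenet_tcp_sendrecv_generic_*` rules, `corenet_tcp_connect_pulseaudio_port`) and `userdom_manage_user_tmp_sockets` unconditionally, although the description itself doubts the PulseAudio path is worth the extra policy. Moving the corenet rules into the pulseaudio optional_policy block, or behind a tunable, would keep the dialog without network access on systems that never use PulseAudio and would place the justification next to the code that needs it. `userdom_read_user_tmpfs_files(gpg_pinentry_t)` lets the dialog read any user tmpfs content rather than only its own gpg_pinentry_tmpfs_t, and `userdom_signull_unpriv_users(gpg_pinentry_t)` likewise deserves a comment on the denial it resolves.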
@@ -271,5 +315,22 @@ tunable_policy(`use_samba_home_dirs',`
')

optional_policy(`
- xserver_stream_connect(gpg_pinentry_t)
+ dbus_session_bus_client(gpg_pinentry_t)
+ dbus_system_bus_client(gpg_pinentry_t)
+')
+
+optional_policy(`
+ gnome_rw_cache_home_files(gpg_pinentry_t)
+')
+
+optional_policy(`
+ pulseaudio_exec(gpg_pinentry_t)
+ pulseaudio_rw_home_files(gpg_pinentry_t)
+ pulseaudio_stream_connect(gpg_pinentry_t)
+ pulseaudio_setattr_home_dirs(gpg_pinentry_t)
+ pulseaudio_signull(gpg_pinentry_t)
+')
+
+optional_policy(`
+ xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t)
')
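Review bot: `pulseaudio_exec(gpg_pinentry_t)` runs the pulseaudio binary inside gpg_pinentry_t, so a daemon autospawned from the dialog inherits every permission of the passphrase dialog (its tmpfs, X access and readable user content), while the dialog in turn had to absorb PulseAudio's network and home access; the description already flags this trade-off. `pulseaudio_domtrans(gpg_pinentry_t)` would keep the two separated and shrink the rules added to gpg_pinentry_t considerably. If exec is kept, a comment above it should record why the transition was rejected, so the decision is not silently carried forward.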
diff --git a/policy/modules/apps/pulseaudio.fc b/policy/modules/apps/pulseaudio.fc
index 5164058..c9024db 100644
--- a/policy/modules/apps/pulseaudio.fc
+++ b/policy/modules/apps/pulseaudio.fc
@@ -1 +1,4 @@
-/usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0)
+HOME_DIR/\.pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0)
+HOME_DIR/\.pulse-cookie gen_context(system_u:object_r:pulseaudio_home_t,s0)
+
+/usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0)
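Review bot: `HOME_DIR/\.pulse-cookie` lacks the `--` regular-file specifier that the `/usr/bin/pulseaudio` entry uses, so a directory or symlink at that path would also receive pulseaudio_home_t; `HOME_DIR/\.pulse-cookie -- gen_context(system_u:object_r:pulseaudio_home_t,s0)` is tighter. Since the cookie is the shared secret PulseAudio clients present to the daemon, every domain granted pulseaudio_rw_home_files can read it; that is the intended effect here, but a comment on the line would make it explicit.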
diff --git a/policy/modules/apps/pulseaudio.if b/policy/modules/apps/pulseaudio.if
index 2116903..d31ac6a 100644
--- a/policy/modules/apps/pulseaudio.if
+++ b/policy/modules/apps/pulseaudio.if
@@ -127,6 +127,64 @@ interface(`pulseaudio_dbus_chat',`

########################################
## <summary>
+## Read and write pulseaudio home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_rw_home_files',`
+ gen_require(`
+ type pulseaudio_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ rw_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
+')
+
+########################################
+## <summary>
+## Send and SIGNULL signal to
+## pulseaudio.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_signull',`
+ gen_require(`
+ type pulseaudio_t;
+ ')
+
+ allow $1 pulseaudio_t:process signull;
+')
+
+########################################
+## <summary>
+## Set attributes of pulseaudio home
+## directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_setattr_home_dirs',`
+ gen_require(`
+ type pulseaudio_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ setattr_dirs_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
+')
+
+########################################
+## <summary>
## pulsaudio connection template.
## </summary>
## <param name="user_domain">
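Review bot: The summary of `pulseaudio_signull` reads `Send and SIGNULL signal to` and should be `## Send a SIGNULL signal to`. `pulseaudio_rw_home_files` grants read/write on every pulseaudio_home_t file including ~/.pulse-cookie, so its summary should say so, e.g. `## Read and write pulseaudio home files, including the client authentication cookie.`, because a caller handing this to a dialog that holds a passphrase should know the cookie is a credential. The two new home interfaces call `userdom_search_user_home_dirs` before the pattern while the new gnome interface does it after; pick one order for consistency.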
diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te
index 1d0dded..0818c97 100644
--- a/policy/modules/apps/pulseaudio.te
+++ b/policy/modules/apps/pulseaudio.te
@@ -11,6 +11,9 @@ type pulseaudio_exec_t;
application_domain(pulseaudio_t, pulseaudio_exec_t)
role system_r types pulseaudio_t;

+type pulseaudio_home_t;
+userdom_user_home_content(pulseaudio_home_t)
+
########################################
#
# pulseaudio local policy
@@ -24,6 +27,11 @@ allow pulseaudio_t self:tcp_socket create_stream_socket_perms;
allow pulseaudio_t self:udp_socket create_socket_perms;
allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms;

+manage_dirs_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
+manage_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
+# userdom_user_home_dir_filetrans(pulseaudio_t, pulseaudio_home_t, { dir file })
+userdom_search_user_home_dirs(pulseaudio_t)
+
can_exec(pulseaudio_t, pulseaudio_exec_t)

kernel_read_system_state(pulseaudio_t)
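Review bot: The commented-out `# userdom_user_home_dir_filetrans(pulseaudio_t, pulseaudio_home_t, { dir file })` leaves a gap: without a filetrans, a ~/.pulse directory or cookie created by pulseaudio_t inherits the home directory's type, so the new pulseaudio_home_t rules — and the pinentry interfaces built on them — only take effect after a relabel. Either enable the filetrans or replace the dead line with a comment stating why it is omitted, e.g. `# no filetrans: ~/.pulse is created by the user domain, not by pulseaudio_t` if that is the reason. `policy_module` for pulseaudio is outside the hunk, but the module version should be bumped alongside the new type and interfaces.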
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 990063c..16f15a6 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -3077,6 +3077,25 @@ interface(`userdom_sigchld_all_users',`

########################################
## <summary>
+## Send a SIGNULL signal to
+## unprivileged user domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_signull_unpriv_users',`
+ gen_require(`
+ attribute unpriv_userdomain;
+ ')
+
+ allow $1 unpriv_userdomain:process signull;
+')
+
+########################################
+## <summary>
## Create keys for all user domains.
## </summary>
## <param name="domain">
--
1.7.0.1
