---
gpg.if | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/gpg.if b/gpg.if
index 359560f..78efb18 100644
--- a/gpg.if
+++ b/gpg.if
@@ -123,6 +123,25 @@ interface(`gpg_spec_domtrans',`
domain_auto_transition_pattern($1, gpg_exec_t, $2)
')
+########################################
+## <summary>
+## Execute the gpg-agent in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gpg_exec_agent',`
+ gen_require(`
+ type gpg_agent_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, gpg_agent_exec_t)
+')
+
######################################
## <summary>
## Make gpg executable files an
--
2.16.4
---
portage.te | 17 +++++++++++++++--
1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/portage.te b/portage.te
index 2146005..b762d87 100644
--- a/portage.te
+++ b/portage.te
@@ -218,6 +218,10 @@ optional_policy(`
cron_system_entry(portage_fetch_t, portage_fetch_exec_t)
')
+optional_policy(`
+ gpg_spec_domtrans(portage_t, portage_fetch_t)
+')
+
optional_policy(`
modutils_run(portage_t, portage_roles)
#dontaudit update_modules_t portage_tmp_t:dir search_dir_perms;
@@ -244,7 +248,7 @@ allow portage_fetch_t self:process signal;
allow portage_fetch_t self:capability { chown dac_override fowner fsetid };
allow portage_fetch_t self:fifo_file rw_fifo_file_perms;
allow portage_fetch_t self:tcp_socket { accept listen };
-allow portage_fetch_t self:unix_stream_socket create_socket_perms;
+allow portage_fetch_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow portage_fetch_t portage_conf_t:dir list_dir_perms;
@@ -255,6 +259,7 @@ allow portage_fetch_t portage_gpg_t:file manage_file_perms;
allow portage_fetch_t portage_tmp_t:dir manage_dir_perms;
allow portage_fetch_t portage_tmp_t:file manage_file_perms;
+allow portage_fetch_t portage_tmp_t:sock_file manage_sock_file_perms;
read_files_pattern(portage_fetch_t, portage_conf_t, portage_conf_t)
@@ -287,8 +292,10 @@ corenet_sendrecv_rsync_client_packets(portage_fetch_t)
# it occasionally comes up
corenet_tcp_connect_all_reserved_ports(portage_fetch_t)
corenet_tcp_connect_generic_port(portage_fetch_t)
+corenet_udp_bind_generic_node(portage_fetch_t)
+corenet_udp_bind_all_unreserved_ports(portage_fetch_t)
-dev_dontaudit_read_rand(portage_fetch_t)
+dev_read_rand(portage_fetch_t)
domain_use_interactive_fds(portage_fetch_t)
@@ -325,7 +332,13 @@ tunable_policy(`portage_use_nfs',`
')
optional_policy(`
+ gpg_entry_type(portage_fetch_t)
gpg_exec(portage_fetch_t)
+ gpg_exec_agent(portage_fetch_t)
+')
+
+optional_policy(`
+ dirmngr_exec(portage_fetch_t)
')
##########################################
--
2.16.4
On 06/08/2018 07:23 AM, Jason Zaman wrote:
> ---
> gpg.if | 19 +++++++++++++++++++
> 1 file changed, 19 insertions(+)
>
> diff --git a/gpg.if b/gpg.if
> index 359560f..78efb18 100644
> --- a/gpg.if
> +++ b/gpg.if
> @@ -123,6 +123,25 @@ interface(`gpg_spec_domtrans',`
> domain_auto_transition_pattern($1, gpg_exec_t, $2)
> ')
>
> +########################################
> +## <summary>
> +## Execute the gpg-agent in the caller domain.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`gpg_exec_agent',`
> + gen_require(`
> + type gpg_agent_exec_t;
> + ')
> +
> + corecmd_search_bin($1)
> + can_exec($1, gpg_agent_exec_t)
> +')
> +
> ######################################
> ## <summary>
> ## Make gpg executable files an
Merged.
--
Chris PeBenito
On 06/08/2018 07:24 AM, Jason Zaman wrote:
> ---
> portage.te | 17 +++++++++++++++--
> 1 file changed, 15 insertions(+), 2 deletions(-)
>
> diff --git a/portage.te b/portage.te
> index 2146005..b762d87 100644
> --- a/portage.te
> +++ b/portage.te
> @@ -218,6 +218,10 @@ optional_policy(`
> cron_system_entry(portage_fetch_t, portage_fetch_exec_t)
> ')
>
> +optional_policy(`
> + gpg_spec_domtrans(portage_t, portage_fetch_t)
> +')
> +
> optional_policy(`
> modutils_run(portage_t, portage_roles)
> #dontaudit update_modules_t portage_tmp_t:dir search_dir_perms;
> @@ -244,7 +248,7 @@ allow portage_fetch_t self:process signal;
> allow portage_fetch_t self:capability { chown dac_override fowner fsetid };
> allow portage_fetch_t self:fifo_file rw_fifo_file_perms;
> allow portage_fetch_t self:tcp_socket { accept listen };
> -allow portage_fetch_t self:unix_stream_socket create_socket_perms;
> +allow portage_fetch_t self:unix_stream_socket { connectto create_stream_socket_perms };
>
> allow portage_fetch_t portage_conf_t:dir list_dir_perms;
>
> @@ -255,6 +259,7 @@ allow portage_fetch_t portage_gpg_t:file manage_file_perms;
>
> allow portage_fetch_t portage_tmp_t:dir manage_dir_perms;
> allow portage_fetch_t portage_tmp_t:file manage_file_perms;
> +allow portage_fetch_t portage_tmp_t:sock_file manage_sock_file_perms;
>
> read_files_pattern(portage_fetch_t, portage_conf_t, portage_conf_t)
>
> @@ -287,8 +292,10 @@ corenet_sendrecv_rsync_client_packets(portage_fetch_t)
> # it occasionally comes up
> corenet_tcp_connect_all_reserved_ports(portage_fetch_t)
> corenet_tcp_connect_generic_port(portage_fetch_t)
> +corenet_udp_bind_generic_node(portage_fetch_t)
> +corenet_udp_bind_all_unreserved_ports(portage_fetch_t)
>
> -dev_dontaudit_read_rand(portage_fetch_t)
> +dev_read_rand(portage_fetch_t)
>
> domain_use_interactive_fds(portage_fetch_t)
>
> @@ -325,7 +332,13 @@ tunable_policy(`portage_use_nfs',`
> ')
>
> optional_policy(`
> + gpg_entry_type(portage_fetch_t)
> gpg_exec(portage_fetch_t)
> + gpg_exec_agent(portage_fetch_t)
> +')
> +
> +optional_policy(`
> + dirmngr_exec(portage_fetch_t)
> ')
>
> ##########################################
Merged.
--
Chris PeBenito