scdaemon is part of gnupg's subsystem for handling smartcards. The two
new gpg-agent sockets are used by gnupg 2.1.16.
---
gpg.fc | 4 ++--
gpg.te | 3 +++
2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/gpg.fc b/gpg.fc
index 3f1d1d2..eee870e 100644
--- a/gpg.fc
+++ b/gpg.fc
@@ -1,7 +1,7 @@
HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0)
HOME_DIR/\.gnupg/log-socket -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
-HOME_DIR/\.gnupg/S\.gpg-agent -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
-HOME_DIR/\.gnupg/S\.gpg-agent\.ssh -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
+HOME_DIR/\.gnupg/S\.gpg-agent.* -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
+HOME_DIR/\.gnupg/S\.scdaemon -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
/usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0)
/usr/bin/gpgsm -- gen_context(system_u:object_r:gpg_exec_t,s0)
diff --git a/gpg.te b/gpg.te
index 02e868d..a671ffe 100644
--- a/gpg.te
+++ b/gpg.te
@@ -230,7 +230,10 @@ files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })
filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "log-socket")
filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent")
+filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.browser")
+filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.extra")
filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.ssh")
+filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.scdaemon")
domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t)
--
2.11.0
---
gpg.fc | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/gpg.fc b/gpg.fc
index eee870e..3067dae 100644
--- a/gpg.fc
+++ b/gpg.fc
@@ -1,14 +1,14 @@
-HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0)
+HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0)
HOME_DIR/\.gnupg/log-socket -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
HOME_DIR/\.gnupg/S\.gpg-agent.* -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
HOME_DIR/\.gnupg/S\.scdaemon -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
-/usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0)
-/usr/bin/gpgsm -- gen_context(system_u:object_r:gpg_exec_t,s0)
-/usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0)
-/usr/bin/pinentry.* -- gen_context(system_u:object_r:pinentry_exec_t,s0)
+/usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0)
+/usr/bin/gpgsm -- gen_context(system_u:object_r:gpg_exec_t,s0)
+/usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0)
+/usr/bin/pinentry.* -- gen_context(system_u:object_r:pinentry_exec_t,s0)
-/usr/lib/gnupg/.* -- gen_context(system_u:object_r:gpg_exec_t,s0)
+/usr/lib/gnupg/.* -- gen_context(system_u:object_r:gpg_exec_t,s0)
/usr/lib/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0)
/var/run/user/%{USERID}/gnupg(/.*)? gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
--
2.11.0
GnuPG 2.1 uses a separate dirmngr process for retrieving keys from a
keyserver.
This policy may be lacking permissions for some of dirmngr's features I
don't use, such as key retrieval via http or ldap and OCSP lookups.
---
gpg.fc | 2 ++
gpg.if | 39 +++++++++++++++++++++++++++++++-------
gpg.te | 68 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 102 insertions(+), 7 deletions(-)
diff --git a/gpg.fc b/gpg.fc
index 3067dae..d96b347 100644
--- a/gpg.fc
+++ b/gpg.fc
@@ -1,8 +1,10 @@
HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0)
HOME_DIR/\.gnupg/log-socket -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
+HOME_DIR/\.gnupg/S\.dirmngr -s gen_context(system_u:object_r:gpg_dirmngr_tmp_t,s0)
HOME_DIR/\.gnupg/S\.gpg-agent.* -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
HOME_DIR/\.gnupg/S\.scdaemon -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
+/usr/bin/dirmngr -- gen_context(system_u:object_r:gpg_dirmngr_exec_t,s0)
/usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0)
/usr/bin/gpgsm -- gen_context(system_u:object_r:gpg_exec_t,s0)
/usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0)
diff --git a/gpg.if b/gpg.if
index efffff8..7612c57 100644
--- a/gpg.if
+++ b/gpg.if
@@ -17,32 +17,35 @@
#
interface(`gpg_role',`
gen_require(`
- attribute_role gpg_roles, gpg_agent_roles, gpg_helper_roles, gpg_pinentry_roles;
+ attribute_role gpg_roles, gpg_agent_roles, gpg_dirmngr_roles, gpg_helper_roles, gpg_pinentry_roles;
type gpg_t, gpg_exec_t, gpg_agent_t;
type gpg_agent_exec_t, gpg_agent_tmp_t, gpg_helper_t;
type gpg_pinentry_t, gpg_pinentry_tmp_t, gpg_secret_t;
+ type gpg_dirmngr_t, gpg_dirmngr_exec_t, gpg_dirmngr_tmp_t;
')
roleattribute $1 gpg_roles;
roleattribute $1 gpg_agent_roles;
+ roleattribute $1 gpg_dirmngr_roles;
roleattribute $1 gpg_helper_roles;
roleattribute $1 gpg_pinentry_roles;
domtrans_pattern($2, gpg_exec_t, gpg_t)
domtrans_pattern($2, gpg_agent_exec_t, gpg_agent_t)
+ domtrans_pattern($2, gpg_dirmngr_exec_t, gpg_dirmngr_t)
allow $2 self:process setrlimit;
- allow $2 { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t }:process { ptrace signal_perms };
- ps_process_pattern($2, { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t })
+ allow $2 { gpg_t gpg_agent_t gpg_dirmngr_t gpg_helper_t gpg_pinentry_t }:process { ptrace signal_perms };
+ ps_process_pattern($2, { gpg_t gpg_agent_t gpg_dirmngr_t gpg_helper_t gpg_pinentry_t })
allow gpg_pinentry_t $2:process signull;
allow gpg_helper_t $2:fd use;
- allow { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t } $2:fifo_file { read write };
+ allow { gpg_t gpg_agent_t gpg_dirmngr_t gpg_helper_t gpg_pinentry_t } $2:fifo_file { read write };
- allow $2 { gpg_agent_tmp_t gpg_secret_t }:dir { manage_dir_perms relabel_dir_perms };
- allow $2 { gpg_agent_tmp_t gpg_secret_t }:file { manage_file_perms relabel_file_perms };
+ allow $2 { gpg_agent_tmp_t gpg_dirmngr_tmp_t gpg_secret_t }:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 { gpg_agent_tmp_t gpg_dirmngr_tmp_t gpg_secret_t }:file { manage_file_perms relabel_file_perms };
allow $2 gpg_secret_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
- allow $2 { gpg_agent_tmp_t gpg_pinentry_tmp_t gpg_secret_t }:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+ allow $2 { gpg_agent_tmp_t gpg_dirmngr_tmp_t gpg_pinentry_tmp_t gpg_secret_t }:sock_file { manage_sock_file_perms relabel_sock_file_perms };
filetrans_pattern($2, gpg_secret_t, gpg_agent_tmp_t, sock_file, "log-socket")
userdom_user_home_dir_filetrans($2, gpg_secret_t, dir, ".gnupg")
@@ -216,6 +219,28 @@ interface(`gpg_stream_connect_agent',`
########################################
## <summary>
+## Connect to gpg dirmngr socket
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gpg_stream_connect_dirmngr',`
+ gen_require(`
+ type gpg_dirmngr_t, gpg_dirmngr_tmp_t;
+ type gpg_secret_t;
+ ')
+
+ stream_connect_pattern($1, gpg_dirmngr_tmp_t, gpg_dirmngr_tmp_t, gpg_dirmngr_t)
+ allow $1 gpg_secret_t:dir search_dir_perms;
+ userdom_search_user_runtime($1)
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
## Send messages to and from gpg
## pinentry over DBUS.
## </summary>
diff --git a/gpg.te b/gpg.te
index a671ffe..0b35d77 100644
--- a/gpg.te
+++ b/gpg.te
@@ -19,6 +19,8 @@ roleattribute system_r gpg_roles;
attribute_role gpg_agent_roles;
+attribute_role gpg_dirmngr_roles;
+
attribute_role gpg_helper_roles;
roleattribute system_r gpg_helper_roles;
@@ -72,6 +74,18 @@ optional_policy(`
pulseaudio_tmpfs_content(gpg_pinentry_tmpfs_t)
')
+type gpg_dirmngr_t;
+type gpg_dirmngr_exec_t;
+typealias gpg_dirmngr_t alias { user_gpg_dirmngr_t staff_gpg_dirmngr_t sysadm_gpg_dirmngr_t };
+typealias gpg_dirmngr_t alias { auditadm_gpg_dirmngr_t secadm_gpg_dirmngr_t };
+userdom_user_application_domain(gpg_dirmngr_t, gpg_dirmngr_exec_t)
+role gpg_dirmngr_roles types gpg_dirmngr_t;
+
+type gpg_dirmngr_tmp_t;
+typealias gpg_dirmngr_tmp_t alias { user_gpg_dirmngr_tmp_t staff_gpg_dirmngr_tmp_t sysadm_gpg_dirmngr_tmp_t };
+typealias gpg_dirmngr_tmp_t alias { auditadm_gpg_dirmngr_tmp_t secadm_gpg_dirmngr_tmp_t };
+userdom_user_tmp_file(gpg_dirmngr_tmp_t)
+
########################################
#
# Local policy
@@ -94,8 +108,10 @@ manage_lnk_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir)
gpg_stream_connect_agent(gpg_t)
+gpg_stream_connect_dirmngr(gpg_t)
domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
+domtrans_pattern(gpg_t, gpg_dirmngr_exec_t, gpg_dirmngr_t)
domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)
kernel_read_sysctl(gpg_t)
@@ -359,3 +375,55 @@ optional_policy(`
optional_policy(`
xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t)
')
+
+##############################
+#
+# Dirmngr local policy
+#
+
+allow gpg_dirmngr_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
+manage_dirs_pattern(gpg_dirmngr_t, gpg_secret_t, gpg_secret_t)
+manage_files_pattern(gpg_dirmngr_t, gpg_secret_t, gpg_secret_t)
+manage_lnk_files_pattern(gpg_dirmngr_t, gpg_secret_t, gpg_secret_t)
+manage_sock_files_pattern(gpg_dirmngr_t, gpg_secret_t, gpg_secret_t)
+
+manage_dirs_pattern(gpg_dirmngr_t, gpg_dirmngr_tmp_t, gpg_dirmngr_tmp_t)
+manage_files_pattern(gpg_dirmngr_t, gpg_dirmngr_tmp_t, gpg_dirmngr_tmp_t)
+manage_sock_files_pattern(gpg_dirmngr_t, gpg_dirmngr_tmp_t, gpg_dirmngr_tmp_t)
+files_tmp_filetrans(gpg_dirmngr_t, gpg_dirmngr_tmp_t, { file sock_file dir })
+
+filetrans_pattern(gpg_dirmngr_t, gpg_secret_t, gpg_dirmngr_tmp_t, sock_file, "S.dirmngr")
+
+domain_use_interactive_fds(gpg_dirmngr_t)
+
+userdom_use_user_terminals(gpg_dirmngr_t)
+userdom_search_user_home_dirs(gpg_dirmngr_t)
+
+dev_read_rand(gpg_dirmngr_t)
+dev_read_urand(gpg_dirmngr_t)
+
+miscfiles_read_localization(gpg_dirmngr_t)
+
+auth_use_nsswitch(gpg_dirmngr_t)
+
+corenet_all_recvfrom_unlabeled(gpg_dirmngr_t)
+corenet_all_recvfrom_netlabel(gpg_dirmngr_t)
+corenet_tcp_sendrecv_generic_if(gpg_dirmngr_t)
+corenet_tcp_sendrecv_generic_node(gpg_dirmngr_t)
+
+corenet_sendrecv_all_client_packets(gpg_dirmngr_t)
+corenet_tcp_connect_all_ports(gpg_dirmngr_t)
+corenet_tcp_sendrecv_all_ports(gpg_dirmngr_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(gpg_dirmngr_t)
+ fs_manage_nfs_files(gpg_dirmngr_t)
+ fs_manage_nfs_symlinks(gpg_dirmngr_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(gpg_dirmngr_t)
+ fs_manage_cifs_files(gpg_dirmngr_t)
+ fs_manage_cifs_symlinks(gpg_dirmngr_t)
+')
--
2.11.0
On 12/09/16 13:14, Luis Ressel via refpolicy wrote:
> GnuPG 2.1 uses a separate dirmngr process for retrieving keys from a
> keyserver.
>
> This policy may be lacking permissions for some of dirmngr's features I
> don't use, such as key retrieval via http or ldap and OCSP lookups.
How does this relate to the existing dirmngr module? There is a
conflict in the /usr/bin/dirmngr labeling.
> ---
> gpg.fc | 2 ++
> gpg.if | 39 +++++++++++++++++++++++++++++++-------
> gpg.te | 68 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> 3 files changed, 102 insertions(+), 7 deletions(-)
>
> diff --git a/gpg.fc b/gpg.fc
> index 3067dae..d96b347 100644
> --- a/gpg.fc
> +++ b/gpg.fc
> @@ -1,8 +1,10 @@
> HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0)
> HOME_DIR/\.gnupg/log-socket -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
> +HOME_DIR/\.gnupg/S\.dirmngr -s gen_context(system_u:object_r:gpg_dirmngr_tmp_t,s0)
> HOME_DIR/\.gnupg/S\.gpg-agent.* -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
> HOME_DIR/\.gnupg/S\.scdaemon -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
>
> +/usr/bin/dirmngr -- gen_context(system_u:object_r:gpg_dirmngr_exec_t,s0)
> /usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0)
> /usr/bin/gpgsm -- gen_context(system_u:object_r:gpg_exec_t,s0)
> /usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0)
> diff --git a/gpg.if b/gpg.if
> index efffff8..7612c57 100644
> --- a/gpg.if
> +++ b/gpg.if
> @@ -17,32 +17,35 @@
> #
> interface(`gpg_role',`
> gen_require(`
> - attribute_role gpg_roles, gpg_agent_roles, gpg_helper_roles, gpg_pinentry_roles;
> + attribute_role gpg_roles, gpg_agent_roles, gpg_dirmngr_roles, gpg_helper_roles, gpg_pinentry_roles;
> type gpg_t, gpg_exec_t, gpg_agent_t;
> type gpg_agent_exec_t, gpg_agent_tmp_t, gpg_helper_t;
> type gpg_pinentry_t, gpg_pinentry_tmp_t, gpg_secret_t;
> + type gpg_dirmngr_t, gpg_dirmngr_exec_t, gpg_dirmngr_tmp_t;
> ')
>
> roleattribute $1 gpg_roles;
> roleattribute $1 gpg_agent_roles;
> + roleattribute $1 gpg_dirmngr_roles;
> roleattribute $1 gpg_helper_roles;
> roleattribute $1 gpg_pinentry_roles;
>
> domtrans_pattern($2, gpg_exec_t, gpg_t)
> domtrans_pattern($2, gpg_agent_exec_t, gpg_agent_t)
> + domtrans_pattern($2, gpg_dirmngr_exec_t, gpg_dirmngr_t)
>
> allow $2 self:process setrlimit;
> - allow $2 { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t }:process { ptrace signal_perms };
> - ps_process_pattern($2, { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t })
> + allow $2 { gpg_t gpg_agent_t gpg_dirmngr_t gpg_helper_t gpg_pinentry_t }:process { ptrace signal_perms };
> + ps_process_pattern($2, { gpg_t gpg_agent_t gpg_dirmngr_t gpg_helper_t gpg_pinentry_t })
>
> allow gpg_pinentry_t $2:process signull;
> allow gpg_helper_t $2:fd use;
> - allow { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t } $2:fifo_file { read write };
> + allow { gpg_t gpg_agent_t gpg_dirmngr_t gpg_helper_t gpg_pinentry_t } $2:fifo_file { read write };
>
> - allow $2 { gpg_agent_tmp_t gpg_secret_t }:dir { manage_dir_perms relabel_dir_perms };
> - allow $2 { gpg_agent_tmp_t gpg_secret_t }:file { manage_file_perms relabel_file_perms };
> + allow $2 { gpg_agent_tmp_t gpg_dirmngr_tmp_t gpg_secret_t }:dir { manage_dir_perms relabel_dir_perms };
> + allow $2 { gpg_agent_tmp_t gpg_dirmngr_tmp_t gpg_secret_t }:file { manage_file_perms relabel_file_perms };
> allow $2 gpg_secret_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
> - allow $2 { gpg_agent_tmp_t gpg_pinentry_tmp_t gpg_secret_t }:sock_file { manage_sock_file_perms relabel_sock_file_perms };
> + allow $2 { gpg_agent_tmp_t gpg_dirmngr_tmp_t gpg_pinentry_tmp_t gpg_secret_t }:sock_file { manage_sock_file_perms relabel_sock_file_perms };
> filetrans_pattern($2, gpg_secret_t, gpg_agent_tmp_t, sock_file, "log-socket")
> userdom_user_home_dir_filetrans($2, gpg_secret_t, dir, ".gnupg")
>
> @@ -216,6 +219,28 @@ interface(`gpg_stream_connect_agent',`
>
> ########################################
> ## <summary>
> +## Connect to gpg dirmngr socket
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`gpg_stream_connect_dirmngr',`
> + gen_require(`
> + type gpg_dirmngr_t, gpg_dirmngr_tmp_t;
> + type gpg_secret_t;
> + ')
> +
> + stream_connect_pattern($1, gpg_dirmngr_tmp_t, gpg_dirmngr_tmp_t, gpg_dirmngr_t)
> + allow $1 gpg_secret_t:dir search_dir_perms;
> + userdom_search_user_runtime($1)
> + userdom_search_user_home_dirs($1)
> +')
> +
> +########################################
> +## <summary>
> ## Send messages to and from gpg
> ## pinentry over DBUS.
> ## </summary>
> diff --git a/gpg.te b/gpg.te
> index a671ffe..0b35d77 100644
> --- a/gpg.te
> +++ b/gpg.te
> @@ -19,6 +19,8 @@ roleattribute system_r gpg_roles;
>
> attribute_role gpg_agent_roles;
>
> +attribute_role gpg_dirmngr_roles;
> +
> attribute_role gpg_helper_roles;
> roleattribute system_r gpg_helper_roles;
>
> @@ -72,6 +74,18 @@ optional_policy(`
> pulseaudio_tmpfs_content(gpg_pinentry_tmpfs_t)
> ')
>
> +type gpg_dirmngr_t;
> +type gpg_dirmngr_exec_t;
> +typealias gpg_dirmngr_t alias { user_gpg_dirmngr_t staff_gpg_dirmngr_t sysadm_gpg_dirmngr_t };
> +typealias gpg_dirmngr_t alias { auditadm_gpg_dirmngr_t secadm_gpg_dirmngr_t };
> +userdom_user_application_domain(gpg_dirmngr_t, gpg_dirmngr_exec_t)
> +role gpg_dirmngr_roles types gpg_dirmngr_t;
> +
> +type gpg_dirmngr_tmp_t;
> +typealias gpg_dirmngr_tmp_t alias { user_gpg_dirmngr_tmp_t staff_gpg_dirmngr_tmp_t sysadm_gpg_dirmngr_tmp_t };
> +typealias gpg_dirmngr_tmp_t alias { auditadm_gpg_dirmngr_tmp_t secadm_gpg_dirmngr_tmp_t };
> +userdom_user_tmp_file(gpg_dirmngr_tmp_t)
> +
> ########################################
> #
> # Local policy
> @@ -94,8 +108,10 @@ manage_lnk_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
> userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir)
>
> gpg_stream_connect_agent(gpg_t)
> +gpg_stream_connect_dirmngr(gpg_t)
>
> domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
> +domtrans_pattern(gpg_t, gpg_dirmngr_exec_t, gpg_dirmngr_t)
> domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)
>
> kernel_read_sysctl(gpg_t)
> @@ -359,3 +375,55 @@ optional_policy(`
> optional_policy(`
> xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t)
> ')
> +
> +##############################
> +#
> +# Dirmngr local policy
> +#
> +
> +allow gpg_dirmngr_t self:unix_stream_socket { create_stream_socket_perms connectto };
> +
> +manage_dirs_pattern(gpg_dirmngr_t, gpg_secret_t, gpg_secret_t)
> +manage_files_pattern(gpg_dirmngr_t, gpg_secret_t, gpg_secret_t)
> +manage_lnk_files_pattern(gpg_dirmngr_t, gpg_secret_t, gpg_secret_t)
> +manage_sock_files_pattern(gpg_dirmngr_t, gpg_secret_t, gpg_secret_t)
> +
> +manage_dirs_pattern(gpg_dirmngr_t, gpg_dirmngr_tmp_t, gpg_dirmngr_tmp_t)
> +manage_files_pattern(gpg_dirmngr_t, gpg_dirmngr_tmp_t, gpg_dirmngr_tmp_t)
> +manage_sock_files_pattern(gpg_dirmngr_t, gpg_dirmngr_tmp_t, gpg_dirmngr_tmp_t)
> +files_tmp_filetrans(gpg_dirmngr_t, gpg_dirmngr_tmp_t, { file sock_file dir })
> +
> +filetrans_pattern(gpg_dirmngr_t, gpg_secret_t, gpg_dirmngr_tmp_t, sock_file, "S.dirmngr")
> +
> +domain_use_interactive_fds(gpg_dirmngr_t)
> +
> +userdom_use_user_terminals(gpg_dirmngr_t)
> +userdom_search_user_home_dirs(gpg_dirmngr_t)
> +
> +dev_read_rand(gpg_dirmngr_t)
> +dev_read_urand(gpg_dirmngr_t)
> +
> +miscfiles_read_localization(gpg_dirmngr_t)
> +
> +auth_use_nsswitch(gpg_dirmngr_t)
> +
> +corenet_all_recvfrom_unlabeled(gpg_dirmngr_t)
> +corenet_all_recvfrom_netlabel(gpg_dirmngr_t)
> +corenet_tcp_sendrecv_generic_if(gpg_dirmngr_t)
> +corenet_tcp_sendrecv_generic_node(gpg_dirmngr_t)
> +
> +corenet_sendrecv_all_client_packets(gpg_dirmngr_t)
> +corenet_tcp_connect_all_ports(gpg_dirmngr_t)
> +corenet_tcp_sendrecv_all_ports(gpg_dirmngr_t)
> +
> +tunable_policy(`use_nfs_home_dirs',`
> + fs_manage_nfs_dirs(gpg_dirmngr_t)
> + fs_manage_nfs_files(gpg_dirmngr_t)
> + fs_manage_nfs_symlinks(gpg_dirmngr_t)
> +')
> +
> +tunable_policy(`use_samba_home_dirs',`
> + fs_manage_cifs_dirs(gpg_dirmngr_t)
> + fs_manage_cifs_files(gpg_dirmngr_t)
> + fs_manage_cifs_symlinks(gpg_dirmngr_t)
> +')
>
--
Chris PeBenito
On 12/09/16 13:14, Luis Ressel via refpolicy wrote:
> scdaemon is part of gnupg's subsystem for handling smartcards. The two
> new gpg-agent sockets are used by gnupg 2.1.16.
> ---
> gpg.fc | 4 ++--
> gpg.te | 3 +++
> 2 files changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/gpg.fc b/gpg.fc
> index 3f1d1d2..eee870e 100644
> --- a/gpg.fc
> +++ b/gpg.fc
> @@ -1,7 +1,7 @@
> HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0)
> HOME_DIR/\.gnupg/log-socket -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
> -HOME_DIR/\.gnupg/S\.gpg-agent -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
> -HOME_DIR/\.gnupg/S\.gpg-agent\.ssh -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
> +HOME_DIR/\.gnupg/S\.gpg-agent.* -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
> +HOME_DIR/\.gnupg/S\.scdaemon -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
>
> /usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0)
> /usr/bin/gpgsm -- gen_context(system_u:object_r:gpg_exec_t,s0)
> diff --git a/gpg.te b/gpg.te
> index 02e868d..a671ffe 100644
> --- a/gpg.te
> +++ b/gpg.te
> @@ -230,7 +230,10 @@ files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })
>
> filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "log-socket")
> filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent")
> +filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.browser")
> +filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.extra")
> filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.ssh")
> +filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.scdaemon")
>
> domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t)
Merged.
--
Chris PeBenito
On 12/09/16 13:14, Luis Ressel via refpolicy wrote:
> ---
> gpg.fc | 12 ++++++------
> 1 file changed, 6 insertions(+), 6 deletions(-)
>
> diff --git a/gpg.fc b/gpg.fc
> index eee870e..3067dae 100644
> --- a/gpg.fc
> +++ b/gpg.fc
> @@ -1,14 +1,14 @@
> -HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0)
> +HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0)
> HOME_DIR/\.gnupg/log-socket -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
> HOME_DIR/\.gnupg/S\.gpg-agent.* -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
> HOME_DIR/\.gnupg/S\.scdaemon -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
>
> -/usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0)
> -/usr/bin/gpgsm -- gen_context(system_u:object_r:gpg_exec_t,s0)
> -/usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0)
> -/usr/bin/pinentry.* -- gen_context(system_u:object_r:pinentry_exec_t,s0)
> +/usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0)
> +/usr/bin/gpgsm -- gen_context(system_u:object_r:gpg_exec_t,s0)
> +/usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0)
> +/usr/bin/pinentry.* -- gen_context(system_u:object_r:pinentry_exec_t,s0)
>
> -/usr/lib/gnupg/.* -- gen_context(system_u:object_r:gpg_exec_t,s0)
> +/usr/lib/gnupg/.* -- gen_context(system_u:object_r:gpg_exec_t,s0)
> /usr/lib/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0)
>
> /var/run/user/%{USERID}/gnupg(/.*)? gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
Merged.
--
Chris PeBenito
On Sun, 11 Dec 2016 14:27:56 -0500
Chris PeBenito via refpolicy <[email protected]> wrote:
> On 12/09/16 13:14, Luis Ressel via refpolicy wrote:
> > GnuPG 2.1 uses a separate dirmngr process for retrieving keys from a
> > keyserver.
> >
> > This policy may be lacking permissions for some of dirmngr's
> > features I don't use, such as key retrieval via http or ldap and
> > OCSP lookups.
>
> How does this relate to the existing dirmngr module? There is a
> conflict in the /usr/bin/dirmngr labeling.
WHOOOPS, I hadn't noticed the dirmngr module. Looks like dirmngr was
originally a separate program, which has only been bundled with gnupg
since gnupg 2.1. Thanks for noticing!
I'll go over the dirmngr module and check if it provides all
permissions required by gnupg 2.1's dirmngr. (And I obviously retract
this patch.)
Regards,
Luis