From: domg472@gmail.com (Dominick Grift) Date: Sun, 1 Nov 2009 21:47:58 +0100 Subject: [refpolicy] [gpg patch 1/1] Extend the Gnupg domain to allow key signing (with seahorse). Message-ID: <20091101204755.GA6075@notebook3.grift.internal> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com When we sign a Gnupg key in atleast Seahorse, the gpg_t domain wants to transition to the gpg_agent_t domain. The gpg_pinentry_t domain also has to be able to prompt for the key passphrase. Signed-off-by: Dominick Grift --- :100644 100644 9d162a8... 009274d... M policy/modules/apps/gpg.te policy/modules/apps/gpg.te | 46 ++++++++++++++++++++++++++++++++++++++++--- 1 files changed, 42 insertions(+), 4 deletions(-) diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te index 9d162a8..009274d 100644 --- a/policy/modules/apps/gpg.te +++ b/policy/modules/apps/gpg.te @@ -53,6 +53,10 @@ typealias gpg_pinentry_t alias { auditadm_gpg_pinentry_t secadm_gpg_pinentry_t } application_domain(gpg_pinentry_t, pinentry_exec_t) ubac_constrained(gpg_pinentry_t) +type gpg_pinentry_tmpfs_t; +files_tmpfs_file(gpg_pinentry_tmpfs_t) +ubac_constrained(gpg_pinentry_tmpfs_t) + ######################################## # # GPG local policy @@ -69,6 +73,8 @@ manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t) manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t) files_tmp_filetrans(gpg_t, gpg_agent_tmp_t, { dir file }) +domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t) + # transition from the gpg domain to the helper domain domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t) @@ -190,6 +196,7 @@ files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir }) # allow gpg to connect to the gpg agent stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t) +corecmd_read_bin_symlinks(gpg_agent_t) corecmd_search_bin(gpg_agent_t) domain_use_interactive_fds(gpg_agent_t) 
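Review bot: The new `domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)` line in the -69,6 hunk has no comment, while the helper transition directly below it is introduced with one. Since this rule lets gpg_t start the agent that obtains the passphrase through pinentry, the reason should be recorded next to it, for example `# transition from the gpg domain to the agent domain (key signing, e.g. from Seahorse)`. The same applies to `corecmd_read_bin_symlinks(gpg_agent_t)` in the -190,6 hunk, which gives no hint of which path lookup required it.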
@@ -227,9 +234,15 @@ tunable_policy(`use_samba_home_dirs',` # Pinentry local policy # +allow gpg_pinentry_t self:process { getcap getsched signal }; +allow gpg_pinentry_t self:unix_dgram_socket create; allow gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write }; allow gpg_pinentry_t self:fifo_file rw_fifo_file_perms; +manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t) +manage_files_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t) +fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir }) + # we need to allow gpg-agent to call pinentry so it can get the passphrase # from the user. domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t) @@ -237,6 +250,10 @@ domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t) # read /proc/meminfo kernel_read_system_state(gpg_pinentry_t) +dev_read_urand(gpg_pinentry_t) + +fs_getattr_tmpfs(gpg_pinentry_t) + files_read_usr_files(gpg_pinentry_t) # read /etc/X11/qtrc files_read_etc_files(gpg_pinentry_t) 
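Review bot: `allow gpg_pinentry_t self:unix_dgram_socket create;` in the -227,9 hunk grants only `create`, whereas the existing stream-socket rule next to it lists connect, read, write and more. A datagram socket that can be created but not connected or written will probably raise further AVC denials once this one is cleared, which suggests the rule was taken from a single denial logged in enforcing mode. It would be worth re-testing in permissive mode and then either granting the full set, e.g. `allow gpg_pinentry_t self:unix_dgram_socket create_socket_perms;`, or adding a dontaudit rule if the socket turns out not to be needed. The new `self:process { getcap getsched signal }` and tmpfs rules would also benefit from a one-line comment naming what in pinentry needs them.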
@@ -244,15 +261,36 @@ files_read_etc_files(gpg_pinentry_t) miscfiles_read_fonts(gpg_pinentry_t) miscfiles_read_localization(gpg_pinentry_t) -# for .Xauthority -userdom_read_user_home_content_files(gpg_pinentry_t) +userdom_manage_user_tmp_dirs(gpg_pinentry_t) +userdom_write_user_tmp_sockets(gpg_pinentry_t) +userdom_manage_user_home_content_files(gpg_pinentry_t) +userdom_signull_unpriv_users(gpg_pinentry_t) +userdom_stream_connect(gpg_pinentry_t) tunable_policy(`use_nfs_home_dirs',` - fs_read_nfs_files(gpg_pinentry_t) + fs_manage_nfs_dirs(gpg_pinentry_t) + fs_manage_nfs_files(gpg_pinentry_t) + fs_manage_nfs_named_sockets(gpg_pinentry_t) ') tunable_policy(`use_samba_home_dirs',` - fs_read_cifs_files(gpg_pinentry_t) + fs_manage_cifs_dirs(gpg_pinentry_t) + fs_manage_cifs_files(gpg_pinentry_t) + fs_manage_cifs_named_sockets(gpg_pinentry_t) +') + +optional_policy(` + dbus_session_bus_client(gpg_pinentry_t) + dbus_system_bus_client(gpg_pinentry_t) +') + +optional_policy(` + gnome_manage_config(gpg_pinentry_t) +') + +optional_policy(` + pulseaudio_domtrans(gpg_pinentry_t) + pulseaudio_stream_connect(gpg_pinentry_t) ') optional_policy(` -- 1.6.5.1 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 198 bytes Desc: not available Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20091101/420a6e2b/attachment.bin
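Review bot: Replacing `userdom_read_user_home_content_files(gpg_pinentry_t)` with `userdom_manage_user_home_content_files(gpg_pinentry_t)` gives the passphrase prompt create, write and delete access to generic user home content, and the NFS/CIFS tunables are widened from read to manage in the same way; the removed comment says the original need was only to read .Xauthority. Together with `dbus_system_bus_client`, `gnome_manage_config` and `pulseaudio_domtrans`, the domain that receives the key passphrase gets a much larger reach than the commit message (prompting for the passphrase) explains. I would keep `# for .Xauthority` with the read-only interface and grant write access only on the specific file types pinentry was actually denied on, each with a comment naming the denial. The trailing `optional_policy(` block continues outside the hunk.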