From: domg472@gmail.com (Dominick Grift)
Date: Sun, 01 Nov 2009 22:00:08 +0100
Subject: [refpolicy] [gpg patch 1/1] Extend the Gnupg domain to allow key signing (with seahorse).
In-Reply-To: <20091101204755.GA6075@notebook3.grift.internal>
References: <20091101204755.GA6075@notebook3.grift.internal>
Message-ID: <1257109208.6100.5.camel@localhost>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On Sun, 2009-11-01 at 21:47 +0100, Dominick Grift wrote:
Forget this patch i screwed up the use_samba/nfs_homedirs booleans by adding policy for tmp objects. Also what is really annoying is that it needs to manage generic home files. I am also not totally confident this all is correct since some domain transitions are involved. If someone is brave enough or feels inspired by the patch below, try to sign some gpg keys with and without seahorse to see what is required. (i ran out of keys to sign)
> When we sign a Gnupg key in atleast Seahorse, the gpg_t domain wants to transition to the gpg_agent_t domain.
> The gpg_pinentry_t domain also has to be able to prompt for the key passphrase.
>
> Signed-off-by: Dominick Grift
> ---
> :100644 100644 9d162a8... 009274d... M policy/modules/apps/gpg.te
> policy/modules/apps/gpg.te | 46 ++++++++++++++++++++++++++++++++++++++++---
> 1 files changed, 42 insertions(+), 4 deletions(-)
>
> diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te
> index 9d162a8..009274d 100644
> --- a/policy/modules/apps/gpg.te
> +++ b/policy/modules/apps/gpg.te
> @@ -53,6 +53,10 @@ typealias gpg_pinentry_t alias { auditadm_gpg_pinentry_t secadm_gpg_pinentry_t }
> application_domain(gpg_pinentry_t, pinentry_exec_t)
> ubac_constrained(gpg_pinentry_t)
>
> +type gpg_pinentry_tmpfs_t;
> +files_tmpfs_file(gpg_pinentry_tmpfs_t)
> +ubac_constrained(gpg_pinentry_tmpfs_t)
> +
> ########################################
> #
> # GPG local policy
> @@ -69,6 +73,8 @@ manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
> manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
> files_tmp_filetrans(gpg_t, gpg_agent_tmp_t, { dir file })
>
> +domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
> +
> # transition from the gpg domain to the helper domain
> domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)
>
> @@ -190,6 +196,7 @@ files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })
> # allow gpg to connect to the gpg agent
> stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)
>
> +corecmd_read_bin_symlinks(gpg_agent_t)
> corecmd_search_bin(gpg_agent_t)
>
> domain_use_interactive_fds(gpg_agent_t)
> @@ -227,9 +234,15 @@ tunable_policy(`use_samba_home_dirs',`
> # Pinentry local policy
> #
>
> +allow gpg_pinentry_t self:process { getcap getsched signal };
> +allow gpg_pinentry_t self:unix_dgram_socket create;
> allow gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write };
> allow gpg_pinentry_t self:fifo_file rw_fifo_file_perms;
>
> +manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
> +manage_files_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
> +fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir })
> +
> # we need to allow gpg-agent to call pinentry so it can get the passphrase
> # from the user.
> domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t)
> @@ -237,6 +250,10 @@ domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t)
> # read /proc/meminfo
> kernel_read_system_state(gpg_pinentry_t)
>
> +dev_read_urand(gpg_pinentry_t)
> +
> +fs_getattr_tmpfs(gpg_pinentry_t)
> +
> files_read_usr_files(gpg_pinentry_t)
> # read /etc/X11/qtrc
> files_read_etc_files(gpg_pinentry_t)
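Review bot: The added `domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)` is unconditional and carries no comment, unlike the helper transition directly below it. Because gpg_agent_t may in turn enter gpg_pinentry_t (the existing `domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t)` further down), any process in gpg_t that can execute a gpg_agent_exec_t file now has a path to the passphrase prompt domain. A comment in the style of its neighbour, such as `# transition from the gpg domain to the agent domain (key signing started from seahorse)`, would record why the transition exists and make it easier to revisit.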
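Review bot: `allow gpg_pinentry_t self:unix_dgram_socket create;` in the Pinentry local policy hunk grants `create` alone, so a datagram socket made under this rule cannot be connected or written to. If the denial came from a logging or session socket, further AVCs will probably follow; either grant the permissions the caller really uses or leave the rule out until that use is identified. The `gpg_pinentry_tmpfs_t` rules below it also have no comment saying what pinentry stores on tmpfs (presumably shared-memory segments for the toolkit, to be confirmed); a line such as `# pinentry shared memory` would document it.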
> @@ -244,15 +261,36 @@ files_read_etc_files(gpg_pinentry_t)
> miscfiles_read_fonts(gpg_pinentry_t)
> miscfiles_read_localization(gpg_pinentry_t)
>
> -# for .Xauthority
> -userdom_read_user_home_content_files(gpg_pinentry_t)
> +userdom_manage_user_tmp_dirs(gpg_pinentry_t)
> +userdom_write_user_tmp_sockets(gpg_pinentry_t)
> +userdom_manage_user_home_content_files(gpg_pinentry_t)
> +userdom_signull_unpriv_users(gpg_pinentry_t)
> +userdom_stream_connect(gpg_pinentry_t)
>
> tunable_policy(`use_nfs_home_dirs',`
> - fs_read_nfs_files(gpg_pinentry_t)
> + fs_manage_nfs_dirs(gpg_pinentry_t)
> + fs_manage_nfs_files(gpg_pinentry_t)
> + fs_manage_nfs_named_sockets(gpg_pinentry_t)
> ')
>
> tunable_policy(`use_samba_home_dirs',`
> - fs_read_cifs_files(gpg_pinentry_t)
> + fs_manage_cifs_dirs(gpg_pinentry_t)
> + fs_manage_cifs_files(gpg_pinentry_t)
> + fs_manage_cifs_named_sockets(gpg_pinentry_t)
> +')
> +
> +optional_policy(`
> + dbus_session_bus_client(gpg_pinentry_t)
> + dbus_system_bus_client(gpg_pinentry_t)
> +')
> +
> +optional_policy(`
> + gnome_manage_config(gpg_pinentry_t)
> +')
> +
> +optional_policy(`
> + pulseaudio_domtrans(gpg_pinentry_t)
> + pulseaudio_stream_connect(gpg_pinentry_t)
> ')
>
> optional_policy(`
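Review bot: The optional_policy blocks added at the end of this hunk let gpg_pinentry_t, the domain that receives the key passphrase, act as a system-bus client (`dbus_system_bus_client`), manage GNOME configuration and transition into pulseaudio, and none of them states which denial it answers. The removed `# for .Xauthority` line was the only rationale in this section, and the `userdom_` lines that replace it are undocumented as well. I would keep each grant only with a one-line comment naming the access observed (for example `# session bus: needed by the GTK pinentry dialog`, wording to follow the actual AVC), and drop `dbus_system_bus_client(gpg_pinentry_t)` and `pulseaudio_domtrans(gpg_pinentry_t)` unless a signing run in enforcing mode shows they are required.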