From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Sat, 13 Aug 2011 20:25:04 +0200 Subject: [refpolicy] [PATCH 4/4] Allow gpg to search through portage configuration files In-Reply-To: <20110813182048.GA12571@siphos.be> References: <20110813182048.GA12571@siphos.be> Message-ID: <20110813182504.GE12571@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com When working with signed snapshots, the GnuPG keystore is usually stored in /etc/portage/gpg. Although the location itself can (and through this patch is) labeled as gpg_secret_t, gpg does need search privileges to the parent directories (in this case, /etc/portage as /etc is already implied through gpg policy). We create an interface called portage_search_conf which grants exactly these privileges and assign it to gpg_t. Signed-off-by: Sven Vermeulen --- policy/modules/admin/portage.if | 21 +++++++++++++++++++++ policy/modules/apps/gpg.fc | 2 ++ policy/modules/apps/gpg.te | 1 + 3 files changed, 24 insertions(+), 0 deletions(-) diff --git a/policy/modules/admin/portage.if b/policy/modules/admin/portage.if index 86948c7..1682add 100644 --- a/policy/modules/admin/portage.if +++ b/policy/modules/admin/portage.if @@ -269,6 +269,27 @@ interface(`portage_read_tmp_files',` ######################################## ## +## Allow a domain search privileges through portage_conf_t +## +## +## +## Domain to allow search privileges +## +## +# +interface(`portage_search_conf',` + gen_require(` + type portage_conf_t; + ') + + allow $1 portage_conf_t:dir search_dir_perms; +') + + + + +######################################## +## ## Do not audit attempts to search the ## portage temporary directories. ## diff --git a/policy/modules/apps/gpg.fc b/policy/modules/apps/gpg.fc index e9853d4..be2423c 100644 --- a/policy/modules/apps/gpg.fc +++ b/policy/modules/apps/gpg.fc 
@@ -1,5 +1,7 @@ HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0) +/etc/portage/gpg(/.*)? gen_context(system_u:object_r:gpg_secret_t,s0) + /usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0) /usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0) /usr/bin/kgpg -- gen_context(system_u:object_r:gpg_exec_t,s0) diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te index 469dc93..90826de 100644 --- a/policy/modules/apps/gpg.te +++ b/policy/modules/apps/gpg.te @@ -148,6 +148,7 @@ optional_policy(` optional_policy(` portage_read_tmp_files(gpg_t) + portage_search_conf(gpg_t) ') optional_policy(` -- 1.7.3.4
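Review bot: In policy/modules/admin/portage.if, the new portage_search_conf interface grants only `allow $1 portage_conf_t:dir search_dir_perms;` and relies on the caller already being able to search /etc, which the commit message says gpg policy happens to provide. Any other caller would be left without a working path down to /etc/portage, so consider calling files_search_etc($1) inside the interface to make it self-contained. The hunk also adds four blank lines between the closing `')` and the next comment banner; one is enough.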
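Review bot: In policy/modules/apps/gpg.fc, the added `/etc/portage/gpg(/.*)?` entry is a Gentoo-specific location but is placed unconditionally next to the generic HOME_DIR entry; wrapping it in an ifdef on distro_gentoo would keep the file context out of policy built for other distributions. The new line also uses `(/.*)?` while the neighbouring HOME_DIR/\.gnupg line uses `(/.+)?`, so pick one form for the two gpg_secret_t entries. Since this labels a system-wide keystore gpg_secret_t, the commit message should say which domains are expected to read it besides gpg_t, because the hunks shown here only add directory search on portage_conf_t.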