From: bigon@debian.org (Laurent Bigonville)
Date: Tue, 4 Sep 2012 23:37:28 +0200
Subject: [refpolicy] [PATCH 9/9] Add dirmngr support
In-Reply-To: <1346794648-27101-1-git-send-email-bigon@debian.org>
References: <1346794648-27101-1-git-send-email-bigon@debian.org>
Message-ID: <1346794648-27101-9-git-send-email-bigon@debian.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
From: Russell Coker
---
 dirmngr.fc | 9 +++++++++
 dirmngr.if | 1 +
 dirmngr.te | 57 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 67 insertions(+)
 create mode 100644 dirmngr.fc
 create mode 100644 dirmngr.if
 create mode 100644 dirmngr.te
diff --git a/dirmngr.fc b/dirmngr.fc
new file mode 100644
index 0000000..f4a88e0
--- /dev/null
+++ b/dirmngr.fc
@@ -0,0 +1,9 @@
+/etc/dirmngr(/.*)? gen_context(system_u:object_r:dirmngr_conf_t,s0)
+
+/usr/bin/dirmngr -- gen_context(system_u:object_r:dirmngr_exec_t,s0)
+
+# labelling for PID file that is created by init script
+/var/run/dirmngr\.pid -- gen_context(system_u:object_r:initrc_var_run_t,s0)
+/var/run/dirmngr(/.*)? gen_context(system_u:object_r:dirmngr_var_run_t,s0)
+/var/log/dirmngr(/.*)? gen_context(system_u:object_r:dirmngr_log_t,s0)
+/var/lib/dirmngr(/.*)? gen_context(system_u:object_r:dirmngr_data_t,s0)
diff --git a/dirmngr.if b/dirmngr.if
new file mode 100644
index 0000000..3eb6a30
--- /dev/null
+++ b/dirmngr.if
@@ -0,0 +1 @@
+##
diff --git a/dirmngr.te b/dirmngr.te
new file mode 100644
index 0000000..f7f7df3
--- /dev/null
+++ b/dirmngr.te
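Review bot: dirmngr.fc labels no init script, yet dirmngr.te in this same patch declares `dirmngr_initrc_exec_t` via `init_script_file`, so that type is never assigned to any file and the comment `# labelling for PID file that is created by init script` refers to a script that carries no dirmngr-specific label. If the script is meant to get its own type, an entry along the lines of `/etc/rc\.d/init\.d/dirmngr -- gen_context(system_u:object_r:dirmngr_initrc_exec_t,s0)` (path adjusted to the distribution's init layout) belongs here; otherwise the unused type declaration in dirmngr.te should be dropped. Note also that dirmngr.te lets dirmngr_t create `file` objects in /var/run labelled dirmngr_var_run_t through `files_pid_filetrans`, so if the daemon itself writes dirmngr.pid rather than the init script, the `initrc_var_run_t` label chosen here would, as far as the rules in this patch show, leave that write denied — worth confirming which side creates the file.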
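Review bot: dirmngr.if holds only a `##` line (the summary tag may have been lost in transit), so the module exports no interfaces at all. Since dirmngr.te labels a socket under dirmngr_var_run_t and keeps the config, data and log types private, no client domain can be granted access to that socket and no admin domain can be granted management of those files until interfaces are added here. At minimum the file should carry the `## <summary>` description refpolicy expects in every .if file, even while no interfaces are defined yet.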
@@ -0,0 +1,57 @@
+policy_module(dirmngr, 1.10.0)
+
+########################################
+#
+# Declarations
+#
+
+type dirmngr_t;
+type dirmngr_exec_t;
+init_daemon_domain(dirmngr_t, dirmngr_exec_t)
+
+# type for /var/cache/dirmngr
+type dirmngr_data_t;
+files_type(dirmngr_data_t)
+
+type dirmngr_conf_t;
+files_type(dirmngr_conf_t)
+
+type dirmngr_initrc_exec_t;
+init_script_file(dirmngr_initrc_exec_t)
+
+type dirmngr_log_t;
+logging_log_file(dirmngr_log_t)
+
+type dirmngr_var_run_t;
+files_pid_file(dirmngr_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow dirmngr_t dirmngr_var_run_t:sock_file manage_file_perms;
+allow dirmngr_t self:fifo_file rw_file_perms;
+files_list_var_lib(dirmngr_t)
+files_read_etc_files(dirmngr_t)
+files_read_var_files(dirmngr_t)
+kernel_read_crypto_sysctls(dirmngr_t)
+logging_read_generic_logs(dirmngr_t)
+miscfiles_read_localization(dirmngr_t)
+
+
+# Grant permissions to create, access, and delete cache files.
+manage_dirs_pattern(dirmngr_t, dirmngr_data_t, dirmngr_data_t)
+manage_files_pattern(dirmngr_t, dirmngr_data_t, dirmngr_data_t)
+manage_lnk_files_pattern(dirmngr_t, dirmngr_data_t, dirmngr_data_t)
+
+allow dirmngr_t dirmngr_conf_t:dir list_dir_perms;
+read_files_pattern(dirmngr_t, dirmngr_conf_t, dirmngr_conf_t)
+read_lnk_files_pattern(dirmngr_t, dirmngr_conf_t, dirmngr_conf_t)
+
+manage_dirs_pattern(dirmngr_t, dirmngr_log_t, dirmngr_log_t)
+manage_files_pattern(dirmngr_t, dirmngr_log_t, dirmngr_log_t)
+logging_log_filetrans(dirmngr_t, dirmngr_log_t, { file dir })
+
+manage_files_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t)
+files_pid_filetrans(dirmngr_t, dirmngr_var_run_t, { file sock_file })
-- 
1.7.10.4
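Review bot: The comment `# type for /var/cache/dirmngr` above `type dirmngr_data_t;` does not match the labelling in this patch: dirmngr.fc assigns dirmngr_data_t to `/var/lib/dirmngr(/.*)?`, and the local policy calls `files_list_var_lib(dirmngr_t)` to reach it, so the comment should read `# type for /var/lib/dirmngr`. The local policy grants `sock_file` management under dirmngr_var_run_t and a `files_pid_filetrans` for `sock_file`, but there is no `self:unix_stream_socket` rule, so as written the domain seems unable to listen on the socket it is allowed to label; something like `allow dirmngr_t self:unix_stream_socket create_stream_socket_perms;` looks necessary, presumably together with the name-resolution and HTTP/LDAP connect rules a CRL/certificate fetcher needs, unless those are intentionally deferred to a follow-up driven by observed denials. Declaring a brand-new module as `policy_module(dirmngr, 1.10.0)` is also unusual, since refpolicy starts new modules at 1.0.0.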