From: dominick.grift@gmail.com (Dominick Grift) Date: Tue, 09 Oct 2012 14:53:55 +0200 Subject: [refpolicy] [PATCH 9/9] Add dirmngr support In-Reply-To: <1346794648-27101-9-git-send-email-bigon@debian.org> References: <1346794648-27101-1-git-send-email-bigon@debian.org> <1346794648-27101-9-git-send-email-bigon@debian.org> Message-ID: <1349787235.30521.13.camel@d30.localdomain> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Tue, 2012-09-04 at 23:37 +0200, Laurent Bigonville wrote: > From: Russell Coker > > --- > dirmngr.fc | 9 +++++++++ > dirmngr.if | 1 + > dirmngr.te | 57 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ > 3 files changed, 67 insertions(+) > create mode 100644 dirmngr.fc > create mode 100644 dirmngr.if > create mode 100644 dirmngr.te >
> diff --git a/dirmngr.fc b/dirmngr.fc
> new file mode 100644
> index 0000000..f4a88e0
> --- /dev/null
> +++ b/dirmngr.fc
> @@ -0,0 +1,9 @@
> +/etc/dirmngr(/.*)? gen_context(system_u:object_r:dirmngr_conf_t,s0)
> +
> +/usr/bin/dirmngr -- gen_context(system_u:object_r:dirmngr_exec_t,s0)
> +
> +# labelling for PID file that is created by init script
> +/var/run/dirmngr\.pid -- gen_context(system_u:object_r:initrc_var_run_t,s0)
> +/var/run/dirmngr(/.*)? gen_context(system_u:object_r:dirmngr_var_run_t,s0)
> +/var/log/dirmngr(/.*)? gen_context(system_u:object_r:dirmngr_log_t,s0)
> +/var/lib/dirmngr(/.*)? gen_context(system_u:object_r:dirmngr_data_t,s0)
> diff --git a/dirmngr.if b/dirmngr.if
> new file mode 100644
> index 0000000..3eb6a30
> --- /dev/null
> +++ b/dirmngr.if
> @@ -0,0 +1 @@
> +##
> diff --git a/dirmngr.te b/dirmngr.te
> new file mode 100644
> index 0000000..f7f7df3
> --- /dev/null
> +++ b/dirmngr.te
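Review bot: dirmngr.fc has no entry for the init script, although dirmngr.te in the same series declares `dirmngr_initrc_exec_t` via `init_script_file()`; without a line such as `/etc/rc\.d/init\.d/dirmngr -- gen_context(system_u:object_r:dirmngr_initrc_exec_t,s0)` the type is never assigned to any file and the script keeps the generic init script label. The PID file comment explains that the init script creates `/var/run/dirmngr\.pid`, which is why it is labelled initrc_var_run_t; it would help to state the consequence too, that dirmngr_t gets no access to that file and must not try to rewrite it, since nothing in dirmngr.te grants it. The one-line dirmngr.if hunk is a bare `##` with no summary; refpolicy interface files carry a `## <summary>dirmngr policy</summary>` header even when no interfaces are defined yet.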
> @@ -0,0 +1,57 @@
> +policy_module(dirmngr, 1.10.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +type dirmngr_t;
> +type dirmngr_exec_t;
> +init_daemon_domain(dirmngr_t, dirmngr_exec_t)
> +
> +# type for /var/cache/dirmngr
> +type dirmngr_data_t;
> +files_type(dirmngr_data_t)
> +
> +type dirmngr_conf_t;
> +files_type(dirmngr_conf_t)
> +
> +type dirmngr_initrc_exec_t;
> +init_script_file(dirmngr_initrc_exec_t)
> +
> +type dirmngr_log_t;
> +logging_log_file(dirmngr_log_t)
> +
> +type dirmngr_var_run_t;
> +files_pid_file(dirmngr_var_run_t)
> +
> +########################################
> +#
> +# Local policy
> +#
> +
> +allow dirmngr_t dirmngr_var_run_t:sock_file manage_file_perms;
> +allow dirmngr_t self:fifo_file rw_file_perms;
> +files_list_var_lib(dirmngr_t)
> +files_read_etc_files(dirmngr_t)
> +files_read_var_files(dirmngr_t)
> +kernel_read_crypto_sysctls(dirmngr_t)
> +logging_read_generic_logs(dirmngr_t)
> +miscfiles_read_localization(dirmngr_t)
> +
> +
> +# Grant permissions to create, access, and delete cache files.
> +manage_dirs_pattern(dirmngr_t, dirmngr_data_t, dirmngr_data_t)
> +manage_files_pattern(dirmngr_t, dirmngr_data_t, dirmngr_data_t)
> +manage_lnk_files_pattern(dirmngr_t, dirmngr_data_t, dirmngr_data_t)
> +
> +allow dirmngr_t dirmngr_conf_t:dir list_dir_perms;
> +read_files_pattern(dirmngr_t, dirmngr_conf_t, dirmngr_conf_t)
> +read_lnk_files_pattern(dirmngr_t, dirmngr_conf_t, dirmngr_conf_t)
> +
> +manage_dirs_pattern(dirmngr_t, dirmngr_log_t, dirmngr_log_t)
> +manage_files_pattern(dirmngr_t, dirmngr_log_t, dirmngr_log_t)
> +logging_log_filetrans(dirmngr_t, dirmngr_log_t, { file dir })
> +
> +manage_files_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t)
> +files_pid_filetrans(dirmngr_t, dirmngr_var_run_t, { file sock_file })
Merged with changes, thanks
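Review bot: The `# type for /var/cache/dirmngr` comment in the Declarations section contradicts dirmngr.fc, which labels `/var/lib/dirmngr(/.*)?` with dirmngr_data_t and nothing under /var/cache; it should read `# type for /var/lib/dirmngr` so the comment matches the only path that actually gets the type. In Local policy, `files_pid_filetrans(dirmngr_t, dirmngr_var_run_t, { file sock_file })` only labels objects created directly in the pid directory, while dirmngr.fc treats `/var/run/dirmngr(/.*)?` as a directory tree; if the daemon creates that directory itself at runtime it also needs `manage_dirs_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t)` and `dir` in the filetrans class list, otherwise the directory is labelled correctly only when the init script or restorecon creates it. The socket rule `allow dirmngr_t dirmngr_var_run_t:sock_file manage_file_perms;` is clearer with the class-specific pattern, `manage_sock_files_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t)`. The module has no corenet or sysnet rules at all; if this daemon retrieves certificate revocation data over the network, as its name suggests, those permissions will surface as denials and should be added deliberately with a comment naming the ports it is expected to reach.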