From: jason@perfinion.com (Jason Zaman)
Date: Thu, 27 Oct 2016 01:19:19 +0800
Subject: [refpolicy] [PATCH 2/4] gpg: add new socket paths
In-Reply-To: <1477502361-20223-1-git-send-email-jason@perfinion.com>
References: <1477502361-20223-1-git-send-email-jason@perfinion.com>
Message-ID: <1477502361-20223-2-git-send-email-jason@perfinion.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

GPG 2.1 has sockets in /run/user/UID/gnupg/ and ~/.gnupg/S.gpg-agent{,.ssh}.
also allow pinentry to dbus chat gkeyring
---
 gpg.fc | 4 ++++
 gpg.if | 4 ++++
 gpg.te | 8 ++++++++
 3 files changed, 16 insertions(+)

diff --git a/gpg.fc b/gpg.fc
index 888cd2c..dcd6a16 100644
--- a/gpg.fc
+++ b/gpg.fc
@@ -1,5 +1,7 @@
 HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0)
 HOME_DIR/\.gnupg/log-socket -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
+HOME_DIR/\.gnupg/S.gpg-agent -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
+HOME_DIR/\.gnupg/S.gpg-agent.ssh -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
 
 /usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0)
 /usr/bin/gpgsm -- gen_context(system_u:object_r:gpg_exec_t,s0)
@@ -8,3 +10,5 @@ HOME_DIR/\.gnupg/log-socket -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
 
 /usr/lib/gnupg/.* -- gen_context(system_u:object_r:gpg_exec_t,s0)
 /usr/lib/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0)
+
+/var/run/user/%{USERID}/gnupg(/.*)? gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
diff --git a/gpg.if b/gpg.if
index 0370dd1..5f4cefc 100644
--- a/gpg.if
+++ b/gpg.if
@@ -205,9 +205,13 @@ interface(`gpg_rw_agent_pipes',`
 interface(`gpg_stream_connect_agent',`
 	gen_require(`
 		type gpg_agent_t, gpg_agent_tmp_t;
+		type gpg_secret_t;
 	')
 
 	stream_connect_pattern($1, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)
+	allow $1 gpg_secret_t:dir search_dir_perms;
+	userdom_search_user_runtime($1)
+	userdom_search_user_home_dirs($1)
 ')
 
 ########################################
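Review bot: The two added HOME_DIR entries leave the dot in `S.gpg-agent` unescaped while every other pattern in the file escapes it (`\.gnupg`); file_contexts patterns are regular expressions, so they should read `HOME_DIR/\.gnupg/S\.gpg-agent -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)` and `HOME_DIR/\.gnupg/S\.gpg-agent\.ssh -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)`. GnuPG 2.1 also creates further agent sockets beside these two (as far as I recall `S.gpg-agent.extra` and `S.gpg-agent.browser` in later 2.1 releases), and any socket without an entry here falls under the parent `HOME_DIR/\.gnupg(/.+)?` pattern and is labelled gpg_secret_t, which the stream_connect rule in gpg.if does not cover; one pattern such as `HOME_DIR/\.gnupg/S\.gpg-agent(\..*)? -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)` would keep the home-directory case in step with the `/var/run/user/%{USERID}/gnupg(/.*)?` wildcard added in the second hunk. The same two names are hard-coded in the filetrans_pattern lines of the first gpg.te hunk and would need matching named transitions for any additional sockets.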
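Review bot: `gpg_stream_connect_agent` now grants every caller `search_dir_perms` on `gpg_secret_t` plus search of the user's home and runtime directories, but the interface's documentation header sits above the hunk and only describes the socket connect; add a sentence there such as `Also grants search on the gpg secret directory and on the user home and runtime directories so the agent socket path can be traversed.` so that callers see the widened access when they pull this interface in. The grant itself looks like the minimum needed to reach `~/.gnupg/S.gpg-agent`, since search_dir_perms does not include reading the directory listing or any file in it. The interface body begins at the hunk's first context line and closes inside the hunk.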
diff --git a/gpg.te b/gpg.te
index 7b4ba9d..61da3a7 100644
--- a/gpg.te
+++ b/gpg.te
@@ -229,6 +229,8 @@ manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
 
 files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })
 filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "log-socket")
+filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent")
+filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.ssh")
 
 domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t)
 
@@ -250,6 +252,8 @@ miscfiles_read_localization(gpg_agent_t)
 
 userdom_use_user_terminals(gpg_agent_t)
 userdom_search_user_home_dirs(gpg_agent_t)
+userdom_search_user_runtime(gpg_agent_t)
+userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, dir)
 
 ifdef(`hide_broken_symptoms',`
 	userdom_dontaudit_read_user_tmp_files(gpg_agent_t)
@@ -339,6 +343,10 @@ tunable_policy(`use_samba_home_dirs',`
 optional_policy(`
 	dbus_all_session_bus_client(gpg_pinentry_t)
 	dbus_system_bus_client(gpg_pinentry_t)
+
+	optional_policy(`
+		gnome_dbus_chat_all_gkeyringd(gpg_pinentry_t)
+	')
 ')
 
 optional_policy(`
-- 
2.7.3
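Review bot: `userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, dir)` in the second hunk is an unnamed transition, so every directory gpg-agent creates directly under the user runtime directory becomes gpg_agent_tmp_t, whereas the gpg.fc entry in this series only labels `gnupg`; a restorecon and a fresh login would then disagree for any other directory name. If the interface takes the optional filename argument like the other userdom filetrans interfaces (I believe it does, but please confirm), pin it to the expected name: `userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, dir, "gnupg")`. Both gpg_agent_t hunks sit inside a rule block that starts above the first hunk, so the manage_dirs rule for gpg_agent_tmp_t that directory creation also needs is not visible here and is assumed present.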