From: pebenito@ieee.org (Chris PeBenito) Date: Sun, 30 Oct 2016 14:21:09 -0400 Subject: [refpolicy] [PATCH v2 2/4] gpg: add new socket paths In-Reply-To: <1477580389-14244-1-git-send-email-jason@perfinion.com> References: <1477580389-14244-1-git-send-email-jason@perfinion.com> Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 10/27/16 10:59, Jason Zaman wrote:
> GPG 2.1 has sockets in /run/user/UID/gnupg/ and
> ~/.gnupg/S.gpg-agent{,.ssh}.
>
> also allow pinentry to dbus chat gkeyring
> ---
> v2: escape . in fcontexts recommended by Nicolas Iooss
>
> gpg.fc | 4 ++++
> gpg.if | 4 ++++
> gpg.te | 8 ++++++++
> 3 files changed, 16 insertions(+)
>
> diff --git a/gpg.fc b/gpg.fc
> index 888cd2c..3f1d1d2 100644
> --- a/gpg.fc
> +++ b/gpg.fc
> @@ -1,5 +1,7 @@
> HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0)
> HOME_DIR/\.gnupg/log-socket -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
> +HOME_DIR/\.gnupg/S\.gpg-agent -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
> +HOME_DIR/\.gnupg/S\.gpg-agent\.ssh -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
>
> /usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0)
> /usr/bin/gpgsm -- gen_context(system_u:object_r:gpg_exec_t,s0)
> @@ -8,3 +10,5 @@ HOME_DIR/\.gnupg/log-socket -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
>
> /usr/lib/gnupg/.* -- gen_context(system_u:object_r:gpg_exec_t,s0)
> /usr/lib/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0)
> +
> +/var/run/user/%{USERID}/gnupg(/.*)? gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
> diff --git a/gpg.if b/gpg.if
> index 0370dd1..5f4cefc 100644
> --- a/gpg.if
> +++ b/gpg.if
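Review bot: The two new HOME_DIR entries cover only the main and ssh sockets, so any other socket gpg-agent creates under ~/.gnupg (recent 2.1 releases can also create `S.gpg-agent.extra` and `S.gpg-agent.browser`, depending on version and configuration) falls back to the `HOME_DIR/\.gnupg(/.+)?` glob and is labeled gpg_secret_t, which callers of gpg_stream_connect_agent cannot connect to. If those sockets are in scope, add `HOME_DIR/\.gnupg/S\.gpg-agent\.extra -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)` and `HOME_DIR/\.gnupg/S\.gpg-agent\.browser -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)` here, with matching named filetrans_pattern lines next to the "S.gpg-agent" ones in the first gpg.te hunk. The /var/run/user glob in the next hunk already covers them when the runtime directory is used, so this only matters for the home-directory fallback.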
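Review bot: `/var/run/user/%{USERID}/gnupg(/.*)?` labels everything under the per-user gnupg runtime directory gpg_agent_tmp_t, including any socket in it that is not gpg-agent's (dirmngr appears to place its socket in the same directory with gpg 2.1, though I have not verified that against this refpolicy version). Every caller of gpg_stream_connect_agent would then be able to connect to those sockets as well; if that is not intended, a more specific fc entry for the non-agent sockets keeps the labels distinct. A short `#` comment above the line noting that the directory is shared by the gnupg daemons and that the glob is deliberate would help the next reader either way.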
> @@ -205,9 +205,13 @@ interface(`gpg_rw_agent_pipes',`
> interface(`gpg_stream_connect_agent',`
> gen_require(`
> type gpg_agent_t, gpg_agent_tmp_t;
> + type gpg_secret_t;
> ')
>
> stream_connect_pattern($1, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)
> + allow $1 gpg_secret_t:dir search_dir_perms;
> + userdom_search_user_runtime($1)
> + userdom_search_user_home_dirs($1)
> ')
>
> ########################################
> diff --git a/gpg.te b/gpg.te
> index 7b4ba9d..61da3a7 100644
> --- a/gpg.te
> +++ b/gpg.te
> @@ -229,6 +229,8 @@ manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
> files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })
>
> filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "log-socket")
> +filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent")
> +filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.ssh")
>
> domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t)
>
> @@ -250,6 +252,8 @@ miscfiles_read_localization(gpg_agent_t)
>
> userdom_use_user_terminals(gpg_agent_t)
> userdom_search_user_home_dirs(gpg_agent_t)
> +userdom_search_user_runtime(gpg_agent_t)
> +userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, dir)
>
> ifdef(`hide_broken_symptoms',`
> userdom_dontaudit_read_user_tmp_files(gpg_agent_t)
> @@ -339,6 +343,10 @@ tunable_policy(`use_samba_home_dirs',`
> optional_policy(`
> dbus_all_session_bus_client(gpg_pinentry_t)
> dbus_system_bus_client(gpg_pinentry_t)
> +
> + optional_policy(`
> + gnome_dbus_chat_all_gkeyringd(gpg_pinentry_t)
> + ')
> ')
>
> optional_policy(`
Merged. -- Chris PeBenito
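Review bot: gpg_stream_connect_agent now also grants search on gpg_secret_t directories, the user home directories and the user runtime directory, but the interface's `## <summary>` documentation block above the hunk (it starts outside the hunk) still describes only the stream connect. Add a `## <desc>` paragraph stating that the caller is additionally allowed to search the user's home, runtime and ~/.gnupg directories in order to reach the agent socket. The gpg_secret_t grant is search_dir_perms only, not read or list, which is the least privilege needed to traverse the directory; saying so in the description discourages a later "upgrade" to broader permissions on the keyring directory.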
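Review bot: `userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, dir)` is an unnamed transition, so every directory gpg_agent_t creates directly under the user runtime directory becomes gpg_agent_tmp_t, not just `gnupg`. The sock_file transitions in the previous gpg.te hunk are named, and this one should be too if the interface accepts the optional filename argument that the other refpolicy *_filetrans interfaces take: `userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, dir, "gnupg")`. That keeps the transition aligned with the `/var/run/user/%{USERID}/gnupg(/.*)?` file context added in gpg.fc and avoids mislabeling anything else the agent might create there.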
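Review bot: The nested optional_policy block that adds `gnome_dbus_chat_all_gkeyringd(gpg_pinentry_t)` gives no reason for pinentry to talk to the keyring daemon, and the commit message only says "also allow pinentry to dbus chat gkeyring". A one-line comment above the call recording the purpose (presumably pinentry's keyring-backed passphrase caching; confirm before wording it) would let a later reviewer judge whether the access is still needed. The enclosing optional_policy block ends outside the hunk.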