From: guido@trentalancia.net (Guido Trentalancia) Date: Thu, 20 Apr 2017 03:01:10 +0200 Subject: [refpolicy] [PATCH 10/33] gpg: curb on userdom permissions Message-ID: <1492650070.14733.80.camel@trentalancia.net> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com This patch curbs on userdomain file read and/or write permissions for the gpg application module. It aims to ensure user data confidentiality. A boolean has been introduced to revert the previous read/write behavior. Signed-off-by: Guido Trentalancia --- policy/modules/contrib/gpg.te | 25 +++++++++++++++++-------- 1 file changed, 17 insertions(+), 8 deletions(-) --- refpolicy-2.20170204-orig/policy/modules/contrib/gpg.te 2017-02-04 19:30:28.000000000 +0100 +++ refpolicy-2.20170204/policy/modules/contrib/gpg.te 2017-04-20 00:31:39.578445137 +0200 @@ -7,12 +7,11 @@ policy_module(gpg, 2.11.0) ## ##

-## Determine whether GPG agent can manage -## generic user home content files. This is -## required by the --write-env-file option. +## Determine whether gpg can manage +## the user home directories and files. ##

##
-gen_tunable(gpg_agent_env_file, false) +gen_tunable(gpg_enable_home_dirs, false) attribute_role gpg_roles; roleattribute system_r gpg_roles; @@ -124,8 +123,15 @@ miscfiles_read_localization(gpg_t) userdom_use_user_terminals(gpg_t) userdom_manage_user_tmp_files(gpg_t) -userdom_manage_user_home_content_files(gpg_t) -userdom_user_home_dir_filetrans_user_home_content(gpg_t, file) + +tunable_policy(`gpg_enable_home_dirs',` + userdom_manage_user_home_content_dirs(gpg_t) + userdom_manage_user_home_content_files(gpg_t) + userdom_user_home_dir_filetrans_user_home_content(gpg_t, file) +',` + userdom_dontaudit_manage_user_home_content_dirs(gpg_t) + userdom_dontaudit_manage_user_home_content_files(gpg_t) +') tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(gpg_t) @@ -253,10 +259,13 @@ ifdef(`hide_broken_symptoms',` userdom_dontaudit_read_user_tmp_files(gpg_agent_t) ') -tunable_policy(`gpg_agent_env_file',` +tunable_policy(`gpg_enable_home_dirs',` userdom_manage_user_home_content_dirs(gpg_agent_t) userdom_manage_user_home_content_files(gpg_agent_t) - userdom_user_home_dir_filetrans_user_home_content(gpg_agent_t, file) + userdom_user_home_dir_filetrans_user_home_content(gpg_agent_t, { dir file }) +',` + userdom_dontaudit_manage_user_home_content_dirs(gpg_agent_t) + userdom_dontaudit_manage_user_home_content_files(gpg_agent_t) ') tunable_policy(`use_nfs_home_dirs',`
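Review bot: In the first hunk (@@ -7,12 +7,11 @@), the new tunable description is narrower than the boolean it documents: it says "gpg" only, while the third hunk applies the same `gpg_enable_home_dirs` boolean to `gpg_agent_t`, and it drops the old hint that the permission is needed for the agent's `--write-env-file` option, which is the one concrete reason an administrator would know to turn it on. Suggest wording along the lines of "Determine whether gpg and gpg-agent can manage generic user home content directories and files (required by the gpg-agent --write-env-file option)". Renaming `gpg_agent_env_file` to `gpg_enable_home_dirs` also silently drops any existing `setsebool` configuration of the old name, and `policy_module(gpg, 2.11.0)` is left unchanged in the context lines; the module version should be bumped and the rename called out in the commit message.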
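Review bot: In the second hunk (@@ -124,8 +123,15 @@), the else branch of the new `tunable_policy` adds `userdom_dontaudit_manage_user_home_content_dirs(gpg_t)` and `userdom_dontaudit_manage_user_home_content_files(gpg_t)`, so with the boolean at its default of `false` a user whose gpg invocation fails to write its output into `$HOME` gets no AVC denial to point at the boolean. Refpolicy normally leaves such denials audited, or hides them only under `hide_broken_symptoms` (which this module already uses, as the context of the third hunk shows); suggest dropping the dontaudit branch or moving it under that ifdef. Note also that the enabled branch grants `userdom_manage_user_home_content_dirs(gpg_t)`, which the removed lines never granted (they covered files and the file transition only), so the patch widens gpg_t's access when the boolean is on; this should be stated in the commit message rather than described only as a curb.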
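Review bot: In the third hunk (@@ -253,10 +259,13 @@), the file transition for `gpg_agent_t` is changed from `file` to `{ dir file }` in `userdom_user_home_dir_filetrans_user_home_content(gpg_agent_t, { dir file })`, i.e. the agent may now create directories directly in the user's home directory labelled as generic home content. That is an expansion, not a restriction, and neither the commit message nor the tunable description explains which directory gpg-agent needs to create there; please justify it or split it into a separate patch so the access-reducing change can be reviewed on its own. The dontaudit else branch here has the same drawback already raised for the `gpg_t` hunk.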