From: pebenito@ieee.org (Chris PeBenito)
Date: Wed, 31 May 2017 21:04:38 -0400
Subject: [refpolicy] [PATCH 3/6] dirmngr: fcontext for ~/.gnupg/crls.d/
In-Reply-To: <20170526155801.5441-3-jason@perfinion.com>
References: <20170526155801.5441-1-jason@perfinion.com>
	<20170526155801.5441-3-jason@perfinion.com>
Message-ID: <e7dc8950-75b1-1a12-9fd1-a8217b2e7831@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 05/26/2017 11:57 AM, Jason Zaman wrote:
> ---
>  dirmngr.fc |  2 ++
>  dirmngr.te |  7 +++++++
>  gpg.if     | 20 ++++++++++++++++++++
>  3 files changed, 29 insertions(+)
>
> diff --git a/dirmngr.fc b/dirmngr.fc
> index a9cf15a..60f19f4 100644
> --- a/dirmngr.fc
> +++ b/dirmngr.fc
> @@ -1,3 +1,5 @@
> +HOME_DIR/\.gnupg/crls\.d(/.+)?		gen_context(system_u:object_r:dirmngr_home_t,s0)
> +
>  /etc/dirmngr(/.*)?	gen_context(system_u:object_r:dirmngr_conf_t,s0)
>
>  /etc/rc\.d/init\.d/dirmngr	--	gen_context(system_u:object_r:dirmngr_initrc_exec_t,s0)
> diff --git a/dirmngr.te b/dirmngr.te
> index 8e4a1a8..17cce56 100644
> --- a/dirmngr.te
> +++ b/dirmngr.te
> @@ -27,6 +27,9 @@ files_type(dirmngr_var_lib_t)
>  type dirmngr_var_run_t;
>  files_pid_file(dirmngr_var_run_t)
>
> +type dirmngr_home_t;
> +userdom_user_home_content(dirmngr_home_t)
> +
>  ########################################
>  #
>  # Local policy
> @@ -37,6 +40,8 @@ allow dirmngr_t self:fifo_file rw_file_perms;
>  allow dirmngr_t dirmngr_conf_t:dir list_dir_perms;
>  allow dirmngr_t dirmngr_conf_t:file read_file_perms;
>  allow dirmngr_t dirmngr_conf_t:lnk_file read_lnk_file_perms;
> +allow dirmngr_t dirmngr_home_t:dir list_dir_perms;
> +allow dirmngr_t dirmngr_home_t:file read_file_perms;
>
>  manage_dirs_pattern(dirmngr_t, dirmngr_log_t, dirmngr_log_t)
>  append_files_pattern(dirmngr_t, dirmngr_log_t, dirmngr_log_t)
> @@ -61,6 +66,7 @@ kernel_read_crypto_sysctls(dirmngr_t)
>  files_read_etc_files(dirmngr_t)
>
>  miscfiles_read_localization(dirmngr_t)
> +miscfiles_read_generic_certs(dirmngr_t)
>
>  userdom_search_user_home_dirs(dirmngr_t)
>  userdom_search_user_runtime(dirmngr_t)
> @@ -68,4 +74,5 @@ userdom_user_runtime_filetrans(dirmngr_t, dirmngr_tmp_t, dir)
>
>  optional_policy(`
>  	gpg_agent_tmp_filetrans(dirmngr_t, dirmngr_tmp_t, sock_file)
> +	gpg_secret_filetrans(dirmngr_t, dirmngr_home_t, dir)
>  ')
> diff --git a/gpg.if b/gpg.if
> index 4480f9c..e5a1275 100644
> --- a/gpg.if
> +++ b/gpg.if
> @@ -254,6 +254,26 @@ interface(`gpg_agent_tmp_filetrans',`
>
>  ########################################
>  ## <summary>
> +##	filetrans in gpg_secret_t dirs
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`gpg_secret_filetrans',`
> +	gen_require(`
> +		type gpg_secret_t;
> +	')
> +
> +	filetrans_pattern($1, gpg_secret_t, $2, $3, $4)
> +	allow $1 gpg_secret_t:dir search_dir_perms;
> +	userdom_search_user_home_dirs($1)
> +')

Merged.

-- 
Chris PeBenito