From: pebenito@ieee.org (Chris PeBenito) Date: Wed, 31 May 2017 21:04:38 -0400 Subject: [refpolicy] [PATCH 3/6] dirmngr: fcontext for ~/.gnupg/crls.d/ In-Reply-To: <20170526155801.5441-3-jason@perfinion.com> References: <20170526155801.5441-1-jason@perfinion.com> <20170526155801.5441-3-jason@perfinion.com> Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 05/26/2017 11:57 AM, Jason Zaman wrote: > --- > dirmngr.fc | 2 ++ > dirmngr.te | 7 +++++++ > gpg.if | 20 ++++++++++++++++++++ > 3 files changed, 29 insertions(+) > > diff --git a/dirmngr.fc b/dirmngr.fc > index a9cf15a..60f19f4 100644 > --- a/dirmngr.fc > +++ b/dirmngr.fc > @@ -1,3 +1,5 @@ > +HOME_DIR/\.gnupg/crls\.d(/.+)? gen_context(system_u:object_r:dirmngr_home_t,s0) > + > /etc/dirmngr(/.*)? gen_context(system_u:object_r:dirmngr_conf_t,s0) > > /etc/rc\.d/init\.d/dirmngr -- gen_context(system_u:object_r:dirmngr_initrc_exec_t,s0) > diff --git a/dirmngr.te b/dirmngr.te > index 8e4a1a8..17cce56 100644 > --- a/dirmngr.te > +++ b/dirmngr.te > @@ -27,6 +27,9 @@ files_type(dirmngr_var_lib_t) > type dirmngr_var_run_t; > files_pid_file(dirmngr_var_run_t) > > +type dirmngr_home_t; > +userdom_user_home_content(dirmngr_home_t) > + > ######################################## > # > # Local policy > @@ -37,6 +40,8 @@ allow dirmngr_t self:fifo_file rw_file_perms; > allow dirmngr_t dirmngr_conf_t:dir list_dir_perms; > allow dirmngr_t dirmngr_conf_t:file read_file_perms; > allow dirmngr_t dirmngr_conf_t:lnk_file read_lnk_file_perms; > +allow dirmngr_t dirmngr_home_t:dir list_dir_perms; > +allow dirmngr_t dirmngr_home_t:file read_file_perms; > > manage_dirs_pattern(dirmngr_t, dirmngr_log_t, dirmngr_log_t) > append_files_pattern(dirmngr_t, dirmngr_log_t, dirmngr_log_t) > @@ -61,6 +66,7 @@ kernel_read_crypto_sysctls(dirmngr_t) > files_read_etc_files(dirmngr_t) > > miscfiles_read_localization(dirmngr_t) > +miscfiles_read_generic_certs(dirmngr_t) > > userdom_search_user_home_dirs(dirmngr_t) > userdom_search_user_runtime(dirmngr_t) > @@ -68,4 +74,5 @@ userdom_user_runtime_filetrans(dirmngr_t, dirmngr_tmp_t, dir) > > optional_policy(` > gpg_agent_tmp_filetrans(dirmngr_t, dirmngr_tmp_t, sock_file) > + gpg_secret_filetrans(dirmngr_t, dirmngr_home_t, dir) > ') > diff --git a/gpg.if b/gpg.if > index 4480f9c..e5a1275 100644 > --- a/gpg.if > +++ b/gpg.if > @@ -254,6 +254,26 @@ interface(`gpg_agent_tmp_filetrans',` > > ######################################## > ## > +## filetrans in gpg_secret_t dirs > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`gpg_secret_filetrans',` > + gen_require(` > + type gpg_secret_t; > + ') > + > + filetrans_pattern($1, gpg_secret_t, $2, $3, $4) > + allow $1 gpg_secret_t:dir search_dir_perms; > + userdom_search_user_home_dirs($1) > +') Merged. -- Chris PeBenito