From: pebenito@ieee.org (Chris PeBenito)
Date: Wed, 31 May 2017 21:05:03 -0400
Subject: [refpolicy] [PATCH 2/6] gpg dirmngr: create and connect to
	socket
In-Reply-To: <20170526155801.5441-2-jason@perfinion.com>
References: <20170526155801.5441-1-jason@perfinion.com>
	<20170526155801.5441-2-jason@perfinion.com>
Message-ID: <d0e44819-1415-cca7-f501-5db40688485b@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 05/26/2017 11:57 AM, Jason Zaman wrote:
> ---
>  dirmngr.fc |  2 ++
>  dirmngr.if | 25 +++++++++++++++++++++++++
>  dirmngr.te | 13 +++++++++++++
>  gpg.if     | 38 ++++++++++++++++++++++++++++++++++++++
>  gpg.te     |  1 +
>  5 files changed, 79 insertions(+)
>
> diff --git a/dirmngr.fc b/dirmngr.fc
> index a0f261c..a9cf15a 100644
> --- a/dirmngr.fc
> +++ b/dirmngr.fc
> @@ -12,3 +12,5 @@
>  /run/dirmngr\.pid	--	gen_context(system_u:object_r:dirmngr_var_run_t,s0)
>
>  /run/dirmngr(/.*)?	gen_context(system_u:object_r:dirmngr_var_run_t,s0)
> +
> +/run/user/%{USERID}/gnupg/S.dirmngr	-s	gen_context(system_u:object_r:dirmngr_tmp_t,s0)
> diff --git a/dirmngr.if b/dirmngr.if
> index 2f6875a..07af506 100644
> --- a/dirmngr.if
> +++ b/dirmngr.if
> @@ -18,6 +18,7 @@
>  interface(`dirmngr_role',`
>  	gen_require(`
>  		type dirmngr_t, dirmngr_exec_t;
> +		type dirmngr_tmp_t;
>  	')
>
>  	role $1 types dirmngr_t;
> @@ -29,6 +30,8 @@ interface(`dirmngr_role',`
>
>  	allow dirmngr_t $2:fd use;
>  	allow dirmngr_t $2:fifo_file { read write };
> +
> +	allow $2 dirmngr_tmp_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
>  ')
>
>  ########################################
> @@ -71,6 +74,28 @@ interface(`dirmngr_exec',`
>
>  ########################################
>  ## <summary>
> +##	Connect to dirmngr socket
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`dirmngr_stream_connect',`
> +	gen_require(`
> +		type dirmngr_t, dirmngr_tmp_t;
> +	')
> +
> +	gpg_search_agent_tmp_dirs($1)
> +	allow $1 dirmngr_tmp_t:sock_file rw_sock_file_perms;
> +	allow $1 dirmngr_t:unix_stream_socket connectto;
> +	userdom_search_user_runtime($1)
> +	userdom_search_user_home_dirs($1)
> +')
> +
> +########################################
> +## <summary>
>  ##	All of the rules required to
>  ##	administrate an dirmngr environment.
>  ## </summary>
> diff --git a/dirmngr.te b/dirmngr.te
> index 23f4045..8e4a1a8 100644
> --- a/dirmngr.te
> +++ b/dirmngr.te
> @@ -18,6 +18,9 @@ init_script_file(dirmngr_initrc_exec_t)
>  type dirmngr_log_t;
>  logging_log_file(dirmngr_log_t)
>
> +type dirmngr_tmp_t;
> +userdom_user_tmp_file(dirmngr_tmp_t)
> +
>  type dirmngr_var_lib_t;
>  files_type(dirmngr_var_lib_t)
>
> @@ -46,6 +49,8 @@ manage_files_pattern(dirmngr_t, dirmngr_var_lib_t, dirmngr_var_lib_t)
>  manage_lnk_files_pattern(dirmngr_t, dirmngr_var_lib_t, dirmngr_var_lib_t)
>  files_var_lib_filetrans(dirmngr_t, dirmngr_var_lib_t, dir)
>
> +manage_sock_files_pattern(dirmngr_t, dirmngr_tmp_t, dirmngr_tmp_t)
> +
>  manage_dirs_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t)
>  manage_files_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t)
>  manage_sock_files_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t)
> @@ -56,3 +61,11 @@ kernel_read_crypto_sysctls(dirmngr_t)
>  files_read_etc_files(dirmngr_t)
>
>  miscfiles_read_localization(dirmngr_t)
> +
> +userdom_search_user_home_dirs(dirmngr_t)
> +userdom_search_user_runtime(dirmngr_t)
> +userdom_user_runtime_filetrans(dirmngr_t, dirmngr_tmp_t, dir)
> +
> +optional_policy(`
> +	gpg_agent_tmp_filetrans(dirmngr_t, dirmngr_tmp_t, sock_file)
> +')
> diff --git a/gpg.if b/gpg.if
> index efffff8..4480f9c 100644
> --- a/gpg.if
> +++ b/gpg.if
> @@ -216,6 +216,44 @@ interface(`gpg_stream_connect_agent',`
>
>  ########################################
>  ## <summary>
> +##	Search gpg agent dirs.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`gpg_search_agent_tmp_dirs',`
> +	gen_require(`
> +		type gpg_agent_tmp_t;
> +	')
> +
> +	allow $1 gpg_agent_tmp_t:dir search_dir_perms;
> +')
> +
> +########################################
> +## <summary>
> +##	filetrans in gpg_agent_tmp_t dirs
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`gpg_agent_tmp_filetrans',`
> +	gen_require(`
> +		type gpg_agent_t, gpg_agent_tmp_t;
> +		type gpg_secret_t;
> +	')
> +
> +	filetrans_pattern($1, gpg_agent_tmp_t, $2, $3, $4)
> +	userdom_search_user_runtime($1)
> +')
> +
> +########################################
> +## <summary>
>  ##	Send messages to and from gpg
>  ##	pinentry over DBUS.
>  ## </summary>
> diff --git a/gpg.te b/gpg.te
> index d6239c5..0ddbc18 100644
> --- a/gpg.te
> +++ b/gpg.te
> @@ -140,6 +140,7 @@ tunable_policy(`use_samba_home_dirs',`
>
>  optional_policy(`
>  	dirmngr_domtrans(gpg_t)
> +	dirmngr_stream_connect(gpg_t)
>  ')

Merged.

-- 
Chris PeBenito