From: pebenito@ieee.org (Chris PeBenito)
Date: Wed, 31 May 2017 21:05:03 -0400
Subject: [refpolicy] [PATCH 2/6] gpg dirmngr: create and connect to socket
In-Reply-To: <20170526155801.5441-2-jason@perfinion.com>
References: <20170526155801.5441-1-jason@perfinion.com> <20170526155801.5441-2-jason@perfinion.com>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On 05/26/2017 11:57 AM, Jason Zaman wrote:
> ---
> dirmngr.fc | 2 ++
> dirmngr.if | 25 +++++++++++++++++++++++++
> dirmngr.te | 13 +++++++++++++
> gpg.if | 38 ++++++++++++++++++++++++++++++++++++++
> gpg.te | 1 +
> 5 files changed, 79 insertions(+)
>
> diff --git a/dirmngr.fc b/dirmngr.fc
> index a0f261c..a9cf15a 100644
> --- a/dirmngr.fc
> +++ b/dirmngr.fc
> @@ -12,3 +12,5 @@
> /run/dirmngr\.pid -- gen_context(system_u:object_r:dirmngr_var_run_t,s0)
>
> /run/dirmngr(/.*)? gen_context(system_u:object_r:dirmngr_var_run_t,s0)
> +
> +/run/user/%{USERID}/gnupg/S.dirmngr -s gen_context(system_u:object_r:dirmngr_tmp_t,s0)
> diff --git a/dirmngr.if b/dirmngr.if
> index 2f6875a..07af506 100644
> --- a/dirmngr.if
> +++ b/dirmngr.if
> @@ -18,6 +18,7 @@
> interface(`dirmngr_role',`
> gen_require(`
> type dirmngr_t, dirmngr_exec_t;
> + type dirmngr_tmp_t;
> ')
>
> role $1 types dirmngr_t;
> @@ -29,6 +30,8 @@ interface(`dirmngr_role',`
>
> allow dirmngr_t $2:fd use;
> allow dirmngr_t $2:fifo_file { read write };
> +
> + allow $2 dirmngr_tmp_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
> ')
>
> ########################################
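Review bot: The added file-context entry in the dirmngr.fc hunk leaves the dot in `S.dirmngr` unescaped, while the context line two lines above it (`/run/dirmngr\.pid`) escapes it; fc patterns are regular expressions, so the unescaped dot matches any single character in that position rather than only a literal dot. The entry should read `/run/user/%{USERID}/gnupg/S\.dirmngr -s gen_context(system_u:object_r:dirmngr_tmp_t,s0)`. The two dirmngr.if hunks on this line only add the gen_require and the role rule for the same type and need no change beyond that.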
> @@ -71,6 +74,28 @@ interface(`dirmngr_exec',`
>
> ########################################
> ##
> +## Connect to dirmngr socket
> ##
> ##
> ##
> +## Domain allowed access.
> ##
> ##
> #
> +interface(`dirmngr_stream_connect',`
> + gen_require(`
> + type dirmngr_t, dirmngr_tmp_t;
> + ')
> +
> + gpg_search_agent_tmp_dirs($1)
> + allow $1 dirmngr_tmp_t:sock_file rw_sock_file_perms;
> + allow $1 dirmngr_t:unix_stream_socket connectto;
> + userdom_search_user_runtime($1)
> + userdom_search_user_home_dirs($1)
> +')
> +
> +########################################
> +##
> ## All of the rules required to
> ## administrate an dirmngr environment.
> ##
> diff --git a/dirmngr.te b/dirmngr.te
> index 23f4045..8e4a1a8 100644
> --- a/dirmngr.te
> +++ b/dirmngr.te
> @@ -18,6 +18,9 @@ init_script_file(dirmngr_initrc_exec_t)
> type dirmngr_log_t;
> logging_log_file(dirmngr_log_t)
>
> +type dirmngr_tmp_t;
> +userdom_user_tmp_file(dirmngr_tmp_t)
> +
> type dirmngr_var_lib_t;
> files_type(dirmngr_var_lib_t)
>
> @@ -46,6 +49,8 @@ manage_files_pattern(dirmngr_t, dirmngr_var_lib_t, dirmngr_var_lib_t)
> manage_lnk_files_pattern(dirmngr_t, dirmngr_var_lib_t, dirmngr_var_lib_t)
> files_var_lib_filetrans(dirmngr_t, dirmngr_var_lib_t, dir)
>
> +manage_sock_files_pattern(dirmngr_t, dirmngr_tmp_t, dirmngr_tmp_t)
> +
> manage_dirs_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t)
> manage_files_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t)
> manage_sock_files_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t)
> @@ -56,3 +61,11 @@ kernel_read_crypto_sysctls(dirmngr_t)
> files_read_etc_files(dirmngr_t)
>
> miscfiles_read_localization(dirmngr_t)
> +
> +userdom_search_user_home_dirs(dirmngr_t)
> +userdom_search_user_runtime(dirmngr_t)
> +userdom_user_runtime_filetrans(dirmngr_t, dirmngr_tmp_t, dir)
> +
> +optional_policy(`
> + gpg_agent_tmp_filetrans(dirmngr_t, dirmngr_tmp_t, sock_file)
> +')
> diff --git a/gpg.if b/gpg.if
> index efffff8..4480f9c 100644
> --- a/gpg.if
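Review bot: In the new `dirmngr_stream_connect` interface, `rw_sock_file_perms` on dirmngr_tmp_t grants read as well as write on the socket file, and connecting to a unix stream socket only needs the write half; the refpolicy `stream_connect_pattern` macro uses `write_sock_file_perms` for exactly this, so `allow $1 dirmngr_tmp_t:sock_file write_sock_file_perms;` is the tighter and more conventional form. The interface also calls `gpg_search_agent_tmp_dirs($1)` unconditionally, which makes every caller require the gpg module's gpg_agent_tmp_t, whereas dirmngr.te wraps its own gpg dependency in `optional_policy`; if that is deliberate because the socket can only exist inside the agent's runtime directory, a one-line comment above the call saying so would spare the next reader the question. The interface is complete within the hunk.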
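Review bot: `userdom_user_runtime_filetrans(dirmngr_t, dirmngr_tmp_t, dir)` in the `@@ -56,3 +61,11 @@` hunk of dirmngr.te installs a type transition for directories dirmngr_t creates under the user runtime directory, but the only dirmngr_tmp_t rule in the `@@ -46,6 +49,8 @@` hunk is `manage_sock_files_pattern`, which grants rw_dir_perms on the directory and manage on sock_files but no `dir create`; unless a dirs pattern exists outside these hunks, the transition can never fire because the creation itself is denied. Either drop the dir class from the filetrans or add `manage_dirs_pattern(dirmngr_t, dirmngr_tmp_t, dirmngr_tmp_t)` beside the sock_files pattern. Note also that the socket's parent directory appears to be gpg_agent_tmp_t (that is the directory type the optional `gpg_agent_tmp_filetrans` call transitions inside), so a directory dirmngr creates on its own would carry a different label from the agent-created one; a comment stating which case the dir transition is meant for would make that intent checkable.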
> +++ b/gpg.if
> @@ -216,6 +216,44 @@ interface(`gpg_stream_connect_agent',`
>
> ########################################
> ##
> +## Search gpg agent dirs.
> ##
> ##
> ##
> +## Domain allowed access.
> ##
> ##
> #
> +interface(`gpg_search_agent_tmp_dirs',`
> + gen_require(`
> + type gpg_agent_tmp_t;
> + ')
> +
> + allow $1 gpg_agent_tmp_t:dir search_dir_perms;
> +')
> +
> +########################################
> +##
> +## filetrans in gpg_agent_tmp_t dirs
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`gpg_agent_tmp_filetrans',`
> + gen_require(`
> + type gpg_agent_t, gpg_agent_tmp_t;
> + type gpg_secret_t;
> + ')
> +
> + filetrans_pattern($1, gpg_agent_tmp_t, $2, $3, $4)
> + userdom_search_user_runtime($1)
> +')
> +
> +########################################
> +##
> ## Send messages to and from gpg
> ## pinentry over DBUS.
> ##
> diff --git a/gpg.te b/gpg.te
> index d6239c5..0ddbc18 100644
> --- a/gpg.te
> +++ b/gpg.te
> @@ -140,6 +140,7 @@ tunable_policy(`use_samba_home_dirs',`
>
> optional_policy(`
> dirmngr_domtrans(gpg_t)
> + dirmngr_stream_connect(gpg_t)
> ')
Merged.
--
Chris PeBenito
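Review bot: `gpg_agent_tmp_filetrans` in the gpg.if hunk requires `gpg_agent_t` and `gpg_secret_t` in its gen_require block, but its body references only gpg_agent_tmp_t, so the block should shrink to `type gpg_agent_tmp_t;`; unused requires make every caller depend on types it never touches. The interface takes four arguments (`$1` through `$4` are forwarded to `filetrans_pattern`), yet the header documents only the domain and nothing is visible for the object type, the object class or the optional file name; param entries for `$2`, `$3` and `$4` should be added (type to transition to, object class or classes, optional name), and the summary `filetrans in gpg_agent_tmp_t dirs` capitalised to match the sibling `Search gpg agent dirs.`. Both new interfaces are complete within the hunk; the gpg.te hunk only adds the one call and needs nothing further.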