From: pebenito@ieee.org (Chris PeBenito)
Date: Thu, 11 May 2017 19:29:07 -0400
Subject: [refpolicy] [PATCH 1/6] dirmngr: add to roles and allow gpg to domtrans
In-Reply-To: <20170507174343.30160-1-jason@perfinion.com>
References: <20170507174343.30160-1-jason@perfinion.com>
Message-ID: <2cbec465-611d-a888-281d-58be744e4a00@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On 05/07/2017 01:43 PM, Jason Zaman wrote:
> ---
> dirmngr.if | 69 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> gpg.te | 4 ++++
> 2 files changed, 73 insertions(+)
>
> diff --git a/dirmngr.if b/dirmngr.if
> index 4cd2810..2f6875a 100644
> --- a/dirmngr.if
> +++ b/dirmngr.if
> @@ -1,5 +1,74 @@
> ## Server for managing and downloading certificate revocation lists.
>
> +############################################################
> +##
> +## Role access for dirmngr.
> +##
> +##
> +##
> +## Role allowed access.
> +##
> +##
> +##
> +##
> +## User domain for the role.
> +##
> +##
> +#
> +interface(`dirmngr_role',`
> + gen_require(`
> + type dirmngr_t, dirmngr_exec_t;
> + ')
> +
> + role $1 types dirmngr_t;
> +
> + domtrans_pattern($2, dirmngr_exec_t, dirmngr_t)
> +
> + allow $2 dirmngr_t:process { ptrace signal_perms };
> + ps_process_pattern($2, dirmngr_t)
> +
> + allow dirmngr_t $2:fd use;
> + allow dirmngr_t $2:fifo_file { read write };
Why are these here explicitly? They should be in domtrans_pattern.
> +')
> +
> +########################################
> +##
> +## Execute dirmngr in the dirmngr domain.
> +##
> +##
> +##
> +## Domain allowed to transition.
> +##
> +##
> +#
> +interface(`dirmngr_domtrans',`
> + gen_require(`
> + type dirmngr_t, dirmngr_exec_t;
> + ')
> +
> + corecmd_search_bin($1)
> + domtrans_pattern($1, dirmngr_exec_t, dirmngr_t)
> +')
> +
> +########################################
> +##
> +## Execute the dirmngr in the caller domain.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`dirmngr_exec',`
> + gen_require(`
> + type dirmngr_exec_t;
> + ')
> +
> + corecmd_search_bin($1)
> + can_exec($1, dirmngr_exec_t)
> +')
> +
> ########################################
> ##
> ## All of the rules required to
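Review bot: In dirmngr_role, "allow $2 dirmngr_t:process { ptrace signal_perms };" gives every user domain passed as $2 ptrace over dirmngr_t, which lets it attach to and read the memory of the daemon. Signalling and ps_process_pattern already cover managing the process, so consider dropping ptrace here or justifying it in the commit message. Separately, dirmngr_domtrans and dirmngr_exec both call corecmd_search_bin($1) before using dirmngr_exec_t, while dirmngr_role goes straight to domtrans_pattern($2, dirmngr_exec_t, dirmngr_t); either have dirmngr_role call dirmngr_domtrans($2) or note why the bin search is not needed for the user domain.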
> diff --git a/gpg.te b/gpg.te
> index 5e87028..d6239c5 100644
> --- a/gpg.te
> +++ b/gpg.te
> @@ -139,6 +139,10 @@ tunable_policy(`use_samba_home_dirs',`
> ')
>
> optional_policy(`
> + dirmngr_domtrans(gpg_t)
> +')
> +
> +optional_policy(`
> evolution_read_orbit_tmp_files(gpg_t)
> ')
>
>
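Review bot: The added dirmngr_domtrans(gpg_t) in gpg.te only authorizes the type transition; the role also has to be allowed dirmngr_t, and the only rule that does that is "role $1 types dirmngr_t;" in dirmngr_role, which nothing in this patch calls (the diffstat touches only dirmngr.if and gpg.te). Either add the dirmngr_role call for the roles that already use gpg in this patch, or say in the commit message which patch in the series does, so the transition is not left unusable in between. The commit message is also empty; a line on why gpg needs to start dirmngr itself would help.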
--
Chris PeBenito