From: dac.override@gmail.com (Dominick Grift)
Date: Tue, 23 May 2017 09:06:00 +0200
Subject: [refpolicy] [PATCH] gpg: manage user runtime socket files and directories
In-Reply-To: <1F5CB8FD-2213-4ADC-B078-EDD507FA9500@trentalancia.com>
References: <1495383664.21167.2.camel@trentalancia.com> <1F5CB8FD-2213-4ADC-B078-EDD507FA9500@trentalancia.com>
Message-ID: <20170523070600.GB23273@julius.enp8s0.d30>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, May 23, 2017 at 03:04:52AM +0200, Guido Trentalancia via refpolicy wrote:
> Hello and thanks for getting back...
>
> On the 23rd of May 2017 01:24:59 CEST, Chris PeBenito wrote:
> >On 05/21/2017 12:21 PM, Guido Trentalancia via refpolicy wrote:
> >> Update the gpg module so that it can correctly manage socket files
> >> and directories in the user runtime directories.
> >>
> >> Some other minor fixes are also included in this patch.
> >>
> >> Signed-off-by: Guido Trentalancia
> >> ---
> >> policy/modules/contrib/gpg.te | 10 +++++++++-
> >> 1 file changed, 9 insertions(+), 1 deletion(-)
> >>
> >> --- a/policy/modules/contrib/gpg.te 2017-04-26 17:47:20.555423022 +0200
> >> +++ b/policy/modules/contrib/gpg.te 2017-05-21 18:13:36.728343506 +0200
> >> @@ -124,6 +124,8 @@ miscfiles_read_localization(gpg_t)
> >>
> >> userdom_use_user_terminals(gpg_t)
> >>
> >> +userdom_manage_user_runtime_dirs(gpg_t)

gpg_t cannot create user runtime dirs because that requires root access

> >> +userdom_manage_user_tmp_dirs(gpg_t)

gpg_t shouldn't have to create generic user tmp dirs.

> >> userdom_manage_user_tmp_files(gpg_t)
> >> userdom_manage_user_home_content_files(gpg_t)
> >> userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)
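Review bot: the two added lines give gpg_t manage access on the whole generic user runtime and user tmp directory types, while the commit message only needs the gnupg subdirectory and the sockets inside it; there is also no matching userdom_user_runtime_filetrans for gpg_t in this hunk, so a gnupg directory that gpg_t creates under the user runtime dir keeps the generic runtime type instead of the agent's private type. A dedicated type with a name-based transition on "gnupg" (as discussed further down in the thread) covers the stated need with a much narrower grant, and the filetrans interface already carries the directory write access the domain needs on the parent.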
> >> @@ -247,10 +249,14 @@ fs_dontaudit_list_inotifyfs(gpg_agent_t)
> >>
> >> miscfiles_read_localization(gpg_agent_t)
> >>
> >> +userdom_manage_user_runtime_dirs(gpg_agent_t)

gpg_agent_t cannot create user_runtime dirs because that requires root access

> >> +userdom_manage_user_tmp_dirs(gpg_agent_t)
> >> +userdom_manage_user_tmp_files(gpg_agent_t)

gpg-agent shouldn't have to create generic user tmp dirs and files

> >
> >It's not clear what's going on here, but perhaps these make more sense
> >as a new gpg_runtime_t?
>
> The agent should be able to create a gnupg directory in /var/run/user/USERID/ and manage socket files in that directory...

Yes, so create a gpg_runtime_t type and allow gpg_t, gpg_agent_t, scdaemon, dirmngr to create XDG_RUNTIME_DIR/gnupg with an automatic type transition from user_tmp_t(?) to gpg_runtime_t

>
> >> userdom_use_user_terminals(gpg_agent_t)
> >> userdom_search_user_home_dirs(gpg_agent_t)
> >> userdom_search_user_runtime(gpg_agent_t)
> >> -userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, dir)
> >> +userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, { dir file sock_file })

This would need to be revisited then because gpg_agent_t needs to be able to create XDG_RUNTIME_DIR/gnupg with type gpg_runtime_t (use a name-based automatic type transition for that because "gnupg" is predictable).

Here is my XDG_RUNTIME_DIR/gnupg to give an impression of some of the possibilities:

ls -alZ $XDG_RUNTIME_DIR/gnupg
total 0
drwx------. 2 kcinimod kcinimod wheel.id:wheel.role:gpg.tmpfs.user_tmpfs_file:s0 140 May 23 07:28 .
drwx------. 7 kcinimod kcinimod sys.id:sys.role:fs.tmpfs.fs:s0 240 May 22 21:50 ..
srwx------. 1 kcinimod kcinimod wheel.id:wheel.role:gpg.agent.gpg_tmpfs.user_tmpfs_file:s0 0 May 23 08:43 S.gpg-agent
srwx------. 1 kcinimod kcinimod wheel.id:wheel.role:gpg.agent.gpg_tmpfs.user_tmpfs_file:s0 0 May 23 07:28 S.gpg-agent.browser
srwx------. 1 kcinimod kcinimod wheel.id:wheel.role:gpg.agent.gpg_tmpfs.user_tmpfs_file:s0 0 May 23 07:28 S.gpg-agent.extra
srwx------. 1 kcinimod kcinimod wheel.id:wheel.role:gpg.agent.gpg_tmpfs.user_tmpfs_file:s0 0 May 23 07:28 S.gpg-agent.ssh
srwx------. 1 kcinimod kcinimod wheel.id:wheel.role:gpg.scdaemon.gpg_tmpfs.user_tmpfs_file:s0 0 May 23 07:28 S.scdaemon

Here are some of the type transitions:

type_transition wheel_gpg.subj fs.tmpfs.fs:dir gpg.tmpfs.user_tmpfs_file "gnupg";
type_transition wheel_gpg.subj fs.tmpfs.fs:file users.generic_tmpfs.user_tmpfs_file;
type_transition wheel_gpg.subj gpg.home.home_file:dir gpg.dirmngr.gpg_home.home_file "crls.d";
type_transition wheel_gpg.subj gpg.home.home_file:dir gpg.dirmngr.gpg_home.home_file "dirmngr-cache.d";
type_transition wheel_gpg.subj gpg.home.home_file:file gpg.dirmngr.gpg_home.home_file "dirmngr.conf";
type_transition wheel_gpg.subj gpg.home.home_file:sock_file gpg.dirmngr.gpg_home.home_file "S.dirmngr";
type_transition wheel_gpg.subj users.home_dir.file:dir gpg.home.home_file ".gnupg";
type_transition wheel_gpg_agent.subj fs.tmpfs.fs:dir gpg.tmpfs.user_tmpfs_file "gnupg";
type_transition wheel_gpg_agent.subj gpg.home.home_file:dir gpg.agent.gpg_home.home_file "private-keys-v1.d";
type_transition wheel_gpg_agent.subj gpg.home.home_file:file gpg.agent.gpg_home.home_file "gpg-agent.conf";
type_transition wheel_gpg_agent.subj gpg.home.home_file:file gpg.agent.gpg_home.home_file "gpg-agent.log";
type_transition wheel_gpg_agent.subj gpg.home.home_file:file gpg.agent.gpg_home.home_file "sshcontrol";
type_transition wheel_gpg_agent.subj gpg.home.home_file:sock_file gpg.agent.gpg_home.home_file "S.gpg-agent";
type_transition wheel_gpg_agent.subj gpg.home.home_file:sock_file gpg.agent.gpg_home.home_file "S.gpg-agent.browser";
type_transition wheel_gpg_agent.subj gpg.home.home_file:sock_file gpg.agent.gpg_home.home_file "S.gpg-agent.extra";
type_transition wheel_gpg_agent.subj gpg.home.home_file:sock_file gpg.agent.gpg_home.home_file "S.gpg-agent.ssh";
type_transition wheel_gpg_agent.subj gpg.tmpfs.user_tmpfs_file:sock_file gpg.agent.gpg_tmpfs.user_tmpfs_file "S.gpg-agent";
type_transition wheel_gpg_agent.subj gpg.tmpfs.user_tmpfs_file:sock_file gpg.agent.gpg_tmpfs.user_tmpfs_file "S.gpg-agent.browser";
type_transition wheel_gpg_agent.subj gpg.tmpfs.user_tmpfs_file:sock_file gpg.agent.gpg_tmpfs.user_tmpfs_file "S.gpg-agent.extra";
type_transition wheel_gpg_agent.subj gpg.tmpfs.user_tmpfs_file:sock_file gpg.agent.gpg_tmpfs.user_tmpfs_file "S.gpg-agent.ssh";
type_transition wheel_gpg_agent.subj users.home_dir.file:dir gpg.home.home_file ".gnupg";

> >>
> >> ifdef(`hide_broken_symptoms',`
> >> userdom_dontaudit_read_user_tmp_files(gpg_agent_t)
> >> @@ -310,6 +316,7 @@ fs_tmpfs_filetrans(gpg_pinentry_t, gpg_p
> >>
> >> can_exec(gpg_pinentry_t, gpg_pinentry_exec_t)
> >>
> >> +kernel_dontaudit_search_sysctl(gpg_pinentry_t)
> >> kernel_read_system_state(gpg_pinentry_t)
> >>
> >> corecmd_exec_shell(gpg_pinentry_t)
> >> @@ -327,6 +334,7 @@ domain_use_interactive_fds(gpg_pinentry_
> >>
> >> files_read_usr_files(gpg_pinentry_t)
> >>
> >> +fs_dontaudit_getattr_xattr_fs(gpg_pinentry_t)
> >> fs_dontaudit_list_inotifyfs(gpg_pinentry_t)
> >>
> >> auth_use_nsswitch(gpg_pinentry_t)

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
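Review bot: in the gpg_agent_t hunk (@@ -247,10 +249,14 @@), the userdom_user_runtime_filetrans change to { dir file sock_file } carries no name, so every file and socket gpg_agent_t creates directly in the user runtime directory, not just the gnupg directory, becomes gpg_agent_tmp_t. The sockets listed in this thread live inside gnupg/, where they already inherit the directory's type without any transition rule, so the extra file and sock_file classes widen the rule without being needed; with "gnupg" being a fixed name, `userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, dir, "gnupg")` is the narrower rule. The three added userdom_manage_user_runtime_dirs / userdom_manage_user_tmp_dirs / userdom_manage_user_tmp_files lines likewise grant access to generic user runtime and user_tmp_t content that the commit message does not justify.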
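Review bot: kernel_dontaudit_search_sysctl(gpg_pinentry_t) in the @@ -310,6 +316,7 @@ hunk silences a denial rather than resolving it, and the commit message only says "some other minor fixes"; please state which pinentry operation triggers the sysctl search so a later reader can judge whether it should be allowed instead of hidden, and consider moving the pinentry-only changes to their own commit since they are unrelated to the runtime socket subject of this patch.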
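Review bot: fs_dontaudit_getattr_xattr_fs(gpg_pinentry_t) in the @@ -327,6 +334,7 @@ hunk has the same documentation gap: nothing in the message records what pinentry does that produces the filesystem getattr denial being suppressed. A sentence in the commit message, or a comment next to the rule, would let a later reviewer decide whether an allow rule is the right fix.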
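To make the gpg_runtime_t suggestion from the reply above concrete, here is an added policy fragment written in refpolicy's own .te style; it is an illustration for this thread, not code from the patch, from Dominick Grift, or from refpolicy. It assumes that the fourth (file name) argument of userdom_user_runtime_filetrans behaves like the optional name argument on refpolicy's other *_filetrans interfaces, and that a userdom_user_runtime_content() interface exists for marking the type as runtime content; the type name gpg_runtime_t is taken from the thread, everything else is standard refpolicy support macros.

```selinux
# Added example for this thread (not part of the patch or of refpolicy).
# Assumption: userdom_user_runtime_filetrans() takes a name argument, and
# userdom_user_runtime_content() exists; both are marked where used.

# --- gpg.te: declarations ---------------------------------------------

type gpg_runtime_t;
userdom_user_tmp_file(gpg_runtime_t)
# Assumption: this interface exists and marks the type as user runtime content.
userdom_user_runtime_content(gpg_runtime_t)

# --- gpg.te: gpg_agent_t owns XDG_RUNTIME_DIR/gnupg and its sockets ---

manage_dirs_pattern(gpg_agent_t, gpg_runtime_t, gpg_runtime_t)
manage_sock_files_pattern(gpg_agent_t, gpg_runtime_t, gpg_runtime_t)

# Name-based transition: only a directory literally named "gnupg" that is
# created directly in the user runtime dir receives gpg_runtime_t. No file
# or sock_file class is listed here: the S.gpg-agent* sockets are created
# inside gnupg/ and inherit gpg_runtime_t from their parent directory.
# The filetrans pattern already grants the write access needed on the
# parent runtime directory, so no userdom_manage_user_runtime_dirs() is
# required.
userdom_search_user_runtime(gpg_agent_t)
# Assumption: the 4th argument is the file name the transition is keyed on.
userdom_user_runtime_filetrans(gpg_agent_t, gpg_runtime_t, dir, "gnupg")

# --- gpg.te: gpg_t may create the directory too, but only connects to the
# --- sockets; it does not create or remove them.

create_dirs_pattern(gpg_t, gpg_runtime_t, gpg_runtime_t)
userdom_search_user_runtime(gpg_t)
userdom_user_runtime_filetrans(gpg_t, gpg_runtime_t, dir, "gnupg")
stream_connect_pattern(gpg_t, gpg_runtime_t, gpg_runtime_t, gpg_agent_t)
```

Compared with the patch as posted, the grants above never touch the generic user runtime or user tmp types: each domain can only write under a gpg_runtime_t directory, and the transition fires on one predictable name, which is the property the reply above points at when it says "gnupg" is predictable. After loading such a module, `ls -alZ $XDG_RUNTIME_DIR/gnupg` should show the directory and every socket in it labelled gpg_runtime_t; anything still showing the generic runtime type is a sign the transition rule did not match.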