From: guido@trentalancia.com (Guido Trentalancia) Date: Tue, 23 May 2017 16:59:10 +0200 Subject: [refpolicy] [PATCH] gpg: manage user runtime socket files and directories In-Reply-To: <20170523064331.GA23273@julius.enp8s0.d30> References: <1495383664.21167.2.camel@trentalancia.com> <1F5CB8FD-2213-4ADC-B078-EDD507FA9500@trentalancia.com> <20170523064331.GA23273@julius.enp8s0.d30> Message-ID: <1495551550.6640.1.camel@trentalancia.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Thu, 23/05/2017 at 08.43 +0200, Dominick Grift via refpolicy wrote: > On Tue, May 23, 2017 at 03:04:52AM +0200, Guido Trentalancia via > refpolicy wrote: > > Hello and thanks for getting back...? > > > > On the 23rd of May 2017 01:24:59 CEST, Chris PeBenito > e.org> wrote: > > > On 05/21/2017 12:21 PM, Guido Trentalancia via refpolicy wrote: > > > > Update the gpg module so that it can correctly manage socket > > > > files > > > > and directories in the user runtime directories. > > > > > > > > Some other minor fixes are also included in this patch. > > > > > > > > Signed-off-by: Guido Trentalancia > > > > --- > > > > ?policy/modules/contrib/gpg.te |???10 +++++++++- > > > > ?1 file changed, 9 insertions(+), 1 deletion(-) > > > > > > > > --- a/policy/modules/contrib/gpg.te 2017-04-26 > > > > 17:47:20.555423022 > > > > > > +0200 > > > > +++ b/policy/modules/contrib/gpg.te 2017-05-21 > > > > 18:13:36.728343506 > > > > > > +0200 > > > > @@ -124,6 +124,8 @@ miscfiles_read_localization(gpg_t) > > > > > > > > ?userdom_use_user_terminals(gpg_t) > > > > > > > > +userdom_manage_user_runtime_dirs(gpg_t) > > > > +userdom_manage_user_tmp_dirs(gpg_t) > > > > ?userdom_manage_user_tmp_files(gpg_t) > > > > ?userdom_manage_user_home_content_files(gpg_t) > > > > ?userdom_user_home_dir_filetrans_user_home_content(gpg_t, file) 
> > > > @@ -247,10 +249,14 @@ fs_dontaudit_list_inotifyfs(gpg_agent_t) > > > > > > > > ?miscfiles_read_localization(gpg_agent_t) > > > > > > > > +userdom_manage_user_runtime_dirs(gpg_agent_t) > > > > +userdom_manage_user_tmp_dirs(gpg_agent_t) > > > > +userdom_manage_user_tmp_files(gpg_agent_t) > > > > > > It's not clear whats going on here, but perhaps these make more > > > sense > > > as? > > > a new gpg_runtime_t? > > > > The agent should be able to create a gnupg directory in > > /var/run/user/USERID/ and manage socket files in that directory...? > > the agent can't create USERID because its parent is owned by root and > gpg-agent does not have permission to add directory entries to > /var/run/user. systemd-logind , or some other privileged process, > creates USERID generally on behalf of the user Yes, of course. I said it should be able to create a "gnupg" directory there, not the /var/run/user/USERID directory itself. > also the sockets should not go to /var/run/user/USERID/ , but instead > should go to /var/run/user/USERID/gnupg/ and gnupg can be creeted > with an automatic type transition Once again, of course, this is exactly what the patch does and what I meant. See below for the file transition interface... > > > > > > ?userdom_use_user_terminals(gpg_agent_t) > > > > ?userdom_search_user_home_dirs(gpg_agent_t) > > > > ?userdom_search_user_runtime(gpg_agent_t) > > > > -userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, > > > > dir) > > > > +userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, { > > > > dir > > > > > > file sock_file }) > > > > > > > > ?ifdef(`hide_broken_symptoms',` > > > > ? userdom_dontaudit_read_user_tmp_files(gpg_agent_t) > > > > @@ -310,6 +316,7 @@ fs_tmpfs_filetrans(gpg_pinentry_t, gpg_p > > > > > > > > ?can_exec(gpg_pinentry_t, gpg_pinentry_exec_t) > > > > > > > > +kernel_dontaudit_search_sysctl(gpg_pinentry_t) > > > > ?kernel_read_system_state(gpg_pinentry_t) > > > > > > > > ?corecmd_exec_shell(gpg_pinentry_t) 
> > > > @@ -327,6 +334,7 @@ domain_use_interactive_fds(gpg_pinentry_ > > > > > > > > ?files_read_usr_files(gpg_pinentry_t) > > > > > > > > +fs_dontaudit_getattr_xattr_fs(gpg_pinentry_t) > > > > ?fs_dontaudit_list_inotifyfs(gpg_pinentry_t) > > > > > > > > ?auth_use_nsswitch(gpg_pinentry_t)
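Review bot: in the first hunk (@@ -124, gpg_t), userdom_manage_user_runtime_dirs(gpg_t) is added without a matching file transition, so any directory gpg_t creates under the user runtime directory keeps the user_runtime_t label and is then writable by every other domain holding that manage permission; if gpg_t must create the gnupg directory itself, give it the same userdom_user_runtime_filetrans into a private type that gpg_agent_t receives in the next hunk, and limit what it gets on user_runtime_t to what that transition needs. userdom_manage_user_tmp_dirs(gpg_t) is also not covered by the commit message, which only talks about runtime socket files and directories.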
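Review bot: in the gpg_agent_t hunk (@@ -247), the widened transition userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, { dir file sock_file }) already labels the gnupg directory gpg_agent_tmp_t, and in refpolicy the filetrans interfaces carry the parent-directory permissions needed to create that entry, so the new userdom_manage_user_runtime_dirs(gpg_agent_t) line is broader than the stated goal: it lets the agent manage every other directory in /var/run/user/USERID/ as well, and should be dropped. Adding file and sock_file to the transition only matters for objects created directly in the runtime directory; sockets created inside the gnupg directory inherit gpg_agent_tmp_t from their parent. Reusing gpg_agent_tmp_t for runtime content is also what prompted the gpg_runtime_t suggestion earlier in the thread; a dedicated type keeps tmp and runtime content separately labelled.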
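Review bot: kernel_dontaudit_search_sysctl(gpg_pinentry_t) in the @@ -310 hunk is filed under "some other minor fixes" in the commit message; a dontaudit silences a denial permanently, so the message (or a comment above the line) should say which pinentry operation searches /proc/sys and why the access is not needed, otherwise a later reader cannot tell whether this should have been an allow rule or a bug report against pinentry.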
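Review bot: the same applies to fs_dontaudit_getattr_xattr_fs(gpg_pinentry_t) in the @@ -327 hunk: the interface covers every filesystem carrying the xattrfs attribute, so the commit message should name the statfs call or path that produced the denial; if it comes from a single filesystem type, the dontaudit interface for that type, where one exists, is the narrower choice.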