From: guido@trentalancia.com (Guido Trentalancia)
Date: Tue, 23 May 2017 17:12:09 +0200
Subject: [refpolicy] [PATCH] gpg: manage user runtime socket files and directories
In-Reply-To: <20170523070600.GB23273@julius.enp8s0.d30>
References: <1495383664.21167.2.camel@trentalancia.com> <1F5CB8FD-2213-4ADC-B078-EDD507FA9500@trentalancia.com> <20170523070600.GB23273@julius.enp8s0.d30>
Message-ID: <1495552329.6640.3.camel@trentalancia.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, 23/05/2017 at 09.06 +0200, Dominick Grift via refpolicy wrote:
> On Tue, May 23, 2017 at 03:04:52AM +0200, Guido Trentalancia via refpolicy wrote:
> > Hello and thanks for getting back...
> > 
> > On the 23rd of May 2017 01:24:59 CEST, Chris PeBenito e.org> wrote:
> > > On 05/21/2017 12:21 PM, Guido Trentalancia via refpolicy wrote:
> > > > Update the gpg module so that it can correctly manage socket files
> > > > and directories in the user runtime directories.
> > > > 
> > > > Some other minor fixes are also included in this patch.
> > > > 
> > > > Signed-off-by: Guido Trentalancia
> > > > ---
> > > >  policy/modules/contrib/gpg.te |   10 +++++++++-
> > > >  1 file changed, 9 insertions(+), 1 deletion(-)
> > > > 
> > > > --- a/policy/modules/contrib/gpg.te 2017-04-26 17:47:20.555423022 +0200
> > > > +++ b/policy/modules/contrib/gpg.te 2017-05-21 18:13:36.728343506 +0200
> > > > @@ -124,6 +124,8 @@ miscfiles_read_localization(gpg_t)
> > > > 
> > > > ?userdom_use_user_terminals(gpg_t)
> > > > 
> > > > +userdom_manage_user_runtime_dirs(gpg_t)
> 
> gpg_t cannot create user runtime dirs because that requires root access

This is not necessarily true. Perhaps you are referring to your system or some specific distribution, but it is not true in general. There is nothing that dictates that a user runtime directory can only be created by root.

> > > > +userdom_manage_user_tmp_dirs(gpg_t)
> 
> gpg_t shouldn't have to create generic user tmp dirs.

Usually temporary files are created within a temporary directory. I cannot see a risk with allowing gpg_t to create temporary directories in addition to temporary files.

> > > > ?userdom_manage_user_tmp_files(gpg_t)
> > > > ?userdom_manage_user_home_content_files(gpg_t)
> > > > ?userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)
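Review bot: `+userdom_manage_user_runtime_dirs(gpg_t)` and `+userdom_manage_user_tmp_dirs(gpg_t)` grant gpg_t create, write and unlink on the generic user runtime and user tmp directory types themselves, while the only transition visible in this hunk is the existing one into user home content; nothing labels what gpg_t creates under the runtime directory as gpg-specific, so gpg_t can add or remove any directory there, not only gnupg/. Suggest pairing the runtime rule with a name-based transition for "gnupg" into a gpg-private type and scoping the manage rules to that type, leaving the runtime directory itself search-only for gpg_t; the commit message should also spell out which of the additions are the "minor fixes" it mentions.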
> > > > @@ -247,10 +249,14 @@ fs_dontaudit_list_inotifyfs(gpg_agent_t)
> > > > 
> > > > ?miscfiles_read_localization(gpg_agent_t)
> > > > 
> > > > +userdom_manage_user_runtime_dirs(gpg_agent_t)
> 
> gpg_agent_t cannot create user_runtime dirs because that requires root access

This is not necessarily true (see above).

> > > > +userdom_manage_user_tmp_dirs(gpg_agent_t)
> > > > +userdom_manage_user_tmp_files(gpg_agent_t)
> 
> gpg-agent shouldn't have to create generic user tmp dirs and files

At the moment this might be true, however there is no specific risk associated with those two permissions, which are very general and widely used, so I would prefer to leave them there.

> > > 
> > > It's not clear what's going on here, but perhaps these make more sense as
> > > a new gpg_runtime_t?
> > 
> > The agent should be able to create a gnupg directory in
> > /var/run/user/USERID/ and manage socket files in that directory...
> 
> Yes, so create a gpg_runtime_t type and allow gpg_t, gpg_agent_t,
> scdaemon, dirmngr to create XDG_RUNTIME_DIR/gnupg with an automatic
> type transition from user_tmp_t(?) to gpg_runtime_t

At the moment, I see no benefit in distinguishing between a temporary file and a "runtime" file, so I would prefer to leave the transition to gpg_agent_tmp_t and avoid creating a new file type.
> > > > ?userdom_use_user_terminals(gpg_agent_t)
> > > > ?userdom_search_user_home_dirs(gpg_agent_t)
> > > > ?userdom_search_user_runtime(gpg_agent_t)
> > > > -userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t,
> > > > dir)
> > > > +userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, { dir
> > > > file sock_file })
> 
> This would need to be revisited then because gpg_agent_t needs to be
> able to create XDG_RUNTIME_DIR/gnupg with type gpg_runtime_t (use a
> name-based automatic type transition for that because "gnupg" is
> predictable
> 
> here is my XDG_RUNTIME_DIR/gnupg to give an impression of some of the
> possibilities:
> 
> ls -alZ $XDG_RUNTIME_DIR/gnupg
> total 0
> drwx------. 2 kcinimod kcinimod wheel.id:wheel.role:gpg.tmpfs.user_tmpfs_file:s0 140 May 23 07:28 .
> drwx------. 7 kcinimod kcinimod sys.id:sys.role:fs.tmpfs.fs:s0 240 May 22 21:50 ..
> srwx------. 1 kcinimod kcinimod wheel.id:wheel.role:gpg.agent.gpg_tmpfs.user_tmpfs_file:s0 0 May 23 08:43 S.gpg-agent
> srwx------. 1 kcinimod kcinimod wheel.id:wheel.role:gpg.agent.gpg_tmpfs.user_tmpfs_file:s0 0 May 23 07:28 S.gpg-agent.browser
> srwx------. 1 kcinimod kcinimod wheel.id:wheel.role:gpg.agent.gpg_tmpfs.user_tmpfs_file:s0 0 May 23 07:28 S.gpg-agent.extra
> srwx------. 1 kcinimod kcinimod wheel.id:wheel.role:gpg.agent.gpg_tmpfs.user_tmpfs_file:s0 0 May 23 07:28 S.gpg-agent.ssh
> srwx------. 1 kcinimod kcinimod wheel.id:wheel.role:gpg.scdaemon.gpg_tmpfs.user_tmpfs_file:s0 0 May 23 07:28 S.scdaemon
> 
> here are some of the type transitions:
> 
> type_transition wheel_gpg.subj fs.tmpfs.fs:dir gpg.tmpfs.user_tmpfs_file "gnupg";
> type_transition wheel_gpg.subj fs.tmpfs.fs:file users.generic_tmpfs.user_tmpfs_file;
> type_transition wheel_gpg.subj gpg.home.home_file:dir gpg.dirmngr.gpg_home.home_file "crls.d";
> type_transition wheel_gpg.subj gpg.home.home_file:dir gpg.dirmngr.gpg_home.home_file "dirmngr-cache.d";
> type_transition wheel_gpg.subj gpg.home.home_file:file gpg.dirmngr.gpg_home.home_file "dirmngr.conf";
> type_transition wheel_gpg.subj gpg.home.home_file:sock_file gpg.dirmngr.gpg_home.home_file "S.dirmngr";
> type_transition wheel_gpg.subj users.home_dir.file:dir gpg.home.home_file ".gnupg";
> type_transition wheel_gpg_agent.subj fs.tmpfs.fs:dir gpg.tmpfs.user_tmpfs_file "gnupg";
> type_transition wheel_gpg_agent.subj gpg.home.home_file:dir gpg.agent.gpg_home.home_file "private-keys-v1.d";
> type_transition wheel_gpg_agent.subj gpg.home.home_file:file gpg.agent.gpg_home.home_file "gpg-agent.conf";
> type_transition wheel_gpg_agent.subj gpg.home.home_file:file gpg.agent.gpg_home.home_file "gpg-agent.log";
> type_transition wheel_gpg_agent.subj gpg.home.home_file:file gpg.agent.gpg_home.home_file "sshcontrol";
> type_transition wheel_gpg_agent.subj gpg.home.home_file:sock_file gpg.agent.gpg_home.home_file "S.gpg-agent";
> type_transition wheel_gpg_agent.subj gpg.home.home_file:sock_file gpg.agent.gpg_home.home_file "S.gpg-agent.browser";
> type_transition wheel_gpg_agent.subj gpg.home.home_file:sock_file gpg.agent.gpg_home.home_file "S.gpg-agent.extra";
> type_transition wheel_gpg_agent.subj gpg.home.home_file:sock_file gpg.agent.gpg_home.home_file "S.gpg-agent.ssh";
> type_transition wheel_gpg_agent.subj gpg.tmpfs.user_tmpfs_file:sock_file gpg.agent.gpg_tmpfs.user_tmpfs_file "S.gpg-agent";
> type_transition wheel_gpg_agent.subj gpg.tmpfs.user_tmpfs_file:sock_file gpg.agent.gpg_tmpfs.user_tmpfs_file "S.gpg-agent.browser";
> type_transition wheel_gpg_agent.subj gpg.tmpfs.user_tmpfs_file:sock_file gpg.agent.gpg_tmpfs.user_tmpfs_file "S.gpg-agent.extra";
> type_transition wheel_gpg_agent.subj gpg.tmpfs.user_tmpfs_file:sock_file gpg.agent.gpg_tmpfs.user_tmpfs_file "S.gpg-agent.ssh";
> type_transition wheel_gpg_agent.subj users.home_dir.file:dir gpg.home.home_file ".gnupg";
> 
> > > > 
> > > > ?ifdef(`hide_broken_symptoms',`
> > > > ? userdom_dontaudit_read_user_tmp_files(gpg_agent_t)
> > > > @@ -310,6 +316,7 @@ fs_tmpfs_filetrans(gpg_pinentry_t, gpg_p
> > > > 
> > > > ?can_exec(gpg_pinentry_t, gpg_pinentry_exec_t)
> > > > 
> > > > +kernel_dontaudit_search_sysctl(gpg_pinentry_t)
> > > > ?kernel_read_system_state(gpg_pinentry_t)
> > > > 
> > > > ?corecmd_exec_shell(gpg_pinentry_t)
> > > > @@ -327,6 +334,7 @@ domain_use_interactive_fds(gpg_pinentry_
> > > > 
> > > > ?files_read_usr_files(gpg_pinentry_t)
> > > > 
> > > > +fs_dontaudit_getattr_xattr_fs(gpg_pinentry_t)
> > > > ?fs_dontaudit_list_inotifyfs(gpg_pinentry_t)
> > > > 
> > > > ?auth_use_nsswitch(gpg_pinentry_t)

Regards,

Guido
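Review bot: the new `+userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, { dir file sock_file })` in the @@ -247 hunk is unnamed, so every file and socket gpg_agent_t creates directly in the user runtime directory, and every directory whatever its name, is labelled gpg_agent_tmp_t; together with `+userdom_manage_user_runtime_dirs(gpg_agent_t)` this lets the agent create arbitrary content at the top of XDG_RUNTIME_DIR rather than only inside gnupg/. A name-based dir transition for "gnupg" (the name is fixed, as the reply above points out) with the sock_file transition scoped to that directory would give the agent only the subtree it needs. Also, `+userdom_manage_user_tmp_files(gpg_agent_t)` already grants read on user tmp files, so the `userdom_dontaudit_read_user_tmp_files(gpg_agent_t)` left under hide_broken_symptoms in the trailing context is now dead and should be dropped in the same change.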
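Review bot: `+kernel_dontaudit_search_sysctl(gpg_pinentry_t)` in the @@ -310 hunk silences a denial without the commit message saying which sysctl path pinentry walks; a dontaudit is the right answer only if the lookup is a harmless probe, otherwise it hides a real failure, so name the access in the commit message and confirm pinentry behaves correctly with it denied.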
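Review bot: `+fs_dontaudit_getattr_xattr_fs(gpg_pinentry_t)` in the @@ -327 hunk is the second undocumented dontaudit in this patch; as with the sysctl one, state in the commit message what statfs() call on an xattr filesystem pinentry makes and why denying it is harmless, so a reviewer can tell it apart from a missing allow rule.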
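Dominick's suggestion above (a dedicated runtime type with a name-based transition for "gnupg"), written out in refpolicy syntax as an added illustration; it is not part of the submitted patch or of either participant's policy. gpg_runtime_t is an assumed name, and the optional filename argument to userdom_user_runtime_filetrans is assumed to be available as in the other refpolicy filetrans interfaces.

```selinux
# Added illustration, not the patch under review: a private type for
# XDG_RUNTIME_DIR/gnupg. gpg_runtime_t is an assumed name; gpg_t,
# gpg_agent_t and the userdom_* interfaces are the ones the patch uses.
type gpg_runtime_t;
userdom_user_tmp_file(gpg_runtime_t)

# gpg-agent owns the directory. Creating "gnupg" directly under the user
# runtime directory labels it gpg_runtime_t; any other name keeps the
# generic label, so the agent gets no write access to the runtime
# directory itself, only search. (The filename argument is assumed to
# be accepted, as in the other filetrans interfaces.)
userdom_search_user_runtime(gpg_agent_t)
userdom_user_runtime_filetrans(gpg_agent_t, gpg_runtime_t, dir, "gnupg")

# Inside gnupg/ the agent manages the directory and its sockets
# (S.gpg-agent, S.gpg-agent.browser, S.gpg-agent.extra, S.gpg-agent.ssh
# in the listing above); sockets created there inherit gpg_runtime_t.
manage_dirs_pattern(gpg_agent_t, gpg_runtime_t, gpg_runtime_t)
manage_sock_files_pattern(gpg_agent_t, gpg_runtime_t, gpg_runtime_t)

# gpg itself only needs to find the directory and connect to the agent,
# so it gets no manage rules on either the runtime or the private type.
userdom_search_user_runtime(gpg_t)
search_dirs_pattern(gpg_t, gpg_runtime_t, gpg_runtime_t)
stream_connect_pattern(gpg_t, gpg_runtime_t, gpg_runtime_t, gpg_agent_t)
```

The reuse-gpg_agent_tmp_t alternative argued for in the reply is the same shape with gpg_agent_tmp_t in place of gpg_runtime_t; what changes the exposure is the "gnupg" name on the dir transition and the absence of manage rules on the generic runtime type, not which private type is chosen.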