From: guido@trentalancia.com (Guido Trentalancia)
Date: Wed, 24 May 2017 19:46:39 +0200
Subject: [refpolicy] [PATCH v3] gpg: manage user runtime socket files and directories
In-Reply-To:
References: <1495383664.21167.2.camel@trentalancia.com> <1495574513.16791.0.camel@trentalancia.com> <1495643527.13711.6.camel@trentalancia.com>
Message-ID: <1495647999.7185.6.camel@trentalancia.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

However, I must say that I think the dirmngr policy should be in the gpg module! Having the dirmngr policy in a separate module is wrong.

I hope this helps...

Guido

On Thu, 25/05/2017 at 01.37 +0800, Jason Zaman wrote:
> NACK to this whole thing. Why are you just redoing what I already did
> like a week ago? Dirmngr already has a policy separate from gpg and
> what you're doing will just conflict with it.
> I've been too busy to fix and resend my patch. If you really want
> this in at least take that version and fix what the comments were
> instead of doing it again badly :P
>
> -- Jason
>
> On May 25, 2017 00:32, "Guido Trentalancia via refpolicy" oss.tresys.com> wrote:
> > Update the gpg module so that it can correctly manage socket files
> > and directories in the user runtime directories.
> >
> > Update the gpg module in order to support dirmngr (gpg version 2).
> >
> > Some other minor gpg fixes are also included in this patch.
> >
> > This is the third version (v3) of this patch. Since version 2, it
> > features some improvements thanks to feedback received from
> > Christopher PeBenito.
> >
> > Signed-off-by: Guido Trentalancia
> > --- > > ?policy/modules/contrib/gpg.fc |? ? 4 +- > > ?policy/modules/contrib/gpg.if |? ?22 ++++++++++++ > > ?policy/modules/contrib/gpg.te |? ?76 > > +++++++++++++++++++++++++++++++++++++++++- > > ?3 files changed, 100 insertions(+), 2 deletions(-) > > > > --- a/policy/modules/contrib/gpg.fc? ? ?2017-03-29 > > 17:58:00.281386397 +0200
> > +++ b/policy/modules/contrib/gpg.fc? ? ?2017-05-24 > > 18:18:33.792680617 +0200 > > @@ -1,8 +1,10 @@ > > ?HOME_DIR/\.gnupg(/.+)?? ? ? ? ? ? ? ? ? ? ? ? > > ?gen_context(system_u:object_r:gpg_secret_t,s0) > > ?HOME_DIR/\.gnupg/log-socket? ? ? ? ? ? -s? ? ? > > gen_context(system_u:object_r:gpg_agent_tmp_t,s0) > > +HOME_DIR/\.gnupg/S\.dirmngr? ? ? ? ? ? -s? ? ? > > gen_context(system_u:object_r:gpg_dirmngr_tmp_t,s0) > > ?HOME_DIR/\.gnupg/S\.gpg-agent.*? ? ? ? ? ? ? ? -s? ? ? > > gen_context(system_u:object_r:gpg_agent_tmp_t,s0) > > ?HOME_DIR/\.gnupg/S\.scdaemon? ? ? ? ? ?-s? ? ? > > gen_context(system_u:object_r:gpg_agent_tmp_t,s0) > > > > +/usr/bin/dirmngr.*? ? ? ? ? ? ? ? ? ? ?--? ? ? > > gen_context(system_u:object_r:gpg_dirmngr_exec_t,s0) > > ?/usr/bin/gpg(2)?? ? ? ? ? ? ? ? ? ? ? ?--? ? ? > > gen_context(system_u:object_r:gpg_exec_t,s0) > > ?/usr/bin/gpgsm? ? ? ? ? ? ? ? ? ? ? ? ?--? ? ? > > gen_context(system_u:object_r:gpg_exec_t,s0) > > ?/usr/bin/gpg-agent? ? ? ? ? ? ? ? ? ? ?--? ? ? > > gen_context(system_u:object_r:gpg_agent_exec_t,s0) > > @@ -11,4 +13,4 @@ HOME_DIR/\.gnupg/S\.scdaemon? ? ? ? ? -s? ? ? > > gen_con > > ?/usr/lib/gnupg/.*? ? ? ? ? ? ? ? ? ? ? --? ? ? > > gen_context(system_u:object_r:gpg_exec_t,s0) > > ?/usr/lib/gnupg/gpgkeys.*? ? ? ? ? ? ? ?--? ? ? > > gen_context(system_u:object_r:gpg_helper_exec_t,s0) > > > > -/run/user/%{USERID}/gnupg(/.*)?? ? ? ? ? ? ? ? ? ? ? ? > > gen_context(system_u:object_r:gpg_agent_tmp_t,s0) > > +/run/user/%{USERID}/gnupg(/.*)?? ? ? ? ? ? ? ? ? ? ? ? > > gen_context(system_u:object_r:gpg_runtime_t,s0) > > --- a/policy/modules/contrib/gpg.if? ? ?2017-03-29 > > 17:58:00.282386397 +0200 > > +++ b/policy/modules/contrib/gpg.if? ? ?2017-05-24 > > 16:57:35.837700478 +0200 
> > @@ -214,6 +214,28 @@ interface(`gpg_stream_connect_agent',` > > ? ? ? ? userdom_search_user_home_dirs($1) > > ?') > > > > +###################################### > > +## > > +##? ? ?Connect to gpg dirmngr socket > > +## > > +## > > +##? ? ? > > +##? ? ?Domain allowed access. > > +##? ? ? > > +## > > +# > > +interface(`gpg_stream_connect_dirmngr',` > > +? ? ? ?gen_require(` > > +? ? ? ? ? ? ? ?type gpg_dirmngr_t, gpg_dirmngr_tmp_t; > > +? ? ? ? ? ? ? ?type gpg_secret_t; > > +? ? ? ?') > > + > > +? ? ? ?stream_connect_pattern($1, gpg_dirmngr_tmp_t, > > gpg_dirmngr_tmp_t, gpg_dirmngr_t) > > +? ? ? ?allow $1 gpg_secret_t:dir search_dir_perms; > > +? ? ? ?userdom_search_user_runtime($1) > > +? ? ? ?userdom_search_user_home_dirs($1) > > +') > > + > > ?######################################## > > ?## > > ?##? ? ?Send messages to and from gpg > > --- a/policy/modules/contrib/gpg.te? ? ?2017-04-26 > > 17:47:20.555423022 +0200 > > +++ b/policy/modules/contrib/gpg.te? ? ?2017-05-24 > > 18:21:19.538679939 +0200 > > @@ -19,6 +19,8 @@ roleattribute system_r gpg_roles; > > > > ?attribute_role gpg_agent_roles; > > > > +attribute_role gpg_dirmngr_roles; > > + > > ?attribute_role gpg_helper_roles; > > ?roleattribute system_r gpg_helper_roles; > > > > @@ -29,6 +31,9 @@ type gpg_exec_t; > > ?userdom_user_application_domain(gpg_t, gpg_exec_t) > > ?role gpg_roles types gpg_t; > > > > +type gpg_runtime_t; > > +files_pid_file(gpg_runtime_t) > > + > > ?type gpg_agent_t; > > ?type gpg_agent_exec_t; > > ?userdom_user_application_domain(gpg_agent_t, gpg_agent_exec_t) 
> > @@ -37,6 +42,14 @@ role gpg_agent_roles types gpg_agent_t; > > ?type gpg_agent_tmp_t; > > ?userdom_user_tmp_file(gpg_agent_tmp_t) > > > > +type gpg_dirmngr_t; > > +type gpg_dirmngr_exec_t; > > +userdom_user_application_domain(gpg_dirmngr_t, gpg_dirmngr_exec_t) > > +role gpg_dirmngr_roles types gpg_dirmngr_t; > > + > > +type gpg_dirmngr_tmp_t; > > +userdom_user_tmp_file(gpg_dirmngr_tmp_t) > > + > > ?type gpg_secret_t; > > ?userdom_user_home_content(gpg_secret_t) > > > > @@ -72,10 +85,19 @@ dontaudit gpg_t self:netlink_audit_socke > > ?allow gpg_t self:fifo_file rw_fifo_file_perms; > > ?allow gpg_t self:tcp_socket { accept listen }; > > > > +manage_dirs_pattern(gpg_t, gpg_runtime_t, gpg_runtime_t) > > +userdom_user_runtime_filetrans(gpg_t, gpg_runtime_t, dir, "gnupg") > > + > > ?manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t) > > ?manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t) > > +manage_sock_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t) > > ?files_tmp_filetrans(gpg_t, gpg_agent_tmp_t, { dir file }) > > > > +manage_dirs_pattern(gpg_t, gpg_dirmngr_tmp_t, gpg_dirmngr_tmp_t) > > +manage_files_pattern(gpg_t, gpg_dirmngr_tmp_t, gpg_dirmngr_tmp_t) > > +manage_sock_files_pattern(gpg_t, gpg_dirmngr_tmp_t, > > gpg_dirmngr_tmp_t) > > +manage_sock_files_pattern(gpg_t, gpg_dirmngr_tmp_t, > > gpg_dirmngr_tmp_t) > > + > > ?manage_dirs_pattern(gpg_t, gpg_secret_t, gpg_secret_t) > > ?manage_sock_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t) > > ?manage_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t) > > @@ -83,8 +105,10 @@ manage_lnk_files_pattern(gpg_t, gpg_secr > > ?userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir) > > > > ?gpg_stream_connect_agent(gpg_t) > > +gpg_stream_connect_dirmngr(gpg_t) > > > > ?domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t) > > +domtrans_pattern(gpg_t, gpg_dirmngr_exec_t, gpg_dirmngr_t) > > ?domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t) > > > > ?kernel_read_crypto_sysctls(gpg_t) 
> > @@ -124,6 +148,7 @@ miscfiles_read_localization(gpg_t) > > > > ?userdom_use_user_terminals(gpg_t) > > > > +userdom_manage_user_tmp_dirs(gpg_t) > > ?userdom_manage_user_tmp_files(gpg_t) > > ?userdom_manage_user_home_content_files(gpg_t) > > ?userdom_user_home_dir_filetrans_user_home_content(gpg_t, file) > > @@ -215,6 +240,9 @@ manage_sock_files_pattern(gpg_agent_t, g > > ?manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) > > ?manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) > > > > +manage_dirs_pattern(gpg_agent_t, gpg_runtime_t, gpg_runtime_t) > > +userdom_user_runtime_filetrans(gpg_agent_t, gpg_runtime_t, dir, > > "gnupg") > > + > > ?manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t) > > ?manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, > > gpg_agent_tmp_t) > > ?manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, > > gpg_agent_tmp_t) > > @@ -226,6 +254,12 @@ filetrans_pattern(gpg_agent_t, gpg_secre > > ?filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, > > sock_file, "S.gpg-agent.extra") > > ?filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, > > sock_file, "S.gpg-agent.ssh") > > ?filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, > > sock_file, "S.scdaemon") > > +filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, > > sock_file, "log-socket") > > +filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, > > sock_file, "S.gpg-agent") > > +filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, > > sock_file, "S.gpg-agent.browser") > > +filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, > > sock_file, "S.gpg-agent.extra") > > +filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, > > sock_file, "S.gpg-agent.ssh") > > +filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, > > sock_file, "S.scdaemon") > > > > ?domtrans_pattern(gpg_agent_t, gpg_pinentry_exec_t, gpg_pinentry_t) 
> > > > @@ -250,7 +284,7 @@ miscfiles_read_localization(gpg_agent_t) > > ?userdom_use_user_terminals(gpg_agent_t) > > ?userdom_search_user_home_dirs(gpg_agent_t) > > ?userdom_search_user_runtime(gpg_agent_t) > > -userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, dir) > > +userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, { dir > > file sock_file }) > > > > ?ifdef(`hide_broken_symptoms',` > > ? ? ? ? userdom_dontaudit_read_user_tmp_files(gpg_agent_t) 
> > @@ -291,6 +325,44 @@ optional_policy(` > > ? ? ? ? xserver_read_user_xauth(gpg_agent_t) > > ?') > > > > +####################################### > > +# > > +# Dirmngr local policy > > +# > > + > > +allow gpg_dirmngr_t gpg_secret_t:file read_file_perms; > > + > > +manage_dirs_pattern(gpg_dirmngr_t, gpg_runtime_t, gpg_runtime_t) > > +userdom_user_runtime_filetrans(gpg_dirmngr_t, gpg_runtime_t, dir, > > "gnupg") > > + > > +manage_dirs_pattern(gpg_dirmngr_t, gpg_dirmngr_tmp_t, > > gpg_dirmngr_tmp_t) > > +manage_files_pattern(gpg_dirmngr_t, gpg_dirmngr_tmp_t, > > gpg_dirmngr_tmp_t) > > +manage_sock_files_pattern(gpg_dirmngr_t, gpg_dirmngr_tmp_t, > > gpg_dirmngr_tmp_t) > > +filetrans_pattern(gpg_dirmngr_t, gpg_runtime_t, gpg_dirmngr_tmp_t, > > sock_file, "S.dirmngr") > > + > > +corenet_sendrecv_pgpkeyserver_client_packets(gpg_dirmngr_t) > > +corenet_tcp_connect_pgpkeyserver_port(gpg_dirmngr_t) > > +corenet_tcp_sendrecv_pgpkeyserver_port(gpg_dirmngr_t) > > + > > +corenet_udp_bind_all_unreserved_ports(gpg_dirmngr_t) > > +corenet_udp_bind_generic_node(gpg_dirmngr_t) > > + > > +dev_read_rand(gpg_dirmngr_t) > > +dev_read_urand(gpg_dirmngr_t) > > + > > +files_read_etc_files(gpg_dirmngr_t) > > +files_read_usr_files(gpg_dirmngr_t) > > + > > +miscfiles_read_all_certs(gpg_dirmngr_t) > > +miscfiles_read_localization(gpg_dirmngr_t) > > + > > +sysnet_dns_name_resolve(gpg_dirmngr_t) > > + > > +userdom_search_user_home_dirs(gpg_dirmngr_t) > > + > > +userdom_search_user_runtime(gpg_dirmngr_t) > > +userdom_user_runtime_filetrans(gpg_dirmngr_t, gpg_dirmngr_tmp_t, { > > dir file sock_file }) > > + > > ?############################## > > ?# > > ?# Pinentry local policy > > @@ -310,6 +382,7 @@ fs_tmpfs_filetrans(gpg_pinentry_t, gpg_p > > > > ?can_exec(gpg_pinentry_t, gpg_pinentry_exec_t) > > > > +kernel_dontaudit_search_sysctl(gpg_pinentry_t) > > ?kernel_read_system_state(gpg_pinentry_t) > > > > ?corecmd_exec_shell(gpg_pinentry_t) 
> > @@ -327,6 +400,7 @@ domain_use_interactive_fds(gpg_pinentry_ > > > > ?files_read_usr_files(gpg_pinentry_t) > > > > +fs_dontaudit_getattr_xattr_fs(gpg_pinentry_t) > > ?fs_dontaudit_list_inotifyfs(gpg_pinentry_t) > > > > ?auth_use_nsswitch(gpg_pinentry_t) > > _______________________________________________ > > refpolicy mailing list > > refpolicy at oss.tresys.com > > http://oss.tresys.com/mailman/listinfo/refpolicy > >
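Review bot: in the first gpg.fc hunk (@@ -1,8 +1,10 @@), the new `/usr/bin/dirmngr.*` entry is broader than the neighbouring entries (`/usr/bin/gpg(2)?`, `/usr/bin/gpgsm`) and matches every binary whose name starts with dirmngr, such as dirmngr-client where it is installed, which would then get gpg_dirmngr_exec_t and a domain transition into gpg_dirmngr_t when run from gpg_t. Suggest the exact path `/usr/bin/dirmngr` unless the wildcard is deliberate, in which case say why in the commit message.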
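Review bot: in the second gpg.fc hunk (@@ -11,4 +13,4 @@), keeping `(/.*)?` on the relabelled `/run/user/%{USERID}/gnupg(/.*)?` entry makes every object beneath that directory gpg_runtime_t, including the sockets, whereas the gpg.te hunks create those sockets as gpg_agent_tmp_t and gpg_dirmngr_tmp_t via named filetrans rules and `gpg_stream_connect_dirmngr` names gpg_dirmngr_tmp_t as the sock_file type. A restorecon of the runtime directory would therefore relabel the sockets to gpg_runtime_t and connections would no longer match. Either drop `(/.*)?` so only the directory itself is gpg_runtime_t, or add `-s` entries for the socket names under `/run/user/%{USERID}/gnupg/` mirroring the HOME_DIR/\.gnupg entries above.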
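Review bot: in the gpg.if hunk (@@ -214,6 +214,28 @@), `gpg_stream_connect_dirmngr` grants search on gpg_secret_t:dir and on the user runtime directory, but not on gpg_runtime_t, which the gpg.te hunks make the type of `/run/user/%{USERID}/gnupg`, the directory the S.dirmngr socket is created in (`filetrans_pattern(gpg_dirmngr_t, gpg_runtime_t, gpg_dirmngr_tmp_t, sock_file, "S.dirmngr")`). A caller can reach the home-directory socket but not the runtime one. Add `type gpg_runtime_t;` to the gen_require block and `allow $1 gpg_runtime_t:dir search_dir_perms;` next to the gpg_secret_t rule.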
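Review bot: in the gpg.te hunk declaring the new type (@@ -29,6 +31,9 @@), gpg_runtime_t is declared with `files_pid_file()`, while every other per-user type in this module (gpg_agent_tmp_t, gpg_dirmngr_tmp_t) is declared with `userdom_user_tmp_file()`. `files_pid_file()` classifies the per-user gnupg directory, which holds the agent and dirmngr sockets, as generic pid-file content, so any domain with blanket access to pid files gains access to it. Please either use the userdom per-user content interface for consistency with the sibling types or explain in the commit message why generic pid-file treatment is intended.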
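Review bot: in the gpg.te hunk @@ -72,10 +85,19 @@, the line `manage_sock_files_pattern(gpg_t, gpg_dirmngr_tmp_t, gpg_dirmngr_tmp_t)` is added twice in a row; drop one copy. It is also worth stating why gpg_t needs to manage (create and unlink) the dirmngr socket at all: the next hunk adds `gpg_stream_connect_dirmngr(gpg_t)` for connecting, and the dirmngr local policy already lets gpg_dirmngr_t create its own socket, so a connect-only grant may be enough here.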
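Review bot: in the gpg.te hunk @@ -250,7 +284,7 @@, widening the agent's unnamed runtime transition to `userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, { dir file sock_file })` looks unnecessary once the other hunks are in place: the named `userdom_user_runtime_filetrans(gpg_agent_t, gpg_runtime_t, dir, "gnupg")` wins for the gnupg directory, and all six agent sockets now have named transitions from gpg_runtime_t inside it. What file or sock_file does gpg-agent create directly under `/run/user/%{USERID}`? If nothing, keep the original `dir` form; if something, name it so the rule stays narrow.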
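Review bot: in the dirmngr local policy hunk (@@ -291,6 +325,44 @@), `allow gpg_dirmngr_t gpg_secret_t:file read_file_perms;` is unreachable as written, because nothing grants gpg_dirmngr_t search on gpg_secret_t:dir; `userdom_search_user_home_dirs(gpg_dirmngr_t)` only covers the home directory itself, not ~/.gnupg. Add `allow gpg_dirmngr_t gpg_secret_t:dir search_dir_perms;` (or the list variant if dirmngr needs to enumerate the directory). Related: gpg.fc labels `HOME_DIR/\.gnupg/S\.dirmngr` as gpg_dirmngr_tmp_t, but the only socket transition here is from gpg_runtime_t; there is no `filetrans_pattern(gpg_dirmngr_t, gpg_secret_t, gpg_dirmngr_tmp_t, sock_file, "S.dirmngr")` counterpart to the agent's gpg_secret_t transitions, so a socket created under ~/.gnupg would inherit gpg_secret_t and its creation would be denied by the read-only file rule. Finally, `corenet_udp_bind_all_unreserved_ports` plus `corenet_udp_bind_generic_node` is a broad grant with no comment; if it exists for DNS lookups, `sysnet_dns_name_resolve(gpg_dirmngr_t)` already covers that, otherwise a one-line comment saying what dirmngr binds would help the next reader.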
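Review bot: the two pinentry hunks (@@ -310,6 +382,7 @@ adding `kernel_dontaudit_search_sysctl(gpg_pinentry_t)` and @@ -327,6 +400,7 @@ adding `fs_dontaudit_getattr_xattr_fs(gpg_pinentry_t)`) are unrelated to runtime sockets and dirmngr, and the commit message only describes them as "some other minor gpg fixes". Please split them into their own patch with a short note on which denials they silence, so the dontaudits can be reviewed and reverted independently of the socket and dirmngr changes.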