From: dac.override@gmail.com (Dominick Grift)
Date: Wed, 24 May 2017 19:49:48 +0200
Subject: [refpolicy] [PATCH v3] gpg: manage user runtime socket files and directories
In-Reply-To: <1495647999.7185.6.camel@trentalancia.com>
References: <1495383664.21167.2.camel@trentalancia.com> <1495574513.16791.0.camel@trentalancia.com> <1495643527.13711.6.camel@trentalancia.com> <1495647999.7185.6.camel@trentalancia.com>
Message-ID: <20170524174948.GC8657@julius.enp8s0.d30>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, May 24, 2017 at 07:46:39PM +0200, Guido Trentalancia via refpolicy wrote:
> However, I must say that I think the dirmngr policy should be in the
> gpg module!
>
> Having the dirmngr policy in a separate module is wrong.

I have a tendency to agree. I am pro-modular but dirmngr is part of the gnupg package, so if you install gpg then you most likely have dirmngr as well.

>
> I hope this helps...
>
> Guido
>
> On Thu, 25/05/2017 at 01.37 +0800, Jason Zaman wrote:
> > NACK to this whole thing. Why are you just redoing what I already did
> > like a week ago? Dirmngr already has a policy separate from gpg and
> > what you're doing will just conflict with it.
> > I've been too busy to fix and resend my patch. If you really want
> > this in at least take that version and fix what the comments were
> > instead of doing it again badly :P
> >
> > -- Jason
> >
> > On May 25, 2017 00:32, "Guido Trentalancia via refpolicy" > oss.tresys.com> wrote:
> > > Update the gpg module so that it can correctly manage socket files
> > > and directories in the user runtime directories.
> > >
> > > Update the gpg module in order to support dirmngr (gpg version 2).
> > >
> > > Some other minor gpg fixes are also included in this patch.
> > >
> > > This is the third version (v3) of this patch. Since version 2, it
> > > features some improvements thanks to feedback received from
> > > Christopher PeBenito.
> > > > > > Signed-off-by: Guido Trentalancia > > > --- > > > ?policy/modules/contrib/gpg.fc |? ? 4 +- > > > ?policy/modules/contrib/gpg.if |? ?22 ++++++++++++ > > > ?policy/modules/contrib/gpg.te |? ?76 > > > +++++++++++++++++++++++++++++++++++++++++- > > > ?3 files changed, 100 insertions(+), 2 deletions(-) > > > > > > --- a/policy/modules/contrib/gpg.fc? ? ?2017-03-29 > > > 17:58:00.281386397 +0200 > > > +++ b/policy/modules/contrib/gpg.fc? ? ?2017-05-24 > > > 18:18:33.792680617 +0200 > > > @@ -1,8 +1,10 @@ > > > ?HOME_DIR/\.gnupg(/.+)?? ? ? ? ? ? ? ? ? ? ? ? > > > ?gen_context(system_u:object_r:gpg_secret_t,s0) > > > ?HOME_DIR/\.gnupg/log-socket? ? ? ? ? ? -s? ? ? > > > gen_context(system_u:object_r:gpg_agent_tmp_t,s0) > > > +HOME_DIR/\.gnupg/S\.dirmngr? ? ? ? ? ? -s? ? ? > > > gen_context(system_u:object_r:gpg_dirmngr_tmp_t,s0) > > > ?HOME_DIR/\.gnupg/S\.gpg-agent.*? ? ? ? ? ? ? ? -s? ? ? > > > gen_context(system_u:object_r:gpg_agent_tmp_t,s0) > > > ?HOME_DIR/\.gnupg/S\.scdaemon? ? ? ? ? ?-s? ? ? > > > gen_context(system_u:object_r:gpg_agent_tmp_t,s0) > > > > > > +/usr/bin/dirmngr.*? ? ? ? ? ? ? ? ? ? ?--? ? ? > > > gen_context(system_u:object_r:gpg_dirmngr_exec_t,s0) > > > ?/usr/bin/gpg(2)?? ? ? ? ? ? ? ? ? ? ? ?--? ? ? > > > gen_context(system_u:object_r:gpg_exec_t,s0) > > > ?/usr/bin/gpgsm? ? ? ? ? ? ? ? ? ? ? ? ?--? ? ? > > > gen_context(system_u:object_r:gpg_exec_t,s0) > > > ?/usr/bin/gpg-agent? ? ? ? ? ? ? ? ? ? ?--? ? ? > > > gen_context(system_u:object_r:gpg_agent_exec_t,s0) 
> > > @@ -11,4 +13,4 @@ HOME_DIR/\.gnupg/S\.scdaemon? ? ? ? ? -s? ? ? > > > gen_con > > > ?/usr/lib/gnupg/.*? ? ? ? ? ? ? ? ? ? ? --? ? ? > > > gen_context(system_u:object_r:gpg_exec_t,s0) > > > ?/usr/lib/gnupg/gpgkeys.*? ? ? ? ? ? ? ?--? ? ? > > > gen_context(system_u:object_r:gpg_helper_exec_t,s0) > > > > > > -/run/user/%{USERID}/gnupg(/.*)?? ? ? ? ? ? ? ? ? ? ? ? > > > gen_context(system_u:object_r:gpg_agent_tmp_t,s0) > > > +/run/user/%{USERID}/gnupg(/.*)?? ? ? ? ? ? ? ? ? ? ? ? > > > gen_context(system_u:object_r:gpg_runtime_t,s0) > > > --- a/policy/modules/contrib/gpg.if? ? ?2017-03-29 > > > 17:58:00.282386397 +0200 > > > +++ b/policy/modules/contrib/gpg.if? ? ?2017-05-24 > > > 16:57:35.837700478 +0200 > > > @@ -214,6 +214,28 @@ interface(`gpg_stream_connect_agent',` > > > ? ? ? ? userdom_search_user_home_dirs($1) > > > ?') > > > > > > +###################################### > > > +## > > > +##? ? ?Connect to gpg dirmngr socket > > > +## > > > +## > > > +##? ? ? > > > +##? ? ?Domain allowed access. > > > +##? ? ? > > > +## > > > +# > > > +interface(`gpg_stream_connect_dirmngr',` > > > +? ? ? ?gen_require(` > > > +? ? ? ? ? ? ? ?type gpg_dirmngr_t, gpg_dirmngr_tmp_t; > > > +? ? ? ? ? ? ? ?type gpg_secret_t; > > > +? ? ? ?') > > > + > > > +? ? ? ?stream_connect_pattern($1, gpg_dirmngr_tmp_t, > > > gpg_dirmngr_tmp_t, gpg_dirmngr_t) > > > +? ? ? ?allow $1 gpg_secret_t:dir search_dir_perms; > > > +? ? ? ?userdom_search_user_runtime($1) > > > +? ? ? ?userdom_search_user_home_dirs($1) > > > +') > > > + > > > ?######################################## > > > ?## > > > ?##? ? ?Send messages to and from gpg > > > --- a/policy/modules/contrib/gpg.te? ? ?2017-04-26 > > > 17:47:20.555423022 +0200 > > > +++ b/policy/modules/contrib/gpg.te? ? ?2017-05-24 > > > 18:21:19.538679939 +0200 
> > > @@ -19,6 +19,8 @@ roleattribute system_r gpg_roles; > > > > > > ?attribute_role gpg_agent_roles; > > > > > > +attribute_role gpg_dirmngr_roles; > > > + > > > ?attribute_role gpg_helper_roles; > > > ?roleattribute system_r gpg_helper_roles; > > > > > > @@ -29,6 +31,9 @@ type gpg_exec_t; > > > ?userdom_user_application_domain(gpg_t, gpg_exec_t) > > > ?role gpg_roles types gpg_t; > > > > > > +type gpg_runtime_t; > > > +files_pid_file(gpg_runtime_t) > > > + > > > ?type gpg_agent_t; > > > ?type gpg_agent_exec_t; > > > ?userdom_user_application_domain(gpg_agent_t, gpg_agent_exec_t) > > > @@ -37,6 +42,14 @@ role gpg_agent_roles types gpg_agent_t; > > > ?type gpg_agent_tmp_t; > > > ?userdom_user_tmp_file(gpg_agent_tmp_t) > > > > > > +type gpg_dirmngr_t; > > > +type gpg_dirmngr_exec_t; > > > +userdom_user_application_domain(gpg_dirmngr_t, gpg_dirmngr_exec_t) > > > +role gpg_dirmngr_roles types gpg_dirmngr_t; > > > + > > > +type gpg_dirmngr_tmp_t; > > > +userdom_user_tmp_file(gpg_dirmngr_tmp_t) > > > + > > > ?type gpg_secret_t; > > > ?userdom_user_home_content(gpg_secret_t) 
> > > > > > @@ -72,10 +85,19 @@ dontaudit gpg_t self:netlink_audit_socke > > > ?allow gpg_t self:fifo_file rw_fifo_file_perms; > > > ?allow gpg_t self:tcp_socket { accept listen }; > > > > > > +manage_dirs_pattern(gpg_t, gpg_runtime_t, gpg_runtime_t) > > > +userdom_user_runtime_filetrans(gpg_t, gpg_runtime_t, dir, "gnupg") > > > + > > > ?manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t) > > > ?manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t) > > > +manage_sock_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t) > > > ?files_tmp_filetrans(gpg_t, gpg_agent_tmp_t, { dir file }) > > > > > > +manage_dirs_pattern(gpg_t, gpg_dirmngr_tmp_t, gpg_dirmngr_tmp_t) > > > +manage_files_pattern(gpg_t, gpg_dirmngr_tmp_t, gpg_dirmngr_tmp_t) > > > +manage_sock_files_pattern(gpg_t, gpg_dirmngr_tmp_t, > > > gpg_dirmngr_tmp_t) > > > +manage_sock_files_pattern(gpg_t, gpg_dirmngr_tmp_t, > > > gpg_dirmngr_tmp_t) > > > + > > > ?manage_dirs_pattern(gpg_t, gpg_secret_t, gpg_secret_t) > > > ?manage_sock_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t) > > > ?manage_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t) > > > @@ -83,8 +105,10 @@ manage_lnk_files_pattern(gpg_t, gpg_secr > > > ?userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir) > > > > > > ?gpg_stream_connect_agent(gpg_t) > > > +gpg_stream_connect_dirmngr(gpg_t) > > > > > > ?domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t) > > > +domtrans_pattern(gpg_t, gpg_dirmngr_exec_t, gpg_dirmngr_t) > > > ?domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t) > > > > > > ?kernel_read_crypto_sysctls(gpg_t) > > > @@ -124,6 +148,7 @@ miscfiles_read_localization(gpg_t) > > > > > > ?userdom_use_user_terminals(gpg_t) > > > > > > +userdom_manage_user_tmp_dirs(gpg_t) > > > ?userdom_manage_user_tmp_files(gpg_t) > > > ?userdom_manage_user_home_content_files(gpg_t) > > > ?userdom_user_home_dir_filetrans_user_home_content(gpg_t, file) 
> > > @@ -215,6 +240,9 @@ manage_sock_files_pattern(gpg_agent_t, g > > > ?manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) > > > ?manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) > > > > > > +manage_dirs_pattern(gpg_agent_t, gpg_runtime_t, gpg_runtime_t) > > > +userdom_user_runtime_filetrans(gpg_agent_t, gpg_runtime_t, dir, > > > "gnupg") > > > + > > > ?manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t) > > > ?manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, > > > gpg_agent_tmp_t) > > > ?manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, > > > gpg_agent_tmp_t) > > > @@ -226,6 +254,12 @@ filetrans_pattern(gpg_agent_t, gpg_secre > > > ?filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, > > > sock_file, "S.gpg-agent.extra") > > > ?filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, > > > sock_file, "S.gpg-agent.ssh") > > > ?filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, > > > sock_file, "S.scdaemon") > > > +filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, > > > sock_file, "log-socket") > > > +filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, > > > sock_file, "S.gpg-agent") > > > +filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, > > > sock_file, "S.gpg-agent.browser") > > > +filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, > > > sock_file, "S.gpg-agent.extra") > > > +filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, > > > sock_file, "S.gpg-agent.ssh") > > > +filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, > > > sock_file, "S.scdaemon") > > > > > > ?domtrans_pattern(gpg_agent_t, gpg_pinentry_exec_t, gpg_pinentry_t) 
> > > > > > @@ -250,7 +284,7 @@ miscfiles_read_localization(gpg_agent_t) > > > ?userdom_use_user_terminals(gpg_agent_t) > > > ?userdom_search_user_home_dirs(gpg_agent_t) > > > ?userdom_search_user_runtime(gpg_agent_t) > > > -userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, dir) > > > +userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, { dir > > > file sock_file }) > > > > > > ?ifdef(`hide_broken_symptoms',` > > > ? ? ? ? userdom_dontaudit_read_user_tmp_files(gpg_agent_t) 
> > > @@ -291,6 +325,44 @@ optional_policy(` > > > ? ? ? ? xserver_read_user_xauth(gpg_agent_t) > > > ?') > > > > > > +####################################### > > > +# > > > +# Dirmngr local policy > > > +# > > > + > > > +allow gpg_dirmngr_t gpg_secret_t:file read_file_perms; > > > + > > > +manage_dirs_pattern(gpg_dirmngr_t, gpg_runtime_t, gpg_runtime_t) > > > +userdom_user_runtime_filetrans(gpg_dirmngr_t, gpg_runtime_t, dir, > > > "gnupg") > > > + > > > +manage_dirs_pattern(gpg_dirmngr_t, gpg_dirmngr_tmp_t, > > > gpg_dirmngr_tmp_t) > > > +manage_files_pattern(gpg_dirmngr_t, gpg_dirmngr_tmp_t, > > > gpg_dirmngr_tmp_t) > > > +manage_sock_files_pattern(gpg_dirmngr_t, gpg_dirmngr_tmp_t, > > > gpg_dirmngr_tmp_t) > > > +filetrans_pattern(gpg_dirmngr_t, gpg_runtime_t, gpg_dirmngr_tmp_t, > > > sock_file, "S.dirmngr") > > > + > > > +corenet_sendrecv_pgpkeyserver_client_packets(gpg_dirmngr_t) > > > +corenet_tcp_connect_pgpkeyserver_port(gpg_dirmngr_t) > > > +corenet_tcp_sendrecv_pgpkeyserver_port(gpg_dirmngr_t) > > > + > > > +corenet_udp_bind_all_unreserved_ports(gpg_dirmngr_t) > > > +corenet_udp_bind_generic_node(gpg_dirmngr_t) > > > + > > > +dev_read_rand(gpg_dirmngr_t) > > > +dev_read_urand(gpg_dirmngr_t) > > > + > > > +files_read_etc_files(gpg_dirmngr_t) > > > +files_read_usr_files(gpg_dirmngr_t) > > > + > > > +miscfiles_read_all_certs(gpg_dirmngr_t) > > > +miscfiles_read_localization(gpg_dirmngr_t) > > > + > > > +sysnet_dns_name_resolve(gpg_dirmngr_t) > > > + > > > +userdom_search_user_home_dirs(gpg_dirmngr_t) > > > + > > > +userdom_search_user_runtime(gpg_dirmngr_t) > > > +userdom_user_runtime_filetrans(gpg_dirmngr_t, gpg_dirmngr_tmp_t, { > > > dir file sock_file }) > > > + > > > ?############################## > > > ?# > > > ?# Pinentry local policy 
> > > @@ -310,6 +382,7 @@ fs_tmpfs_filetrans(gpg_pinentry_t, gpg_p > > > > > > ?can_exec(gpg_pinentry_t, gpg_pinentry_exec_t) > > > > > > +kernel_dontaudit_search_sysctl(gpg_pinentry_t) > > > ?kernel_read_system_state(gpg_pinentry_t) > > > > > > ?corecmd_exec_shell(gpg_pinentry_t) > > > @@ -327,6 +400,7 @@ domain_use_interactive_fds(gpg_pinentry_ > > > > > > ?files_read_usr_files(gpg_pinentry_t) > > > > > > +fs_dontaudit_getattr_xattr_fs(gpg_pinentry_t) > > > ?fs_dontaudit_list_inotifyfs(gpg_pinentry_t) > > > > > > ?auth_use_nsswitch(gpg_pinentry_t)
> > > _______________________________________________
> > > refpolicy mailing list
> > > refpolicy at oss.tresys.com
> > > http://oss.tresys.com/mailman/listinfo/refpolicy

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
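
Review bot: in gpg.fc, the @@ -11,4 +13,4 @@ hunk relabels everything matching `/run/user/%{USERID}/gnupg(/.*)?` to gpg_runtime_t, sockets included, while gpg.te adds named transitions that create the sockets inside that directory as gpg_agent_tmp_t and gpg_dirmngr_tmp_t. The file contexts and the type transitions therefore disagree, and a relabel of the runtime directory would move the sockets to gpg_runtime_t, which the stream-connect interfaces do not cover. Add `-s` entries for the runtime directory that mirror the HOME_DIR ones (log-socket, S\.dirmngr, S\.gpg-agent.*, S\.scdaemon) next to the directory entry.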
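
Review bot: in gpg.if, gpg_stream_connect_dirmngr passes gpg_dirmngr_tmp_t as the directory type to stream_connect_pattern, but gpg.te creates the socket inside a gpg_runtime_t directory (`filetrans_pattern(gpg_dirmngr_t, gpg_runtime_t, gpg_dirmngr_tmp_t, sock_file, "S.dirmngr")`). The interface grants search on gpg_secret_t directories and nothing on gpg_runtime_t, so a caller has no permission to traverse the runtime gnupg directory to reach S.dirmngr. Add gpg_runtime_t to the gen_require block and grant search_dir_perms on it, or pass it as the directory argument of the pattern.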
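
Review bot: `attribute_role gpg_dirmngr_roles;` in the @@ -19,6 +19,8 @@ hunk of gpg.te is declared but never given to any role in the visible patch: there is no `roleattribute` statement for it, and the only gpg.if change is the new gpg_stream_connect_dirmngr interface. As posted, `role gpg_dirmngr_roles types gpg_dirmngr_t;` authorises no role for gpg_dirmngr_t, so the `domtrans_pattern(gpg_t, gpg_dirmngr_exec_t, gpg_dirmngr_t)` added further down has no valid role to transition under. Assign the attribute to the calling role wherever the other gpg role attributes are assigned, or reuse an existing role attribute for dirmngr.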
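
Review bot: the @@ -72,10 +85,19 @@ hunk of gpg.te adds `manage_sock_files_pattern(gpg_t, gpg_dirmngr_tmp_t, gpg_dirmngr_tmp_t)` twice in a row; drop the duplicate. The same block gives gpg_t full manage rights on gpg_dirmngr_tmp_t directories, files and sockets without any transition that would make gpg_t create objects of that type (the agent block just above has files_tmp_filetrans), so confirm that gpg_t needs more than the connect access gpg_stream_connect_dirmngr(gpg_t) already grants and trim the rest.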
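
Review bot: in the @@ -250,7 +284,7 @@ hunk of gpg.te, widening the unnamed rule to `userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, { dir file sock_file })` means any directory, file or socket that gpg_agent_t creates directly in the user runtime directory under a name other than "gnupg" is labelled gpg_agent_tmp_t. The patch already adds a named transition for the "gnupg" directory (gpg_runtime_t) and named transitions for each agent socket inside it. If those named rules cover the real paths, remove the unnamed rule instead of widening it; otherwise add a comment naming the object that still needs it.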
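
Review bot: in the new "Dirmngr local policy" block (@@ -291,6 +325,44 @@ in gpg.te), `allow gpg_dirmngr_t gpg_secret_t:file read_file_perms;` gives a network-facing domain read access to every file labelled gpg_secret_t, and gpg.fc labels all of `HOME_DIR/\.gnupg(/.+)?` with that type, private key material included. State which files dirmngr actually has to read (presumably its configuration) and give them a separate type, or justify the rule in a comment. `corenet_udp_bind_all_unreserved_ports(gpg_dirmngr_t)` likewise needs a comment explaining why a keyserver client binds UDP ports, and the closing unnamed `userdom_user_runtime_filetrans(gpg_dirmngr_t, gpg_dirmngr_tmp_t, { dir file sock_file })` looks redundant beside the named "gnupg" and "S.dirmngr" transitions in the same block.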