From: guido@trentalancia.com (Guido Trentalancia) Date: Wed, 24 May 2017 20:05:58 +0200 Subject: [refpolicy] [PATCH v4] gpg: manage user runtime socket files and directories In-Reply-To: <1495643527.13711.6.camel@trentalancia.com> References: <1495383664.21167.2.camel@trentalancia.com> <1495574513.16791.0.camel@trentalancia.com> <1495643527.13711.6.camel@trentalancia.com> Message-ID: <1495649158.7185.8.camel@trentalancia.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Update the gpg module so that it can correctly manage socket files and directories in the user runtime directories. Some other minor gpg fixes are also included in this patch. This is the fourth version (v4) of this patch and it features some improvements thanks to feedback received from Christopher PeBenito. The dirmngr policy introduced in version 3 has now been removed because someone else was already working on it (I was not aware of it). Signed-off-by: Guido Trentalancia
---
 policy/modules/contrib/gpg.fc | 2 +-
 policy/modules/contrib/gpg.te | 21 ++++++++++++++++++++-
 2 files changed, 21 insertions(+), 2 deletions(-)
--- a/policy/modules/contrib/gpg.fc 2017-03-29 17:58:00.281386397 +0200
+++ b/policy/modules/contrib/gpg.fc 2017-05-24 19:47:04.943660156 +0200
@@ -11,4 +11,4 @@ HOME_DIR/\.gnupg/S\.scdaemon -s gen_con
 /usr/lib/gnupg/.* -- gen_context(system_u:object_r:gpg_exec_t,s0)
 /usr/lib/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0)
-/run/user/%{USERID}/gnupg(/.*)? gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
+/run/user/%{USERID}/gnupg(/.*)? gen_context(system_u:object_r:gpg_runtime_t,s0)
--- a/policy/modules/contrib/gpg.te 2017-04-26 17:47:20.555423022 +0200
+++ b/policy/modules/contrib/gpg.te 2017-05-24 19:47:39.484660015 +0200
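Review bot: The new gpg.fc entry labels the whole /run/user/%{USERID}/gnupg tree gpg_runtime_t through `(/.*)?`, while the gpg.te hunk at @@ -226 transitions the sockets gpg-agent creates inside that directory to gpg_agent_tmp_t, and neither gpg_t nor gpg_agent_t is given any sock_file permission on gpg_runtime_t anywhere in the patch. Sockets created at runtime therefore carry gpg_agent_tmp_t, but any relabel of the runtime directory from the file contexts would turn them into gpg_runtime_t objects that the agent can no longer unlink or recreate and the client cannot write to. Either the sockets should be gpg_runtime_t consistently (manage_sock_files_pattern on gpg_runtime_t for gpg_agent_t, write access for gpg_t, the six sock_file transitions dropped), or the file context should only claim what the policy actually labels that way: `/run/user/%{USERID}/gnupg -d gen_context(system_u:object_r:gpg_runtime_t,s0)` plus `/run/user/%{USERID}/gnupg/.* -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)`.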
@@ -29,6 +29,9 @@ type gpg_exec_t;
 userdom_user_application_domain(gpg_t, gpg_exec_t)
 role gpg_roles types gpg_t;
+type gpg_runtime_t;
+files_pid_file(gpg_runtime_t)
+
 type gpg_agent_t;
 type gpg_agent_exec_t;
 userdom_user_application_domain(gpg_agent_t, gpg_agent_exec_t)
@@ -72,8 +75,12 @@ dontaudit gpg_t self:netlink_audit_socke
 allow gpg_t self:fifo_file rw_fifo_file_perms;
 allow gpg_t self:tcp_socket { accept listen };
+manage_dirs_pattern(gpg_t, gpg_runtime_t, gpg_runtime_t)
+userdom_user_runtime_filetrans(gpg_t, gpg_runtime_t, dir, "gnupg")
+
 manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
 manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
+manage_sock_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
 files_tmp_filetrans(gpg_t, gpg_agent_tmp_t, { dir file })
 manage_dirs_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
@@ -124,6 +131,7 @@ miscfiles_read_localization(gpg_t)
 userdom_use_user_terminals(gpg_t)
+userdom_manage_user_tmp_dirs(gpg_t)
 userdom_manage_user_tmp_files(gpg_t)
 userdom_manage_user_home_content_files(gpg_t)
 userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)
@@ -215,6 +223,9 @@ manage_sock_files_pattern(gpg_agent_t, g
 manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
 manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
+manage_dirs_pattern(gpg_agent_t, gpg_runtime_t, gpg_runtime_t)
+userdom_user_runtime_filetrans(gpg_agent_t, gpg_runtime_t, dir, "gnupg")
+
 manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
 manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
 manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
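Review bot: gpg_runtime_t is declared with files_pid_file() alone, which does not make the type ubac_constrained, even though everything it labels lives in per-user runtime directories (the `"gnupg"` transitions in the later hunks). If gpg_agent_tmp_t and gpg_secret_t are declared through the userdom content interfaces, which attach ubac_constrained, gpg_runtime_t should match them so that user-based access control separates one user's socket directory from another's as it does for the rest of the module's per-user content; add `ubac_constrained(gpg_runtime_t)` after the files_pid_file() line. The declaration block continues outside the hunk, so the existing declarations of those two types are not visible here and this is inferred from the module's conventions.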
@@ -226,6 +237,12 @@ filetrans_pattern(gpg_agent_t, gpg_secre
 filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.extra")
 filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.ssh")
 filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.scdaemon")
+filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, sock_file, "log-socket")
+filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent")
+filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.browser")
+filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.extra")
+filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.ssh")
+filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, sock_file, "S.scdaemon")
 domtrans_pattern(gpg_agent_t, gpg_pinentry_exec_t, gpg_pinentry_t)
@@ -250,7 +267,7 @@ miscfiles_read_localization(gpg_agent_t)
 userdom_use_user_terminals(gpg_agent_t)
 userdom_search_user_home_dirs(gpg_agent_t)
 userdom_search_user_runtime(gpg_agent_t)
-userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, dir)
+userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, { dir file sock_file })
 ifdef(`hide_broken_symptoms',`
 userdom_dontaudit_read_user_tmp_files(gpg_agent_t)
@@ -310,6 +327,7 @@ fs_tmpfs_filetrans(gpg_pinentry_t, gpg_p
 can_exec(gpg_pinentry_t, gpg_pinentry_exec_t)
+kernel_dontaudit_search_sysctl(gpg_pinentry_t)
 kernel_read_system_state(gpg_pinentry_t)
 corecmd_exec_shell(gpg_pinentry_t)
@@ -327,6 +345,7 @@ domain_use_interactive_fds(gpg_pinentry_
 files_read_usr_files(gpg_pinentry_t)
+fs_dontaudit_getattr_xattr_fs(gpg_pinentry_t)
 fs_dontaudit_list_inotifyfs(gpg_pinentry_t)
 auth_use_nsswitch(gpg_pinentry_t)
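Review bot: Widening the unnamed user_runtime_t transition on the `+userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, { dir file sock_file })` line only affects objects gpg-agent creates directly in the user runtime root, because the named `"gnupg"` transition added at @@ -215 now sends the gnupg directory to gpg_runtime_t and everything below it is governed by the gpg_runtime_t rules at @@ -226. Unless gpg-agent is known to create files or sockets straight in that root directory, the file and sock_file classes here never fire and merely make gpg_agent_tmp_t the default label for anything it might create there. If they are needed, naming the objects as the @@ -226 hunk does keeps the rule narrow; otherwise the original `dir`-only form can stay.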
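Review bot: The two dontaudit additions, `kernel_dontaudit_search_sysctl(gpg_pinentry_t)` in this hunk and `fs_dontaudit_getattr_xattr_fs(gpg_pinentry_t)` at @@ -327, silence denials without recording what triggers them, and the commit message only calls them minor fixes. A dontaudit also hides any future real denial of that access from the audit log, so a one-line comment above each naming the probe it covers, for example `# startup probe by pinentry; access not needed` if that is what was observed, would let a later reviewer judge whether the rule is still warranted. gpg_pinentry_t's rule block starts and ends outside both hunks.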