From: jason@perfinion.com (Jason Zaman)
Date: Fri, 26 May 2017 23:57:56 +0800
Subject: [refpolicy] [PATCH 1/6] dirmngr: add to roles and allow gpg to
	domtrans
Message-ID: <20170526155801.5441-1-jason@perfinion.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

---
 dirmngr.if | 69 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 gpg.te     |  4 ++++
 2 files changed, 73 insertions(+)

diff --git a/dirmngr.if b/dirmngr.if
index 4cd2810..2f6875a 100644
--- a/dirmngr.if
+++ b/dirmngr.if
@@ -1,5 +1,74 @@
 ## <summary>Server for managing and downloading certificate revocation lists.</summary>
 
+############################################################
+## <summary>
+##	Role access for dirmngr.
+## </summary>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	User domain for the role.
+##	</summary>
+## </param>
+#
+interface(`dirmngr_role',`
+	gen_require(`
+		type dirmngr_t, dirmngr_exec_t;
+	')
+
+	role $1 types dirmngr_t;
+
+	domtrans_pattern($2, dirmngr_exec_t, dirmngr_t)
+
+	allow $2 dirmngr_t:process { ptrace signal_perms };
+	ps_process_pattern($2, dirmngr_t)
+
+	allow dirmngr_t $2:fd use;
+	allow dirmngr_t $2:fifo_file { read write };
+')
+
+########################################
+## <summary>
+##	Execute dirmngr in the dirmngr domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`dirmngr_domtrans',`
+	gen_require(`
+		type dirmngr_t, dirmngr_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, dirmngr_exec_t, dirmngr_t)
+')
+
+########################################
+## <summary>
+##	Execute the dirmngr in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dirmngr_exec',`
+	gen_require(`
+		type dirmngr_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, dirmngr_exec_t)
+')
+
 ########################################
 ## <summary>
 ##	All of the rules required to
diff --git a/gpg.te b/gpg.te
index 5e87028..d6239c5 100644
--- a/gpg.te
+++ b/gpg.te
@@ -139,6 +139,10 @@ tunable_policy(`use_samba_home_dirs',`
 ')
 
 optional_policy(`
+	dirmngr_domtrans(gpg_t)
+')
+
+optional_policy(`
 	evolution_read_orbit_tmp_files(gpg_t)
 ')
 
-- 
2.13.0