From: jason@perfinion.com (Jason Zaman)
Date: Fri, 26 May 2017 23:57:58 +0800
Subject: [refpolicy] [PATCH 3/6] dirmngr: fcontext for ~/.gnupg/crls.d/
In-Reply-To: <20170526155801.5441-1-jason@perfinion.com>
References: <20170526155801.5441-1-jason@perfinion.com>
Message-ID: <20170526155801.5441-3-jason@perfinion.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
---
dirmngr.fc | 2 ++
dirmngr.te | 7 +++++++
gpg.if | 20 ++++++++++++++++++++
3 files changed, 29 insertions(+)
diff --git a/dirmngr.fc b/dirmngr.fc
index a9cf15a..60f19f4 100644
--- a/dirmngr.fc
+++ b/dirmngr.fc
@@ -1,3 +1,5 @@
+HOME_DIR/\.gnupg/crls\.d(/.+)? gen_context(system_u:object_r:dirmngr_home_t,s0)
+
/etc/dirmngr(/.*)? gen_context(system_u:object_r:dirmngr_conf_t,s0)
/etc/rc\.d/init\.d/dirmngr -- gen_context(system_u:object_r:dirmngr_initrc_exec_t,s0)
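Review bot: The new entry on the first line uses `(/.+)?` for the subtree, while the existing `/etc/dirmngr(/.*)?` entry directly below it and refpolicy's other home-directory contexts use `(/.*)?`; matching that form, `HOME_DIR/\.gnupg/crls\.d(/.*)? gen_context(system_u:object_r:dirmngr_home_t,s0)`, keeps the file consistent and avoids a needless difference from the `~/.gnupg` entry in gpg.fc that this one has to out-rank. That out-ranking should hold because this pattern has the longer literal stem, but it is worth confirming with `matchpathcon ~/.gnupg/crls.d` after the policy is installed, since a mislabel here would leave the directory as gpg_secret_t and the read rules in dirmngr.te would never apply.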
diff --git a/dirmngr.te b/dirmngr.te
index 8e4a1a8..17cce56 100644
--- a/dirmngr.te
+++ b/dirmngr.te
@@ -27,6 +27,9 @@ files_type(dirmngr_var_lib_t)
type dirmngr_var_run_t;
files_pid_file(dirmngr_var_run_t)
+type dirmngr_home_t;
+userdom_user_home_content(dirmngr_home_t)
+
########################################
#
# Local policy
@@ -37,6 +40,8 @@ allow dirmngr_t self:fifo_file rw_file_perms;
allow dirmngr_t dirmngr_conf_t:dir list_dir_perms;
allow dirmngr_t dirmngr_conf_t:file read_file_perms;
allow dirmngr_t dirmngr_conf_t:lnk_file read_lnk_file_perms;
+allow dirmngr_t dirmngr_home_t:dir list_dir_perms;
+allow dirmngr_t dirmngr_home_t:file read_file_perms;
manage_dirs_pattern(dirmngr_t, dirmngr_log_t, dirmngr_log_t)
append_files_pattern(dirmngr_t, dirmngr_log_t, dirmngr_log_t)
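Review bot: The two added rules grant only `list_dir_perms` and `read_file_perms` on dirmngr_home_t, but the last hunk of this file sets up a `dir` file transition into dirmngr_home_t, and a transition cannot fire without `create` on the target type, so dirmngr_t would be denied creating `~/.gnupg/crls.d` and the transition is dead code as written. At minimum add `create_dirs_pattern(dirmngr_t, dirmngr_home_t, dirmngr_home_t)` next to these rules; if this directory is dirmngr's CRL cache (which the name suggests but the patch does not state), the files written into it also need write/create rights, in which case `manage_dirs_pattern(dirmngr_t, dirmngr_home_t, dirmngr_home_t)` and `manage_files_pattern(dirmngr_t, dirmngr_home_t, dirmngr_home_t)` are the appropriate pair. Either way, a short comment on why the directory is writable by the daemon would help the next reader, since the rest of the home-content handling in this file is search-only.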
@@ -61,6 +66,7 @@ kernel_read_crypto_sysctls(dirmngr_t)
files_read_etc_files(dirmngr_t)
miscfiles_read_localization(dirmngr_t)
+miscfiles_read_generic_certs(dirmngr_t)
userdom_search_user_home_dirs(dirmngr_t)
userdom_search_user_runtime(dirmngr_t)
@@ -68,4 +74,5 @@ userdom_user_runtime_filetrans(dirmngr_t, dirmngr_tmp_t, dir)
optional_policy(`
gpg_agent_tmp_filetrans(dirmngr_t, dirmngr_tmp_t, sock_file)
+ gpg_secret_filetrans(dirmngr_t, dirmngr_home_t, dir)
')
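Review bot: The added `gpg_secret_filetrans(dirmngr_t, dirmngr_home_t, dir)` is an unnamed transition, so every directory dirmngr_t creates directly under a gpg_secret_t directory becomes dirmngr_home_t, while the file context added in dirmngr.fc only labels `crls.d`; anything else the daemon creates there would be relabelled back to gpg_secret_t by restorecon and would then be unreadable by the read rules earlier in this file. The interface accepts an optional name as its fourth argument, so `gpg_secret_filetrans(dirmngr_t, dirmngr_home_t, dir, "crls.d")` pins the runtime label to the same path the fcontext covers and keeps the two in agreement. This call sits inside an `optional_policy` block whose opening line is in the hunk but which is otherwise unchanged.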
diff --git a/gpg.if b/gpg.if
index 4480f9c..e5a1275 100644
--- a/gpg.if
+++ b/gpg.if
@@ -254,6 +254,26 @@ interface(`gpg_agent_tmp_filetrans',`
########################################
##
+## filetrans in gpg_secret_t dirs
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gpg_secret_filetrans',`
+ gen_require(`
+ type gpg_secret_t;
+ ')
+
+ filetrans_pattern($1, gpg_secret_t, $2, $3, $4)
+ allow $1 gpg_secret_t:dir search_dir_perms;
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+##
## Send messages to and from gpg
## pinentry over DBUS.
##
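Review bot: The new `gpg_secret_filetrans` interface takes four arguments but its header only documents the domain; the doc block should also describe `private_type` (the type of the created object), `object_class` (the class or classes the transition applies to) and the optional `name` (the file name the transition is restricted to), in the same form as the `gpg_agent_tmp_filetrans` interface it follows. Two further points on the body: `allow $1 gpg_secret_t:dir search_dir_perms;` is redundant if, as in refpolicy's misc_patterns, `filetrans_pattern` already grants `rw_dir_perms` on the parent type, and that wider grant means callers obtain `add_name`/`remove_name` on the user's `~/.gnupg` directory, which is more than "filetrans in gpg_secret_t dirs" suggests and deserves a sentence in the summary so callers understand what they are handing the domain. Consider dropping the redundant allow and adding a comment such as `## Create objects in gpg_secret_t directories with a type transition; grants rw_dir_perms on gpg_secret_t.`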
--
2.13.0