From: dac.override@gmail.com (Dominick Grift) Date: Mon, 5 Jun 2017 09:35:11 +0200 Subject: [refpolicy] [PATCH v4] gpg: manage user runtime socket files and directories In-Reply-To: <31ab8383-a031-fe23-0425-46c903791bd0@ieee.org> References: <1495383664.21167.2.camel@trentalancia.com> <1495574513.16791.0.camel@trentalancia.com> <1495643527.13711.6.camel@trentalancia.com> <1495649158.7185.8.camel@trentalancia.com> <31ab8383-a031-fe23-0425-46c903791bd0@ieee.org> Message-ID: <20170605073511.GA22448@julius.enp8s0.d30> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Sun, Jun 04, 2017 at 08:42:18PM -0400, Chris PeBenito via refpolicy wrote: > On 05/24/2017 02:05 PM, Guido Trentalancia via refpolicy wrote: > > Update the gpg module so that it can correctly manage socket files > > and directories in the user runtime directories. > > > > Some other minor gpg fixes are also included in this patch. > > > > This is the fourth version (v4) of this patch and it features some > > improvements thanks to feedback received from Christopher PeBenito. > > > > The dirmngr policy introduced in version 3 has now been removed > > because someone else was already working on it (I was not aware of > > it). > > > > Signed-off-by: Guido Trentalancia > > --- > > policy/modules/contrib/gpg.fc | 2 +- > > policy/modules/contrib/gpg.te | 21 ++++++++++++++++++++- > > 2 files changed, 21 insertions(+), 2 deletions(-) > > > > --- a/policy/modules/contrib/gpg.fc 2017-03-29 17:58:00.281386397 +0200 > > +++ b/policy/modules/contrib/gpg.fc 2017-05-24 19:47:04.943660156 +0200 > > @@ -11,4 +11,4 @@ HOME_DIR/\.gnupg/S\.scdaemon -s gen_con > > /usr/lib/gnupg/.* -- gen_context(system_u:object_r:gpg_exec_t,s0) > > /usr/lib/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0) > > > > -/run/user/%{USERID}/gnupg(/.*)? gen_context(system_u:object_r:gpg_agent_tmp_t,s0) > > +/run/user/%{USERID}/gnupg(/.*)? gen_context(system_u:object_r:gpg_runtime_t,s0) > > --- a/policy/modules/contrib/gpg.te 2017-04-26 17:47:20.555423022 +0200 > > +++ b/policy/modules/contrib/gpg.te 2017-05-24 19:47:39.484660015 +0200 > > @@ -29,6 +29,9 @@ type gpg_exec_t; > > userdom_user_application_domain(gpg_t, gpg_exec_t) > > role gpg_roles types gpg_t; > > > > +type gpg_runtime_t; > > +files_pid_file(gpg_runtime_t) > > + > > type gpg_agent_t; > > type gpg_agent_exec_t; > > userdom_user_application_domain(gpg_agent_t, gpg_agent_exec_t) > > @@ -72,8 +75,12 @@ dontaudit gpg_t self:netlink_audit_socke > > allow gpg_t self:fifo_file rw_fifo_file_perms; > > allow gpg_t self:tcp_socket { accept listen }; > > > > +manage_dirs_pattern(gpg_t, gpg_runtime_t, gpg_runtime_t) > > +userdom_user_runtime_filetrans(gpg_t, gpg_runtime_t, dir, "gnupg") > > + > > manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t) > > manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t) > > +manage_sock_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t) > > files_tmp_filetrans(gpg_t, gpg_agent_tmp_t, { dir file }) > > > > manage_dirs_pattern(gpg_t, gpg_secret_t, gpg_secret_t) > > @@ -124,6 +131,7 @@ miscfiles_read_localization(gpg_t) > > > > userdom_use_user_terminals(gpg_t) > > > > +userdom_manage_user_tmp_dirs(gpg_t) > > userdom_manage_user_tmp_files(gpg_t) > > userdom_manage_user_home_content_files(gpg_t) > > userdom_user_home_dir_filetrans_user_home_content(gpg_t, file) > > @@ -215,6 +223,9 @@ manage_sock_files_pattern(gpg_agent_t, g > > manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) > > manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) > > > > +manage_dirs_pattern(gpg_agent_t, gpg_runtime_t, gpg_runtime_t) > > +userdom_user_runtime_filetrans(gpg_agent_t, gpg_runtime_t, dir, "gnupg") > > + > > manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t) > > manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t) > > manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t) > > @@ -226,6 +237,12 @@ filetrans_pattern(gpg_agent_t, gpg_secre > > filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.extra") > > filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.ssh") > > filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.scdaemon") > > +filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, sock_file, "log-socket") > > +filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent") > > +filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.browser") > > +filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.extra") > > +filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.ssh") > > +filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, sock_file, "S.scdaemon") > > My only question is with these name transitions. Yes, there already are > several, but are there any sock_files that are not gpg_agent_tmp_t? If > not, then I see no value with doing anything but having two transitions, > on gpg_secret_t and gpg_runtime_t, without specifying any names. not sure scdaemon is targeted but s.scdaemon is owned by scdaemon, I am not aware of any "log-socket" there is also a S.dirmngr socket but that is not handled in the gpg module i suppose even then though there may be no need for name-based type transitions. I use name-based type transitions excessively for unconfined users, since they go nowhere ever, and since i still want the labels in /home consistently i am forced to use them where possible > > > > domtrans_pattern(gpg_agent_t, gpg_pinentry_exec_t, gpg_pinentry_t) > > > > @@ -250,7 +267,7 @@ miscfiles_read_localization(gpg_agent_t) > > userdom_use_user_terminals(gpg_agent_t) > > userdom_search_user_home_dirs(gpg_agent_t) > > userdom_search_user_runtime(gpg_agent_t) > > -userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, dir) > > +userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, { dir file sock_file }) > > > > ifdef(`hide_broken_symptoms',` > > userdom_dontaudit_read_user_tmp_files(gpg_agent_t) > > @@ -310,6 +327,7 @@ fs_tmpfs_filetrans(gpg_pinentry_t, gpg_p > > > > can_exec(gpg_pinentry_t, gpg_pinentry_exec_t) > > > > +kernel_dontaudit_search_sysctl(gpg_pinentry_t) > > kernel_read_system_state(gpg_pinentry_t) > > > > corecmd_exec_shell(gpg_pinentry_t) > > @@ -327,6 +345,7 @@ domain_use_interactive_fds(gpg_pinentry_ > > > > files_read_usr_files(gpg_pinentry_t) > > > > +fs_dontaudit_getattr_xattr_fs(gpg_pinentry_t) > > fs_dontaudit_list_inotifyfs(gpg_pinentry_t) > > > > auth_use_nsswitch(gpg_pinentry_t) > > -- > Chris PeBenito > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 659 bytes Desc: not available Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20170605/68075ee4/attachment.bin