From: guido@trentalancia.com (Guido Trentalancia) Date: Mon, 05 Jun 2017 16:42:24 +0200 Subject: [refpolicy] [PATCH v5] gpg: manage user runtime socket files and directories In-Reply-To: <31ab8383-a031-fe23-0425-46c903791bd0@ieee.org> References: <1495383664.21167.2.camel@trentalancia.com> <1495574513.16791.0.camel@trentalancia.com> <1495643527.13711.6.camel@trentalancia.com> <1495649158.7185.8.camel@trentalancia.com> <31ab8383-a031-fe23-0425-46c903791bd0@ieee.org> Message-ID: <1496673744.4528.0.camel@trentalancia.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Update the gpg module so that it can correctly manage socket files and directories in the user runtime directories. Some other minor gpg fixes are also included in this patch. This is the fifth version (v5) of this patch and it features some improvements thanks to feedback received from Christopher PeBenito. The dirmngr policy introduced in version 3 has now been removed because dirmngr is handled in a separate module (although this approach is probably wrong, it should be part of the gpg module). Signed-off-by: Guido Trentalancia --- policy/modules/contrib/gpg.fc | 2 +- policy/modules/contrib/gpg.te | 23 ++++++++++++++++------- 2 files changed, 17 insertions(+), 8 deletions(-) --- a/policy/modules/contrib/gpg.fc 2017-03-29 17:58:00.281386397 +0200 +++ b/policy/modules/contrib/gpg.fc 2017-06-05 16:33:38.335731893 +0200 @@ -11,4 +11,4 @@ HOME_DIR/\.gnupg/S\.scdaemon -s gen_con /usr/lib/gnupg/.* -- gen_context(system_u:object_r:gpg_exec_t,s0) /usr/lib/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0) -/run/user/%{USERID}/gnupg(/.*)? gen_context(system_u:object_r:gpg_agent_tmp_t,s0) +/run/user/%{USERID}/gnupg(/.*)? gen_context(system_u:object_r:gpg_runtime_t,s0) --- a/policy/modules/contrib/gpg.te 2017-04-26 17:47:20.555423022 +0200 +++ b/policy/modules/contrib/gpg.te 2017-06-05 16:34:55.706731576 +0200 
@@ -29,6 +29,9 @@ type gpg_exec_t; userdom_user_application_domain(gpg_t, gpg_exec_t) role gpg_roles types gpg_t; +type gpg_runtime_t; +files_pid_file(gpg_runtime_t) + type gpg_agent_t; type gpg_agent_exec_t; userdom_user_application_domain(gpg_agent_t, gpg_agent_exec_t) @@ -72,8 +75,12 @@ dontaudit gpg_t self:netlink_audit_socke allow gpg_t self:fifo_file rw_fifo_file_perms; allow gpg_t self:tcp_socket { accept listen }; +manage_dirs_pattern(gpg_t, gpg_runtime_t, gpg_runtime_t) +userdom_user_runtime_filetrans(gpg_t, gpg_runtime_t, dir, "gnupg") + manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t) manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t) +manage_sock_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t) files_tmp_filetrans(gpg_t, gpg_agent_tmp_t, { dir file }) manage_dirs_pattern(gpg_t, gpg_secret_t, gpg_secret_t) @@ -124,6 +131,7 @@ miscfiles_read_localization(gpg_t) userdom_use_user_terminals(gpg_t) +userdom_manage_user_tmp_dirs(gpg_t) userdom_manage_user_tmp_files(gpg_t) userdom_manage_user_home_content_files(gpg_t) userdom_user_home_dir_filetrans_user_home_content(gpg_t, file) 
@@ -215,17 +223,16 @@ manage_sock_files_pattern(gpg_agent_t, g manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) +manage_dirs_pattern(gpg_agent_t, gpg_runtime_t, gpg_runtime_t) +userdom_user_runtime_filetrans(gpg_agent_t, gpg_runtime_t, dir, "gnupg") + manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t) manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t) manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t) files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir }) -filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "log-socket") -filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent") -filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.browser") -filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.extra") -filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.ssh") -filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.scdaemon") +filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file) +filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, sock_file) domtrans_pattern(gpg_agent_t, gpg_pinentry_exec_t, gpg_pinentry_t) @@ -250,7 +257,7 @@ miscfiles_read_localization(gpg_agent_t) userdom_use_user_terminals(gpg_agent_t) userdom_search_user_home_dirs(gpg_agent_t) userdom_search_user_runtime(gpg_agent_t) -userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, dir) +userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, { dir file sock_file }) ifdef(`hide_broken_symptoms',` userdom_dontaudit_read_user_tmp_files(gpg_agent_t) 
@@ -310,6 +317,7 @@ fs_tmpfs_filetrans(gpg_pinentry_t, gpg_p can_exec(gpg_pinentry_t, gpg_pinentry_exec_t) +kernel_dontaudit_search_sysctl(gpg_pinentry_t) kernel_read_system_state(gpg_pinentry_t) corecmd_exec_shell(gpg_pinentry_t) @@ -327,6 +335,7 @@ domain_use_interactive_fds(gpg_pinentry_ files_read_usr_files(gpg_pinentry_t) +fs_dontaudit_getattr_xattr_fs(gpg_pinentry_t) fs_dontaudit_list_inotifyfs(gpg_pinentry_t) auth_use_nsswitch(gpg_pinentry_t)
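Review bot: In the gpg.fc hunk the whole /run/user/%{USERID}/gnupg(/.*)? tree is relabelled to gpg_runtime_t, but the gpg.te hunks still create the agent's sockets inside that directory as gpg_agent_tmp_t (filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, sock_file)) and gpg_agent_t only receives manage_dirs_pattern() on gpg_runtime_t, not manage_sock_files_pattern(). A restorecon of the runtime directory would therefore relabel live sockets to gpg_runtime_t, a type the agent is not allowed to unlink or re-create, so the agent would break after any relabel. Either add fc entries under gnupg/ for the socket names with gpg_agent_tmp_t, or label the sockets gpg_runtime_t consistently by adding manage_sock_files_pattern(gpg_agent_t, gpg_runtime_t, gpg_runtime_t) and dropping the sock_file transition to gpg_agent_tmp_t.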
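Review bot: In the @@ -29,6 +29,9 @@ hunk, gpg_runtime_t is declared with files_pid_file() and nothing else, and the diffstat shows gpg.if is untouched. If gpg.if has an interface that lets other domains reach the gpg_agent_tmp_t socket, those domains now have to search a gpg_runtime_t directory that no rule grants them; add the corresponding search_dirs_pattern() on gpg_runtime_t to that interface in this patch, and put a short comment above the type declaration saying it labels the per-user runtime directory.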
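Review bot: In the @@ -215,17 +223,16 @@ hunk the six named filetrans_pattern() rules are replaced by two unnamed ones, so any socket the agent creates in gpg_secret_t or gpg_runtime_t transitions to gpg_agent_tmp_t regardless of name, and the set of sockets the agent is expected to create is no longer visible in the policy. The commit message does not say why the names were dropped; if they were incomplete or version-dependent, say so, otherwise keep the named form for the new directory, e.g. filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent"), one line per socket.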
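Review bot: In the @@ -250,7 +257,7 @@ hunk, userdom_user_runtime_filetrans(gpg_agent_t, gpg_agent_tmp_t, { dir file sock_file }) adds an unnamed transition for directories, files and sockets created directly in the user runtime directory, while the earlier hunk already gives the named "gnupg" directory gpg_runtime_t. If the agent only writes under gnupg/, the unnamed dir transition is dead and the file and sock_file classes are broader than needed; narrow the rule to what the agent actually creates at the top level, or remove it if nothing does.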
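Review bot: The two pinentry hunks (@@ -310,6 +317,7 @@ and @@ -327,6 +335,7 @@) add kernel_dontaudit_search_sysctl() and fs_dontaudit_getattr_xattr_fs() with no more explanation than "some other minor gpg fixes" in the commit message. State which pinentry frontend triggers these accesses and that they are not needed for correct operation, so a later reader can distinguish a silenced harmless probe from a permission that is actually missing.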