From: dac.override@gmail.com (Dominick Grift)
Date: Mon, 5 Jun 2017 14:49:38 +0200
Subject: [refpolicy] [PATCH v4] gpg: manage user runtime socket files
 and directories
In-Reply-To: <ce138f0a-b474-90bc-b19d-d6710dd590a6@ieee.org>
References: <1495383664.21167.2.camel@trentalancia.com>
	<f345f89d-7ee2-b84e-fcfd-c8f718ab9a50@ieee.org>
	<1495574513.16791.0.camel@trentalancia.com>
	<1495643527.13711.6.camel@trentalancia.com>
	<1495649158.7185.8.camel@trentalancia.com>
	<31ab8383-a031-fe23-0425-46c903791bd0@ieee.org>
	<20170605073511.GA22448@julius.enp8s0.d30>
	<ce138f0a-b474-90bc-b19d-d6710dd590a6@ieee.org>
Message-ID: <20170605124938.GA9899@julius.enp8s0.d30>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, Jun 05, 2017 at 08:13:45AM -0400, Chris PeBenito via refpolicy wrote:
> On 06/05/2017 03:35 AM, Dominick Grift via refpolicy wrote:
> > On Sun, Jun 04, 2017 at 08:42:18PM -0400, Chris PeBenito via refpolicy wrote:
> >> On 05/24/2017 02:05 PM, Guido Trentalancia via refpolicy wrote:
> >>> Update the gpg module so that it can correctly manage socket files
> >>> and directories in the user runtime directories.
> >>>
> >>> Some other minor gpg fixes are also included in this patch.
> >>>
> >>> This is the fourth version (v4) of this patch and it features some
> >>> improvements thanks to feedback received from Christopher PeBenito.
> >>>
> >>> The dirmngr policy introduced in version 3 has now been removed
> >>> because someone else was already working on it (I was not aware of
> >>> it).
> >>>
> >>> Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
> >>> ---
> >>>  policy/modules/contrib/gpg.fc |    2 +-
> >>>  policy/modules/contrib/gpg.te |   21 ++++++++++++++++++++-
> >>>  2 files changed, 21 insertions(+), 2 deletions(-)
> >>>
> >>> --- a/policy/modules/contrib/gpg.fc	2017-03-29 17:58:00.281386397 +0200
> >>> +++ b/policy/modules/contrib/gpg.fc	2017-05-24 19:47:04.943660156 +0200
> >>> @@ -11,4 +11,4 @@ HOME_DIR/\.gnupg/S\.scdaemon		-s	gen_con
> >>>  /usr/lib/gnupg/.*			--	gen_context(system_u:object_r:gpg_exec_t,s0)
> >>>  /usr/lib/gnupg/gpgkeys.*		--	gen_context(system_u:object_r:gpg_helper_exec_t,s0)
> >>>
> >>> -/run/user/%{USERID}/gnupg(/.*)?			gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
> >>> +/run/user/%{USERID}/gnupg(/.*)?			gen_context(system_u:object_r:gpg_runtime_t,s0)
> >>> --- a/policy/modules/contrib/gpg.te	2017-04-26 17:47:20.555423022 +0200
> >>> +++ b/policy/modules/contrib/gpg.te	2017-05-24 19:47:39.484660015 +0200
> >>> @@ -29,6 +29,9 @@ type gpg_exec_t;
> >>>  userdom_user_application_domain(gpg_t, gpg_exec_t)
> >>>  role gpg_roles types gpg_t;
> >>>
> >>> +type gpg_runtime_t;
> >>> +files_pid_file(gpg_runtime_t)
> >>> +
> >>>  type gpg_agent_t;
> >>>  type gpg_agent_exec_t;
> >>>  userdom_user_application_domain(gpg_agent_t, gpg_agent_exec_t)
> >>> @@ -72,8 +75,12 @@ dontaudit gpg_t self:netlink_audit_socke
> >>>  allow gpg_t self:fifo_file rw_fifo_file_perms;
> >>>  allow gpg_t self:tcp_socket { accept listen };
> >>>
> >>> +manage_dirs_pattern(gpg_t, gpg_runtime_t, gpg_runtime_t)
> >>> +userdom_user_runtime_filetrans(gpg_t, gpg_runtime_t, dir, "gnupg")
> >>> +
> >>>  manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
> >>>  manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
> >>> +manage_sock_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
> >>>  files_tmp_filetrans(gpg_t, gpg_agent_tmp_t, { dir file })
> >>>
> >>>  manage_dirs_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
> >>> @@ -124,6 +131,7 @@ miscfiles_read_localization(gpg_t)
> >>>
> >>>  userdom_use_user_terminals(gpg_t)
> >>>
> >>> +userdom_manage_user_tmp_dirs(gpg_t)
> >>>  userdom_manage_user_tmp_files(gpg_t)
> >>>  userdom_manage_user_home_content_files(gpg_t)
> >>>  userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)
> >>> @@ -215,6 +223,9 @@ manage_sock_files_pattern(gpg_agent_t, g
> >>>  manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
> >>>  manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
> >>>
> >>> +manage_dirs_pattern(gpg_agent_t, gpg_runtime_t, gpg_runtime_t)
> >>> +userdom_user_runtime_filetrans(gpg_agent_t, gpg_runtime_t, dir, "gnupg")
> >>> +
> >>>  manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
> >>>  manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
> >>>  manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
> >>> @@ -226,6 +237,12 @@ filetrans_pattern(gpg_agent_t, gpg_secre
> >>>  filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.extra")
> >>>  filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.ssh")
> >>>  filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.scdaemon")
> >>> +filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, sock_file, "log-socket")
> >>> +filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent")
> >>> +filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.browser")
> >>> +filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.extra")
> >>> +filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.ssh")
> >>> +filetrans_pattern(gpg_agent_t, gpg_runtime_t, gpg_agent_tmp_t, sock_file, "S.scdaemon")
> >>
> >> My only question is with these name transitions.  Yes, there already are
> >> several, but are there any sock_files that are not gpg_agent_tmp_t?  If
> >> not, then I see no value with doing anything but having two transitions,
> >> on gpg_secret_t and gpg_runtime_t, without specifying any names.
> >
> > not sure scdaemon is targeted but s.scdaemon is owned by scdaemon, I am not aware of any "log-socket"
> > there is also a S.dirmngr socket but that is not handled in the gpg module i suppose
> >
> > even then though there may be no need for name-based type transitions. I use name-based type transitions excessively for unconfined users, since they go nowhere ever, and since i still want the labels in /home consistently i am forced to use them where possible
> 
> gpg_agent_t isn't unconfined.

I know but i am refering to unconfined users. so if a unconfined user rules gpg-agent then gpg-agent ends up in "unconfined_t" but i still want that socket to be labeled with the private type

> 
> -- 
> Chris PeBenito
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 659 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20170605/e9471508/attachment.bin