2017-12-13 18:17:18

by Jason Zaman

Subject: [refpolicy] [PATCH 1/5] gssproxy: allow kerberos nfs filetrans

---
gssproxy.te | 1 +
1 file changed, 1 insertion(+)

diff --git a/gssproxy.te b/gssproxy.te
index c1dcc55..dc7f0e6 100644
--- a/gssproxy.te
+++ b/gssproxy.te
@@ -63,4 +63,5 @@ optional_policy(`
kerberos_manage_host_rcache(gssproxy_t)
kerberos_read_keytab(gssproxy_t)
kerberos_use(gssproxy_t)
+ kerberos_tmp_filetrans_host_rcache(gssproxy_t, file, "nfs_0")
')
--
2.13.6


2017-12-13 18:17:19

by Jason Zaman

Subject: [refpolicy] [PATCH 2/5] dirmngr: allow filetrans in gpg_runtime_t

commit 1b9cd3bd9c44732bdf756301408582bcfe9073c9
("gpg: manage user runtime socket files and directories")
changed /run/user/%{USERID}/gnupg/ to gpg_runtime_t, so the filetrans
for gpg_agent_tmp_t needs updating.
---
dirmngr.te | 3 +++
gpg.if | 19 +++++++++++++++++++
2 files changed, 22 insertions(+)

diff --git a/dirmngr.te b/dirmngr.te
index 8f4cb99..75833a4 100644
--- a/dirmngr.te
+++ b/dirmngr.te
@@ -69,6 +69,7 @@ dev_read_rand(dirmngr_t)
sysnet_dns_name_resolve(dirmngr_t)

corenet_tcp_connect_pgpkeyserver_port(dirmngr_t)
+corenet_udp_bind_generic_node(dirmngr_t)

files_read_etc_files(dirmngr_t)

@@ -81,5 +82,7 @@ userdom_user_runtime_filetrans(dirmngr_t, dirmngr_tmp_t, dir)

optional_policy(`
gpg_agent_tmp_filetrans(dirmngr_t, dirmngr_tmp_t, sock_file)
+ gpg_runtime_filetrans(dirmngr_t, dirmngr_tmp_t, sock_file)
gpg_secret_filetrans(dirmngr_t, dirmngr_home_t, dir)
+ gpg_stream_connect_agent(dirmngr_t)
')
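Review bot: Two of the three added rules are not explained by the commit description, which only covers the filetrans move to gpg_runtime_t: `corenet_udp_bind_generic_node(dirmngr_t)` in the first dirmngr.te hunk and `gpg_stream_connect_agent(dirmngr_t)` in this one. Each widens what dirmngr_t may do (binding UDP sockets on any node, connecting to the agent's socket), so the reason should be recorded next to the rule for later policy audits. For example, a comment like `# dirmngr talks to gpg-agent over its socket in /run/user/%{USERID}/gnupg/` above the stream-connect rule, with the wording confirmed by the author since the motivating denials are not shown here.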
diff --git a/gpg.if b/gpg.if
index 6266019..359560f 100644
--- a/gpg.if
+++ b/gpg.if
@@ -239,6 +239,25 @@ interface(`gpg_agent_tmp_filetrans',`

########################################
## <summary>
+## filetrans in gpg_runtime_t dirs
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gpg_runtime_filetrans',`
+ gen_require(`
+ type gpg_runtime_t;
+ ')
+
+ filetrans_pattern($1, gpg_runtime_t, $2, $3, $4)
+ userdom_search_user_runtime($1)
+')
+
+########################################
+## <summary>
## filetrans in gpg_secret_t dirs
## </summary>
## <param name="domain">
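Review bot: The new `gpg_runtime_filetrans` interface documents only the `domain` parameter, although its body passes `$2`, `$3` and `$4` through in `filetrans_pattern($1, gpg_runtime_t, $2, $3, $4)`. Add `<param>` entries for the private type, the object class and the file name (the last one marked `optional="true"`), and expand the summary to something like `## Create objects in gpg runtime directories with a private type.` Without them a caller has to read the body to learn what each argument controls, which makes it easier to pass a broader class or type than intended. The gpg_secret_filetrans header that follows continues outside the hunk.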
--
2.13.6

2017-12-13 18:17:20

by Jason Zaman

Subject: [refpolicy] [PATCH 3/5] gpg: Add gpg_agent_use_card boolean for OpenPGP cards

---
gpg.te | 13 +++++++++++++
1 file changed, 13 insertions(+)

diff --git a/gpg.te b/gpg.te
index 619fdb4..0ad774e 100644
--- a/gpg.te
+++ b/gpg.te
@@ -14,6 +14,14 @@ policy_module(gpg, 2.12.3)
## </desc>
gen_tunable(gpg_agent_env_file, false)

+## <desc>
+## <p>
+## Determine whether GPG agent can use OpenPGP
+## cards or Yubikeys over USB
+## </p>
+## </desc>
+gen_tunable(gpg_agent_use_card, false)
+
attribute_role gpg_roles;
roleattribute system_r gpg_roles;

@@ -274,6 +282,11 @@ tunable_policy(`gpg_agent_env_file',`
userdom_user_home_dir_filetrans_user_home_content(gpg_agent_t, file)
')

+tunable_policy(`gpg_agent_use_card',`
+ dev_read_sysfs(gpg_agent_t)
+ dev_rw_generic_usb_dev(gpg_agent_t)
+')
+
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(gpg_agent_t)
fs_manage_nfs_files(gpg_agent_t)
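Review bot: `dev_rw_generic_usb_dev(gpg_agent_t)` in the new `gpg_agent_use_card` block looks broader than the tunable's description suggests. Going by the interface name, it grants read/write on every generically labelled USB device node rather than only card readers or Yubikeys; the interface body is not visible here, so this should be confirmed. The description added in the first hunk should state that scope, e.g. `## Determine whether GPG agent can read and write generic USB devices, as needed for OpenPGP cards or Yubikeys`, so an administrator enabling the boolean knows what is being opened up. The use_nfs_home_dirs block that follows continues outside the hunk.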
--
2.13.6

2017-12-13 18:17:21

by Jason Zaman

Subject: [refpolicy] [PATCH 4/5] cachefilesd: make cachefilesd_cache_t a mountpoint

---
cachefilesd.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cachefilesd.te b/cachefilesd.te
index d225d74..d09ac56 100644
--- a/cachefilesd.te
+++ b/cachefilesd.te
@@ -13,7 +13,7 @@ type cachefilesd_initrc_exec_t;
init_script_file(cachefilesd_initrc_exec_t)

type cachefilesd_cache_t;
-files_type(cachefilesd_cache_t)
+files_mountpoint(cachefilesd_cache_t)

type cachefilesd_var_run_t;
files_pid_file(cachefilesd_var_run_t)
--
2.13.6

2017-12-13 18:17:22

by Jason Zaman

Subject: [refpolicy] [PATCH 5/5] Set user_runtime_content_type for all remaining types in /run/user/%{UID}/

---
dbus.te | 1 +
dirmngr.te | 1 +
gnome.te | 2 ++
gpg.te | 2 ++
pulseaudio.te | 1 +
5 files changed, 7 insertions(+)

diff --git a/dbus.te b/dbus.te
index 05c4652..8c9288b 100644
--- a/dbus.te
+++ b/dbus.te
@@ -49,6 +49,7 @@ init_daemon_pid_file(system_dbusd_var_run_t, dir, "dbus")

type session_dbusd_runtime_t;
files_pid_file(session_dbusd_runtime_t)
+userdom_user_runtime_content(session_dbusd_runtime_t)

ifdef(`enable_mcs',`
init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh)
diff --git a/dirmngr.te b/dirmngr.te
index 75833a4..fa5898e 100644
--- a/dirmngr.te
+++ b/dirmngr.te
@@ -20,6 +20,7 @@ logging_log_file(dirmngr_log_t)

type dirmngr_tmp_t;
userdom_user_tmp_file(dirmngr_tmp_t)
+userdom_user_runtime_content(dirmngr_tmp_t)

type dirmngr_var_lib_t;
files_type(dirmngr_var_lib_t)
diff --git a/gnome.te b/gnome.te
index d87daab..b816175 100644
--- a/gnome.te
+++ b/gnome.te
@@ -45,9 +45,11 @@ userdom_user_home_content(gnome_keyring_home_t)

type gnome_keyring_tmp_t;
userdom_user_tmp_file(gnome_keyring_tmp_t)
+userdom_user_runtime_content(gnome_keyring_tmp_t)

type gstreamer_orcexec_t;
application_executable_file(gstreamer_orcexec_t)
+userdom_user_runtime_content(gstreamer_orcexec_t)

##############################
#
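Review bot: `userdom_user_runtime_content(gstreamer_orcexec_t)` adds an executable type, declared with `application_executable_file` on the line above, to the user runtime content attribute, whereas the other types touched by this patch are tmp or pid data. Whatever access other domains hold on that attribute would presumably then extend to these executable files; the interface body is not visible here, so that should be confirmed. A short comment such as `# orc code files are created under /run/user/%{UID}/` above the new line would record why an executable type is included.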
diff --git a/gpg.te b/gpg.te
index 0ad774e..6fc19ca 100644
--- a/gpg.te
+++ b/gpg.te
@@ -39,6 +39,7 @@ role gpg_roles types gpg_t;

type gpg_runtime_t;
files_pid_file(gpg_runtime_t)
+userdom_user_runtime_content(gpg_runtime_t)

type gpg_agent_t;
type gpg_agent_exec_t;
@@ -47,6 +48,7 @@ role gpg_agent_roles types gpg_agent_t;

type gpg_agent_tmp_t;
userdom_user_tmp_file(gpg_agent_tmp_t)
+userdom_user_runtime_content(gpg_agent_tmp_t)

type gpg_secret_t;
userdom_user_home_content(gpg_secret_t)
diff --git a/pulseaudio.te b/pulseaudio.te
index 441d058..8c8e21e 100644
--- a/pulseaudio.te
+++ b/pulseaudio.te
@@ -29,6 +29,7 @@ userdom_user_home_content(pulseaudio_home_t)

type pulseaudio_tmp_t;
userdom_user_tmp_file(pulseaudio_tmp_t)
+userdom_user_runtime_content(pulseaudio_tmp_t)

type pulseaudio_tmpfs_t;
userdom_user_tmpfs_file(pulseaudio_tmpfs_t)
--
2.13.6

2017-12-13 23:18:59

by Chris PeBenito

Subject: [refpolicy] [PATCH 1/5] gssproxy: allow kerberos nfs filetrans

On 12/13/2017 01:17 PM, Jason Zaman wrote:
> ---
> gssproxy.te | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/gssproxy.te b/gssproxy.te
> index c1dcc55..dc7f0e6 100644
> --- a/gssproxy.te
> +++ b/gssproxy.te
> @@ -63,4 +63,5 @@ optional_policy(`
> kerberos_manage_host_rcache(gssproxy_t)
> kerberos_read_keytab(gssproxy_t)
> kerberos_use(gssproxy_t)
> + kerberos_tmp_filetrans_host_rcache(gssproxy_t, file, "nfs_0")
> ')

Is there a reason it has to be limited to only nfs_0? I didn't notice
any type transition conflicts.

--
Chris PeBenito

2017-12-13 23:21:10

by Chris PeBenito

Subject: [refpolicy] [PATCH 2/5] dirmngr: allow filetrans in gpg_runtime_t

On 12/13/2017 01:17 PM, Jason Zaman wrote:
> commit 1b9cd3bd9c44732bdf756301408582bcfe9073c9
> ("gpg: manage user runtime socket files and directories")
> changed /run/user/%{USERID}/gnupg/ to gpg_runtime_t, so the filetrans
> for gpg_agent_tmp_t needs updating.
> ---
> dirmngr.te | 3 +++
> gpg.if | 19 +++++++++++++++++++
> 2 files changed, 22 insertions(+)
>
> diff --git a/dirmngr.te b/dirmngr.te
> index 8f4cb99..75833a4 100644
> --- a/dirmngr.te
> +++ b/dirmngr.te
> @@ -69,6 +69,7 @@ dev_read_rand(dirmngr_t)
> sysnet_dns_name_resolve(dirmngr_t)
>
> corenet_tcp_connect_pgpkeyserver_port(dirmngr_t)
> +corenet_udp_bind_generic_node(dirmngr_t)
>
> files_read_etc_files(dirmngr_t)
>
> @@ -81,5 +82,7 @@ userdom_user_runtime_filetrans(dirmngr_t, dirmngr_tmp_t, dir)
>
> optional_policy(`
> gpg_agent_tmp_filetrans(dirmngr_t, dirmngr_tmp_t, sock_file)
> + gpg_runtime_filetrans(dirmngr_t, dirmngr_tmp_t, sock_file)
> gpg_secret_filetrans(dirmngr_t, dirmngr_home_t, dir)
> + gpg_stream_connect_agent(dirmngr_t)
> ')
> diff --git a/gpg.if b/gpg.if
> index 6266019..359560f 100644
> --- a/gpg.if
> +++ b/gpg.if
> @@ -239,6 +239,25 @@ interface(`gpg_agent_tmp_filetrans',`
>
> ########################################
> ## <summary>
> +## filetrans in gpg_runtime_t dirs
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`gpg_runtime_filetrans',`
> + gen_require(`
> + type gpg_runtime_t;
> + ')
> +
> + filetrans_pattern($1, gpg_runtime_t, $2, $3, $4)
> + userdom_search_user_runtime($1)
> +')
> +
> +########################################
> +## <summary>
> ## filetrans in gpg_secret_t dirs
> ## </summary>
> ## <param name="domain">

Merged.

--
Chris PeBenito

2017-12-13 23:21:41

by Chris PeBenito

Subject: [refpolicy] [PATCH 3/5] gpg: Add gpg_agent_use_card boolean for OpenPGP cards

On 12/13/2017 01:17 PM, Jason Zaman wrote:
> ---
> gpg.te | 13 +++++++++++++
> 1 file changed, 13 insertions(+)
>
> diff --git a/gpg.te b/gpg.te
> index 619fdb4..0ad774e 100644
> --- a/gpg.te
> +++ b/gpg.te
> @@ -14,6 +14,14 @@ policy_module(gpg, 2.12.3)
> ## </desc>
> gen_tunable(gpg_agent_env_file, false)
>
> +## <desc>
> +## <p>
> +## Determine whether GPG agent can use OpenPGP
> +## cards or Yubikeys over USB
> +## </p>
> +## </desc>
> +gen_tunable(gpg_agent_use_card, false)
> +
> attribute_role gpg_roles;
> roleattribute system_r gpg_roles;
>
> @@ -274,6 +282,11 @@ tunable_policy(`gpg_agent_env_file',`
> userdom_user_home_dir_filetrans_user_home_content(gpg_agent_t, file)
> ')
>
> +tunable_policy(`gpg_agent_use_card',`
> + dev_read_sysfs(gpg_agent_t)
> + dev_rw_generic_usb_dev(gpg_agent_t)
> +')
> +
> tunable_policy(`use_nfs_home_dirs',`
> fs_manage_nfs_dirs(gpg_agent_t)
> fs_manage_nfs_files(gpg_agent_t)

Merged.

--
Chris PeBenito

2017-12-13 23:21:54

by Chris PeBenito

Subject: [refpolicy] [PATCH 4/5] cachefilesd: make cachefilesd_cache_t a mountpoint

On 12/13/2017 01:17 PM, Jason Zaman wrote:
> ---
> cachefilesd.te | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/cachefilesd.te b/cachefilesd.te
> index d225d74..d09ac56 100644
> --- a/cachefilesd.te
> +++ b/cachefilesd.te
> @@ -13,7 +13,7 @@ type cachefilesd_initrc_exec_t;
> init_script_file(cachefilesd_initrc_exec_t)
>
> type cachefilesd_cache_t;
> -files_type(cachefilesd_cache_t)
> +files_mountpoint(cachefilesd_cache_t)
>
> type cachefilesd_var_run_t;
> files_pid_file(cachefilesd_var_run_t)

Merged.

--
Chris PeBenito

2017-12-13 23:22:33

by Chris PeBenito

Subject: [refpolicy] [PATCH 5/5] Set user_runtime_content_type for all remaining types in /run/user/%{UID}/

On 12/13/2017 01:17 PM, Jason Zaman wrote:
> ---
> dbus.te | 1 +
> dirmngr.te | 1 +
> gnome.te | 2 ++
> gpg.te | 2 ++
> pulseaudio.te | 1 +
> 5 files changed, 7 insertions(+)
>
> diff --git a/dbus.te b/dbus.te
> index 05c4652..8c9288b 100644
> --- a/dbus.te
> +++ b/dbus.te
> @@ -49,6 +49,7 @@ init_daemon_pid_file(system_dbusd_var_run_t, dir, "dbus")
>
> type session_dbusd_runtime_t;
> files_pid_file(session_dbusd_runtime_t)
> +userdom_user_runtime_content(session_dbusd_runtime_t)
>
> ifdef(`enable_mcs',`
> init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh)
> diff --git a/dirmngr.te b/dirmngr.te
> index 75833a4..fa5898e 100644
> --- a/dirmngr.te
> +++ b/dirmngr.te
> @@ -20,6 +20,7 @@ logging_log_file(dirmngr_log_t)
>
> type dirmngr_tmp_t;
> userdom_user_tmp_file(dirmngr_tmp_t)
> +userdom_user_runtime_content(dirmngr_tmp_t)
>
> type dirmngr_var_lib_t;
> files_type(dirmngr_var_lib_t)
> diff --git a/gnome.te b/gnome.te
> index d87daab..b816175 100644
> --- a/gnome.te
> +++ b/gnome.te
> @@ -45,9 +45,11 @@ userdom_user_home_content(gnome_keyring_home_t)
>
> type gnome_keyring_tmp_t;
> userdom_user_tmp_file(gnome_keyring_tmp_t)
> +userdom_user_runtime_content(gnome_keyring_tmp_t)
>
> type gstreamer_orcexec_t;
> application_executable_file(gstreamer_orcexec_t)
> +userdom_user_runtime_content(gstreamer_orcexec_t)
>
> ##############################
> #
> diff --git a/gpg.te b/gpg.te
> index 0ad774e..6fc19ca 100644
> --- a/gpg.te
> +++ b/gpg.te
> @@ -39,6 +39,7 @@ role gpg_roles types gpg_t;
>
> type gpg_runtime_t;
> files_pid_file(gpg_runtime_t)
> +userdom_user_runtime_content(gpg_runtime_t)
>
> type gpg_agent_t;
> type gpg_agent_exec_t;
> @@ -47,6 +48,7 @@ role gpg_agent_roles types gpg_agent_t;
>
> type gpg_agent_tmp_t;
> userdom_user_tmp_file(gpg_agent_tmp_t)
> +userdom_user_runtime_content(gpg_agent_tmp_t)
>
> type gpg_secret_t;
> userdom_user_home_content(gpg_secret_t)
> diff --git a/pulseaudio.te b/pulseaudio.te
> index 441d058..8c8e21e 100644
> --- a/pulseaudio.te
> +++ b/pulseaudio.te
> @@ -29,6 +29,7 @@ userdom_user_home_content(pulseaudio_home_t)
>
> type pulseaudio_tmp_t;
> userdom_user_tmp_file(pulseaudio_tmp_t)
> +userdom_user_runtime_content(pulseaudio_tmp_t)
>
> type pulseaudio_tmpfs_t;
> userdom_user_tmpfs_file(pulseaudio_tmpfs_t)

Merged.

--
Chris PeBenito

2017-12-20 16:53:30

by Jason Zaman

Subject: [refpolicy] [PATCH 1/5] gssproxy: allow kerberos nfs filetrans

On Wed, Dec 13, 2017 at 06:18:59PM -0500, Chris PeBenito wrote:
> On 12/13/2017 01:17 PM, Jason Zaman wrote:
> > ---
> > gssproxy.te | 1 +
> > 1 file changed, 1 insertion(+)
> >
> > diff --git a/gssproxy.te b/gssproxy.te
> > index c1dcc55..dc7f0e6 100644
> > --- a/gssproxy.te
> > +++ b/gssproxy.te
> > @@ -63,4 +63,5 @@ optional_policy(`
> > kerberos_manage_host_rcache(gssproxy_t)
> > kerberos_read_keytab(gssproxy_t)
> > kerberos_use(gssproxy_t)
> > + kerberos_tmp_filetrans_host_rcache(gssproxy_t, file, "nfs_0")
> > ')
>
> Is there a reason it has to be limited to only nfs_0? I didn't notice
> any type transition conflicts.

No reason other than a bad copy-paste; I've sent a new version.

-- Jason
>
> --
> Chris PeBenito