1 |
commit: 91bc9686ff5065f7cdcce4ec14ac9d6dd89b769d |
2 |
Author: Jason Zaman <jason <AT> perfinion <DOT> com> |
3 |
AuthorDate: Sun May 7 13:42:53 2017 +0000 |
4 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
5 |
CommitDate: Thu May 25 17:03:59 2017 +0000 |
6 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=91bc9686 |
7 |
|
8 |
dirmngr: fcontext for ~/.gnupg/crls.d/ |
9 |
|
10 |
policy/modules/contrib/dirmngr.fc | 2 ++ |
11 |
policy/modules/contrib/dirmngr.te | 7 +++++++ |
12 |
policy/modules/contrib/gpg.if | 20 ++++++++++++++++++++ |
13 |
3 files changed, 29 insertions(+) |
14 |
|
15 |
diff --git a/policy/modules/contrib/dirmngr.fc b/policy/modules/contrib/dirmngr.fc |
16 |
index a9cf15a8..60f19f47 100644 |
17 |
--- a/policy/modules/contrib/dirmngr.fc |
18 |
+++ b/policy/modules/contrib/dirmngr.fc |
19 |
@@ -1,3 +1,5 @@ |
20 |
+HOME_DIR/\.gnupg/crls\.d(/.+)? gen_context(system_u:object_r:dirmngr_home_t,s0) |
21 |
+ |
22 |
/etc/dirmngr(/.*)? gen_context(system_u:object_r:dirmngr_conf_t,s0) |
23 |
|
24 |
/etc/rc\.d/init\.d/dirmngr -- gen_context(system_u:object_r:dirmngr_initrc_exec_t,s0) |
25 |
|
26 |
diff --git a/policy/modules/contrib/dirmngr.te b/policy/modules/contrib/dirmngr.te |
27 |
index 8e4a1a89..17cce56a 100644 |
28 |
--- a/policy/modules/contrib/dirmngr.te |
29 |
+++ b/policy/modules/contrib/dirmngr.te |
30 |
@@ -27,6 +27,9 @@ files_type(dirmngr_var_lib_t) |
31 |
type dirmngr_var_run_t; |
32 |
files_pid_file(dirmngr_var_run_t) |
33 |
|
34 |
+type dirmngr_home_t; |
35 |
+userdom_user_home_content(dirmngr_home_t) |
36 |
+ |
37 |
######################################## |
38 |
# |
39 |
# Local policy |
40 |
@@ -37,6 +40,8 @@ allow dirmngr_t self:fifo_file rw_file_perms; |
41 |
allow dirmngr_t dirmngr_conf_t:dir list_dir_perms; |
42 |
allow dirmngr_t dirmngr_conf_t:file read_file_perms; |
43 |
allow dirmngr_t dirmngr_conf_t:lnk_file read_lnk_file_perms; |
44 |
+allow dirmngr_t dirmngr_home_t:dir list_dir_perms; |
45 |
+allow dirmngr_t dirmngr_home_t:file read_file_perms; |
46 |
|
47 |
manage_dirs_pattern(dirmngr_t, dirmngr_log_t, dirmngr_log_t) |
48 |
append_files_pattern(dirmngr_t, dirmngr_log_t, dirmngr_log_t) |
49 |
@@ -61,6 +66,7 @@ kernel_read_crypto_sysctls(dirmngr_t) |
50 |
files_read_etc_files(dirmngr_t) |
51 |
|
52 |
miscfiles_read_localization(dirmngr_t) |
53 |
+miscfiles_read_generic_certs(dirmngr_t) |
54 |
|
55 |
userdom_search_user_home_dirs(dirmngr_t) |
56 |
userdom_search_user_runtime(dirmngr_t) |
57 |
@@ -68,4 +74,5 @@ userdom_user_runtime_filetrans(dirmngr_t, dirmngr_tmp_t, dir) |
58 |
|
59 |
optional_policy(` |
60 |
gpg_agent_tmp_filetrans(dirmngr_t, dirmngr_tmp_t, sock_file) |
61 |
+ gpg_secret_filetrans(dirmngr_t, dirmngr_home_t, dir) |
62 |
') |
63 |
|
64 |
diff --git a/policy/modules/contrib/gpg.if b/policy/modules/contrib/gpg.if |
65 |
index 4480f9c6..e5a12750 100644 |
66 |
--- a/policy/modules/contrib/gpg.if |
67 |
+++ b/policy/modules/contrib/gpg.if |
68 |
@@ -254,6 +254,26 @@ interface(`gpg_agent_tmp_filetrans',` |
69 |
|
70 |
######################################## |
71 |
## <summary> |
72 |
+## filetrans in gpg_secret_t dirs |
73 |
+## </summary> |
74 |
+## <param name="domain"> |
75 |
+## <summary> |
76 |
+## Domain allowed access. |
77 |
+## </summary> |
78 |
+## </param> |
79 |
+# |
80 |
+interface(`gpg_secret_filetrans',` |
81 |
+ gen_require(` |
82 |
+ type gpg_secret_t; |
83 |
+ ') |
84 |
+ |
85 |
+ filetrans_pattern($1, gpg_secret_t, $2, $3, $4) |
86 |
+ allow $1 gpg_secret_t:dir search_dir_perms; |
87 |
+ userdom_search_user_home_dirs($1) |
88 |
+') |
89 |
+ |
90 |
+######################################## |
91 |
+## <summary> |
92 |
## Send messages to and from gpg |
93 |
## pinentry over DBUS. |
94 |
## </summary> |