Gentoo Archives: gentoo-commits

From:	Jason Zaman <perfinion@g.o>
To:	gentoo-commits@l.g.o
Subject:	[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
Date:	Thu, 25 May 2017 17:09:16
Message-Id:	`1495731839.91bc9686ff5065f7cdcce4ec14ac9d6dd89b769d.perfinion@gentoo`

1	commit: 91bc9686ff5065f7cdcce4ec14ac9d6dd89b769d
2	Author: Jason Zaman <jason <AT> perfinion <DOT> com>
3	AuthorDate: Sun May 7 13:42:53 2017 +0000
4	Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
5	CommitDate: Thu May 25 17:03:59 2017 +0000
6	URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=91bc9686
7
8	dirmngr: fcontext for ~/.gnupg/crls.d/
9
10	policy/modules/contrib/dirmngr.fc \| 2 ++
11	policy/modules/contrib/dirmngr.te \| 7 +++++++
12	policy/modules/contrib/gpg.if \| 20 ++++++++++++++++++++
13	3 files changed, 29 insertions(+)
14
15	diff --git a/policy/modules/contrib/dirmngr.fc b/policy/modules/contrib/dirmngr.fc
16	index a9cf15a8..60f19f47 100644
17	--- a/policy/modules/contrib/dirmngr.fc
18	+++ b/policy/modules/contrib/dirmngr.fc
19	@@ -1,3 +1,5 @@
20	+HOME_DIR/\.gnupg/crls\.d(/.+)? gen_context(system_u:object_r:dirmngr_home_t,s0)
21	+
22	/etc/dirmngr(/.*)? gen_context(system_u:object_r:dirmngr_conf_t,s0)
23
24	/etc/rc\.d/init\.d/dirmngr -- gen_context(system_u:object_r:dirmngr_initrc_exec_t,s0)
25
26	diff --git a/policy/modules/contrib/dirmngr.te b/policy/modules/contrib/dirmngr.te
27	index 8e4a1a89..17cce56a 100644
28	--- a/policy/modules/contrib/dirmngr.te
29	+++ b/policy/modules/contrib/dirmngr.te
30	@@ -27,6 +27,9 @@ files_type(dirmngr_var_lib_t)
31	type dirmngr_var_run_t;
32	files_pid_file(dirmngr_var_run_t)
33
34	+type dirmngr_home_t;
35	+userdom_user_home_content(dirmngr_home_t)
36	+
37	########################################
38	#
39	# Local policy
40	@@ -37,6 +40,8 @@ allow dirmngr_t self:fifo_file rw_file_perms;
41	allow dirmngr_t dirmngr_conf_t:dir list_dir_perms;
42	allow dirmngr_t dirmngr_conf_t:file read_file_perms;
43	allow dirmngr_t dirmngr_conf_t:lnk_file read_lnk_file_perms;
44	+allow dirmngr_t dirmngr_home_t:dir list_dir_perms;
45	+allow dirmngr_t dirmngr_home_t:file read_file_perms;
46
47	manage_dirs_pattern(dirmngr_t, dirmngr_log_t, dirmngr_log_t)
48	append_files_pattern(dirmngr_t, dirmngr_log_t, dirmngr_log_t)
49	@@ -61,6 +66,7 @@ kernel_read_crypto_sysctls(dirmngr_t)
50	files_read_etc_files(dirmngr_t)
51
52	miscfiles_read_localization(dirmngr_t)
53	+miscfiles_read_generic_certs(dirmngr_t)
54
55	userdom_search_user_home_dirs(dirmngr_t)
56	userdom_search_user_runtime(dirmngr_t)
57	@@ -68,4 +74,5 @@ userdom_user_runtime_filetrans(dirmngr_t, dirmngr_tmp_t, dir)
58
59	optional_policy(`
60	gpg_agent_tmp_filetrans(dirmngr_t, dirmngr_tmp_t, sock_file)
61	+ gpg_secret_filetrans(dirmngr_t, dirmngr_home_t, dir)
62	')
63
64	diff --git a/policy/modules/contrib/gpg.if b/policy/modules/contrib/gpg.if
65	index 4480f9c6..e5a12750 100644
66	--- a/policy/modules/contrib/gpg.if
67	+++ b/policy/modules/contrib/gpg.if
68	@@ -254,6 +254,26 @@ interface(`gpg_agent_tmp_filetrans',`
69
70	########################################
71	## <summary>
72	+## filetrans in gpg_secret_t dirs
73	+## </summary>
74	+## <param name="domain">
75	+## <summary>
76	+## Domain allowed access.
77	+## </summary>
78	+## </param>
79	+#
80	+interface(`gpg_secret_filetrans',`
81	+ gen_require(`
82	+ type gpg_secret_t;
83	+ ')
84	+
85	+ filetrans_pattern($1, gpg_secret_t, $2, $3, $4)
86	+ allow $1 gpg_secret_t:dir search_dir_perms;
87	+ userdom_search_user_home_dirs($1)
88	+')
89	+
90	+########################################
91	+## <summary>
92	## Send messages to and from gpg
93	## pinentry over DBUS.
94	## </summary>

Report Message

Find on MARC Find on Google Groups