[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/ - gentoo-commits

From:	Jason Zaman <perfinion@g.o>
To:	gentoo-commits@l.g.o
Subject:	[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
Date:	Sun, 30 Apr 2017 09:41:02
Message-Id:	`1493544712.68b598ef6438c11db428e893825e494d76f3fac1.perfinion@gentoo`

1

commit:     68b598ef6438c11db428e893825e494d76f3fac1

2

Author:     Jason Zaman <jason <AT> perfinion <DOT> com>

3

AuthorDate: Sun Apr 16 06:38:47 2017 +0000

4

Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>

5

CommitDate: Sun Apr 30 09:31:52 2017 +0000

6

URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=68b598ef

7

8

gpg dirmngr: create and connect to socket

9

10

 policy/modules/contrib/dirmngr.fc |  2 ++

11

 policy/modules/contrib/dirmngr.if | 22 +++++++++++++++++++++

12

 policy/modules/contrib/dirmngr.te | 13 +++++++++++++

13

 policy/modules/contrib/gpg.if     | 41 +++++++++++++++++++++++++++++++++++++++

14

 policy/modules/contrib/gpg.te     |  1 +

15

 5 files changed, 79 insertions(+)

16

17

diff --git a/policy/modules/contrib/dirmngr.fc b/policy/modules/contrib/dirmngr.fc

18

index a0f261c9..a9cf15a8 100644

19

--- a/policy/modules/contrib/dirmngr.fc

20

+++ b/policy/modules/contrib/dirmngr.fc

21

@@ -12,3 +12,5 @@

22

 /run/dirmngr\.pid	--	gen_context(system_u:object_r:dirmngr_var_run_t,s0)

23

24

 /run/dirmngr(/.*)?	gen_context(system_u:object_r:dirmngr_var_run_t,s0)

25

+

26

+/run/user/%{USERID}/gnupg/S.dirmngr	-s	gen_context(system_u:object_r:dirmngr_tmp_t,s0)

27

28

diff --git a/policy/modules/contrib/dirmngr.if b/policy/modules/contrib/dirmngr.if

29

index 2f6875a6..989af34a 100644

30

--- a/policy/modules/contrib/dirmngr.if

31

+++ b/policy/modules/contrib/dirmngr.if

32

@@ -71,6 +71,28 @@ interface(`dirmngr_exec',`

33

34

 ########################################

35

 ## <summary>

36

+##	Connect to dirmngr socket

37

+## </summary>

38

+## <param name="domain">

39

+##	<summary>

40

+##	Domain allowed access.

41

+##	</summary>

42

+## </param>

43

+#

44

+interface(`dirmngr_stream_connect',`

45

+	gen_require(`

46

+		type dirmngr_t, dirmngr_tmp_t;

47

+	')

48

+

49

+	gpg_search_agent_tmp_dirs($1)

50

+	allow $1 dirmngr_tmp_t:sock_file write_sock_file_perms;

51

+	allow $1 dirmngr_t:unix_stream_socket connectto;

52

+	userdom_search_user_runtime($1)

53

+	userdom_search_user_home_dirs($1)

54

+')

55

+

56

+########################################

57

+## <summary>

58

 ##	All of the rules required to

59

 ##	administrate an dirmngr environment.

60

 ## </summary>

61

62

diff --git a/policy/modules/contrib/dirmngr.te b/policy/modules/contrib/dirmngr.te

63

index 23f40456..8e4a1a89 100644

64

--- a/policy/modules/contrib/dirmngr.te

65

+++ b/policy/modules/contrib/dirmngr.te

66

@@ -18,6 +18,9 @@ init_script_file(dirmngr_initrc_exec_t)

67

 type dirmngr_log_t;

68

 logging_log_file(dirmngr_log_t)

69

70

+type dirmngr_tmp_t;

71

+userdom_user_tmp_file(dirmngr_tmp_t)

72

+

73

 type dirmngr_var_lib_t;

74

 files_type(dirmngr_var_lib_t)

75

76

@@ -46,6 +49,8 @@ manage_files_pattern(dirmngr_t, dirmngr_var_lib_t, dirmngr_var_lib_t)

77

 manage_lnk_files_pattern(dirmngr_t, dirmngr_var_lib_t, dirmngr_var_lib_t)

78

 files_var_lib_filetrans(dirmngr_t, dirmngr_var_lib_t, dir)

79

80

+manage_sock_files_pattern(dirmngr_t, dirmngr_tmp_t, dirmngr_tmp_t)

81

+

82

 manage_dirs_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t)

83

 manage_files_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t)

84

 manage_sock_files_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t)

85

@@ -56,3 +61,11 @@ kernel_read_crypto_sysctls(dirmngr_t)

86

 files_read_etc_files(dirmngr_t)

87

88

 miscfiles_read_localization(dirmngr_t)

89

+

90

+userdom_search_user_home_dirs(dirmngr_t)

91

+userdom_search_user_runtime(dirmngr_t)

92

+userdom_user_runtime_filetrans(dirmngr_t, dirmngr_tmp_t, dir)

93

+

94

+optional_policy(`

95

+	gpg_agent_tmp_filetrans(dirmngr_t, dirmngr_tmp_t, sock_file)

96

+')

97

98

diff --git a/policy/modules/contrib/gpg.if b/policy/modules/contrib/gpg.if

99

index efffff87..d34cfbc0 100644

100

--- a/policy/modules/contrib/gpg.if

101

+++ b/policy/modules/contrib/gpg.if

102

@@ -216,6 +216,47 @@ interface(`gpg_stream_connect_agent',`

103

104

 ########################################

105

 ## <summary>

106

+##	Search gpg agent dirs.

107

+## </summary>

108

+## <param name="domain">

109

+##	<summary>

110

+##	Domain allowed access.

111

+##	</summary>

112

+## </param>

113

+#

114

+interface(`gpg_search_agent_tmp_dirs',`

115

+	gen_require(`

116

+		type gpg_agent_tmp_t;

117

+	')

118

+

119

+	allow $1 gpg_agent_tmp_t:dir search_dir_perms;

120

+')

121

+

122

+########################################

123

+## <summary>

124

+##	filetrans in gpg_agent_tmp_t dirs

125

+## </summary>

126

+## <param name="domain">

127

+##	<summary>

128

+##	Domain allowed access.

129

+##	</summary>

130

+## </param>

131

+#

132

+interface(`gpg_agent_tmp_filetrans',`

133

+	gen_require(`

134

+		type gpg_agent_t, gpg_agent_tmp_t;

135

+		type gpg_secret_t;

136

+	')

137

+

138

+	filetrans_pattern($1, gpg_agent_tmp_t, $2, $3, $4)

139

+	stream_connect_pattern($1, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)

140

+	allow $1 gpg_secret_t:dir search_dir_perms;

141

+	userdom_search_user_runtime($1)

142

+	userdom_search_user_home_dirs($1)

143

+')

144

+

145

+########################################

146

+## <summary>

147

 ##	Send messages to and from gpg

148

 ##	pinentry over DBUS.

149

 ## </summary>

150

151

diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te

152

index 1b8448c7..140d8d94 100644

153

--- a/policy/modules/contrib/gpg.te

154

+++ b/policy/modules/contrib/gpg.te

155

@@ -140,6 +140,7 @@ tunable_policy(`use_samba_home_dirs',`

156

157

 optional_policy(`

158

 	dirmngr_domtrans(gpg_t)

159

+	dirmngr_stream_connect(gpg_t)

160

')

161

162

 optional_policy(`

1	commit: 68b598ef6438c11db428e893825e494d76f3fac1
2	Author: Jason Zaman <jason <AT> perfinion <DOT> com>
3	AuthorDate: Sun Apr 16 06:38:47 2017 +0000
4	Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
5	CommitDate: Sun Apr 30 09:31:52 2017 +0000
6	URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=68b598ef
7
8	gpg dirmngr: create and connect to socket
9
10	policy/modules/contrib/dirmngr.fc \| 2 ++
11	policy/modules/contrib/dirmngr.if \| 22 +++++++++++++++++++++
12	policy/modules/contrib/dirmngr.te \| 13 +++++++++++++
13	policy/modules/contrib/gpg.if \| 41 +++++++++++++++++++++++++++++++++++++++
14	policy/modules/contrib/gpg.te \| 1 +
15	5 files changed, 79 insertions(+)
16
17	diff --git a/policy/modules/contrib/dirmngr.fc b/policy/modules/contrib/dirmngr.fc
18	index a0f261c9..a9cf15a8 100644
19	--- a/policy/modules/contrib/dirmngr.fc
20	+++ b/policy/modules/contrib/dirmngr.fc
21	@@ -12,3 +12,5 @@
22	/run/dirmngr\.pid -- gen_context(system_u:object_r:dirmngr_var_run_t,s0)
23
24	/run/dirmngr(/.*)? gen_context(system_u:object_r:dirmngr_var_run_t,s0)
25	+
26	+/run/user/%{USERID}/gnupg/S.dirmngr -s gen_context(system_u:object_r:dirmngr_tmp_t,s0)
27
28	diff --git a/policy/modules/contrib/dirmngr.if b/policy/modules/contrib/dirmngr.if
29	index 2f6875a6..989af34a 100644
30	--- a/policy/modules/contrib/dirmngr.if
31	+++ b/policy/modules/contrib/dirmngr.if
32	@@ -71,6 +71,28 @@ interface(`dirmngr_exec',`
33
34	########################################
35	## <summary>
36	+## Connect to dirmngr socket
37	+## </summary>
38	+## <param name="domain">
39	+## <summary>
40	+## Domain allowed access.
41	+## </summary>
42	+## </param>
43	+#
44	+interface(`dirmngr_stream_connect',`
45	+ gen_require(`
46	+ type dirmngr_t, dirmngr_tmp_t;
47	+ ')
48	+
49	+ gpg_search_agent_tmp_dirs($1)
50	+ allow $1 dirmngr_tmp_t:sock_file write_sock_file_perms;
51	+ allow $1 dirmngr_t:unix_stream_socket connectto;
52	+ userdom_search_user_runtime($1)
53	+ userdom_search_user_home_dirs($1)
54	+')
55	+
56	+########################################
57	+## <summary>
58	## All of the rules required to
59	## administrate an dirmngr environment.
60	## </summary>
61
62	diff --git a/policy/modules/contrib/dirmngr.te b/policy/modules/contrib/dirmngr.te
63	index 23f40456..8e4a1a89 100644
64	--- a/policy/modules/contrib/dirmngr.te
65	+++ b/policy/modules/contrib/dirmngr.te
66	@@ -18,6 +18,9 @@ init_script_file(dirmngr_initrc_exec_t)
67	type dirmngr_log_t;
68	logging_log_file(dirmngr_log_t)
69
70	+type dirmngr_tmp_t;
71	+userdom_user_tmp_file(dirmngr_tmp_t)
72	+
73	type dirmngr_var_lib_t;
74	files_type(dirmngr_var_lib_t)
75
76	@@ -46,6 +49,8 @@ manage_files_pattern(dirmngr_t, dirmngr_var_lib_t, dirmngr_var_lib_t)
77	manage_lnk_files_pattern(dirmngr_t, dirmngr_var_lib_t, dirmngr_var_lib_t)
78	files_var_lib_filetrans(dirmngr_t, dirmngr_var_lib_t, dir)
79
80	+manage_sock_files_pattern(dirmngr_t, dirmngr_tmp_t, dirmngr_tmp_t)
81	+
82	manage_dirs_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t)
83	manage_files_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t)
84	manage_sock_files_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t)
85	@@ -56,3 +61,11 @@ kernel_read_crypto_sysctls(dirmngr_t)
86	files_read_etc_files(dirmngr_t)
87
88	miscfiles_read_localization(dirmngr_t)
89	+
90	+userdom_search_user_home_dirs(dirmngr_t)
91	+userdom_search_user_runtime(dirmngr_t)
92	+userdom_user_runtime_filetrans(dirmngr_t, dirmngr_tmp_t, dir)
93	+
94	+optional_policy(`
95	+ gpg_agent_tmp_filetrans(dirmngr_t, dirmngr_tmp_t, sock_file)
96	+')
97
98	diff --git a/policy/modules/contrib/gpg.if b/policy/modules/contrib/gpg.if
99	index efffff87..d34cfbc0 100644
100	--- a/policy/modules/contrib/gpg.if
101	+++ b/policy/modules/contrib/gpg.if
102	@@ -216,6 +216,47 @@ interface(`gpg_stream_connect_agent',`
103
104	########################################
105	## <summary>
106	+## Search gpg agent dirs.
107	+## </summary>
108	+## <param name="domain">
109	+## <summary>
110	+## Domain allowed access.
111	+## </summary>
112	+## </param>
113	+#
114	+interface(`gpg_search_agent_tmp_dirs',`
115	+ gen_require(`
116	+ type gpg_agent_tmp_t;
117	+ ')
118	+
119	+ allow $1 gpg_agent_tmp_t:dir search_dir_perms;
120	+')
121	+
122	+########################################
123	+## <summary>
124	+## filetrans in gpg_agent_tmp_t dirs
125	+## </summary>
126	+## <param name="domain">
127	+## <summary>
128	+## Domain allowed access.
129	+## </summary>
130	+## </param>
131	+#
132	+interface(`gpg_agent_tmp_filetrans',`
133	+ gen_require(`
134	+ type gpg_agent_t, gpg_agent_tmp_t;
135	+ type gpg_secret_t;
136	+ ')
137	+
138	+ filetrans_pattern($1, gpg_agent_tmp_t, $2, $3, $4)
139	+ stream_connect_pattern($1, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)
140	+ allow $1 gpg_secret_t:dir search_dir_perms;
141	+ userdom_search_user_runtime($1)
142	+ userdom_search_user_home_dirs($1)
143	+')
144	+
145	+########################################
146	+## <summary>
147	## Send messages to and from gpg
148	## pinentry over DBUS.
149	## </summary>
150
151	diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
152	index 1b8448c7..140d8d94 100644
153	--- a/policy/modules/contrib/gpg.te
154	+++ b/policy/modules/contrib/gpg.te
155	@@ -140,6 +140,7 @@ tunable_policy(`use_samba_home_dirs',`
156
157	optional_policy(`
158	dirmngr_domtrans(gpg_t)
159	+ dirmngr_stream_connect(gpg_t)
160	')
161
162	optional_policy(`

Gentoo Archives: gentoo-commits