Gentoo Archives: gentoo-commits

From: Jason Zaman <perfinion@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
Date: Thu, 25 May 2017 17:08:44
Message-Id: 1495731839.e8b9afa5c6358e954388e5568f739a75d26f2e72.perfinion@gentoo
1 commit: e8b9afa5c6358e954388e5568f739a75d26f2e72
2 Author: Jason Zaman <jason <AT> perfinion <DOT> com>
3 AuthorDate: Sun Apr 16 06:38:47 2017 +0000
4 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
5 CommitDate: Thu May 25 17:03:59 2017 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e8b9afa5
7
8 gpg dirmngr: create and connect to socket
9
10 policy/modules/contrib/dirmngr.fc | 2 ++
11 policy/modules/contrib/dirmngr.if | 25 +++++++++++++++++++++++++
12 policy/modules/contrib/dirmngr.te | 13 +++++++++++++
13 policy/modules/contrib/gpg.if | 38 ++++++++++++++++++++++++++++++++++++++
14 policy/modules/contrib/gpg.te | 1 +
15 5 files changed, 79 insertions(+)
16
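--- a/policy/modules/contrib/dirmngr.fc
+++ b/policy/modules/contrib/dirmngr.fc
@@ -12,3 +12,5 @@
 /run/dirmngr\.pid -- gen_context(system_u:object_r:dirmngr_var_run_t,s0)
 
 /run/dirmngr(/.*)? gen_context(system_u:object_r:dirmngr_var_run_t,s0)
+
+/run/user/%{USERID}/gnupg/S.dirmngr -s gen_context(system_u:object_r:dirmngr_tmp_t,s0)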
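Review bot: The new file-context entry leaves the dot in `S.dirmngr` unescaped, so the pattern matches any character in that position, whereas the existing `/run/dirmngr\.pid` entry in the same hunk escapes it. Writing `/run/user/%{USERID}/gnupg/S\.dirmngr -s gen_context(system_u:object_r:dirmngr_tmp_t,s0)` keeps the label bound to the one socket name. A one-line comment saying that this is the per-user runtime socket, and why it takes `dirmngr_tmp_t` rather than `dirmngr_var_run_t`, would help the next reader.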
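--- a/policy/modules/contrib/dirmngr.if
+++ b/policy/modules/contrib/dirmngr.if
@@ -18,6 +18,7 @@
 interface(`dirmngr_role',`
 gen_require(`
 type dirmngr_t, dirmngr_exec_t;
+ type dirmngr_tmp_t;
 ')
 
 role $1 types dirmngr_t;
@@ -29,6 +30,8 @@ interface(`dirmngr_role',`
 
 allow dirmngr_t $2:fd use;
 allow dirmngr_t $2:fifo_file { read write };
+
+ allow $2 dirmngr_tmp_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
 ')
 
 ########################################
@@ -71,6 +74,28 @@ interface(`dirmngr_exec',`
 
 ########################################
 ## <summary>
+## Connect to dirmngr socket
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirmngr_stream_connect',`
+ gen_require(`
+ type dirmngr_t, dirmngr_tmp_t;
+ ')
+
+ gpg_search_agent_tmp_dirs($1)
+ allow $1 dirmngr_tmp_t:sock_file rw_sock_file_perms;
+ allow $1 dirmngr_t:unix_stream_socket connectto;
+ userdom_search_user_runtime($1)
+ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
 ## All of the rules required to
 ## administrate an dirmngr environment.
 ## </summary>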
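Review bot: `dirmngr_stream_connect` grants `rw_sock_file_perms` on the socket file, which is more than a connecting client needs; `allow $1 dirmngr_tmp_t:sock_file write_sock_file_perms;` together with the existing `connectto` rule keeps the interface to the minimum. The interface also calls `gpg_search_agent_tmp_dirs($1)` unconditionally, so every caller inherits a requirement on `gpg_agent_tmp_t`, while dirmngr.te in the same commit wraps its gpg call in `optional_policy`; it is worth confirming that the hard dependency is intended. The summary could also state why `userdom_search_user_home_dirs($1)` is needed when the labelled socket lives under /run/user.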
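--- a/policy/modules/contrib/dirmngr.te
+++ b/policy/modules/contrib/dirmngr.te
@@ -18,6 +18,9 @@ init_script_file(dirmngr_initrc_exec_t)
 type dirmngr_log_t;
 logging_log_file(dirmngr_log_t)
 
+type dirmngr_tmp_t;
+userdom_user_tmp_file(dirmngr_tmp_t)
+
 type dirmngr_var_lib_t;
 files_type(dirmngr_var_lib_t)
 
@@ -46,6 +49,8 @@ manage_files_pattern(dirmngr_t, dirmngr_var_lib_t, dirmngr_var_lib_t)
 manage_lnk_files_pattern(dirmngr_t, dirmngr_var_lib_t, dirmngr_var_lib_t)
 files_var_lib_filetrans(dirmngr_t, dirmngr_var_lib_t, dir)
 
+manage_sock_files_pattern(dirmngr_t, dirmngr_tmp_t, dirmngr_tmp_t)
+
 manage_dirs_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t)
 manage_files_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t)
 manage_sock_files_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t)
@@ -56,3 +61,11 @@ kernel_read_crypto_sysctls(dirmngr_t)
 files_read_etc_files(dirmngr_t)
 
 miscfiles_read_localization(dirmngr_t)
+
+userdom_search_user_home_dirs(dirmngr_t)
+userdom_search_user_runtime(dirmngr_t)
+userdom_user_runtime_filetrans(dirmngr_t, dirmngr_tmp_t, dir)
+
+optional_policy(`
+ gpg_agent_tmp_filetrans(dirmngr_t, dirmngr_tmp_t, sock_file)
+')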
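Review bot: `userdom_user_runtime_filetrans(dirmngr_t, dirmngr_tmp_t, dir)` sets up a type transition for directories, but the only access these hunks give dirmngr_t on dirmngr_tmp_t is `manage_sock_files_pattern`, which does not cover creating a directory of that type. Unless a rule outside the visible hunks grants it, either add `manage_dirs_pattern(dirmngr_t, dirmngr_tmp_t, dirmngr_tmp_t)` or drop the dir transition and rely on the `gpg_agent_tmp_filetrans(dirmngr_t, dirmngr_tmp_t, sock_file)` rule. The transition also carries no object name, so it would apply to any directory dirmngr creates in the user runtime directory. A directory labelled dirmngr_tmp_t would not be searchable by clients either, since `dirmngr_stream_connect` grants search only on gpg_agent_tmp_t directories.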
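--- a/policy/modules/contrib/gpg.if
+++ b/policy/modules/contrib/gpg.if
@@ -216,6 +216,44 @@ interface(`gpg_stream_connect_agent',`
 
 ########################################
 ## <summary>
+## Search gpg agent dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gpg_search_agent_tmp_dirs',`
+ gen_require(`
+ type gpg_agent_tmp_t;
+ ')
+
+ allow $1 gpg_agent_tmp_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## filetrans in gpg_agent_tmp_t dirs
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gpg_agent_tmp_filetrans',`
+ gen_require(`
+ type gpg_agent_t, gpg_agent_tmp_t;
+ type gpg_secret_t;
+ ')
+
+ filetrans_pattern($1, gpg_agent_tmp_t, $2, $3, $4)
+ userdom_search_user_runtime($1)
+')
+
+########################################
+## <summary>
 ## Send messages to and from gpg
 ## pinentry over DBUS.
 ## </summary>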
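Review bot: The header comment for `gpg_agent_tmp_filetrans` documents only the `domain` parameter, although the body passes `$2`, `$3` and `$4` to `filetrans_pattern`; it needs `<param>` entries for the private type, the object class and the optional object name, in the same layout as the `domain` entry. Its `gen_require` block also lists `gpg_agent_t` and `gpg_secret_t`, neither of which the body uses, so `type gpg_agent_tmp_t;` alone would do and keeps callers from requiring types they never touch. The summary line could also say that the interface lets the caller create objects with a private type inside gpg agent runtime directories, since that is a write-side grant and not just a lookup.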
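--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -140,6 +140,7 @@ tunable_policy(`use_samba_home_dirs',`
 
 optional_policy(`
 dirmngr_domtrans(gpg_t)
+ dirmngr_stream_connect(gpg_t)
 ')
 
 optional_policy(`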