Gentoo Archives: gentoo-commits

From: Jason Zaman <perfinion@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
Date: Thu, 25 May 2017 17:09:10
Message-Id: 1495731839.d629bd240173172035ad48db7586e6a163bb8e4b.perfinion@gentoo
1 commit: d629bd240173172035ad48db7586e6a163bb8e4b
2 Author: Jason Zaman <jason <AT> perfinion <DOT> com>
3 AuthorDate: Thu Mar 30 04:58:28 2017 +0000
4 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
5 CommitDate: Thu May 25 17:03:59 2017 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d629bd24
7
8 dirmngr: add to roles and allow gpg to domtrans
9
10 policy/modules/contrib/dirmngr.if | 69 +++++++++++++++++++++++++++++++++++++++
11 policy/modules/contrib/gpg.te | 4 +++
12 2 files changed, 73 insertions(+)
13
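--- a/policy/modules/contrib/dirmngr.if
+++ b/policy/modules/contrib/dirmngr.if
@@ -1,5 +1,74 @@
 ## <summary>Server for managing and downloading certificate revocation lists.</summary>
 
+############################################################
+## <summary>
+## Role access for dirmngr.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`dirmngr_role',`
+ gen_require(`
+ type dirmngr_t, dirmngr_exec_t;
+ ')
+
+ role $1 types dirmngr_t;
+
+ domtrans_pattern($2, dirmngr_exec_t, dirmngr_t)
+
+ allow $2 dirmngr_t:process { ptrace signal_perms };
+ ps_process_pattern($2, dirmngr_t)
+
+ allow dirmngr_t $2:fd use;
+ allow dirmngr_t $2:fifo_file { read write };
+')
+
+########################################
+## <summary>
+## Execute dirmngr in the dirmngr domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`dirmngr_domtrans',`
+ gen_require(`
+ type dirmngr_t, dirmngr_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, dirmngr_exec_t, dirmngr_t)
+')
+
+########################################
+## <summary>
+## Execute the dirmngr in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirmngr_exec',`
+ gen_require(`
+ type dirmngr_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, dirmngr_exec_t)
+')
+
 ########################################
 ## <summary>
 ## All of the rules required to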
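Review bot: `dirmngr_role` grants the user domain `ptrace` on `dirmngr_t` in `allow $2 dirmngr_t:process { ptrace signal_perms };`, which lets any process running in that user domain read and alter the memory of the daemon that fetches and checks certificate revocation data. Starting, signalling and listing the process do not need it, so I would narrow the rule to `allow $2 dirmngr_t:process signal_perms;` and keep debugger access out of the default role interface. The two trailing rules `allow dirmngr_t $2:fd use;` and `allow dirmngr_t $2:fifo_file { read write };` also look redundant with what `domtrans_pattern` normally grants back to the calling domain; worth confirming against the macro definition before keeping them.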
94 diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
95 index c145fb4c..1b8448c7 100644
96 --- a/policy/modules/contrib/gpg.te
97 +++ b/policy/modules/contrib/gpg.te
98 @@ -139,6 +139,10 @@ tunable_policy(`use_samba_home_dirs',`
99 ')
100
101 optional_policy(`
102 + dirmngr_domtrans(gpg_t)
103 +')
104 +
105 +optional_policy(`
106 evolution_read_orbit_tmp_files(gpg_t)
107 ')