commit: df8fecccf2694a0351ce8bdb03e1a0abc7845984 |
Author: Jason Zaman <jason <AT> perfinion <DOT> com> |
AuthorDate: Thu Mar 30 04:58:28 2017 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Sun Apr 30 09:31:51 2017 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=df8feccc |
|
dirmngr: add to roles and allow gpg to domtrans |
|
policy/modules/contrib/dirmngr.if | 69 +++++++++++++++++++++++++++++++++++++++ |
policy/modules/contrib/gpg.te | 4 +++ |
2 files changed, 73 insertions(+) |
|
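--- a/policy/modules/contrib/dirmngr.if
+++ b/policy/modules/contrib/dirmngr.if
@@ -1,5 +1,74 @@
 ## <summary>Server for managing and downloading certificate revocation lists.</summary>
 
+############################################################
+## <summary>
+## Role access for dirmngr.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`dirmngr_role',`
+ gen_require(`
+ type dirmngr_t, dirmngr_exec_t;
+ ')
+
+ role $1 types dirmngr_t;
+
+ domtrans_pattern($2, dirmngr_exec_t, dirmngr_t)
+
+ allow $2 dirmngr_t:process { ptrace signal_perms };
+ ps_process_pattern($2, dirmngr_t)
+
+ allow dirmngr_t $2:fd use;
+ allow dirmngr_t $2:fifo_file { read write };
+')
+
+########################################
+## <summary>
+## Execute dirmngr in the dirmngr domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`dirmngr_domtrans',`
+ gen_require(`
+ type dirmngr_t, dirmngr_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, dirmngr_exec_t, dirmngr_t)
+')
+
+########################################
+## <summary>
+## Execute the dirmngr in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirmngr_exec',`
+ gen_require(`
+ type dirmngr_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, dirmngr_exec_t)
+')
+
 ########################################
 ## <summary>
 ## All of the rules required to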
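Review bot: dirmngr_role grants the user domain `ptrace` on dirmngr_t unconditionally (`allow $2 dirmngr_t:process { ptrace signal_perms };`), so any process in that domain can read and alter the memory of the daemon that fetches and evaluates certificate revocation data. Unless debugging dirmngr from the user domain is a requirement, I would narrow the rule to `allow $2 dirmngr_t:process signal_perms;`, or keep ptrace only behind whatever ptrace tunable this policy provides. Separately, dirmngr_role calls domtrans_pattern directly without the `corecmd_search_bin($2)` that dirmngr_domtrans adds; calling `dirmngr_domtrans($2)` there would keep the two interfaces in step. The diffstat lists no role module, so I assume the callers of dirmngr_role, which supply the `role ... types dirmngr_t` association, land in a separate commit.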
93 |
|
94 |
diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te |
95 |
index c145fb4c..1b8448c7 100644 |
96 |
--- a/policy/modules/contrib/gpg.te |
97 |
+++ b/policy/modules/contrib/gpg.te |
98 |
@@ -139,6 +139,10 @@ tunable_policy(`use_samba_home_dirs',` |
99 |
') |
100 |
|
101 |
optional_policy(` |
102 |
+ dirmngr_domtrans(gpg_t) |
103 |
+') |
104 |
+ |
105 |
+optional_policy(` |
106 |
evolution_read_orbit_tmp_files(gpg_t) |
107 |
') |