From: domg472@gmail.com (Dominick Grift)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [gpg patch 1/1] Extend the Gnupg domain to allow key signing (with seahorse).
Date: Sun, 01 Nov 2009 22:00:08 +0100
Message-ID: <1257109208.6100.5.camel@localhost>
In-Reply-To: <20091101204755.GA6075@notebook3.grift.internal>
On Sun, 2009-11-01 at 21:47 +0100, Dominick Grift wrote:
Forget this patch, I screwed up the use_samba/nfs_homedirs booleans by
adding policy for tmp objects.
Also, what is really annoying is that it needs to manage generic home
files.
I am also not totally confident this all is correct, since some domain
transitions are involved.
If someone is brave enough or feels inspired by the patch below, try to
sign some gpg keys with and without seahorse to see what is required. (I
ran out of keys to sign.)
> When we sign a Gnupg key in at least Seahorse, the gpg_t domain wants to transition to the gpg_agent_t domain.
> The gpg_pinentry_t domain also has to be able to prompt for the key passphrase.
>
> Signed-off-by: Dominick Grift <domg472@gmail.com>
> ---
> :100644 100644 9d162a8... 009274d... M policy/modules/apps/gpg.te
> policy/modules/apps/gpg.te | 46 ++++++++++++++++++++++++++++++++++++++++---
> 1 files changed, 42 insertions(+), 4 deletions(-)
>
> diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te
> index 9d162a8..009274d 100644
> --- a/policy/modules/apps/gpg.te
> +++ b/policy/modules/apps/gpg.te
> @@ -53,6 +53,10 @@ typealias gpg_pinentry_t alias { auditadm_gpg_pinentry_t secadm_gpg_pinentry_t }
> application_domain(gpg_pinentry_t, pinentry_exec_t)
> ubac_constrained(gpg_pinentry_t)
>
> +type gpg_pinentry_tmpfs_t;
> +files_tmpfs_file(gpg_pinentry_tmpfs_t)
> +ubac_constrained(gpg_pinentry_tmpfs_t)
> +
> ########################################
> #
> # GPG local policy
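Review bot: the new `type gpg_pinentry_tmpfs_t;` declaration carries no comment saying what pinentry creates on tmpfs, and the cover message admits the author is not sure the policy is right; a one-line comment above the declaration (for example `# tmpfs objects created by pinentry`) would record the intent for whoever later verifies or trims these rules, and would match the documented style of the surrounding pinentry rules.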
> @@ -69,6 +73,8 @@ manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
> manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
> files_tmp_filetrans(gpg_t, gpg_agent_tmp_t, { dir file })
>
> +domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
> +
> # transition from the gpg domain to the helper domain
> domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)
>
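Review bot: the added `domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)` has no comment, while the neighbouring helper transition is documented with `# transition from the gpg domain to the helper domain`; add a matching comment (`# transition from the gpg domain to the agent domain`) and place the rule beside that existing domtrans rather than directly after the `files_tmp_filetrans` line. It is also worth noting in the comment that this covers gpg_t starting the agent itself, since gpg_t connecting to an already running agent is separately allowed by the existing `stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)` shown in the next hunk's context.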
> @@ -190,6 +196,7 @@ files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })
> # allow gpg to connect to the gpg agent
> stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)
>
> +corecmd_read_bin_symlinks(gpg_agent_t)
> corecmd_search_bin(gpg_agent_t)
>
> domain_use_interactive_fds(gpg_agent_t)
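Review bot: nothing explains why gpg_agent_t now needs `corecmd_read_bin_symlinks`; the commit message only mentions the gpg_t to gpg_agent_t transition and pinentry prompting. If this is needed to resolve the pinentry binary before the existing `domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t)` fires when pinentry is installed as a symlink, say so in a comment so the line is not dropped later as unused.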
> @@ -227,9 +234,15 @@ tunable_policy(`use_samba_home_dirs',`
> # Pinentry local policy
> #
>
> +allow gpg_pinentry_t self:process { getcap getsched signal };
> +allow gpg_pinentry_t self:unix_dgram_socket create;
> allow gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write };
> allow gpg_pinentry_t self:fifo_file rw_fifo_file_perms;
>
> +manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
> +manage_files_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
> +fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir })
> +
> # we need to allow gpg-agent to call pinentry so it can get the passphrase
> # from the user.
> domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t)
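Review bot: `allow gpg_pinentry_t self:unix_dgram_socket create;` grants only create, with no write or sendto, which is the shape a rule takes when copied verbatim from a single audit denial; either the socket is actually used and further denials will follow, or it is a probe that could be dontaudited instead, so please confirm which. Separately, the new `manage_dirs_pattern`/`manage_files_pattern`/`fs_tmpfs_filetrans` rules for gpg_pinentry_tmpfs_t belong together with the `fs_getattr_tmpfs(gpg_pinentry_t)` that the next hunk adds several lines further down; keep the tmpfs handling in one place.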
> @@ -237,6 +250,10 @@ domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t)
> # read /proc/meminfo
> kernel_read_system_state(gpg_pinentry_t)
>
> +dev_read_urand(gpg_pinentry_t)
> +
> +fs_getattr_tmpfs(gpg_pinentry_t)
> +
> files_read_usr_files(gpg_pinentry_t)
> # read /etc/X11/qtrc
> files_read_etc_files(gpg_pinentry_t)
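Review bot: `dev_read_urand(gpg_pinentry_t)` is added with no comment on what consumes the randomness, although the surrounding lines document even `# read /proc/meminfo` and `# read /etc/X11/qtrc`; add one. `fs_getattr_tmpfs(gpg_pinentry_t)` is separated from the tmpfs manage and filetrans rules of the previous hunk by `dev_read_urand` and blank lines; move it up next to them so the tmpfs rules read as a unit.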
> @@ -244,15 +261,36 @@ files_read_etc_files(gpg_pinentry_t)
> miscfiles_read_fonts(gpg_pinentry_t)
> miscfiles_read_localization(gpg_pinentry_t)
>
> -# for .Xauthority
> -userdom_read_user_home_content_files(gpg_pinentry_t)
> +userdom_manage_user_tmp_dirs(gpg_pinentry_t)
> +userdom_write_user_tmp_sockets(gpg_pinentry_t)
> +userdom_manage_user_home_content_files(gpg_pinentry_t)
> +userdom_signull_unpriv_users(gpg_pinentry_t)
> +userdom_stream_connect(gpg_pinentry_t)
>
> tunable_policy(`use_nfs_home_dirs',`
> - fs_read_nfs_files(gpg_pinentry_t)
> + fs_manage_nfs_dirs(gpg_pinentry_t)
> + fs_manage_nfs_files(gpg_pinentry_t)
> + fs_manage_nfs_named_sockets(gpg_pinentry_t)
> ')
>
> tunable_policy(`use_samba_home_dirs',`
> - fs_read_cifs_files(gpg_pinentry_t)
> + fs_manage_cifs_dirs(gpg_pinentry_t)
> + fs_manage_cifs_files(gpg_pinentry_t)
> + fs_manage_cifs_named_sockets(gpg_pinentry_t)
> +')
> +
> +optional_policy(`
> + dbus_session_bus_client(gpg_pinentry_t)
> + dbus_system_bus_client(gpg_pinentry_t)
> +')
> +
> +optional_policy(`
> + gnome_manage_config(gpg_pinentry_t)
> +')
> +
> +optional_policy(`
> + pulseaudio_domtrans(gpg_pinentry_t)
> + pulseaudio_stream_connect(gpg_pinentry_t)
> ')
>
> optional_policy(`
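Review bot: replacing `userdom_read_user_home_content_files(gpg_pinentry_t)` with `userdom_manage_user_home_content_files(gpg_pinentry_t)` moves the passphrase prompter from read-only access to `.Xauthority` to create, write and delete over every generic user home file, a large widening for a program whose whole job is to collect a secret; the cover message itself calls this annoying. Find the file pinentry actually writes and give it a dedicated type or a narrower userdom interface, and keep the dropped `# for .Xauthority` comment on the read rule. Second, the `fs_manage_nfs_named_sockets` and `fs_manage_cifs_named_sockets` lines placed under `use_nfs_home_dirs` and `use_samba_home_dirs` appear to be driven by the socket access granted outside the tunables (`userdom_write_user_tmp_sockets`, `userdom_stream_connect`) rather than by home-directory content, which matches the author's own note that the booleans got mixed up with tmp-object policy; drop the named-socket lines from the home-dir tunables unless a socket really lives under the user's home. Third, `pulseaudio_domtrans(gpg_pinentry_t)` lets the pinentry domain execute into the pulseaudio domain, which is more than a prompt dialog should need; if only audio feedback is wanted, `pulseaudio_stream_connect` alone may suffice. Finally, the hunk is cut off at `optional_policy(` by the archive, so the closing block cannot be reviewed from this copy.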