* [refpolicy] [gpg patch 1/1] Extend the Gnupg domain to allow key signing (with seahorse).
From: Dominick Grift @ 2009-11-01 20:47 UTC (permalink / raw)
To: refpolicy
When we sign a Gnupg key in at least Seahorse, the gpg_t domain wants to transition to the gpg_agent_t domain.
The gpg_pinentry_t domain also has to be able to prompt for the key passphrase.
Signed-off-by: Dominick Grift <domg472@gmail.com>
---
:100644 100644 9d162a8... 009274d... M policy/modules/apps/gpg.te
policy/modules/apps/gpg.te | 46 ++++++++++++++++++++++++++++++++++++++++---
1 files changed, 42 insertions(+), 4 deletions(-)
diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te
index 9d162a8..009274d 100644
--- a/policy/modules/apps/gpg.te
+++ b/policy/modules/apps/gpg.te
@@ -53,6 +53,10 @@ typealias gpg_pinentry_t alias { auditadm_gpg_pinentry_t secadm_gpg_pinentry_t }
application_domain(gpg_pinentry_t, pinentry_exec_t)
ubac_constrained(gpg_pinentry_t)
+type gpg_pinentry_tmpfs_t;
+files_tmpfs_file(gpg_pinentry_tmpfs_t)
+ubac_constrained(gpg_pinentry_tmpfs_t)
+
########################################
#
# GPG local policy
@@ -69,6 +73,8 @@ manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
files_tmp_filetrans(gpg_t, gpg_agent_tmp_t, { dir file })
+domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
+
# transition from the gpg domain to the helper domain
domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)
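Review bot: The added domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t) has no comment, unlike the helper transition directly below it ("# transition from the gpg domain to the helper domain"), and it is placed with the gpg_agent_tmp_t file rules instead of with the other transitions. It lets gpg_t start the agent itself rather than only connect to it, so add a comment naming the caller that needs it (the commit message points at key signing from Seahorse) and move it next to the helper transition.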
@@ -190,6 +196,7 @@ files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })
# allow gpg to connect to the gpg agent
stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)
+corecmd_read_bin_symlinks(gpg_agent_t)
corecmd_search_bin(gpg_agent_t)
domain_use_interactive_fds(gpg_agent_t)
@@ -227,9 +234,15 @@ tunable_policy(`use_samba_home_dirs',`
# Pinentry local policy
#
+allow gpg_pinentry_t self:process { getcap getsched signal };
+allow gpg_pinentry_t self:unix_dgram_socket create;
allow gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write };
allow gpg_pinentry_t self:fifo_file rw_fifo_file_perms;
+manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
+manage_files_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
+fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir })
+
# we need to allow gpg-agent to call pinentry so it can get the passphrase
# from the user.
domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t)
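Review bot: allow gpg_pinentry_t self:unix_dgram_socket create; grants create and nothing else, so the socket can be made but not connected or written to, which suggests only the first denial was captured. The unix_stream_socket rule on the next line lists connect, getattr, read, shutdown and write; re-test in permissive mode to collect the full permission set, or drop the rule if the datagram socket is not actually needed. The three gpg_pinentry_tmpfs_t rules added further down also need a comment saying what pinentry places in tmpfs.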
@@ -237,6 +250,10 @@ domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t)
# read /proc/meminfo
kernel_read_system_state(gpg_pinentry_t)
+dev_read_urand(gpg_pinentry_t)
+
+fs_getattr_tmpfs(gpg_pinentry_t)
+
files_read_usr_files(gpg_pinentry_t)
# read /etc/X11/qtrc
files_read_etc_files(gpg_pinentry_t)
@@ -244,15 +261,36 @@ files_read_etc_files(gpg_pinentry_t)
miscfiles_read_fonts(gpg_pinentry_t)
miscfiles_read_localization(gpg_pinentry_t)
-# for .Xauthority
-userdom_read_user_home_content_files(gpg_pinentry_t)
+userdom_manage_user_tmp_dirs(gpg_pinentry_t)
+userdom_write_user_tmp_sockets(gpg_pinentry_t)
+userdom_manage_user_home_content_files(gpg_pinentry_t)
+userdom_signull_unpriv_users(gpg_pinentry_t)
+userdom_stream_connect(gpg_pinentry_t)
tunable_policy(`use_nfs_home_dirs',`
- fs_read_nfs_files(gpg_pinentry_t)
+ fs_manage_nfs_dirs(gpg_pinentry_t)
+ fs_manage_nfs_files(gpg_pinentry_t)
+ fs_manage_nfs_named_sockets(gpg_pinentry_t)
')
tunable_policy(`use_samba_home_dirs',`
- fs_read_cifs_files(gpg_pinentry_t)
+ fs_manage_cifs_dirs(gpg_pinentry_t)
+ fs_manage_cifs_files(gpg_pinentry_t)
+ fs_manage_cifs_named_sockets(gpg_pinentry_t)
+')
+
+optional_policy(`
+ dbus_session_bus_client(gpg_pinentry_t)
+ dbus_system_bus_client(gpg_pinentry_t)
+')
+
+optional_policy(`
+ gnome_manage_config(gpg_pinentry_t)
+')
+
+optional_policy(`
+ pulseaudio_domtrans(gpg_pinentry_t)
+ pulseaudio_stream_connect(gpg_pinentry_t)
')
optional_policy(`
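Review bot: userdom_manage_user_home_content_files(gpg_pinentry_t) replaces userdom_read_user_home_content_files, which the removed comment scoped to .Xauthority, so the domain that collects the passphrase goes from reading to creating, modifying and deleting generic user home files. Keep the read-only interface with its "# for .Xauthority" comment, and if one specific file must be written, give it a dedicated type instead of widening access to all home content. The same widening appears in both tunable_policy blocks, where fs_read_nfs_files and fs_read_cifs_files become manage rules for dirs, files and named sockets, although the socket access added above is for user tmp sockets (userdom_write_user_tmp_sockets), which the home directory booleans do not govern. dbus_system_bus_client and pulseaudio_domtrans are also broad for a passphrase dialog and should each carry a stated reason.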
--
1.6.5.1
From: Dominick Grift @ 2009-11-01 21:00 UTC (permalink / raw)
To: refpolicy
On Sun, 2009-11-01 at 21:47 +0100, Dominick Grift wrote:
Forget this patch, I screwed up the use_samba/nfs_homedirs booleans by
adding policy for tmp objects.
Also what is really annoying is that it needs to manage generic home
files.
I am also not totally confident this all is correct since some domain
transitions are involved.
If someone is brave enough or feels inspired by the patch below, try to
sign some gpg keys with and without seahorse to see what is required. (I
ran out of keys to sign)
> When we sign a Gnupg key in at least Seahorse, the gpg_t domain wants to transition to the gpg_agent_t domain.
> The gpg_pinentry_t domain also has to be able to prompt for the key passphrase.
>
> Signed-off-by: Dominick Grift <domg472@gmail.com>
> ---
> :100644 100644 9d162a8... 009274d... M policy/modules/apps/gpg.te
> policy/modules/apps/gpg.te | 46 ++++++++++++++++++++++++++++++++++++++++---
> 1 files changed, 42 insertions(+), 4 deletions(-)
>
> diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te
> index 9d162a8..009274d 100644
> --- a/policy/modules/apps/gpg.te
> +++ b/policy/modules/apps/gpg.te
> @@ -53,6 +53,10 @@ typealias gpg_pinentry_t alias { auditadm_gpg_pinentry_t secadm_gpg_pinentry_t }
> application_domain(gpg_pinentry_t, pinentry_exec_t)
> ubac_constrained(gpg_pinentry_t)
>
> +type gpg_pinentry_tmpfs_t;
> +files_tmpfs_file(gpg_pinentry_tmpfs_t)
> +ubac_constrained(gpg_pinentry_tmpfs_t)
> +
> ########################################
> #
> # GPG local policy
> @@ -69,6 +73,8 @@ manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
> manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
> files_tmp_filetrans(gpg_t, gpg_agent_tmp_t, { dir file })
>
> +domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
> +
> # transition from the gpg domain to the helper domain
> domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)
>
> @@ -190,6 +196,7 @@ files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })
> # allow gpg to connect to the gpg agent
> stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)
>
> +corecmd_read_bin_symlinks(gpg_agent_t)
> corecmd_search_bin(gpg_agent_t)
>
> domain_use_interactive_fds(gpg_agent_t)
> @@ -227,9 +234,15 @@ tunable_policy(`use_samba_home_dirs',`
> # Pinentry local policy
> #
>
> +allow gpg_pinentry_t self:process { getcap getsched signal };
> +allow gpg_pinentry_t self:unix_dgram_socket create;
> allow gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write };
> allow gpg_pinentry_t self:fifo_file rw_fifo_file_perms;
>
> +manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
> +manage_files_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
> +fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir })
> +
> # we need to allow gpg-agent to call pinentry so it can get the passphrase
> # from the user.
> domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t)
> @@ -237,6 +250,10 @@ domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t)
> # read /proc/meminfo
> kernel_read_system_state(gpg_pinentry_t)
>
> +dev_read_urand(gpg_pinentry_t)
> +
> +fs_getattr_tmpfs(gpg_pinentry_t)
> +
> files_read_usr_files(gpg_pinentry_t)
> # read /etc/X11/qtrc
> files_read_etc_files(gpg_pinentry_t)
> @@ -244,15 +261,36 @@ files_read_etc_files(gpg_pinentry_t)
> miscfiles_read_fonts(gpg_pinentry_t)
> miscfiles_read_localization(gpg_pinentry_t)
>
> -# for .Xauthority
> -userdom_read_user_home_content_files(gpg_pinentry_t)
> +userdom_manage_user_tmp_dirs(gpg_pinentry_t)
> +userdom_write_user_tmp_sockets(gpg_pinentry_t)
> +userdom_manage_user_home_content_files(gpg_pinentry_t)
> +userdom_signull_unpriv_users(gpg_pinentry_t)
> +userdom_stream_connect(gpg_pinentry_t)
>
> tunable_policy(`use_nfs_home_dirs',`
> - fs_read_nfs_files(gpg_pinentry_t)
> + fs_manage_nfs_dirs(gpg_pinentry_t)
> + fs_manage_nfs_files(gpg_pinentry_t)
> + fs_manage_nfs_named_sockets(gpg_pinentry_t)
> ')
>
> tunable_policy(`use_samba_home_dirs',`
> - fs_read_cifs_files(gpg_pinentry_t)
> + fs_manage_cifs_dirs(gpg_pinentry_t)
> + fs_manage_cifs_files(gpg_pinentry_t)
> + fs_manage_cifs_named_sockets(gpg_pinentry_t)
> +')
> +
> +optional_policy(`
> + dbus_session_bus_client(gpg_pinentry_t)
> + dbus_system_bus_client(gpg_pinentry_t)
> +')
> +
> +optional_policy(`
> + gnome_manage_config(gpg_pinentry_t)
> +')
> +
> +optional_policy(`
> + pulseaudio_domtrans(gpg_pinentry_t)
> + pulseaudio_stream_connect(gpg_pinentry_t)
> ')
>
> optional_policy(`