From: domg472@gmail.com (Dominick Grift)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [gpg patch 1/1] Extend the Gnupg domain to allow key signing (with seahorse).
Date: Sun, 1 Nov 2009 21:47:58 +0100 [thread overview]
Message-ID: <20091101204755.GA6075@notebook3.grift.internal> (raw)
When we sign a Gnupg key in at least Seahorse, the gpg_t domain wants to transition to the gpg_agent_t domain.
The gpg_pinentry_t domain also has to be able to prompt for the key passphrase.
Signed-off-by: Dominick Grift <domg472@gmail.com>
---
:100644 100644 9d162a8... 009274d... M policy/modules/apps/gpg.te
policy/modules/apps/gpg.te | 46 ++++++++++++++++++++++++++++++++++++++++---
1 files changed, 42 insertions(+), 4 deletions(-)
diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te
index 9d162a8..009274d 100644
--- a/policy/modules/apps/gpg.te
+++ b/policy/modules/apps/gpg.te
@@ -53,6 +53,10 @@ typealias gpg_pinentry_t alias { auditadm_gpg_pinentry_t secadm_gpg_pinentry_t }
application_domain(gpg_pinentry_t, pinentry_exec_t)
ubac_constrained(gpg_pinentry_t)
+type gpg_pinentry_tmpfs_t;
+files_tmpfs_file(gpg_pinentry_tmpfs_t)
+ubac_constrained(gpg_pinentry_tmpfs_t)
+
########################################
#
# GPG local policy
@@ -69,6 +73,8 @@ manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
files_tmp_filetrans(gpg_t, gpg_agent_tmp_t, { dir file })
+domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
+
# transition from the gpg domain to the helper domain
domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)
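Review bot: The new `domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)` has no comment, while the neighbouring helper transition is explained by `# transition from the gpg domain to the helper domain`; the commit message is the only record of why gpg_t must now execute the agent itself. Suggest `# transition from the gpg domain to the agent domain (needed when signing keys, e.g. from seahorse)` above the new line. Since gpg_t already reaches a running agent through the `stream_connect_pattern` rule elsewhere in this file, such a comment also lets a later reviewer decide whether the exec transition is still required once the agent is always started separately. The gpg_t local policy section continues outside the hunk.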
@@ -190,6 +196,7 @@ files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })
# allow gpg to connect to the gpg agent
stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)
+corecmd_read_bin_symlinks(gpg_agent_t)
corecmd_search_bin(gpg_agent_t)
domain_use_interactive_fds(gpg_agent_t)
@@ -227,9 +234,15 @@ tunable_policy(`use_samba_home_dirs',`
# Pinentry local policy
#
+allow gpg_pinentry_t self:process { getcap getsched signal };
+allow gpg_pinentry_t self:unix_dgram_socket create;
allow gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write };
allow gpg_pinentry_t self:fifo_file rw_fifo_file_perms;
+manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
+manage_files_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
+fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir })
+
# we need to allow gpg-agent to call pinentry so it can get the passphrase
# from the user.
domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t)
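Review bot: The tmpfs rules added from `manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)` through `fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir })`, and the new `allow gpg_pinentry_t self:process { getcap getsched signal };`, carry no comment, unlike the rest of the pinentry section which states what each access is for (e.g. `# read /etc/X11/qtrc`). Which part of pinentry needs a private tmpfs type is not visible here — presumably a GUI toolkit — so a comment naming it, e.g. `# private tmpfs (shared memory) files for the pinentry GUI toolkit`, would let a later reviewer judge whether the access can be narrowed. It is also worth recording why `getcap` and `getsched` are needed, as they are not obviously tied to passphrase prompting.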
@@ -237,6 +250,10 @@ domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t)
# read /proc/meminfo
kernel_read_system_state(gpg_pinentry_t)
+dev_read_urand(gpg_pinentry_t)
+
+fs_getattr_tmpfs(gpg_pinentry_t)
+
files_read_usr_files(gpg_pinentry_t)
# read /etc/X11/qtrc
files_read_etc_files(gpg_pinentry_t)
@@ -244,15 +261,36 @@ files_read_etc_files(gpg_pinentry_t)
miscfiles_read_fonts(gpg_pinentry_t)
miscfiles_read_localization(gpg_pinentry_t)
-# for .Xauthority
-userdom_read_user_home_content_files(gpg_pinentry_t)
+userdom_manage_user_tmp_dirs(gpg_pinentry_t)
+userdom_write_user_tmp_sockets(gpg_pinentry_t)
+userdom_manage_user_home_content_files(gpg_pinentry_t)
+userdom_signull_unpriv_users(gpg_pinentry_t)
+userdom_stream_connect(gpg_pinentry_t)
tunable_policy(`use_nfs_home_dirs',`
- fs_read_nfs_files(gpg_pinentry_t)
+ fs_manage_nfs_dirs(gpg_pinentry_t)
+ fs_manage_nfs_files(gpg_pinentry_t)
+ fs_manage_nfs_named_sockets(gpg_pinentry_t)
')
tunable_policy(`use_samba_home_dirs',`
- fs_read_cifs_files(gpg_pinentry_t)
+ fs_manage_cifs_dirs(gpg_pinentry_t)
+ fs_manage_cifs_files(gpg_pinentry_t)
+ fs_manage_cifs_named_sockets(gpg_pinentry_t)
+')
+
+optional_policy(`
+ dbus_session_bus_client(gpg_pinentry_t)
+ dbus_system_bus_client(gpg_pinentry_t)
+')
+
+optional_policy(`
+ gnome_manage_config(gpg_pinentry_t)
+')
+
+optional_policy(`
+ pulseaudio_domtrans(gpg_pinentry_t)
+ pulseaudio_stream_connect(gpg_pinentry_t)
')
optional_policy(`
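Review bot: Replacing `userdom_read_user_home_content_files(gpg_pinentry_t)` with `userdom_manage_user_home_content_files(gpg_pinentry_t)` moves the passphrase prompt from read-only to create/write/delete access over every user home content file type, and the same widening is repeated for the NFS and CIFS branches (`fs_read_nfs_files` → `fs_manage_nfs_*`, `fs_read_cifs_files` → `fs_manage_cifs_*`). The removed `# for .Xauthority` comment was the only explanation of the home-directory access, and nothing in the patch says which file pinentry now needs to write, so the reason should be stated in a comment above the new line and the rule narrowed to that content if a more specific userdom interface covers it. Pinentry is the component that handles the key passphrase, so its write reach into the home directory is the part of this domain worth keeping minimal. The `userdom_manage_user_tmp_dirs` / `userdom_write_user_tmp_sockets` pair is likewise undocumented; if it exists for the dbus and pulseaudio blocks added below (not visible here), one comment saying so would do. The trailing `optional_policy(` continues outside the hunk.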
--
1.6.5.1