refpolicy: patch for gpg-agent

refpolicy: patch for gpg-agent

[Václav Ovsík]

[-- Attachment #1: Type: text/plain, Size: 743 bytes --]

Hi,
I'm running HEAD refpolicy on Debian Sid, but this patch is not
Debian-specific this time.
Having a copy of my std bash profile on the testing machine with
a snippet (from gpg-agent man page):

    if test -f $HOME/.gpg-agent-info \
	     && kill -0 `cut -d: -f 2 $HOME/.gpg-agent-info` 2>/dev/null
    then
	. $HOME/.gpg-agent-info
	export GPG_AGENT_INFO
	export SSH_AUTH_SOCK
	export SSH_AGENT_PID
    else
	eval `gpg-agent --daemon --write-env-file`
    fi

I got a number of denials for this snippet of commands.

1. Found a typo for permissions to create socket in the /tmp.
2. Added permission to send signal 0 by the user (see above).
3. Added permissions for writing agent info file into users home
   directory.

Regards
-- 
Zito

[-- Attachment #2: gpg.patch --]
[-- Type: text/x-diff, Size: 1631 bytes --]

Index: policy/modules/apps/gpg.if
===================================================================
--- policy/modules/apps/gpg.if	(revision 2617)
+++ policy/modules/apps/gpg.if	(working copy)
@@ -212,6 +212,12 @@
 	manage_files_pattern($1_gpg_agent_t,$1_gpg_secret_t,$1_gpg_secret_t)
 	manage_lnk_files_pattern($1_gpg_agent_t,$1_gpg_secret_t,$1_gpg_secret_t)
 
+	# write ~/.gpg-agent-info (gpg-agent --write-env-file option)
+	allow $1_gpg_agent_t { $1_home_dir_t $1_home_t }:dir add_entry_dir_perms;
+	type_transition $1_gpg_agent_t $1_home_dir_t:file $1_home_t;
+	allow $1_gpg_agent_t $1_home_t:file create_file_perms;
+	allow $1_gpg_agent_t $1_home_t:file write_file_perms;
+
 	# allow gpg to connect to the gpg agent
 	stream_connect_pattern($1_gpg_t,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t,$1_gpg_agent_t)
 
@@ -219,11 +225,11 @@
 	ps_process_pattern($2,$1_gpg_agent_t)
 
 	# Allow the user shell to signal the gpg-agent program.
-	allow $2 $1_gpg_agent_t:process { signal sigkill };
+	allow $2 $1_gpg_agent_t:process { signal sigkill signull };
 
-	manage_dirs_pattern($2,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
-	manage_files_pattern($2,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
-	manage_sock_files_pattern($2,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
+	manage_dirs_pattern($1_gpg_agent_t,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
+	manage_files_pattern($1_gpg_agent_t,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
+	manage_sock_files_pattern($1_gpg_agent_t,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
 	files_tmp_filetrans($1_gpg_agent_t, $1_gpg_agent_tmp_t, { file sock_file dir })
 
 	# Transition from the user domain to the derived domain.

Re: refpolicy: patch for gpg-agent

[Christopher J. PeBenito]

On Wed, 2008-02-20 at 18:03 +0100, Václav Ovsík wrote:
> I'm running HEAD refpolicy on Debian Sid, but this patch is not
> Debian-specific this time.
> Having a copy of my std bash profile on the testing machine with
> a snippet (from gpg-agent man page):
> 
>     if test -f $HOME/.gpg-agent-info \
>              && kill -0 `cut -d: -f 2 $HOME/.gpg-agent-info`
> 2>/dev/null
>     then
>         . $HOME/.gpg-agent-info
>         export GPG_AGENT_INFO
>         export SSH_AUTH_SOCK
>         export SSH_AGENT_PID
>     else
>         eval `gpg-agent --daemon --write-env-file`
>     fi
> 
> I got a number of denials for this snippet of commands.
> 
> 1. Found a typo for permissions to create socket in the /tmp.
> 2. Added permission to send signal 0 by the user (see above).
> 3. Added permissions for writing agent info file into users home
>    directory.


> 
> Index: policy/modules/apps/gpg.if
> ===================================================================
> --- policy/modules/apps/gpg.if  (revision 2617)
> +++ policy/modules/apps/gpg.if  (working copy)
> @@ -212,6 +212,12 @@
>         manage_files_pattern($1_gpg_agent_t,$1_gpg_secret_t,$1_gpg_secret_t)
>         manage_lnk_files_pattern($1_gpg_agent_t,$1_gpg_secret_t,$1_gpg_secret_t)
>  
> +       # write ~/.gpg-agent-info (gpg-agent --write-env-file option)
> +       allow $1_gpg_agent_t { $1_home_dir_t $1_home_t }:dir add_entry_dir_perms;
> +       type_transition $1_gpg_agent_t $1_home_dir_t:file $1_home_t;
> +       allow $1_gpg_agent_t $1_home_t:file create_file_perms;
> +       allow $1_gpg_agent_t $1_home_t:file write_file_perms;

I'm a little hesitant to add this unconditionally, I don't think we want
gpg-agent to write out to general home dir content.  Perhaps we should
have a tunable, or a specific type for this.

>         # allow gpg to connect to the gpg agent
>         stream_connect_pattern($1_gpg_t,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t,$1_gpg_agent_t)
>  
> @@ -219,11 +225,11 @@
>         ps_process_pattern($2,$1_gpg_agent_t)
>  
>         # Allow the user shell to signal the gpg-agent program.
> -       allow $2 $1_gpg_agent_t:process { signal sigkill };
> +       allow $2 $1_gpg_agent_t:process { signal sigkill signull };
>  
> -       manage_dirs_pattern($2,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
> -       manage_files_pattern($2,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
> -       manage_sock_files_pattern($2,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
> +       manage_dirs_pattern($1_gpg_agent_t,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
> +       manage_files_pattern($1_gpg_agent_t,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
> +       manage_sock_files_pattern($1_gpg_agent_t,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
>         files_tmp_filetrans($1_gpg_agent_t, $1_gpg_agent_tmp_t, { file sock_file dir })

This isn't a typo, the user domain should still be able to manage
gpg-agent's tmp files.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: refpolicy: patch for gpg-agent

[Václav Ovsík]

[-- Attachment #1: Type: text/plain, Size: 4662 bytes --]

Hi,
sorry for a delay...

On Tue, Mar 04, 2008 at 02:51:41PM -0500, Christopher J. PeBenito wrote:
> On Wed, 2008-02-20 at 18:03 +0100, Václav Ovsík wrote:
> > I'm running HEAD refpolicy on Debian Sid, but this patch is not
> > Debian-specific this time.
> > Having a copy of my std bash profile on the testing machine with
> > a snippet (from gpg-agent man page):
> > 
> >     if test -f $HOME/.gpg-agent-info \
> >              && kill -0 `cut -d: -f 2 $HOME/.gpg-agent-info`
> > 2>/dev/null
> >     then
> >         . $HOME/.gpg-agent-info
> >         export GPG_AGENT_INFO
> >         export SSH_AUTH_SOCK
> >         export SSH_AGENT_PID
> >     else
> >         eval `gpg-agent --daemon --write-env-file`
> >     fi
> > 
> > I got a number of denials for this snippet of commands.
> > 
> > 1. Found a typo for permissions to create socket in the /tmp.
> > 2. Added permission to send signal 0 by the user (see above).
> > 3. Added permissions for writing agent info file into users home
> >    directory.
> 
> 
> > 
> > Index: policy/modules/apps/gpg.if
> > ===================================================================
> > --- policy/modules/apps/gpg.if  (revision 2617)
> > +++ policy/modules/apps/gpg.if  (working copy)
> > @@ -212,6 +212,12 @@
> >         manage_files_pattern($1_gpg_agent_t,$1_gpg_secret_t,$1_gpg_secret_t)
> >         manage_lnk_files_pattern($1_gpg_agent_t,$1_gpg_secret_t,$1_gpg_secret_t)
> >  
> > +       # write ~/.gpg-agent-info (gpg-agent --write-env-file option)
> > +       allow $1_gpg_agent_t { $1_home_dir_t $1_home_t }:dir add_entry_dir_perms;
> > +       type_transition $1_gpg_agent_t $1_home_dir_t:file $1_home_t;
> > +       allow $1_gpg_agent_t $1_home_t:file create_file_perms;
> > +       allow $1_gpg_agent_t $1_home_t:file write_file_perms;
> 
> I'm a little hesitant to add this unconditionally, I don't think we want
> gpg-agent to write out to general home dir content.  Perhaps we should
> have a tunable, or a specific type for this.

I added this rules, so an example from gpg-agent manpage can work
out-of-the-box. Adding a tunable (with the default to disallow) will not
satisfy this. Maybe the later - specific type, but what security risk
poses this rules?
I thought, that domain X_gpg_agent_t is very trusted domain, that
manages my secret keys and should be shielded against the world around
and not the opposite.


> >         # allow gpg to connect to the gpg agent
> >         stream_connect_pattern($1_gpg_t,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t,$1_gpg_agent_t)
> >  
> > @@ -219,11 +225,11 @@
> >         ps_process_pattern($2,$1_gpg_agent_t)
> >  
> >         # Allow the user shell to signal the gpg-agent program.
> > -       allow $2 $1_gpg_agent_t:process { signal sigkill };
> > +       allow $2 $1_gpg_agent_t:process { signal sigkill signull };
> >  
> > -       manage_dirs_pattern($2,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
> > -       manage_files_pattern($2,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
> > -       manage_sock_files_pattern($2,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
> > +       manage_dirs_pattern($1_gpg_agent_t,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
> > +       manage_files_pattern($1_gpg_agent_t,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
> > +       manage_sock_files_pattern($1_gpg_agent_t,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
> >         files_tmp_filetrans($1_gpg_agent_t, $1_gpg_agent_tmp_t, { file sock_file dir })
> 
> This isn't a typo, the user domain should still be able to manage
> gpg-agent's tmp files.

Yes, you are right. I looked at ssh-agent rules just and considered it
more or less equivalent to gpg-agent. Gpg-agent should do clean-up of
its socket, but maybe some crash.

Ok, what about ssh-agent? Shoul be these rules for userdomain added for
it too?

zito@sid:/tmp$ rm -rf ssh-*

audit(1206101398.028:16): avc:  denied  { write } for  pid=2155 comm="rm" name="ssh-IgYHrr2122" dev=sda1 ino=49168 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:sshd_tmp_t:s0 tclass=dir
audit(1206101398.028:17): avc:  denied  { remove_name } for  pid=2155 comm="rm" name="agent.2122" dev=sda1 ino=49169 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:sshd_tmp_t:s0 tclass=dir
audit(1206101398.028:18): avc:  denied  { unlink } for  pid=2155 comm="rm" name="agent.2122" dev=sda1 ino=49169 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:sshd_tmp_t:s0 tclass=sock_file
audit(1206101398.028:19): avc:  denied  { rmdir } for  pid=2155 comm="rm" name="ssh-IgYHrr2122" dev=sda1 ino=49168 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:sshd_tmp_t:s0 tclass=dir


Thanks for suggestions.
Regards
-- 
Zito

[-- Attachment #2: gpg-agent --]
[-- Type: text/plain, Size: 1796 bytes --]

Index: policy/modules/apps/gpg.if
===================================================================
--- policy/modules/apps/gpg.if.orig	2008-03-20 12:00:48.000000000 +0100
+++ policy/modules/apps/gpg.if	2008-03-21 13:18:29.000000000 +0100
@@ -212,6 +212,12 @@
 	manage_files_pattern($1_gpg_agent_t,$1_gpg_secret_t,$1_gpg_secret_t)
 	manage_lnk_files_pattern($1_gpg_agent_t,$1_gpg_secret_t,$1_gpg_secret_t)
 
+	# write ~/.gpg-agent-info (gpg-agent --write-env-file option)
+	allow $1_gpg_agent_t { $1_home_dir_t $1_home_t }:dir add_entry_dir_perms;
+	type_transition $1_gpg_agent_t $1_home_dir_t:file $1_home_t;
+	allow $1_gpg_agent_t $1_home_t:file create_file_perms;
+	allow $1_gpg_agent_t $1_home_t:file write_file_perms;
+
 	# allow gpg to connect to the gpg agent
 	stream_connect_pattern($1_gpg_t,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t,$1_gpg_agent_t)
 
@@ -219,11 +225,18 @@
 	ps_process_pattern($2,$1_gpg_agent_t)
 
 	# Allow the user shell to signal the gpg-agent program.
-	allow $2 $1_gpg_agent_t:process { signal sigkill };
+	allow $2 $1_gpg_agent_t:process { signal sigkill signull };
 
+	# Allow the user to manage gpg-agent tmp files (socket)
 	manage_dirs_pattern($2,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
 	manage_files_pattern($2,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
 	manage_sock_files_pattern($2,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
+
+	# Allow the gpg-agent to manage its tmp files (socket)
+	manage_dirs_pattern($1_gpg_agent_t,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
+	manage_files_pattern($1_gpg_agent_t,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
+	manage_sock_files_pattern($1_gpg_agent_t,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
+
 	files_tmp_filetrans($1_gpg_agent_t, $1_gpg_agent_tmp_t, { file sock_file dir })
 
 	# Transition from the user domain to the derived domain.

Re: refpolicy: patch for gpg-agent

[Christopher J. PeBenito]

On Fri, 2008-03-21 at 14:03 +0100, Václav Ovsík wrote:
> On Tue, Mar 04, 2008 at 02:51:41PM -0500, Christopher J. PeBenito wrote:
> > On Wed, 2008-02-20 at 18:03 +0100, Václav Ovsík wrote:
> > > I'm running HEAD refpolicy on Debian Sid, but this patch is not
> > > Debian-specific this time.
> > > Having a copy of my std bash profile on the testing machine with
> > > a snippet (from gpg-agent man page):
> > > 
> > >     if test -f $HOME/.gpg-agent-info \
> > >              && kill -0 `cut -d: -f 2 $HOME/.gpg-agent-info`
> > > 2>/dev/null
> > >     then
> > >         . $HOME/.gpg-agent-info
> > >         export GPG_AGENT_INFO
> > >         export SSH_AUTH_SOCK
> > >         export SSH_AGENT_PID
> > >     else
> > >         eval `gpg-agent --daemon --write-env-file`
> > >     fi
> > > 
> > > I got a number of denials for this snippet of commands.
> > > 
> > > 1. Found a typo for permissions to create socket in the /tmp.
> > > 2. Added permission to send signal 0 by the user (see above).
> > > 3. Added permissions for writing agent info file into users home
> > >    directory.
> > > 
> > > Index: policy/modules/apps/gpg.if
> > > ===================================================================
> > > --- policy/modules/apps/gpg.if  (revision 2617)
> > > +++ policy/modules/apps/gpg.if  (working copy)
> > > @@ -212,6 +212,12 @@
> > >         manage_files_pattern($1_gpg_agent_t,$1_gpg_secret_t,$1_gpg_secret_t)
> > >         manage_lnk_files_pattern($1_gpg_agent_t,$1_gpg_secret_t,$1_gpg_secret_t)
> > >  
> > > +       # write ~/.gpg-agent-info (gpg-agent --write-env-file option)
> > > +       allow $1_gpg_agent_t { $1_home_dir_t $1_home_t }:dir add_entry_dir_perms;
> > > +       type_transition $1_gpg_agent_t $1_home_dir_t:file $1_home_t;
> > > +       allow $1_gpg_agent_t $1_home_t:file create_file_perms;
> > > +       allow $1_gpg_agent_t $1_home_t:file write_file_perms;
> > 
> > I'm a little hesitant to add this unconditionally, I don't think we want
> > gpg-agent to write out to general home dir content.  Perhaps we should
> > have a tunable, or a specific type for this.
> 
> I added this rules, so an example from gpg-agent manpage can work
> out-of-the-box. Adding a tunable (with the default to disallow) will not
> satisfy this. Maybe the later - specific type, but what security risk
> poses this rules?
> I thought, that domain X_gpg_agent_t is very trusted domain, that
> manages my secret keys and should be shielded against the world around
> and not the opposite.

Its trusted for handling keys, not trusted for handling general content
in the user's home directory.  Remember that if the rules are made
conditional, theres nothing stopping distros from making the tunable
default to true.

> Ok, what about ssh-agent? Shoul be these rules for userdomain added for
> it too?
> 
> zito@sid:/tmp$ rm -rf ssh-*
> 
> audit(1206101398.028:16): avc:  denied  { write } for  pid=2155 comm="rm" name="ssh-IgYHrr2122" dev=sda1 ino=49168 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:sshd_tmp_t:s0 tclass=dir
> audit(1206101398.028:17): avc:  denied  { remove_name } for  pid=2155 comm="rm" name="agent.2122" dev=sda1 ino=49169 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:sshd_tmp_t:s0 tclass=dir
> audit(1206101398.028:18): avc:  denied  { unlink } for  pid=2155 comm="rm" name="agent.2122" dev=sda1 ino=49169 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:sshd_tmp_t:s0 tclass=sock_file
> audit(1206101398.028:19): avc:  denied  { rmdir } for  pid=2155 comm="rm" name="ssh-IgYHrr2122" dev=sda1 ino=49168 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:sshd_tmp_t:s0 tclass=dir

Yes, it seems reasonable to me.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: refpolicy: patch for gpg-agent

[Václav Ovsík]

[-- Attachment #1: Type: text/plain, Size: 5458 bytes --]

Hi,
after a longer period of inactivity I'm back with a new try :)

On Wed, Mar 26, 2008 at 11:11:12AM -0400, Christopher J. PeBenito wrote:
> On Fri, 2008-03-21 at 14:03 +0100, Václav Ovsík wrote:
> > On Tue, Mar 04, 2008 at 02:51:41PM -0500, Christopher J. PeBenito wrote:
> > > On Wed, 2008-02-20 at 18:03 +0100, Václav Ovsík wrote:
> > > > I'm running HEAD refpolicy on Debian Sid, but this patch is not
> > > > Debian-specific this time.
> > > > Having a copy of my std bash profile on the testing machine with
> > > > a snippet (from gpg-agent man page):
> > > > 
> > > >     if test -f $HOME/.gpg-agent-info \
> > > >              && kill -0 `cut -d: -f 2 $HOME/.gpg-agent-info`
> > > > 2>/dev/null
> > > >     then
> > > >         . $HOME/.gpg-agent-info
> > > >         export GPG_AGENT_INFO
> > > >         export SSH_AUTH_SOCK
> > > >         export SSH_AGENT_PID
> > > >     else
> > > >         eval `gpg-agent --daemon --write-env-file`
> > > >     fi
> > > > 
> > > > I got a number of denials for this snippet of commands.
> > > > 
> > > > 1. Found a typo for permissions to create socket in the /tmp.
> > > > 2. Added permission to send signal 0 by the user (see above).
> > > > 3. Added permissions for writing agent info file into users home
> > > >    directory.
> > > > 
> > > > Index: policy/modules/apps/gpg.if
> > > > ===================================================================
> > > > --- policy/modules/apps/gpg.if  (revision 2617)
> > > > +++ policy/modules/apps/gpg.if  (working copy)
> > > > @@ -212,6 +212,12 @@
> > > >         manage_files_pattern($1_gpg_agent_t,$1_gpg_secret_t,$1_gpg_secret_t)
> > > >         manage_lnk_files_pattern($1_gpg_agent_t,$1_gpg_secret_t,$1_gpg_secret_t)
> > > >  
> > > > +       # write ~/.gpg-agent-info (gpg-agent --write-env-file option)
> > > > +       allow $1_gpg_agent_t { $1_home_dir_t $1_home_t }:dir add_entry_dir_perms;
> > > > +       type_transition $1_gpg_agent_t $1_home_dir_t:file $1_home_t;
> > > > +       allow $1_gpg_agent_t $1_home_t:file create_file_perms;
> > > > +       allow $1_gpg_agent_t $1_home_t:file write_file_perms;
> > > 
> > > I'm a little hesitant to add this unconditionally, I don't think we want
> > > gpg-agent to write out to general home dir content.  Perhaps we should
> > > have a tunable, or a specific type for this.
> > 
> > I added this rules, so an example from gpg-agent manpage can work
> > out-of-the-box. Adding a tunable (with the default to disallow) will not
> > satisfy this. Maybe the later - specific type, but what security risk
> > poses this rules?
> > I thought, that domain X_gpg_agent_t is very trusted domain, that
> > manages my secret keys and should be shielded against the world around
> > and not the opposite.
> 
> Its trusted for handling keys, not trusted for handling general content
> in the user's home directory.  Remember that if the rules are made
> conditional, theres nothing stopping distros from making the tunable
> default to true.
> 
> > Ok, what about ssh-agent? Shoul be these rules for userdomain added for
> > it too?
> > 
> > zito@sid:/tmp$ rm -rf ssh-*
> > 
> > audit(1206101398.028:16): avc:  denied  { write } for  pid=2155 comm="rm" name="ssh-IgYHrr2122" dev=sda1 ino=49168 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:sshd_tmp_t:s0 tclass=dir
> > audit(1206101398.028:17): avc:  denied  { remove_name } for  pid=2155 comm="rm" name="agent.2122" dev=sda1 ino=49169 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:sshd_tmp_t:s0 tclass=dir
> > audit(1206101398.028:18): avc:  denied  { unlink } for  pid=2155 comm="rm" name="agent.2122" dev=sda1 ino=49169 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:sshd_tmp_t:s0 tclass=sock_file
> > audit(1206101398.028:19): avc:  denied  { rmdir } for  pid=2155 comm="rm" name="ssh-IgYHrr2122" dev=sda1 ino=49168 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:sshd_tmp_t:s0 tclass=dir
> 
> Yes, it seems reasonable to me.
> 
> -- 
> Chris PeBenito
> Tresys Technology, LLC
> (410) 290-1411 x150


Another patch is attached with the specific type for home file
(<ROLE>_gpg_agent_home_t). I hope, this is better than general write
permission from the previous patch and without administrative overhead
of tunable.

Allowed rules for userdomain on gpg-agent tmp files (socket) are
contained, but I'm not completely certain this is needed. Gpg-agent
creates socket while starting and cleans it up when exits. The socket
file remains in /tmp only when gpg-agent is killed by SIGKILL, and there
is probably no need to remove this stuff by the userdomain either.
Tmpreaper/tmpwatch cron job should do cleanup. Although I hope including
these rules for userdomain is harmless.

Concerning SSH...
After some investigation I found, that it is a bit more complicated.
When I ssh into the host with agent forwarded, than socket is created by
sshd and it has a context:

zito@bobek:~$ ssh -A sid  
zito@sid:~$ ls -lZa $SSH_AUTH_SOCK 
srwxr-xr-x 1 zito zito system_u:object_r:sshd_tmp_t:s0 0 Apr 15 14:34 /tmp/ssh-afqvGT1954/agent.1954

The socket of ssh agent started localy has context:

zito@sid:~$ eval `ssh-agent`
Agent pid 2097
zito@sid:~$ ls -laZ $SSH_AUTH_SOCK
srw------- 1 zito zito staff_u:object_r:staff_ssh_agent_tmp_t:s0 0 Apr 15 14:48 /tmp/ssh-LgmzMU2096/agent.2096


If you consider the userdomain rules needless, than gpg-agent-nouser is
attached as addon patch.

Best Regards
-- 
Zito

[-- Attachment #2: gpg-agent --]
[-- Type: text/plain, Size: 2295 bytes --]

---
 policy/modules/apps/gpg.if |   19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

Index: policy/modules/apps/gpg.if
===================================================================
--- policy/modules/apps/gpg.if.orig	2008-04-09 18:05:09.000000000 +0200
+++ policy/modules/apps/gpg.if	2008-04-09 18:29:28.000000000 +0200
@@ -56,6 +56,9 @@
 	type $1_gpg_agent_tmp_t;
 	files_tmp_file($1_gpg_agent_tmp_t)
 
+	type $1_gpg_agent_home_t;
+	userdom_user_home_content($1,$1_gpg_agent_home_t)
+
 	type $1_gpg_secret_t;
 	userdom_user_home_content($1,$1_gpg_secret_t)
 
@@ -212,6 +215,14 @@
 	manage_files_pattern($1_gpg_agent_t,$1_gpg_secret_t,$1_gpg_secret_t)
 	manage_lnk_files_pattern($1_gpg_agent_t,$1_gpg_secret_t,$1_gpg_secret_t)
 
+	# write ~/.gpg-agent-info or a similar to the users home dir or subdir
+	# (gpg-agent --write-env-file option)
+	userdom_user_home_dir_filetrans($1,$1_gpg_agent_t,$1_gpg_agent_home_t,file)
+	userdom_user_home_content_filetrans($1,$1_gpg_agent_t,$1_gpg_agent_home_t,file)
+	allow $1_gpg_agent_t $1_gpg_agent_home_t : file { create_file_perms write_file_perms };
+	# the user can manage the gpg-agent-info file
+	allow $2 $1_gpg_agent_home_t:file manage_file_perms;
+
 	# allow gpg to connect to the gpg agent
 	stream_connect_pattern($1_gpg_t,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t,$1_gpg_agent_t)
 
@@ -219,11 +230,18 @@
 	ps_process_pattern($2,$1_gpg_agent_t)
 
 	# Allow the user shell to signal the gpg-agent program.
-	allow $2 $1_gpg_agent_t:process { signal sigkill };
+	allow $2 $1_gpg_agent_t:process { signal sigkill signull };
 
+	# Allow the user to manage gpg-agent tmp files (socket)
 	manage_dirs_pattern($2,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
 	manage_files_pattern($2,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
 	manage_sock_files_pattern($2,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
+
+	# Allow the gpg-agent to manage its tmp files (socket)
+	manage_dirs_pattern($1_gpg_agent_t,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
+	manage_files_pattern($1_gpg_agent_t,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
+	manage_sock_files_pattern($1_gpg_agent_t,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
+
 	files_tmp_filetrans($1_gpg_agent_t, $1_gpg_agent_tmp_t, { file sock_file dir })
 
 	# Transition from the user domain to the derived domain.

[-- Attachment #3: gpg-agent-nouser --]
[-- Type: text/plain, Size: 895 bytes --]

Index: refpolicy-svn/policy/modules/apps/gpg.if
===================================================================
--- refpolicy-svn.orig/policy/modules/apps/gpg.if	2008-04-15 14:55:36.000000000 +0200
+++ refpolicy-svn/policy/modules/apps/gpg.if	2008-04-15 14:56:00.000000000 +0200
@@ -232,11 +232,6 @@
 	# Allow the user shell to signal the gpg-agent program.
 	allow $2 $1_gpg_agent_t:process { signal sigkill signull };
 
-	# Allow the user to manage gpg-agent tmp files (socket)
-	manage_dirs_pattern($2,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
-	manage_files_pattern($2,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
-	manage_sock_files_pattern($2,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
-
 	# Allow the gpg-agent to manage its tmp files (socket)
 	manage_dirs_pattern($1_gpg_agent_t,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
 	manage_files_pattern($1_gpg_agent_t,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)

Re: refpolicy: patch for gpg-agent

[Václav Ovsík]

[-- Attachment #1: Type: text/plain, Size: 321 bytes --]

On Tue, Apr 15, 2008 at 03:26:02PM +0200, Václav Ovsík wrote:
...
> Another patch is attached with the specific type for home file
> (<ROLE>_gpg_agent_home_t). I hope, this is better than general write
...

I forgot file context... The attached patch adds one for fixed
filename `.gpg-agent-info'.

Best Regards
-- 
Zito

[-- Attachment #2: gpg-agent-fc --]
[-- Type: text/plain, Size: 559 bytes --]

Index: policy/modules/apps/gpg.fc
===================================================================
--- policy/modules/apps/gpg.fc.orig	2008-04-24 09:03:05.000000000 +0200
+++ policy/modules/apps/gpg.fc	2008-04-24 09:05:22.000000000 +0200
@@ -1,4 +1,5 @@
 HOME_DIR/\.gnupg(/.+)?		gen_context(system_u:object_r:ROLE_gpg_secret_t,s0)
+HOME_DIR/\.gpg-agent-info	gen_context(system_u:object_r:ROLE_gpg_agent_home_t,s0)
 
 /usr/bin/gpg(2)?	--	gen_context(system_u:object_r:gpg_exec_t,s0)
 /usr/bin/gpg-agent	--	gen_context(system_u:object_r:gpg_agent_exec_t,s0)

Re: refpolicy: patch for gpg-agent

[Daniel J Walsh]

[-- Attachment #1: Type: text/plain, Size: 982 bytes --]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Václav Ovsík wrote:
> On Tue, Apr 15, 2008 at 03:26:02PM +0200, Václav Ovsík wrote:
> ...
>> Another patch is attached with the specific type for home file
>> (<ROLE>_gpg_agent_home_t). I hope, this is better than general write
> ...
> 
> I forgot file context... The attached patch adds one for fixed
> filename `.gpg-agent-info'.
> 
> Best Regards
> 
Current Fedora allows gpg_t to manage files in the homedirs, since it
needs to be able to read/write files in the homedir.  No reason to
isolate it.

The reason for this patch being large is that Fedora no longer separates
homedir labeling via Prefix, since this concept will not work in a
distributed homedir environment.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkgQ0KsACgkQrlYvE4MpobM2nACgyRQmsFLZI5YtoCQrrzkEwCww
22QAoLtrkiJd6DJ+CfoS4M989pRr33y7
=/Sa0
-----END PGP SIGNATURE-----

[-- Attachment #2: apps_gpg.patch --]
[-- Type: text/plain, Size: 19138 bytes --]

From:  dwalsh@redhat.com
To: cpebenito@tresys.com
CC: selinux@tycho.nsa.gov
Subject: [PATCH] refpolicy: apps_gpg changes
--text follows this line--
--- nsaserefpolicy/policy/modules/apps/gpg.fc	2007-10-12 08:56:02.000000000 -0400
+++ serefpolicy-3.3.1/policy/modules/apps/gpg.fc	2008-04-21 11:02:48.167478000 -0400
@@ -1,9 +1,9 @@
-HOME_DIR/\.gnupg(/.+)?		gen_context(system_u:object_r:ROLE_gpg_secret_t,s0)
+HOME_DIR/\.gnupg(/.+)?		gen_context(system_u:object_r:user_gpg_secret_t,s0)
 
-/usr/bin/gpg(2)?	--	gen_context(system_u:object_r:gpg_exec_t,s0)
+/usr/bin/gpg2?		--	gen_context(system_u:object_r:gpg_exec_t,s0)
 /usr/bin/gpg-agent	--	gen_context(system_u:object_r:gpg_agent_exec_t,s0)
 /usr/bin/kgpg		--	gen_context(system_u:object_r:gpg_exec_t,s0)
 /usr/bin/pinentry.*	--	gen_context(system_u:object_r:pinentry_exec_t,s0)
 
-/usr/lib/gnupg/.*	--	gen_context(system_u:object_r:gpg_exec_t,s0)
-/usr/lib/gnupg/gpgkeys.* --	gen_context(system_u:object_r:gpg_helper_exec_t,s0)
+/usr/lib(64)?/gnupg/.*	--	gen_context(system_u:object_r:gpg_exec_t,s0)
+/usr/lib(64)?/gnupg/gpgkeys.* --	gen_context(system_u:object_r:gpg_helper_exec_t,s0)
--- nsaserefpolicy/policy/modules/apps/gpg.if	2007-07-23 10:20:12.000000000 -0400
+++ serefpolicy-3.3.1/policy/modules/apps/gpg.if	2008-04-21 11:02:48.173471000 -0400
@@ -38,6 +38,10 @@
 	gen_require(`
 		type gpg_exec_t, gpg_helper_exec_t;
 		type gpg_agent_exec_t, pinentry_exec_t;
+		type gpg_t, gpg_helper_t;
+		type gpg_agent_t, gpg_pinentry_t;
+		type user_gpg_agent_tmp_t;
+		type user_gpg_secret_t;
 	')
 
 	########################################
@@ -45,275 +49,62 @@
 	# Declarations
 	#
 
-	type $1_gpg_t;
-	application_domain($1_gpg_t,gpg_exec_t)
-	role $3 types $1_gpg_t;
-
-	type $1_gpg_agent_t;
-	application_domain($1_gpg_agent_t,gpg_agent_exec_t)
-	role $3 types $1_gpg_agent_t;
-
-	type $1_gpg_agent_tmp_t;
-	files_tmp_file($1_gpg_agent_tmp_t)
-
-	type $1_gpg_secret_t;
-	userdom_user_home_content($1,$1_gpg_secret_t)
-
-	type $1_gpg_helper_t;
-	application_domain($1_gpg_helper_t,gpg_helper_exec_t)
-	role $3 types $1_gpg_helper_t;
-
-	type $1_gpg_pinentry_t;
-	application_domain($1_gpg_pinentry_t,pinentry_exec_t)
-	role $3 types $1_gpg_pinentry_t;
+	typealias gpg_t alias $1_gpg_t;
+	role $3 types gpg_t;
 
-	########################################
-	#
-	# GPG local policy
-	#
-
-	allow $1_gpg_t self:capability { ipc_lock setuid };
-	allow { $2 $1_gpg_t } $1_gpg_t:process signal;
-	# setrlimit is for ulimit -c 0
-	allow $1_gpg_t self:process { setrlimit setcap setpgid };
-
-	allow $1_gpg_t self:fifo_file rw_fifo_file_perms;
-	allow $1_gpg_t self:tcp_socket create_stream_socket_perms;
-
-	# transition from the gpg domain to the helper domain
-	domtrans_pattern($1_gpg_t,gpg_helper_exec_t,$1_gpg_helper_t)
-
-	manage_files_pattern($1_gpg_t,$1_gpg_secret_t,$1_gpg_secret_t)
-	manage_lnk_files_pattern($1_gpg_t,$1_gpg_secret_t,$1_gpg_secret_t)
-	allow $1_gpg_t $1_gpg_secret_t:dir create_dir_perms;
- 	userdom_user_home_dir_filetrans($1, $1_gpg_t, $1_gpg_secret_t, dir)
-
-	# transition from the userdomain to the derived domain
-	domtrans_pattern($2,gpg_exec_t,$1_gpg_t)
-
-	# allow ps to show gpg
-	ps_process_pattern($2,$1_gpg_t)
-
-	corenet_all_recvfrom_unlabeled($1_gpg_t)
-	corenet_all_recvfrom_netlabel($1_gpg_t)
-	corenet_tcp_sendrecv_all_if($1_gpg_t)
-	corenet_udp_sendrecv_all_if($1_gpg_t)
-	corenet_tcp_sendrecv_all_nodes($1_gpg_t)
-	corenet_udp_sendrecv_all_nodes($1_gpg_t)
-	corenet_tcp_sendrecv_all_ports($1_gpg_t)
-	corenet_udp_sendrecv_all_ports($1_gpg_t)
-	corenet_tcp_connect_all_ports($1_gpg_t)
-	corenet_sendrecv_all_client_packets($1_gpg_t)
-
-	dev_read_rand($1_gpg_t)
-	dev_read_urand($1_gpg_t)
-
-	fs_getattr_xattr_fs($1_gpg_t)
-
-	domain_use_interactive_fds($1_gpg_t)
-
-	files_read_etc_files($1_gpg_t)
-	files_read_usr_files($1_gpg_t)
-	files_dontaudit_search_var($1_gpg_t)
-
-	libs_use_shared_libs($1_gpg_t)
-	libs_use_ld_so($1_gpg_t)
-
-	miscfiles_read_localization($1_gpg_t)
-
-	logging_send_syslog_msg($1_gpg_t)
-
-	sysnet_read_config($1_gpg_t)
-
-	userdom_use_user_terminals($1,$1_gpg_t)
+	typealias gpg_agent_t alias  $1_gpg_agent_t;
+	role $3 types gpg_agent_t;
 
-	optional_policy(`
-		nis_use_ypbind($1_gpg_t)
-	')
-
-	ifdef(`TODO',`
-	# Read content to encrypt/decrypt/sign
-	read_content($1_gpg_t, $1)
-
-	# Write content to encrypt/decrypt/sign
-	write_trusted($1_gpg_t, $1)
-	') dnl end TODO
-
-	########################################
-	#
-	# GPG helper local policy
-	#
-
-	# for helper programs (which automatically fetch keys)
-	# Note: this is only tested with the hkp interface. If you use eg the 
-	# mail interface you will likely need additional permissions.
-
-	allow $1_gpg_helper_t self:unix_stream_socket create_stream_socket_perms;
-	allow $1_gpg_helper_t self:tcp_socket { connect connected_socket_perms };
-	allow $1_gpg_helper_t self:udp_socket { connect connected_socket_perms };
-
-	# communicate with the user 
-	allow $1_gpg_helper_t $2:fd use;
-	allow $1_gpg_helper_t $2:fifo_file write;
+	typealias gpg_helper_t alias  $1_gpg_helper_t;
+	role $3 types gpg_helper_t;
 
-	dontaudit $1_gpg_helper_t $1_gpg_secret_t:file read;
+	typealias gpg_pinentry_t alias $1_gpg_pinentry_t;
+	role $3 types gpg_pinentry_t;
 
-	corenet_all_recvfrom_unlabeled($1_gpg_helper_t)
-	corenet_all_recvfrom_netlabel($1_gpg_helper_t)
-	corenet_tcp_sendrecv_all_if($1_gpg_helper_t)
-	corenet_raw_sendrecv_all_if($1_gpg_helper_t)
-	corenet_udp_sendrecv_all_if($1_gpg_helper_t)
-	corenet_tcp_sendrecv_all_nodes($1_gpg_helper_t)
-	corenet_udp_sendrecv_all_nodes($1_gpg_helper_t)
-	corenet_raw_sendrecv_all_nodes($1_gpg_helper_t)
-	corenet_tcp_sendrecv_all_ports($1_gpg_helper_t)
-	corenet_udp_sendrecv_all_ports($1_gpg_helper_t)
-	corenet_tcp_bind_all_nodes($1_gpg_helper_t)
-	corenet_udp_bind_all_nodes($1_gpg_helper_t)
-	corenet_tcp_connect_all_ports($1_gpg_helper_t)
-
-	dev_read_urand($1_gpg_helper_t)
-
-	files_read_etc_files($1_gpg_helper_t)
-	# for nscd
-	files_dontaudit_search_var($1_gpg_helper_t)
-
-	libs_use_ld_so($1_gpg_helper_t)
-	libs_use_shared_libs($1_gpg_helper_t)
-
-	sysnet_read_config($1_gpg_helper_t)
-
-	tunable_policy(`use_nfs_home_dirs',`
-		fs_dontaudit_rw_nfs_files($1_gpg_helper_t)
-	')
-
-	tunable_policy(`use_samba_home_dirs',`
-		fs_dontaudit_rw_cifs_files($1_gpg_helper_t)
+	ifelse(`$1',`user',`',`
+		typealias user_gpg_agent_tmp_t alias $1_gpg_agent_tmp_t;
+		typealias user_gpg_secret_t alias $1_gpg_secret_t;
 	')
 
-	optional_policy(`
-		xserver_use_xdm_fds($1_gpg_t)
-		xserver_rw_xdm_pipes($1_gpg_t)
-	')
-
-	########################################
-	#
-	# GPG agent local policy
-	#
+	# transition from the userdomain to the derived domain
+	domtrans_pattern($2,gpg_exec_t,gpg_t)
 
-	# rlimit: gpg-agent wants to prevent coredumps
-	allow $1_gpg_agent_t self:process setrlimit;
+	# Transition from the user domain to the derived domain.
+	domtrans_pattern($2, gpg_agent_exec_t, $1_gpg_agent_t)
 
-	allow $1_gpg_agent_t self:unix_stream_socket create_stream_socket_perms ;
-	allow $1_gpg_agent_t self:fifo_file rw_fifo_file_perms;
+	allow $2 gpg_t:process signal_perms;
 
-	# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
-	manage_dirs_pattern($1_gpg_agent_t,$1_gpg_secret_t,$1_gpg_secret_t)
-	manage_files_pattern($1_gpg_agent_t,$1_gpg_secret_t,$1_gpg_secret_t)
-	manage_lnk_files_pattern($1_gpg_agent_t,$1_gpg_secret_t,$1_gpg_secret_t)
+	# Thunderbird leaks descriptors
+	dontaudit gpg_t $2:tcp_socket rw_socket_perms;
+	dontaudit gpg_t $2:udp_socket rw_socket_perms;
+	dontaudit gpg_helper_t $2:tcp_socket rw_socket_perms;
+	dontaudit gpg_helper_t $2:udp_socket rw_socket_perms;
+	#Leaked File Descriptors
+	dontaudit gpg_helper_t $2:unix_stream_socket rw_socket_perms;
+	dontaudit gpg_t $2:unix_stream_socket rw_socket_perms;
 
-	# allow gpg to connect to the gpg agent
-	stream_connect_pattern($1_gpg_t,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t,$1_gpg_agent_t)
+	# allow ps to show gpg
+	ps_process_pattern($2,gpg_t)
 
 	# allow ps to show gpg-agent
 	ps_process_pattern($2,$1_gpg_agent_t)
 
 	# Allow the user shell to signal the gpg-agent program.
-	allow $2 $1_gpg_agent_t:process { signal sigkill };
-
-	manage_dirs_pattern($2,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
-	manage_files_pattern($2,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
-	manage_sock_files_pattern($2,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
-	files_tmp_filetrans($1_gpg_agent_t, $1_gpg_agent_tmp_t, { file sock_file dir })
-
-	# Transition from the user domain to the derived domain.
-	domtrans_pattern($2, gpg_agent_exec_t, $1_gpg_agent_t)
-
-	corecmd_search_bin($1_gpg_agent_t)
-
-	domain_use_interactive_fds($1_gpg_agent_t)
-
-	libs_use_ld_so($1_gpg_agent_t)
-	libs_use_shared_libs($1_gpg_agent_t)
-
-	miscfiles_read_localization($1_gpg_agent_t)
+	allow $2 gpg_agent_t:process signal_perms;
 
+	userdom_use_user_terminals($1,gpg_t)
 	# Write to the user domain tty.
-	userdom_use_user_terminals($1,$1_gpg_agent_t)
-	# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
-	userdom_search_user_home_dirs($1,$1_gpg_agent_t)
-
-	tunable_policy(`use_nfs_home_dirs',`
-		fs_manage_nfs_dirs($1_gpg_agent_t)
-		fs_manage_nfs_files($1_gpg_agent_t)
-		fs_manage_nfs_symlinks($1_gpg_agent_t)
-	')
-
-	tunable_policy(`use_samba_home_dirs',`
-		fs_manage_cifs_dirs($1_gpg_agent_t)
-		fs_manage_cifs_files($1_gpg_agent_t)
-		fs_manage_cifs_symlinks($1_gpg_agent_t)
-	')
-
-	##############################
-	#
-	# Pinentry local policy
-	#
-
-	allow $1_gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write };
-	allow $1_gpg_pinentry_t self:fifo_file rw_fifo_file_perms;
-
-	# we need to allow gpg-agent to call pinentry so it can get the passphrase 
-	# from the user.
-	domtrans_pattern($1_gpg_agent_t,pinentry_exec_t,$1_gpg_pinentry_t)
-
-	# read /proc/meminfo
-	kernel_read_system_state($1_gpg_pinentry_t)
-
-	files_read_usr_files($1_gpg_pinentry_t)
-	# read /etc/X11/qtrc
-	files_read_etc_files($1_gpg_pinentry_t)
-
-	libs_use_ld_so($1_gpg_pinentry_t)
-	libs_use_shared_libs($1_gpg_pinentry_t)
-
-	miscfiles_read_fonts($1_gpg_pinentry_t)
-	miscfiles_read_localization($1_gpg_pinentry_t)
-
-	# for .Xauthority
-	userdom_read_user_home_content_files($1,$1_gpg_pinentry_t)
-
-	tunable_policy(`use_nfs_home_dirs',`
-		fs_read_nfs_files($1_gpg_pinentry_t)
-	')
-
-	tunable_policy(`use_samba_home_dirs',`
-		fs_read_cifs_files($1_gpg_pinentry_t)
-	')
-
-	optional_policy(`
-		xserver_stream_connect_xdm_xserver($1_gpg_pinentry_t)
-	')
+	userdom_use_user_terminals($1,gpg_agent_t)
 
-	ifdef(`TODO',`
-	allow $1_gpg_pinentry_t tmp_t:dir { getattr search };
-
-	# wants to put some lock files into the user home dir, seems to work fine without
-	dontaudit $1_gpg_pinentry_t $1_home_t:dir { read write };
-	dontaudit $1_gpg_pinentry_t $1_home_t:file write;
-
-	tunable_policy(`use_nfs_home_dirs',`
-		dontaudit $1_gpg_pinentry_t nfs_t:dir write;
-		dontaudit $1_gpg_pinentry_t nfs_t:file write;
-	')
+	# communicate with the user 
+	allow gpg_helper_t $2:fd use;
+	allow gpg_helper_t $2:fifo_file rw_fifo_file_perms;
 
-	tunable_policy(`use_samba_home_dirs',`
-		dontaudit $1_gpg_pinentry_t cifs_t:dir write;
-		dontaudit $1_gpg_pinentry_t cifs_t:file write;
-	')
+	userdom_manage_user_home_content_files(user, gpg_helper_t)
 
-	dontaudit $1_gpg_pinentry_t { sysctl_t sysctl_kernel_t }:dir { getattr search };
-	') dnl end TODO
+	manage_dirs_pattern($2,user_gpg_agent_tmp_t,user_gpg_agent_tmp_t)
+	manage_files_pattern($2,user_gpg_agent_tmp_t,user_gpg_agent_tmp_t)
+	manage_sock_files_pattern($2,user_gpg_agent_tmp_t,user_gpg_agent_tmp_t)
 ')
 
 ########################################
--- nsaserefpolicy/policy/modules/apps/gpg.te	2007-12-19 05:32:09.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/apps/gpg.te	2008-04-21 13:02:48.601482000 -0400
@@ -7,15 +7,241 @@
 #
 
 # Type for gpg or pgp executables.
+type gpg_t;
 type gpg_exec_t;
+application_domain(gpg_t,gpg_exec_t)
+
+type gpg_helper_t;
 type gpg_helper_exec_t;
-application_executable_file(gpg_exec_t)
-application_executable_file(gpg_helper_exec_t)
+application_domain(gpg_helper_t,gpg_helper_exec_t)
 
 # Type for the gpg-agent executable.
+type gpg_agent_t;
 type gpg_agent_exec_t;
-application_executable_file(gpg_agent_exec_t)
+application_domain(gpg_agent_t,gpg_agent_exec_t)
 
 # type for the pinentry executable
+type gpg_pinentry_t;
 type pinentry_exec_t;
-application_executable_file(pinentry_exec_t)
+application_domain(gpg_pinentry_t,pinentry_exec_t)
+
+type user_gpg_agent_tmp_t;
+files_tmp_file(user_gpg_agent_tmp_t)
+
+type user_gpg_secret_t;
+userdom_user_home_content(user,user_gpg_secret_t)
+
+########################################
+#
+# GPG local policy
+#
+
+allow gpg_t self:capability { ipc_lock setuid };
+allow gpg_t gpg_t:process signal;
+# setrlimit is for ulimit -c 0
+allow gpg_t self:process { setrlimit getcap setcap setpgid };
+
+allow gpg_t self:fifo_file rw_fifo_file_perms;
+allow gpg_t self:tcp_socket create_stream_socket_perms;
+
+manage_files_pattern(gpg_t,user_gpg_secret_t,user_gpg_secret_t)
+manage_lnk_files_pattern(gpg_t,user_gpg_secret_t,user_gpg_secret_t)
+allow gpg_t user_gpg_secret_t:dir create_dir_perms;
+userdom_user_home_dir_filetrans_user_home_content(user, gpg_t, file)
+userdom_user_home_dir_filetrans(user, gpg_t, user_gpg_secret_t, dir)
+userdom_manage_user_home_content_files(user,gpg_t)
+userdom_manage_user_tmp_files(user,gpg_t)
+userdom_unpriv_users_stream_connect(gpg_t)
+
+# transition from the gpg domain to the helper domain
+domtrans_pattern(gpg_t,gpg_helper_exec_t,gpg_helper_t)
+
+corenet_all_recvfrom_unlabeled(gpg_t)
+corenet_all_recvfrom_netlabel(gpg_t)
+corenet_tcp_sendrecv_all_if(gpg_t)
+corenet_udp_sendrecv_all_if(gpg_t)
+corenet_tcp_sendrecv_all_nodes(gpg_t)
+corenet_udp_sendrecv_all_nodes(gpg_t)
+corenet_tcp_sendrecv_all_ports(gpg_t)
+corenet_udp_sendrecv_all_ports(gpg_t)
+corenet_tcp_connect_all_ports(gpg_t)
+corenet_sendrecv_all_client_packets(gpg_t)
+
+dev_read_rand(gpg_t)
+dev_read_urand(gpg_t)
+
+fs_getattr_xattr_fs(gpg_t)
+fs_list_inotifyfs(gpg_t)
+
+domain_use_interactive_fds(gpg_t)
+
+files_read_etc_files(gpg_t)
+files_read_usr_files(gpg_t)
+files_dontaudit_search_var(gpg_t)
+
+auth_use_nsswitch(gpg_t)
+
+libs_use_shared_libs(gpg_t)
+libs_use_ld_so(gpg_t)
+
+miscfiles_read_localization(gpg_t)
+
+logging_send_syslog_msg(gpg_t)
+
+########################################
+#
+# GPG helper local policy
+#
+
+allow gpg_helper_t self:process { getsched setsched };
+
+# for helper programs (which automatically fetch keys)
+# Note: this is only tested with the hkp interface. If you use eg the 
+# mail interface you will likely need additional permissions.
+
+allow gpg_helper_t self:unix_stream_socket create_stream_socket_perms;
+allow gpg_helper_t self:tcp_socket { connect connected_socket_perms };
+allow gpg_helper_t self:udp_socket { connect connected_socket_perms };
+
+dontaudit gpg_helper_t user_gpg_secret_t:file read;
+
+corenet_all_recvfrom_unlabeled(gpg_helper_t)
+corenet_all_recvfrom_netlabel(gpg_helper_t)
+corenet_tcp_sendrecv_all_if(gpg_helper_t)
+corenet_raw_sendrecv_all_if(gpg_helper_t)
+corenet_udp_sendrecv_all_if(gpg_helper_t)
+corenet_tcp_sendrecv_all_nodes(gpg_helper_t)
+corenet_udp_sendrecv_all_nodes(gpg_helper_t)
+corenet_raw_sendrecv_all_nodes(gpg_helper_t)
+corenet_tcp_sendrecv_all_ports(gpg_helper_t)
+corenet_udp_sendrecv_all_ports(gpg_helper_t)
+corenet_tcp_bind_all_nodes(gpg_helper_t)
+corenet_udp_bind_all_nodes(gpg_helper_t)
+corenet_tcp_connect_all_ports(gpg_helper_t)
+
+files_read_etc_files(gpg_helper_t)
+
+fs_list_inotifyfs(gpg_helper_t)
+
+auth_use_nsswitch(gpg_helper_t)
+
+libs_use_ld_so(gpg_helper_t)
+libs_use_shared_libs(gpg_helper_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+	fs_dontaudit_rw_nfs_files(gpg_helper_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+	fs_dontaudit_rw_cifs_files(gpg_helper_t)
+')
+
+optional_policy(`
+	xserver_use_xdm_fds(gpg_t)
+	xserver_rw_xdm_pipes(gpg_t)
+')
+
+
+tunable_policy(`use_nfs_home_dirs',`
+	fs_manage_nfs_dirs(gpg_t)
+	fs_manage_nfs_files(gpg_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+	fs_manage_cifs_dirs(gpg_t)
+	fs_manage_cifs_files(gpg_t)
+')
+
+########################################
+#
+# GPG agent local policy
+#
+
+# rlimit: gpg-agent wants to prevent coredumps
+allow gpg_agent_t self:process setrlimit;
+
+allow gpg_agent_t self:unix_stream_socket create_stream_socket_perms ;
+allow gpg_agent_t self:fifo_file rw_fifo_file_perms;
+
+# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
+manage_dirs_pattern(gpg_agent_t,user_gpg_secret_t,user_gpg_secret_t)
+manage_files_pattern(gpg_agent_t,user_gpg_secret_t,user_gpg_secret_t)
+manage_lnk_files_pattern(gpg_agent_t,user_gpg_secret_t,user_gpg_secret_t)
+
+# allow gpg to connect to the gpg agent
+manage_dirs_pattern(gpg_agent_t,user_gpg_secret_t,user_gpg_secret_t)
+manage_files_pattern(gpg_agent_t,user_gpg_secret_t,user_gpg_secret_t)
+manage_lnk_files_pattern(gpg_agent_t,user_gpg_secret_t,user_gpg_secret_t)
+
+stream_connect_pattern(gpg_t,user_gpg_agent_tmp_t,user_gpg_agent_tmp_t,gpg_agent_t)
+
+manage_dirs_pattern(gpg_agent_t,user_gpg_agent_tmp_t,user_gpg_agent_tmp_t)
+manage_files_pattern(gpg_agent_t,user_gpg_agent_tmp_t,user_gpg_agent_tmp_t)
+manage_sock_files_pattern(gpg_agent_t,user_gpg_agent_tmp_t,user_gpg_agent_tmp_t)
+files_tmp_filetrans(gpg_agent_t, user_gpg_agent_tmp_t, { file sock_file dir })
+
+corecmd_search_bin(gpg_agent_t)
+
+domain_use_interactive_fds(gpg_agent_t)
+
+libs_use_ld_so(gpg_agent_t)
+libs_use_shared_libs(gpg_agent_t)
+
+miscfiles_read_localization(gpg_agent_t)
+
+# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
+userdom_search_user_home_dirs(user,gpg_agent_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+	fs_manage_nfs_dirs(gpg_agent_t)
+	fs_manage_nfs_files(gpg_agent_t)
+	fs_manage_nfs_symlinks(gpg_agent_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+	fs_manage_cifs_dirs(gpg_agent_t)
+	fs_manage_cifs_files(gpg_agent_t)
+	fs_manage_cifs_symlinks(gpg_agent_t)
+')
+
+##############################
+#
+# Pinentry local policy
+#
+
+allow gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write };
+allow gpg_pinentry_t self:fifo_file rw_fifo_file_perms;
+
+# we need to allow gpg-agent to call pinentry so it can get the passphrase 
+# from the user.
+domtrans_pattern(gpg_agent_t,pinentry_exec_t,gpg_pinentry_t)
+
+# read /proc/meminfo
+kernel_read_system_state(gpg_pinentry_t)
+
+files_read_usr_files(gpg_pinentry_t)
+# read /etc/X11/qtrc
+files_read_etc_files(gpg_pinentry_t)
+
+libs_use_ld_so(gpg_pinentry_t)
+libs_use_shared_libs(gpg_pinentry_t)
+
+miscfiles_read_fonts(gpg_pinentry_t)
+miscfiles_read_localization(gpg_pinentry_t)
+
+# for .Xauthority
+userdom_read_user_home_content_files(user,gpg_pinentry_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+	fs_read_nfs_files(gpg_pinentry_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+	fs_read_cifs_files(gpg_pinentry_t)
+')
+
+optional_policy(`
+	xserver_stream_connect_xdm_xserver(gpg_pinentry_t)
+')
+
+

[-- Attachment #3: apps_gpg.patch.sig --]
[-- Type: application/octet-stream, Size: 72 bytes --]

Re: refpolicy: patch for gpg-agent

[Václav Ovsík]

[-- Attachment #1: Type: text/plain, Size: 1704 bytes --]

Hi,

On Thu, Apr 24, 2008 at 02:25:48PM -0400, Daniel J Walsh wrote:
...
> Current Fedora allows gpg_t to manage files in the homedirs, since it
> needs to be able to read/write files in the homedir.  No reason to
> isolate it.
> 
> The reason for this patch being large is that Fedora no longer separates
> homedir labeling via Prefix, since this concept will not work in a
> distributed homedir environment.
...

My patch was about gpg-agent (gpg_agent_t) and not gpg itself (gpg_t).
Thanks for the Fedora gpg patch. It is quite big. I must keep the change
small to be acceptable by Christopher :).


On Tue, May 06, 2008 at 01:33:35PM -0400, Christopher J. PeBenito wrote:
... 
> I've been kicking this one around in my head for a while since this
> doesn't seem clear cut.  I think adding another type is too much for
> such a file, so I still think the best choice is to have a tunable that
> allows writing to $1_home_t files, as I suggested before.

OK. This time I attached a patch with a tunable (shared by all roles).
The tunable (gpg_agent_manage_user_files) defaults to false.
Maybe names should be corrected.


> Another suggestion that was made to me would be to use the same type
> used by the socket ($1_gpg_agent_tmp_t).  I'm not convinced there
> actually a security equivalence, but if you can come up with a good
> argument, then I'm open to it.  If that happens the type will have to be
> renamed since creating a *_tmp_t file in a user home directory is
> confusing.

I hope the above will be sufficient. My original meaning was less
tunables the better (less possibility to miss-configure something...)
and therefore I wrote the patch without tunable first.

Best Regards
-- 
Zito

[-- Attachment #2: gpg-agent --]
[-- Type: text/plain, Size: 2360 bytes --]

Index: policy/modules/apps/gpg.if
===================================================================
--- policy/modules/apps/gpg.if.orig	2008-05-12 09:14:15.000000000 +0200
+++ policy/modules/apps/gpg.if	2008-05-12 14:51:23.000000000 +0200
@@ -212,6 +212,15 @@
 	manage_files_pattern($1_gpg_agent_t,$1_gpg_secret_t,$1_gpg_secret_t)
 	manage_lnk_files_pattern($1_gpg_agent_t,$1_gpg_secret_t,$1_gpg_secret_t)
 
+	tunable_policy(`gpg_agent_manage_user_files',`
+	    # write ~/.gpg-agent-info or a similar to the users home dir
+	    # or subdir (gpg-agent --write-env-file option)
+	    #
+	    userdom_user_home_dir_filetrans_user_home_content($1,$1_gpg_agent_t,file)
+	    userdom_manage_user_home_content_dirs($1,$1_gpg_agent_t)
+	    userdom_manage_user_home_content_files($1,$1_gpg_agent_t)
+	')
+
 	# allow gpg to connect to the gpg agent
 	stream_connect_pattern($1_gpg_t,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t,$1_gpg_agent_t)
 
@@ -219,11 +228,18 @@
 	ps_process_pattern($2,$1_gpg_agent_t)
 
 	# Allow the user shell to signal the gpg-agent program.
-	allow $2 $1_gpg_agent_t:process { signal sigkill };
+	allow $2 $1_gpg_agent_t:process { signal sigkill signull };
 
+	# Allow the user to manage gpg-agent tmp files (socket)
 	manage_dirs_pattern($2,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
 	manage_files_pattern($2,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
 	manage_sock_files_pattern($2,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
+
+	# Allow the gpg-agent to manage its tmp files (socket)
+	manage_dirs_pattern($1_gpg_agent_t,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
+	manage_files_pattern($1_gpg_agent_t,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
+	manage_sock_files_pattern($1_gpg_agent_t,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
+
 	files_tmp_filetrans($1_gpg_agent_t, $1_gpg_agent_tmp_t, { file sock_file dir })
 
 	# Transition from the user domain to the derived domain.
Index: policy/modules/apps/gpg.te
===================================================================
--- policy/modules/apps/gpg.te.orig	2008-05-12 09:14:15.000000000 +0200
+++ policy/modules/apps/gpg.te	2008-05-12 09:14:28.000000000 +0200
@@ -6,6 +6,13 @@
 # Declarations
 #
 
+## <desc>
+## <p>
+## Allow gpg-agent to manage user files.
+## </p>
+## </desc>
+gen_tunable(gpg_agent_manage_user_files,false)
+
 # Type for gpg or pgp executables.
 type gpg_exec_t;
 type gpg_helper_exec_t;

[-- Attachment #3: gpg-agent-nouser --]
[-- Type: text/plain, Size: 895 bytes --]

Index: refpolicy-svn/policy/modules/apps/gpg.if
===================================================================
--- refpolicy-svn.orig/policy/modules/apps/gpg.if	2008-05-12 14:51:48.000000000 +0200
+++ refpolicy-svn/policy/modules/apps/gpg.if	2008-05-12 14:51:48.000000000 +0200
@@ -230,11 +230,6 @@
 	# Allow the user shell to signal the gpg-agent program.
 	allow $2 $1_gpg_agent_t:process { signal sigkill signull };
 
-	# Allow the user to manage gpg-agent tmp files (socket)
-	manage_dirs_pattern($2,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
-	manage_files_pattern($2,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
-	manage_sock_files_pattern($2,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
-
 	# Allow the gpg-agent to manage its tmp files (socket)
 	manage_dirs_pattern($1_gpg_agent_t,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
 	manage_files_pattern($1_gpg_agent_t,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)

Re: refpolicy: patch for gpg-agent

[Christopher J. PeBenito]

On Tue, 2008-04-15 at 15:26 +0200, Václav Ovsík wrote:
> Hi,
> after a longer period of inactivity I'm back with a new try :)
> 
> On Wed, Mar 26, 2008 at 11:11:12AM -0400, Christopher J. PeBenito wrote:
> > On Fri, 2008-03-21 at 14:03 +0100, Václav Ovsík wrote:
> > > On Tue, Mar 04, 2008 at 02:51:41PM -0500, Christopher J. PeBenito wrote:
> > > > On Wed, 2008-02-20 at 18:03 +0100, Václav Ovsík wrote:
> > > > > I'm running HEAD refpolicy on Debian Sid, but this patch is not
> > > > > Debian-specific this time.
> > > > > Having a copy of my std bash profile on the testing machine with
> > > > > a snippet (from gpg-agent man page):
> > > > > 
> > > > >     if test -f $HOME/.gpg-agent-info \
> > > > >              && kill -0 `cut -d: -f 2 $HOME/.gpg-agent-info`
> > > > > 2>/dev/null
> > > > >     then
> > > > >         . $HOME/.gpg-agent-info
> > > > >         export GPG_AGENT_INFO
> > > > >         export SSH_AUTH_SOCK
> > > > >         export SSH_AGENT_PID
> > > > >     else
> > > > >         eval `gpg-agent --daemon --write-env-file`
> > > > >     fi
> > > > > 
> > > > > I got a number of denials for this snippet of commands.
> > > > > 
> > > > > 1. Found a typo for permissions to create socket in the /tmp.
> > > > > 2. Added permission to send signal 0 by the user (see above).
> > > > > 3. Added permissions for writing agent info file into users home
> > > > >    directory.
> > > > > 
> > > > > Index: policy/modules/apps/gpg.if
> > > > > ===================================================================
> > > > > --- policy/modules/apps/gpg.if  (revision 2617)
> > > > > +++ policy/modules/apps/gpg.if  (working copy)
> > > > > @@ -212,6 +212,12 @@
> > > > >         manage_files_pattern($1_gpg_agent_t,$1_gpg_secret_t,$1_gpg_secret_t)
> > > > >         manage_lnk_files_pattern($1_gpg_agent_t,$1_gpg_secret_t,$1_gpg_secret_t)
> > > > >  
> > > > > +       # write ~/.gpg-agent-info (gpg-agent --write-env-file option)
> > > > > +       allow $1_gpg_agent_t { $1_home_dir_t $1_home_t }:dir add_entry_dir_perms;
> > > > > +       type_transition $1_gpg_agent_t $1_home_dir_t:file $1_home_t;
> > > > > +       allow $1_gpg_agent_t $1_home_t:file create_file_perms;
> > > > > +       allow $1_gpg_agent_t $1_home_t:file write_file_perms;
> > > > 
> > > > I'm a little hesitant to add this unconditionally, I don't think we want
> > > > gpg-agent to write out to general home dir content.  Perhaps we should
> > > > have a tunable, or a specific type for this.
> > > 
> > > I added this rules, so an example from gpg-agent manpage can work
> > > out-of-the-box. Adding a tunable (with the default to disallow) will not
> > > satisfy this. Maybe the later - specific type, but what security risk
> > > poses this rules?
> > > I thought, that domain X_gpg_agent_t is very trusted domain, that
> > > manages my secret keys and should be shielded against the world around
> > > and not the opposite.
> > 
> > Its trusted for handling keys, not trusted for handling general content
> > in the user's home directory.  Remember that if the rules are made
> > conditional, theres nothing stopping distros from making the tunable
> > default to true.
[...]
> Another patch is attached with the specific type for home file
> (<ROLE>_gpg_agent_home_t). I hope, this is better than general write
> permission from the previous patch and without administrative overhead
> of tunable.
> 
> Allowed rules for userdomain on gpg-agent tmp files (socket) are
> contained, but I'm not completely certain this is needed. Gpg-agent
> creates socket while starting and cleans it up when exits. The socket
> file remains in /tmp only when gpg-agent is killed by SIGKILL, and there
> is probably no need to remove this stuff by the userdomain either.
> Tmpreaper/tmpwatch cron job should do cleanup. Although I hope including
> these rules for userdomain is harmless.

I've been kicking this one around in my head for a while since this
doesn't seem clear cut.  I think adding another type is too much for
such a file, so I still think the best choice is to have a tunable that
allows writing to $1_home_t files, as I suggested before.

Another suggestion that was made to me would be to use the same type
used by the socket ($1_gpg_agent_tmp_t).  I'm not convinced there
actually a security equivalence, but if you can come up with a good
argument, then I'm open to it.  If that happens the type will have to be
renamed since creating a *_tmp_t file in a user home directory is
confusing.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.