diff options
| author |   Jason Zaman <jason@perfinion.com> | 2017-05-26 23:57:58 +0800 |
|---|---|---|
| committer | Jason Zaman <jason@perfinion.com> | 2017-06-06 01:16:18 +0800 |
| commit | 996e3b5ef2273ae294ef466afcd37bac49083998 (patch) | |
| tree | 8ae68f72f347602b56d96605255021864b8ffcd8 | |
| parent | gpg: Fix overspecified dependencies in gpg_agent_tmp_filetrans. (diff) | |
| download | hardened-refpolicy-996e3b5e.tar.gz hardened-refpolicy-996e3b5e.tar.bz2 hardened-refpolicy-996e3b5e.zip | |
dirmngr: fcontext for ~/.gnupg/crls.d/
| -rw-r--r-- | policy/modules/contrib/dirmngr.fc | 2 | ||||
| -rw-r--r-- | policy/modules/contrib/dirmngr.te | 7 | ||||
| -rw-r--r-- | policy/modules/contrib/gpg.if | 20 |
3 files changed, 29 insertions, 0 deletions
diff --git a/policy/modules/contrib/dirmngr.fc b/policy/modules/contrib/dirmngr.fc index a9cf15a8..60f19f47 100644 --- a/policy/modules/contrib/dirmngr.fc +++ b/policy/modules/contrib/dirmngr.fc @@ -1,3 +1,5 @@ +HOME_DIR/\.gnupg/crls\.d(/.+)? gen_context(system_u:object_r:dirmngr_home_t,s0) + /etc/dirmngr(/.*)? gen_context(system_u:object_r:dirmngr_conf_t,s0) /etc/rc\.d/init\.d/dirmngr -- gen_context(system_u:object_r:dirmngr_initrc_exec_t,s0) diff --git a/policy/modules/contrib/dirmngr.te b/policy/modules/contrib/dirmngr.te index 8e4a1a89..17cce56a 100644 --- a/policy/modules/contrib/dirmngr.te +++ b/policy/modules/contrib/dirmngr.te @@ -27,6 +27,9 @@ files_type(dirmngr_var_lib_t) type dirmngr_var_run_t; files_pid_file(dirmngr_var_run_t) +type dirmngr_home_t; +userdom_user_home_content(dirmngr_home_t) + ######################################## # # Local policy @@ -37,6 +40,8 @@ allow dirmngr_t self:fifo_file rw_file_perms; allow dirmngr_t dirmngr_conf_t:dir list_dir_perms; allow dirmngr_t dirmngr_conf_t:file read_file_perms; allow dirmngr_t dirmngr_conf_t:lnk_file read_lnk_file_perms; +allow dirmngr_t dirmngr_home_t:dir list_dir_perms; +allow dirmngr_t dirmngr_home_t:file read_file_perms; manage_dirs_pattern(dirmngr_t, dirmngr_log_t, dirmngr_log_t) append_files_pattern(dirmngr_t, dirmngr_log_t, dirmngr_log_t) @@ -61,6 +66,7 @@ kernel_read_crypto_sysctls(dirmngr_t) files_read_etc_files(dirmngr_t) miscfiles_read_localization(dirmngr_t) +miscfiles_read_generic_certs(dirmngr_t) userdom_search_user_home_dirs(dirmngr_t) userdom_search_user_runtime(dirmngr_t) @@ -68,4 +74,5 @@ userdom_user_runtime_filetrans(dirmngr_t, dirmngr_tmp_t, dir) optional_policy(` gpg_agent_tmp_filetrans(dirmngr_t, dirmngr_tmp_t, sock_file) + gpg_secret_filetrans(dirmngr_t, dirmngr_home_t, dir) ') diff --git a/policy/modules/contrib/gpg.if b/policy/modules/contrib/gpg.if index 8bad95c4..4f118bf3 100644 --- a/policy/modules/contrib/gpg.if +++ b/policy/modules/contrib/gpg.if @@ -253,6 +253,26 @@ interface(`gpg_agent_tmp_filetrans',` ######################################## ## <summary> +## filetrans in gpg_secret_t dirs +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`gpg_secret_filetrans',` + gen_require(` + type gpg_secret_t; + ') + + filetrans_pattern($1, gpg_secret_t, $2, $3, $4) + allow $1 gpg_secret_t:dir search_dir_perms; + userdom_search_user_home_dirs($1) +') + +######################################## +## <summary> ## Send messages to and from gpg ## pinentry over DBUS. ## </summary> |