authorKenton Groombridge <me@concord.sh>2021-11-16 17:54:20 -0500
committerJason Zaman <perfinion@gentoo.org>2022-01-29 17:11:51 -0800
commite606305dec24f5938337bdf23b4f630e46064fad (patch)
tree5ee893b6d4781d0136638de9005292002f0f5a14
parentcontainer: initial support for container engines (diff)
container, gpg, userdom: allow container engines to execute gpg
Container engines need to be able to execute gpg in order to verify container image signatures if they are signed. Signed-off-by: Kenton Groombridge <me@concord.sh> Signed-off-by: Jason Zaman <perfinion@gentoo.org>
-rw-r--r--policy/modules/apps/gpg.if37
-rw-r--r--policy/modules/services/container.te7
-rw-r--r--policy/modules/system/userdomain.if19
3 files changed, 63 insertions, 0 deletions
diff --git a/policy/modules/apps/gpg.if b/policy/modules/apps/gpg.if
index c15dce8d3..c45cf389a 100644
--- a/policy/modules/apps/gpg.if
+++ b/policy/modules/apps/gpg.if
@@ -158,6 +158,24 @@ interface(`gpg_exec_agent',`
can_exec($1, gpg_agent_exec_t)
')
+########################################
+## <summary>
+## Do not audit attempts to execute the gpg-agent.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`gpg_dontaudit_exec_agent',`
+ gen_require(`
+ type gpg_agent_exec_t;
+ ')
+
+ dontaudit $1 gpg_agent_exec_t:file exec_file_perms;
+')
+
######################################
## <summary>
## Make gpg executable files an
@@ -382,6 +400,25 @@ interface(`gpg_pinentry_dbus_chat',`
########################################
## <summary>
+## Do not audit attempts to search gpg
+## user secrets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`gpg_dontaudit_search_user_secrets',`
+ gen_require(`
+ type gpg_secret_t;
+ ')
+
+ dontaudit $1 gpg_secret_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
## List gpg user secrets.
## </summary>
## <param name="domain">
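Review bot: gpg_dontaudit_search_user_secrets silences only the search on gpg_secret_t itself; gpg_secret_t is user home content, so a caller that cannot already search the enclosing user home directory will still log a denial one level up, on the home directory type, and this dontaudit then hides nothing. The allow-style siblings in this file appear to pair the home-content rule with a userdom search call (their bodies are outside the hunk, so this is inferred from refpolicy's usual pattern). If this interface is meant for domains that do not already reach the home directory, pair it with `userdom_dontaudit_search_user_home_dirs($1)`; otherwise say in the summary that the caller is expected to already have search on the user home directory. The interface is complete within the hunk.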
diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te
index 7178798f3..71ed00c68 100644
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@@ -432,6 +432,13 @@ ifdef(`init_systemd',`
')
optional_policy(`
+ # to verify container image signatures
+ gpg_exec(container_engine_domain)
+ gpg_dontaudit_exec_agent(container_engine_domain)
+ gpg_dontaudit_search_user_secrets(container_engine_domain)
+')
+
+optional_policy(`
iptables_domtrans(container_engine_domain)
')
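Review bot: `gpg_exec(container_engine_domain)` runs gpg inside the engine's own domain with no transition, while the two dontaudit lines silence gpg's attempts to launch gpg-agent and to search the user's gpg_secret_t keyring, so a verification that happened to depend on the user keyring would fail with no AVC pointing at the cause; the one-line comment should state that this is intended rather than leave the next reader to rediscover it. Suggest replacing `# to verify container image signatures` with `# gpg runs in the engine domain (no transition) to verify image signatures; gpg-agent and ~/.gnupg are deliberately unreachable, so keys must be supplied by the engine itself, not the user keyring` — the last clause is a presumption about how the engine invokes gpg, confirm against its verification path before committing to it. Nothing in this hunk grants gpg a writable temporary keyring directory, so that access presumably already exists in container_engine_domain's rules, which are outside the hunk; worth confirming. The optional_policy block is complete within the hunk.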
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 7399afb9a..5e6126f4f 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -3494,6 +3494,25 @@ interface(`userdom_search_user_runtime_root',`
########################################
## <summary>
+## Do not audit attempts to search
+## user runtime root directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`userdom_dontaudit_search_user_runtime_root',`
+ gen_require(`
+ type user_runtime_root_t;
+ ')
+
+ dontaudit $1 user_runtime_root_t:dir search;
+')
+
+########################################
+## <summary>
## Create, read, write, and delete user
## runtime root dirs.
## </summary>
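Review bot: `dontaudit $1 user_runtime_root_t:dir search;` in the new interface uses the bare `search` permission, whereas the two dontaudit interfaces this same commit adds to gpg.if use `search_dir_perms`, and the neighbouring userdom_search_user_runtime_root presumably uses `search_dir_perms` as well (its body is outside the hunk); with bare `search`, a getattr or open on the directory during the same probe is still logged, so the interface only half-silences it. Suggest `dontaudit $1 user_runtime_root_t:dir search_dir_perms;`. Separately, none of the three touched files calls userdom_dontaudit_search_user_runtime_root in the visible hunks, so it is introduced unused by this commit; if the container.te hunk was meant to call it (gpg probing /run/user/UID for the agent socket would be the plausible reason), wire it in there, otherwise drop it from this change. The interface is complete within the hunk.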