author | Jason Zaman <jason@perfinion.com> | 2017-05-26 23:57:56 +0800 |
---|---|---|
committer | Jason Zaman <jason@perfinion.com> | 2017-06-06 01:16:18 +0800 |
commit | eb4243483e9aab2e37ec39334dbff1acedb5351d (patch) | |
tree | a4d7c9ac277cd27fd377c035135ba09d020b256b | |
parent | Module version bump for misc patches from Guido Trentalancia. (diff) | |
dirmngr: add to roles and allow gpg to domtrans
-rw-r--r-- | policy/modules/contrib/dirmngr.if | 69 | ||||
-rw-r--r-- | policy/modules/contrib/gpg.te | 4 |
2 files changed, 73 insertions, 0 deletions
diff --git a/policy/modules/contrib/dirmngr.if b/policy/modules/contrib/dirmngr.if
index 4cd2810e..2f6875a6 100644
--- a/policy/modules/contrib/dirmngr.if
+++ b/policy/modules/contrib/dirmngr.if
@@ -1,5 +1,74 @@
 ## <summary>Server for managing and downloading certificate revocation lists.</summary>
 
+############################################################
+## <summary>
+## Role access for dirmngr.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`dirmngr_role',`
+ gen_require(`
+ type dirmngr_t, dirmngr_exec_t;
+ ')
+
+ role $1 types dirmngr_t;
+
+ domtrans_pattern($2, dirmngr_exec_t, dirmngr_t)
+
+ allow $2 dirmngr_t:process { ptrace signal_perms };
+ ps_process_pattern($2, dirmngr_t)
+
+ allow dirmngr_t $2:fd use;
+ allow dirmngr_t $2:fifo_file { read write };
+')
+
+########################################
+## <summary>
+## Execute dirmngr in the dirmngr domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`dirmngr_domtrans',`
+ gen_require(`
+ type dirmngr_t, dirmngr_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, dirmngr_exec_t, dirmngr_t)
+')
+
+########################################
+## <summary>
+## Execute the dirmngr in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirmngr_exec',`
+ gen_require(`
+ type dirmngr_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, dirmngr_exec_t)
+')
+
 ########################################
 ## <summary>
 ## All of the rules required to
diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
index c145fb4c..1b8448c7 100644
--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
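Review bot: In `dirmngr_role`, the rule `allow $2 dirmngr_t:process { ptrace signal_perms };` gives the user domain ptrace over dirmngr_t, so that domain can read and alter the memory of the process doing CRL and certificate lookups for it, which weakens the confinement the new domain is meant to provide. Unless a caller is known to need to debug dirmngr, I would narrow it to `allow $2 dirmngr_t:process signal_perms;`. The role interface also omits the `corecmd_search_bin` call that `dirmngr_domtrans` and `dirmngr_exec` both make, so `corecmd_search_bin($2)` would keep the three consistent. The two trailing `allow dirmngr_t $2:fd use;` and `allow dirmngr_t $2:fifo_file { read write };` rules look redundant with what `domtrans_pattern` usually grants to the target domain; that is worth confirming against the macro definition, which is not visible here.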
@@ -139,6 +139,10 @@ tunable_policy(`use_samba_home_dirs',`
 ')
 
 optional_policy(`
+ dirmngr_domtrans(gpg_t)
+')
+
+optional_policy(`
 evolution_read_orbit_tmp_files(gpg_t)
 ')
 
|