1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
|
policy_module(gpg, 2.5.0)
########################################
#
# Declarations
#
## <desc>
## <p>
## Allow usage of the gpg-agent --write-env-file option.
## This also allows gpg-agent to manage user files.
## </p>
## </desc>
gen_tunable(gpg_agent_env_file, false)
type gpg_t;
type gpg_exec_t;
typealias gpg_t alias { user_gpg_t staff_gpg_t sysadm_gpg_t };
typealias gpg_t alias { auditadm_gpg_t secadm_gpg_t };
userdom_user_application_domain(gpg_t, gpg_exec_t)
role system_r types gpg_t;
type gpg_agent_t;
type gpg_agent_exec_t;
typealias gpg_agent_t alias { user_gpg_agent_t staff_gpg_agent_t sysadm_gpg_agent_t };
typealias gpg_agent_t alias { auditadm_gpg_agent_t secadm_gpg_agent_t };
userdom_user_application_domain(gpg_agent_t, gpg_agent_exec_t)
type gpg_agent_tmp_t;
typealias gpg_agent_tmp_t alias { user_gpg_agent_tmp_t staff_gpg_agent_tmp_t sysadm_gpg_agent_tmp_t };
typealias gpg_agent_tmp_t alias { auditadm_gpg_agent_tmp_t secadm_gpg_agent_tmp_t };
userdom_user_tmp_file(gpg_agent_tmp_t)
type gpg_secret_t;
typealias gpg_secret_t alias { user_gpg_secret_t staff_gpg_secret_t sysadm_gpg_secret_t };
typealias gpg_secret_t alias { auditadm_gpg_secret_t secadm_gpg_secret_t };
userdom_user_home_content(gpg_secret_t)
type gpg_helper_t;
type gpg_helper_exec_t;
typealias gpg_helper_t alias { user_gpg_helper_t staff_gpg_helper_t sysadm_gpg_helper_t };
typealias gpg_helper_t alias { auditadm_gpg_helper_t secadm_gpg_helper_t };
userdom_user_application_domain(gpg_helper_t, gpg_helper_exec_t)
role system_r types gpg_helper_t;
type gpg_pinentry_t;
type pinentry_exec_t;
typealias gpg_pinentry_t alias { user_gpg_pinentry_t staff_gpg_pinentry_t sysadm_gpg_pinentry_t };
typealias gpg_pinentry_t alias { auditadm_gpg_pinentry_t secadm_gpg_pinentry_t };
userdom_user_application_domain(gpg_pinentry_t, pinentry_exec_t)
type gpg_pinentry_tmp_t;
userdom_user_tmp_file(gpg_pinentry_tmp_t)
type gpg_pinentry_tmpfs_t;
userdom_user_tmpfs_file(gpg_pinentry_tmpfs_t)
########################################
#
# GPG local policy
#
allow gpg_t self:capability { ipc_lock setuid };
# setrlimit is for ulimit -c 0
allow gpg_t self:process { signal signull setrlimit getcap setcap setpgid };
allow gpg_t self:fifo_file rw_fifo_file_perms;
allow gpg_t self:tcp_socket create_stream_socket_perms;
manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
files_tmp_filetrans(gpg_t, gpg_agent_tmp_t, { dir file })
domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
# transition from the gpg domain to the helper domain
domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)
allow gpg_t gpg_secret_t:dir create_dir_perms;
manage_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
manage_lnk_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir)
kernel_read_sysctl(gpg_t)
corecmd_exec_shell(gpg_t)
corecmd_exec_bin(gpg_t)
corenet_all_recvfrom_unlabeled(gpg_t)
corenet_all_recvfrom_netlabel(gpg_t)
corenet_tcp_sendrecv_generic_if(gpg_t)
corenet_udp_sendrecv_generic_if(gpg_t)
corenet_tcp_sendrecv_generic_node(gpg_t)
corenet_udp_sendrecv_generic_node(gpg_t)
corenet_tcp_sendrecv_all_ports(gpg_t)
corenet_udp_sendrecv_all_ports(gpg_t)
corenet_tcp_connect_all_ports(gpg_t)
corenet_sendrecv_all_client_packets(gpg_t)
dev_read_rand(gpg_t)
dev_read_urand(gpg_t)
dev_read_generic_usb_dev(gpg_t)
fs_getattr_xattr_fs(gpg_t)
fs_list_inotifyfs(gpg_t)
domain_use_interactive_fds(gpg_t)
files_read_etc_files(gpg_t)
files_read_usr_files(gpg_t)
files_dontaudit_search_var(gpg_t)
auth_use_nsswitch(gpg_t)
logging_send_syslog_msg(gpg_t)
miscfiles_read_localization(gpg_t)
userdom_use_user_terminals(gpg_t)
# sign/encrypt user files
userdom_manage_user_tmp_files(gpg_t)
userdom_manage_user_home_content_files(gpg_t)
userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)
mta_write_config(gpg_t)
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(gpg_t)
fs_manage_nfs_files(gpg_t)
')
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_dirs(gpg_t)
fs_manage_cifs_files(gpg_t)
')
optional_policy(`
mozilla_read_user_home_files(gpg_t)
mozilla_write_user_home_files(gpg_t)
')
optional_policy(`
xserver_use_xdm_fds(gpg_t)
xserver_rw_xdm_pipes(gpg_t)
')
optional_policy(`
cron_system_entry(gpg_t, gpg_exec_t)
cron_read_system_job_tmp_files(gpg_t)
')
########################################
#
# GPG helper local policy
#
allow gpg_helper_t self:process { getsched setsched };
# for helper programs (which automatically fetch keys)
# Note: this is only tested with the hkp interface. If you use eg the
# mail interface you will likely need additional permissions.
allow gpg_helper_t self:unix_stream_socket create_stream_socket_perms;
allow gpg_helper_t self:tcp_socket { connect connected_socket_perms };
allow gpg_helper_t self:udp_socket { connect connected_socket_perms };
dontaudit gpg_helper_t gpg_secret_t:file read;
corenet_all_recvfrom_unlabeled(gpg_helper_t)
corenet_all_recvfrom_netlabel(gpg_helper_t)
corenet_tcp_sendrecv_generic_if(gpg_helper_t)
corenet_raw_sendrecv_generic_if(gpg_helper_t)
corenet_udp_sendrecv_generic_if(gpg_helper_t)
corenet_tcp_sendrecv_generic_node(gpg_helper_t)
corenet_udp_sendrecv_generic_node(gpg_helper_t)
corenet_raw_sendrecv_generic_node(gpg_helper_t)
corenet_tcp_sendrecv_all_ports(gpg_helper_t)
corenet_udp_sendrecv_all_ports(gpg_helper_t)
corenet_tcp_bind_generic_node(gpg_helper_t)
corenet_udp_bind_generic_node(gpg_helper_t)
corenet_tcp_connect_all_ports(gpg_helper_t)
files_read_etc_files(gpg_helper_t)
auth_use_nsswitch(gpg_helper_t)
userdom_use_user_terminals(gpg_helper_t)
tunable_policy(`use_nfs_home_dirs',`
fs_dontaudit_rw_nfs_files(gpg_helper_t)
')
tunable_policy(`use_samba_home_dirs',`
fs_dontaudit_rw_cifs_files(gpg_helper_t)
')
########################################
#
# GPG agent local policy
#
# rlimit: gpg-agent wants to prevent coredumps
allow gpg_agent_t self:process setrlimit;
allow gpg_agent_t self:unix_stream_socket create_stream_socket_perms ;
allow gpg_agent_t self:fifo_file rw_fifo_file_perms;
# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
manage_dirs_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
# Allow the gpg-agent to manage its tmp files (socket)
manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })
# allow gpg to connect to the gpg agent
stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)
corecmd_read_bin_symlinks(gpg_agent_t)
corecmd_search_bin(gpg_agent_t)
corecmd_exec_shell(gpg_agent_t)
dev_read_urand(gpg_agent_t)
domain_use_interactive_fds(gpg_agent_t)
fs_dontaudit_list_inotifyfs(gpg_agent_t)
miscfiles_read_localization(gpg_agent_t)
# Write to the user domain tty.
userdom_use_user_terminals(gpg_agent_t)
# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
userdom_search_user_home_dirs(gpg_agent_t)
ifdef(`hide_broken_symptoms',`
userdom_dontaudit_read_user_tmp_files(gpg_agent_t)
')
tunable_policy(`gpg_agent_env_file',`
# write ~/.gpg-agent-info or a similar to the users home dir
# or subdir (gpg-agent --write-env-file option)
#
userdom_user_home_dir_filetrans_user_home_content(gpg_agent_t, file)
userdom_manage_user_home_content_dirs(gpg_agent_t)
userdom_manage_user_home_content_files(gpg_agent_t)
')
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(gpg_agent_t)
fs_manage_nfs_files(gpg_agent_t)
fs_manage_nfs_symlinks(gpg_agent_t)
')
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_dirs(gpg_agent_t)
fs_manage_cifs_files(gpg_agent_t)
fs_manage_cifs_symlinks(gpg_agent_t)
')
optional_policy(`
mozilla_dontaudit_rw_user_home_files(gpg_agent_t)
')
##############################
#
# Pinentry local policy
#
allow gpg_pinentry_t self:process { getcap getsched setsched signal };
allow gpg_pinentry_t self:fifo_file rw_fifo_file_perms;
allow gpg_pinentry_t self:netlink_route_socket create_netlink_socket_perms;
allow gpg_pinentry_t self:shm create_shm_perms;
allow gpg_pinentry_t self:tcp_socket create_stream_socket_perms;
allow gpg_pinentry_t self:unix_dgram_socket sendto;
allow gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write };
can_exec(gpg_pinentry_t, pinentry_exec_t)
# we need to allow gpg-agent to call pinentry so it can get the passphrase
# from the user.
domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t)
manage_sock_files_pattern(gpg_pinentry_t, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
userdom_user_tmp_filetrans(gpg_pinentry_t, gpg_pinentry_tmp_t, sock_file)
manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
manage_files_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir })
# read /proc/meminfo
kernel_read_system_state(gpg_pinentry_t)
corecmd_exec_bin(gpg_pinentry_t)
corenet_all_recvfrom_netlabel(gpg_pinentry_t)
corenet_all_recvfrom_unlabeled(gpg_pinentry_t)
corenet_sendrecv_pulseaudio_client_packets(gpg_pinentry_t)
corenet_tcp_bind_generic_node(gpg_pinentry_t)
corenet_tcp_connect_pulseaudio_port(gpg_pinentry_t)
corenet_tcp_sendrecv_generic_if(gpg_pinentry_t)
corenet_tcp_sendrecv_generic_node(gpg_pinentry_t)
corenet_tcp_sendrecv_generic_port(gpg_pinentry_t)
dev_read_urand(gpg_pinentry_t)
dev_read_rand(gpg_pinentry_t)
files_read_usr_files(gpg_pinentry_t)
# read /etc/X11/qtrc
files_read_etc_files(gpg_pinentry_t)
fs_dontaudit_list_inotifyfs(gpg_pinentry_t)
fs_getattr_tmpfs(gpg_pinentry_t)
auth_use_nsswitch(gpg_pinentry_t)
logging_send_syslog_msg(gpg_pinentry_t)
miscfiles_read_fonts(gpg_pinentry_t)
miscfiles_read_localization(gpg_pinentry_t)
# for .Xauthority
userdom_read_user_home_content_files(gpg_pinentry_t)
userdom_read_user_tmpfs_files(gpg_pinentry_t)
tunable_policy(`use_nfs_home_dirs',`
fs_read_nfs_files(gpg_pinentry_t)
')
tunable_policy(`use_samba_home_dirs',`
fs_read_cifs_files(gpg_pinentry_t)
')
optional_policy(`
dbus_session_bus_client(gpg_pinentry_t)
dbus_system_bus_client(gpg_pinentry_t)
')
optional_policy(`
mutt_read_home_files(gpg_t)
mutt_read_tmp_files(gpg_t)
mutt_rw_tmp_files(gpg_t)
')
optional_policy(`
pulseaudio_exec(gpg_pinentry_t)
pulseaudio_rw_home_files(gpg_pinentry_t)
pulseaudio_setattr_home_dir(gpg_pinentry_t)
pulseaudio_stream_connect(gpg_pinentry_t)
pulseaudio_signull(gpg_pinentry_t)
')
optional_policy(`
xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t)
')
|
GitWeb