145 lines
4.1 KiB
Plaintext
145 lines
4.1 KiB
Plaintext
|
#
|
||
|
# Macros for gpg and pgp
|
||
|
#
|
||
|
# Author: Russell Coker <russell@coker.com.au>
|
||
|
#
|
||
|
# based on the work of:
|
||
|
# Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
|
||
|
#
|
||
|
|
||
|
#
|
||
|
# gpg_domain(domain_prefix)
|
||
|
#
|
||
|
# Define a derived domain for the gpg/pgp program when executed by
|
||
|
# a user domain.
|
||
|
#
|
||
|
# The type declaration for the executable type for this program is
|
||
|
# provided separately in domains/program/gpg.te.
|
||
|
#
|
||
|
define(`gpg_domain', `
|
||
|
# Derived domain based on the calling user domain and the program.
|
||
|
type $1_gpg_t, domain, privlog;
|
||
|
type $1_gpg_secret_t, file_type, $1_file_type, sysadmfile;
|
||
|
|
||
|
# Transition from the user domain to the derived domain.
|
||
|
domain_auto_trans($1_t, gpg_exec_t, $1_gpg_t)
|
||
|
|
||
|
can_network($1_gpg_t)
|
||
|
can_ypbind($1_gpg_t)
|
||
|
|
||
|
# for a bug in kmail
|
||
|
dontaudit $1_gpg_t $1_t:unix_stream_socket { getattr read write };
|
||
|
|
||
|
# The user role is authorized for this domain.
|
||
|
role $1_r types $1_gpg_t;
|
||
|
|
||
|
# Legacy
|
||
|
if (allow_gpg_execstack) {
|
||
|
legacy_domain($1_gpg)
|
||
|
allow $1_gpg_t locale_t:file execute;
|
||
|
|
||
|
# Not quite sure why this is needed...
|
||
|
allow $1_gpg_t gpg_exec_t:file execmod;
|
||
|
}
|
||
|
|
||
|
allow $1_t $1_gpg_secret_t:file getattr;
|
||
|
|
||
|
allow $1_gpg_t device_t:dir r_dir_perms;
|
||
|
allow $1_gpg_t { random_device_t urandom_device_t }:chr_file r_file_perms;
|
||
|
|
||
|
allow $1_gpg_t etc_t:file r_file_perms;
|
||
|
|
||
|
allow $1_gpg_t self:unix_stream_socket create_stream_socket_perms;
|
||
|
allow $1_gpg_t self:tcp_socket create_stream_socket_perms;
|
||
|
|
||
|
access_terminal($1_gpg_t, $1)
|
||
|
ifdef(`gnome-pty-helper.te', `allow $1_gpg_t $1_gph_t:fd use;')
|
||
|
|
||
|
# Inherit and use descriptors
|
||
|
allow $1_gpg_t { privfd $1_t }:fd use;
|
||
|
allow { $1_t $1_gpg_t } $1_gpg_t:process signal;
|
||
|
|
||
|
# setrlimit is for ulimit -c 0
|
||
|
allow $1_gpg_t self:process { setrlimit setcap };
|
||
|
|
||
|
# allow ps to show gpg
|
||
|
can_ps($1_t, $1_gpg_t)
|
||
|
|
||
|
uses_shlib($1_gpg_t)
|
||
|
|
||
|
# should not need read access...
|
||
|
allow $1_gpg_t home_root_t:dir { read search };
|
||
|
|
||
|
# use $1_gpg_secret_t for files it creates
|
||
|
# NB we are doing the type transition for directory creation only!
|
||
|
# so ~/.gnupg will be of $1_gpg_secret_t, then files created under it such as
|
||
|
# secring.gpg will be of $1_gpg_secret_t too. But when you use gpg to decrypt
|
||
|
# a file and write output to your home directory it will use user_home_t.
|
||
|
file_type_auto_trans($1_gpg_t, $1_home_dir_t, $1_gpg_secret_t, dir)
|
||
|
rw_dir_create_file($1_gpg_t, $1_gpg_secret_t)
|
||
|
|
||
|
file_type_auto_trans($1_gpg_t, $1_home_dir_t, $1_home_t, file)
|
||
|
create_dir_file($1_gpg_t, $1_home_t)
|
||
|
|
||
|
# allow the usual access to /tmp
|
||
|
file_type_auto_trans($1_gpg_t, tmp_t, $1_tmp_t)
|
||
|
|
||
|
if (use_nfs_home_dirs) {
|
||
|
create_dir_file($1_gpg_t, nfs_t)
|
||
|
}
|
||
|
if (use_samba_home_dirs) {
|
||
|
create_dir_file($1_gpg_t, cifs_t)
|
||
|
}
|
||
|
|
||
|
allow $1_gpg_t self:capability { ipc_lock setuid };
|
||
|
rw_dir_create_file($1_gpg_t, $1_file_type)
|
||
|
|
||
|
allow $1_gpg_t { etc_t usr_t }:dir r_dir_perms;
|
||
|
allow $1_gpg_t fs_t:filesystem getattr;
|
||
|
allow $1_gpg_t usr_t:file r_file_perms;
|
||
|
read_locale($1_gpg_t)
|
||
|
allow $1_t $1_gpg_secret_t:dir rw_dir_perms;
|
||
|
|
||
|
dontaudit $1_gpg_t var_t:dir search;
|
||
|
|
||
|
ifdef(`gpg-agent.te', `gpg_agent_domain($1)')
|
||
|
|
||
|
# for helper programs (which automatically fetch keys)
|
||
|
# Note: this is only tested with the hkp interface. If you use eg the
|
||
|
# mail interface you will likely need additional permissions.
|
||
|
type $1_gpg_helper_t, domain;
|
||
|
role $1_r types $1_gpg_helper_t;
|
||
|
|
||
|
domain_auto_trans($1_gpg_t, gpg_helper_exec_t, $1_gpg_helper_t)
|
||
|
uses_shlib($1_gpg_helper_t)
|
||
|
|
||
|
# allow gpg to fork so it can call the helpers
|
||
|
allow $1_gpg_t self:process { fork sigchld };
|
||
|
allow $1_gpg_t self:fifo_file { getattr read write };
|
||
|
|
||
|
dontaudit $1_gpg_helper_t $1_gpg_secret_t:file read;
|
||
|
if (use_nfs_home_dirs) {
|
||
|
dontaudit $1_gpg_helper_t nfs_t:file { read write };
|
||
|
}
|
||
|
if (use_samba_home_dirs) {
|
||
|
dontaudit $1_gpg_helper_t cifs_t:file { read write };
|
||
|
}
|
||
|
|
||
|
# communicate with the user
|
||
|
allow $1_gpg_helper_t $1_t:fd use;
|
||
|
allow $1_gpg_helper_t $1_t:fifo_file write;
|
||
|
# get keys from the network
|
||
|
can_network_client($1_gpg_helper_t)
|
||
|
allow $1_gpg_helper_t etc_t:file { getattr read };
|
||
|
allow $1_gpg_helper_t urandom_device_t:chr_file read;
|
||
|
allow $1_gpg_helper_t self:unix_stream_socket create_stream_socket_perms;
|
||
|
# for nscd
|
||
|
dontaudit $1_gpg_helper_t var_t:dir search;
|
||
|
|
||
|
ifdef(`xdm.te', `
|
||
|
dontaudit $1_gpg_t xdm_t:fd use;
|
||
|
dontaudit $1_gpg_t xdm_t:fifo_file read;
|
||
|
')
|
||
|
|
||
|
')dnl end gpg_domain definition
|