gpg patch from dan.

gpg sends sigstop and signull Reads usb devices Can encrypts users content in /tmp and the homedir, as well as on NFS and cifs
2009-09-03 08:23:18 -04:00 · 2009-09-03 08:23:18 -04:00 · ca7fa520e7
commit ca7fa520e7
parent f2f296ba60
2 changed files with 10 additions and 4 deletions
--- a/policy/modules/apps/gpg.if
+++ b/policy/modules/apps/gpg.if
@ -30,7 +30,7 @@ interface(`gpg_role',`

 	# allow ps to show gpg
 	ps_process_pattern($2, gpg_t)
-	allow $2 gpg_t:process { signal sigkill };
+	allow $2 gpg_t:process { signull sigstop signal sigkill };

 	# communicate with the user 
 	allow gpg_helper_t $2:fd use;
--- a/policy/modules/apps/gpg.te
+++ b/policy/modules/apps/gpg.te
@ -1,5 +1,5 @@

-policy_module(gpg, 2.1.0)
+policy_module(gpg, 2.1.1)

 ########################################
 #
@ -92,6 +92,7 @@ corenet_sendrecv_all_client_packets(gpg_t)

 dev_read_rand(gpg_t)
 dev_read_urand(gpg_t)
+dev_read_generic_usb_dev(gpg_t)

 fs_getattr_xattr_fs(gpg_t)

@ -145,13 +146,18 @@ files_read_etc_files(gpg_helper_t)
 auth_use_nsswitch(gpg_helper_t)

 userdom_use_user_terminals(gpg_helper_t)
+# sign/encrypt user files
+userdom_manage_user_tmp_files(gpg_t)
+userdom_manage_user_home_content_files(gpg_t)

 tunable_policy(`use_nfs_home_dirs',`
-	fs_dontaudit_rw_nfs_files(gpg_helper_t)
+	fs_manage_nfs_dirs(gpg_t)
+	fs_manage_nfs_files(gpg_t)
 ')

 tunable_policy(`use_samba_home_dirs',`
-	fs_dontaudit_rw_cifs_files(gpg_helper_t)
+	fs_manage_cifs_dirs(gpg_t)
+	fs_manage_cifs_files(gpg_t)
 ')

 optional_policy(`