From e4f73afb8ee1bd324b82470bbf4c5882fec86cb2 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Tue, 21 Jul 2009 10:07:38 -0400
Subject: [PATCH] gpg patch from dan

---
 policy/modules/apps/gpg.fc | 4 ++--
 policy/modules/apps/gpg.if | 11 ++++++++++-
 policy/modules/apps/gpg.te | 28 +++++++++++++++-------------
 3 files changed, 27 insertions(+), 16 deletions(-)

diff --git a/policy/modules/apps/gpg.fc b/policy/modules/apps/gpg.fc
index 3a42f2a7..e9853d41 100644
--- a/policy/modules/apps/gpg.fc
+++ b/policy/modules/apps/gpg.fc
@@ -5,5 +5,5 @@ HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0)
 /usr/bin/kgpg -- gen_context(system_u:object_r:gpg_exec_t,s0)
 /usr/bin/pinentry.* -- gen_context(system_u:object_r:pinentry_exec_t,s0)
-/usr/lib/gnupg/.* -- gen_context(system_u:object_r:gpg_exec_t,s0)
-/usr/lib/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0)
+/usr/lib(64)?/gnupg/.* -- gen_context(system_u:object_r:gpg_exec_t,s0)
+/usr/lib(64)?/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0)
diff --git a/policy/modules/apps/gpg.if b/policy/modules/apps/gpg.if
index f6a5c8ef..f264608d 100644
--- a/policy/modules/apps/gpg.if
+++ b/policy/modules/apps/gpg.if
@@ -30,7 +30,7 @@ interface(`gpg_role',`
 # allow ps to show gpg
 ps_process_pattern($2, gpg_t)
- allow $2 gpg_t:process signal;
+ allow $2 gpg_t:process { signal sigkill };
 # communicate with the user
 allow gpg_helper_t $2:fd use;
@@ -49,6 +49,15 @@ interface(`gpg_role',`
 # Transition from the user domain to the agent domain.
 domtrans_pattern($2, gpg_agent_exec_t, gpg_agent_t)
+
+ ifdef(`hide_broken_symptoms',`
+ #Leaked File Descriptors
+ dontaudit gpg_t $2:fifo_file rw_fifo_file_perms;
+ dontaudit gpg_t $2:tcp_socket rw_socket_perms;
+ dontaudit gpg_t $2:udp_socket rw_socket_perms;
+ dontaudit gpg_t $2:unix_stream_socket rw_socket_perms;
+ dontaudit gpg_t $2:unix_dgram_socket rw_socket_perms;
+ ')
 ')
 ########################################
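Review bot: The two new `/usr/lib(64)?/gnupg/` entries share one regex stem, so which of them labels a helper under /usr/lib/gnupg/ depends on their order in the file (for specs with an equal stem the later entry wins, as far as I recall the file_contexts matching rule), and the helper domain's confinement hinges on the `gpgkeys.*` line staying below the generic `.*` line. A comment above the pair would protect that ordering: `# keep gpgkeys.* after the generic gnupg entry: same stem, last match wins`.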
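Review bot: The `#Leaked File Descriptors` comment in the new hide_broken_symptoms block should say what is silenced and why silencing is acceptable: the five dontaudit rules only drop the AVC records for descriptors gpg_t inherits from the user domain ($2), they grant nothing, and with the define set a genuine leak (a caller that execs gpg with its sockets not close-on-exec) no longer shows up in the audit log. Suggest `# Descriptors leaked from the user domain: suppress the denials only, no access is granted; builds without hide_broken_symptoms still report the leak`, with the space after `#` that the rest of the file uses.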
diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te
index 1c19eb64..71bf261a 100644
--- a/policy/modules/apps/gpg.te
+++ b/policy/modules/apps/gpg.te
@@ -1,5 +1,5 @@
-policy_module(gpg, 2.0.2)
+policy_module(gpg, 2.0.3)
 ########################################
 #
@@ -60,11 +60,15 @@ ubac_constrained(gpg_pinentry_t)
 allow gpg_t self:capability { ipc_lock setuid };
 # setrlimit is for ulimit -c 0
-allow gpg_t self:process { signal setrlimit setcap setpgid };
+allow gpg_t self:process { signal setrlimit getcap setcap setpgid };
 allow gpg_t self:fifo_file rw_fifo_file_perms;
 allow gpg_t self:tcp_socket create_stream_socket_perms;
+manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
+manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
+files_tmp_filetrans(gpg_t, gpg_agent_tmp_t, { dir file })
+
 # transition from the gpg domain to the helper domain
 domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)
@@ -73,6 +77,8 @@ manage_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
 manage_lnk_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
 userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir)
+kernel_read_sysctl(gpg_t)
+
 corenet_all_recvfrom_unlabeled(gpg_t)
 corenet_all_recvfrom_netlabel(gpg_t)
 corenet_tcp_sendrecv_generic_if(gpg_t)
@@ -95,23 +101,21 @@ files_read_etc_files(gpg_t)
 files_read_usr_files(gpg_t)
 files_dontaudit_search_var(gpg_t)
+auth_use_nsswitch(gpg_t)
+
 miscfiles_read_localization(gpg_t)
 logging_send_syslog_msg(gpg_t)
-sysnet_read_config(gpg_t)
-
 userdom_use_user_terminals(gpg_t)
-optional_policy(`
- nis_use_ypbind(gpg_t)
-')
-
 ########################################
 #
 # GPG helper local policy
 #
+allow gpg_helper_t self:process { getsched setsched };
+
 # for helper programs (which automatically fetch keys)
 # Note: this is only tested with the hkp interface. If you use eg the
 # mail interface you will likely need additional permissions.
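Review bot: The new `manage_dirs_pattern`/`manage_files_pattern` lines give gpg_t full control over gpg_agent_tmp_t and `files_tmp_filetrans` makes that the default type for every dir and file gpg_t creates in /tmp, so gpg's own temporary data now shares the agent's type instead of getting one of its own, and nothing in the hunk says why the two domains' tmp files are meant to be interchangeable. If this is only so that gpg can set up and clean up the agent's tmp directory when it spawns the agent, say so above the three lines, e.g. `# gpg creates and removes gpg-agent's tmp dir/files itself, so it shares gpg_agent_tmp_t rather than a gpg_tmp_t of its own`; note too that the transition lists only `{ dir file }`, so any other object class gpg_t creates there presumably keeps the generic tmp type. The `getcap` added to the self:process rule is likewise undocumented while the existing `# setrlimit is for ulimit -c 0` comment explains its neighbours.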
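Review bot: `auth_use_nsswitch(gpg_t)` replaces `sysnet_read_config` and the optional `nis_use_ypbind`, but as far as I recall the interface it also brings in DNS, nscd, ldap and kerberos client access for gpg_t, which is considerably more than the two rules it stands in for; a one-line comment stating that the wider set is wanted would keep a later cleanup from trimming it back, e.g. `# name lookups go through nsswitch (supersedes sysnet_read_config + nis_use_ypbind)`. The same substitution is made for gpg_helper_t in the hunk at -136. The new `allow gpg_helper_t self:process { getsched setsched };` also needs a why-comment in the style of `# setrlimit is for ulimit -c 0`, naming which helper changes its scheduling.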
@@ -136,13 +140,11 @@ corenet_tcp_bind_generic_node(gpg_helper_t)
 corenet_udp_bind_generic_node(gpg_helper_t)
 corenet_tcp_connect_all_ports(gpg_helper_t)
-dev_read_urand(gpg_helper_t)
-
 files_read_etc_files(gpg_helper_t)
-# for nscd
-files_dontaudit_search_var(gpg_helper_t)
-sysnet_read_config(gpg_helper_t)
+auth_use_nsswitch(gpg_helper_t)
+
+userdom_use_user_terminals(gpg_helper_t)
 tunable_policy(`use_nfs_home_dirs',`
 fs_dontaudit_rw_nfs_files(gpg_helper_t)