# # Macros for gpg agent # # Author: Thomas Bleher # # # gpg_agent_domain(domain_prefix) # # The type declaration for the executable type for this program is # provided separately in domains/program/gpg-agent.te. # define(`gpg_agent_domain',` # Define a derived domain for the gpg-agent program when executed # by a user domain. # Derived domain based on the calling user domain and the program. type $1_gpg_agent_t, domain; # Transition from the user domain to the derived domain. domain_auto_trans($1_t, gpg_agent_exec_t, $1_gpg_agent_t) # The user role is authorized for this domain. role $1_r types $1_gpg_agent_t; allow $1_gpg_agent_t privfd:fd use; # Write to the user domain tty. access_terminal($1_gpg_agent_t, $1) # Allow the user shell to signal the gpg-agent program. allow $1_t $1_gpg_agent_t:process { signal sigkill }; # allow ps to show gpg-agent can_ps($1_t, $1_gpg_agent_t) uses_shlib($1_gpg_agent_t) read_locale($1_gpg_agent_t) # rlimit: gpg-agent wants to prevent coredumps allow $1_gpg_agent_t self:process { setrlimit fork sigchld }; allow $1_gpg_agent_t { self proc_t }:dir search; allow $1_gpg_agent_t { self proc_t }:lnk_file read; allow $1_gpg_agent_t device_t:dir { getattr read }; # read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d ) allow $1_gpg_agent_t { home_root_t $1_home_dir_t }:dir search; create_dir_file($1_gpg_agent_t, $1_gpg_secret_t) if (use_nfs_home_dirs) { create_dir_file($1_gpg_agent_t, nfs_t) } if (use_samba_home_dirs) { create_dir_file($1_gpg_agent_t, cifs_t) } allow $1_gpg_agent_t self:unix_stream_socket create_stream_socket_perms; allow $1_gpg_agent_t self:fifo_file { getattr read write }; # create /tmp files tmp_domain($1_gpg_agent, `', `{ file dir sock_file }') # gpg connect allow $1_gpg_t $1_gpg_agent_tmp_t:dir search; allow $1_gpg_t $1_gpg_agent_tmp_t:sock_file write; can_unix_connect($1_gpg_t, $1_gpg_agent_t) # policy for pinentry # =================== # we need to allow gpg-agent to call pinentry so it can get the passphrase # from the user. # Please note that I didnt use the x_client_domain-macro as it gives too # much permissions type $1_gpg_pinentry_t, domain; role $1_r types $1_gpg_pinentry_t; allow $1_gpg_agent_t bin_t:dir search; domain_auto_trans($1_gpg_agent_t, pinentry_exec_t, $1_gpg_pinentry_t) uses_shlib($1_gpg_pinentry_t) read_locale($1_gpg_pinentry_t) allow $1_gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write }; allow $1_gpg_pinentry_t self:fifo_file { getattr read write }; ifdef(`xdm.te', ` allow $1_gpg_pinentry_t xdm_xserver_tmp_t:dir search; allow $1_gpg_pinentry_t xdm_xserver_tmp_t:sock_file { read write }; can_unix_connect($1_gpg_pinentry_t, xdm_xserver_t) ')dnl end ig xdm.te read_fonts($1_gpg_pinentry_t, $1) # read kde font cache allow $1_gpg_pinentry_t usr_t:file { getattr read }; allow $1_gpg_pinentry_t { proc_t self }:dir search; allow $1_gpg_pinentry_t { proc_t self }:lnk_file read; # read /proc/meminfo allow $1_gpg_pinentry_t proc_t:file read; allow $1_gpg_pinentry_t { tmp_t home_root_t }:dir { getattr search }; # for .Xauthority allow $1_gpg_pinentry_t $1_home_dir_t:dir { getattr search }; allow $1_gpg_pinentry_t $1_home_t:file { getattr read }; # wants to put some lock files into the user home dir, seems to work fine without dontaudit $1_gpg_pinentry_t $1_home_t:dir { read write }; dontaudit $1_gpg_pinentry_t $1_home_t:file write; if (use_nfs_home_dirs) { allow $1_gpg_pinentry_t nfs_t:dir { getattr search }; allow $1_gpg_pinentry_t nfs_t:file { getattr read }; dontaudit $1_gpg_pinentry_t nfs_t:dir { read write }; dontaudit $1_gpg_pinentry_t nfs_t:file write; } if (use_samba_home_dirs) { allow $1_gpg_pinentry_t cifs_t:dir { getattr search }; allow $1_gpg_pinentry_t cifs_t:file { getattr read }; dontaudit $1_gpg_pinentry_t cifs_t:dir { read write }; dontaudit $1_gpg_pinentry_t cifs_t:file write; } # read /etc/X11/qtrc allow $1_gpg_pinentry_t etc_t:file { getattr read }; dontaudit $1_gpg_pinentry_t { sysctl_t sysctl_kernel_t bin_t }:dir { getattr search }; ')dnl end if gpg_agent