####################################### # # Per user domain template for this module # # gpg_per_userdomain_template(userdomain_prefix) # define(`gpg_per_userdomain_template',` requires_block_template(`$0'_depend) ######################################## # # Declarations # type $1_gpg_t; domain_make_domain($1_gpg_t) domain_make_entrypoint_file($1_gpg_t,gpg_exec_t) role $1_r types $1_gpg_t; type $1_gpg_agent_t; domain_make_domain($1_gpg_agent_t) domain_make_entrypoint_file($1_gpg_agent_t,gpg_agent_exec_t) role $1_r types $1_gpg_agent_t; type $1_gpg_agent_tmp_t; files_make_temporary_file($1_gpg_agent_tmp_t) type $1_gpg_secret_t; #, $1_file_type; files_make_file($1_gpg_secret_t) type $1_gpg_helper_t; domain_make_domain($1_gpg_helper_t) role $1_r types $1_gpg_helper_t; type $1_gpg_pinentry_t; domain_make_domain($1_gpg_pinentry_t) role $1_r types $1_gpg_pinentry_t; ######################################## # # GPG local policy # # transition from the userdomain to the derived domain allow $1_t $1_gpg_t:process transition; allow $1_t gpg_exec_t:file { getattr read execute }; type_transition $1_t gpg_exec_t:process $1_gpg_t; dontaudit $1_t $1_gpg_t:process { noatsecure siginh rlimitinh }; allow $1_t $1_gpg_t:fd use; allow $1_gpg_t $1_t:fd use; allow $1_gpg_t $1_t:fifo_file rw_file_perms; allow $1_gpg_t $1_t:process sigchld; allow $1_gpg_t self:capability { ipc_lock setuid }; allow { $1_t $1_gpg_t } $1_gpg_t:process signal; # setrlimit is for ulimit -c 0 allow $1_gpg_t self:process { setrlimit setcap }; allow $1_gpg_t self:fifo_file { getattr read write }; allow $1_gpg_t self:tcp_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept }; allow $1_gpg_t $1_gpg_secret_t:dir { read getattr lock search ioctl add_name remove_name write }; allow $1_gpg_t $1_gpg_secret_t:file { create ioctl read getattr lock write setattr append link unlink rename }; allow $1_gpg_t $1_gpg_secret_t:lnk_file { create read getattr setattr link unlink rename }; corenetwork_sendrecv_tcp_on_all_interfaces($1_gpg_t) corenetwork_sendrecv_raw_on_all_interfaces($1_gpg_t) corenetwork_sendrecv_udp_on_all_interfaces($1_gpg_t) corenetwork_sendrecv_tcp_on_all_nodes($1_gpg_t) corenetwork_sendrecv_raw_on_all_nodes($1_gpg_t) corenetwork_sendrecv_udp_on_all_nodes($1_gpg_t) corenetwork_sendrecv_tcp_on_all_ports($1_gpg_t) corenetwork_sendrecv_udp_on_all_ports($1_gpg_t) corenetwork_bind_tcp_on_all_nodes($1_gpg_t) corenetwork_bind_udp_on_all_nodes($1_gpg_t) devices_get_random_data($1_gpg_t) devices_get_pseudorandom_data($1_gpg_t) filesystem_get_persistent_filesystem_attributes($1_gpg_t) files_read_general_system_config($1_gpg_t) files_read_general_application_resources($1_gpg_t) libraries_use_shared_libraries($1_gpg_t) libraries_use_dynamic_loader($1_gpg_t) miscfiles_read_localization($1_gpg_t) logging_send_system_log_message($1_gpg_t) sysnetwork_read_network_config($1_gpg_t) # Legacy if (allow_gpg_execstack) { allow $1_gpg_t self:process execmem; libraries_legacy_use_shared_libraries($1_gpg_t) libraries_legacy_use_dynamic_loader($1_gpg_t) miscfiles_legacy_read_localization($1_gpg_t) # Not quite sure why this is needed... allow $1_gpg_t gpg_exec_t:file execmod; } ifdef(`TODO',` can_ypbind($1_gpg_t) allow $1_t $1_gpg_secret_t:file getattr; access_terminal($1_gpg_t, $1) ifdef(`gnome-pty-helper.te', `allow $1_gpg_t $1_gph_t:fd use;') # Inherit and use descriptors allow $1_gpg_t { privfd $1_t }:fd use; # allow ps to show gpg can_ps($1_t, $1_gpg_t) # should not need read access... allow $1_gpg_t home_root_t:dir { read search }; # use $1_gpg_secret_t for files it creates # NB we are doing the type transition for directory creation only! # so ~/.gnupg will be of $1_gpg_secret_t, then files created under it such as # secring.gpg will be of $1_gpg_secret_t too. But when you use gpg to decrypt # a file and write output to your home directory it will use user_home_t. file_type_auto_trans($1_gpg_t, $1_home_dir_t, $1_gpg_secret_t, dir) file_type_auto_trans($1_gpg_t, $1_home_dir_t, $1_home_t, file) create_dir_file($1_gpg_t, $1_home_t) # allow the usual access to /tmp file_type_auto_trans($1_gpg_t, tmp_t, $1_tmp_t) if (use_nfs_home_dirs) { create_dir_file($1_gpg_t, nfs_t) } if (use_samba_home_dirs) { create_dir_file($1_gpg_t, cifs_t) } rw_dir_create_file($1_gpg_t, $1_file_type) allow $1_t $1_gpg_secret_t:dir rw_dir_perms; dontaudit $1_gpg_t var_t:dir search; ') dnl end TODO ######################################## # # GPG helper local policy # # for helper programs (which automatically fetch keys) # Note: this is only tested with the hkp interface. If you use eg the # mail interface you will likely need additional permissions. # transition from the gpg domain to the helper domain allow $1_gpg_t $1_gpg_helper_t:process transition; allow $1_gpg_t gpg_helper_exec_t:file { getattr read execute }; type_transition $1_gpg_t gpg_helper_exec_t:process $1_gpg_helper_t; dontaudit $1_gpg_helper_t $1_gpg_t:process { noatsecure siginh rlimitinh }; allow $1_gpg_t $1_gpg_helper_t:fd use; allow $1_gpg_helper_t $1_gpg_t:fd use; allow $1_gpg_helper_t $1_gpg_t:fifo_file rw_file_perms; allow $1_gpg_helper_t $1_gpg_t:process sigchld; allow $1_gpg_helper_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept }; allow $1_gpg_helper_t self:tcp_socket { create connect ioctl read getattr write setattr append bind getopt setopt shutdown }; allow $1_gpg_helper_t self:udp_socket { create connect ioctl read getattr write setattr append bind getopt setopt shutdown }; dontaudit $1_gpg_helper_t $1_gpg_secret_t:file read; corenetwork_sendrecv_tcp_on_all_interfaces($1_gpg_helper_t) corenetwork_sendrecv_raw_on_all_interfaces($1_gpg_helper_t) corenetwork_sendrecv_udp_on_all_interfaces($1_gpg_helper_t) corenetwork_sendrecv_tcp_on_all_nodes($1_gpg_helper_t) corenetwork_sendrecv_udp_on_all_nodes($1_gpg_helper_t) corenetwork_sendrecv_raw_on_all_nodes($1_gpg_helper_t) corenetwork_sendrecv_tcp_on_all_ports($1_gpg_helper_t) corenetwork_sendrecv_udp_on_all_ports($1_gpg_helper_t) corenetwork_bind_tcp_on_all_nodes($1_gpg_helper_t) corenetwork_bind_udp_on_all_nodes($1_gpg_helper_t) devices_get_pseudorandom_data($1_gpg_helper_t) files_read_general_system_config($1_gpg_helper_t) # for nscd files_ignore_search_system_state_data_directory($1_gpg_helper_t) libraries_use_dynamic_loader($1_gpg_helper_t) libraries_use_shared_libraries($1_gpg_helper_t) sysnetwork_read_network_config($1_gpg_helper_t) ifdef(`TODO',` if (use_nfs_home_dirs) { dontaudit $1_gpg_helper_t nfs_t:file { read write }; } if (use_samba_home_dirs) { dontaudit $1_gpg_helper_t cifs_t:file { read write }; } # communicate with the user allow $1_gpg_helper_t $1_t:fd use; allow $1_gpg_helper_t $1_t:fifo_file write; ifdef(`xdm.te', ` dontaudit $1_gpg_t xdm_t:fd use; dontaudit $1_gpg_t xdm_t:fifo_file read; ') ') dnl end TODO ######################################## # # GPG agent local policy # # rlimit: gpg-agent wants to prevent coredumps allow $1_gpg_agent_t self:process setrlimit; allow $1_gpg_agent_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept }; allow $1_gpg_agent_t self:fifo_file { getattr read write }; allow $1_t $1_gpg_agent_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir }; allow $1_t $1_gpg_agent_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename }; allow $1_t $1_gpg_agent_tmp_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename }; files_create_private_tmp_data($1_gpg_agent_t, $1_gpg_agent_tmp_t, { file sock_file dir }) domain_use_widely_inheritable_file_descriptors($1_gpg_agent_t) libraries_use_dynamic_loader($1_gpg_agent_t) libraries_use_shared_libraries($1_gpg_agent_t) miscfiles_read_localization($1_gpg_agent_t) ifdef(`TODO',` # Transition from the user domain to the derived domain. domain_auto_trans($1_t, gpg_agent_exec_t, $1_gpg_agent_t) allow $1_gpg_agent_t xdm_t:fd use; # Write to the user domain tty. access_terminal($1_gpg_agent_t, $1) # Allow the user shell to signal the gpg-agent program. allow $1_t $1_gpg_agent_t:process { signal sigkill }; # allow ps to show gpg-agent can_ps($1_t, $1_gpg_agent_t) allow $1_gpg_agent_t proc_t:dir search; allow $1_gpg_agent_t proc_t:lnk_file read; allow $1_gpg_agent_t device_t:dir { getattr read }; # read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d ) allow $1_gpg_agent_t { home_root_t $1_home_dir_t }:dir search; create_dir_file($1_gpg_agent_t, $1_gpg_secret_t) if (use_nfs_home_dirs) { create_dir_file($1_gpg_agent_t, nfs_t) } if (use_samba_home_dirs) { create_dir_file($1_gpg_agent_t, cifs_t) } # gpg connect allow $1_gpg_t $1_gpg_agent_tmp_t:dir search; allow $1_gpg_t $1_gpg_agent_tmp_t:sock_file write; can_unix_connect($1_gpg_t, $1_gpg_agent_t) ') dnl endif TODO ############################## # # Pinentry local policy # # we need to allow gpg-agent to call pinentry so it can get the passphrase # from the user. allow $1_gpg_agent_t $1_gpg_pinentry_t:process transition; allow $1_gpg_agent_t pinentry_exec_t:file { getattr read execute }; type_transition $1_gpg_agent_t pinentry_exec_t:process $1_gpg_pinentry_t; dontaudit $1_gpg_agent_t $1_gpg_pinentry_t:process { noatsecure siginh rlimitinh }; allow $1_gpg_pinentry_t $1_gpg_agent_t:fd use; allow $1_gpg_agent_t $1_gpg_pinentry_t:fd use; allow $1_gpg_agent_t $1_gpg_pinentry_t:fifo_file rw_file_perms; allow $1_gpg_agent_t $1_gpg_pinentry_t:process sigchld; allow $1_gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write }; allow $1_gpg_pinentry_t self:fifo_file { getattr read write }; # read /proc/meminfo kernel_read_system_state($1_gpg_pinentry_t) files_read_general_application_resources($1_gpg_pinentry_t) # read /etc/X11/qtrc files_read_general_system_config($1_gpg_pinentry_t) libraries_use_dynamic_loader($1_gpg_pinentry_t) libraries_use_shared_libraries($1_gpg_pinentry_t) miscfiles_read_fonts($1_gpg_pinentry_t) miscfiles_read_localization($1_gpg_pinentry_t) ifdef(`TODO',` allow $1_gpg_agent_t bin_t:dir search; ifdef(`xdm.te', ` allow $1_gpg_pinentry_t xdm_xserver_tmp_t:dir search; allow $1_gpg_pinentry_t xdm_xserver_tmp_t:sock_file { read write }; can_unix_connect($1_gpg_pinentry_t, xdm_xserver_t) allow $1_gpg_pinentry_t xdm_t:fd use; ') allow $1_gpg_pinentry_t { tmp_t home_root_t }:dir { getattr search }; # for .Xauthority allow $1_gpg_pinentry_t $1_home_dir_t:dir { getattr search }; allow $1_gpg_pinentry_t $1_home_t:file { getattr read }; # wants to put some lock files into the user home dir, seems to work fine without dontaudit $1_gpg_pinentry_t $1_home_t:dir { read write }; dontaudit $1_gpg_pinentry_t $1_home_t:file write; if (use_nfs_home_dirs) { allow $1_gpg_pinentry_t nfs_t:dir { getattr search }; allow $1_gpg_pinentry_t nfs_t:file { getattr read }; dontaudit $1_gpg_pinentry_t nfs_t:dir { read write }; dontaudit $1_gpg_pinentry_t nfs_t:file write; } if (use_samba_home_dirs) { allow $1_gpg_pinentry_t cifs_t:dir { getattr search }; allow $1_gpg_pinentry_t cifs_t:file { getattr read }; dontaudit $1_gpg_pinentry_t cifs_t:dir { read write }; dontaudit $1_gpg_pinentry_t cifs_t:file write; } dontaudit $1_gpg_pinentry_t { sysctl_t sysctl_kernel_t }:dir { getattr search }; ') dnl end TODO ')