## Policy for GNU Privacy Guard and related programs. ####################################### ## ## The per user domain template for the gpg module. ## ## ##

## This template creates the types and rules for GPG, ## GPG-agent, and GPG helper programs. This protects ## the user keys and secrets, and runs the programs ## in domains specific to the user type. ##

##

## This is invoked automatically for each user and ## generally does not need to be invoked directly ## by policy writers. ##

##
## ## ## The prefix of the user domain (e.g., user ## is the prefix for user_t). ## ## ## ## ## The user domain. ## ## ## ## ## The role associated with the user. ## ## # template(`gpg_per_userdomain_template',` gen_require(` type gpg_exec_t, gpg_helper_exec_t; type gpg_agent_exec_t, pinentry_exec_t; ') ######################################## # # Declarations # type $1_gpg_t; domain_type($1_gpg_t) domain_entry_file($1_gpg_t,gpg_exec_t) role $3 types $1_gpg_t; type $1_gpg_agent_t; domain_type($1_gpg_agent_t) domain_entry_file($1_gpg_agent_t,gpg_agent_exec_t) role $3 types $1_gpg_agent_t; type $1_gpg_agent_tmp_t; files_tmp_file($1_gpg_agent_tmp_t) type $1_gpg_secret_t; userdom_user_home_content($1,$1_gpg_secret_t) type $1_gpg_helper_t; domain_type($1_gpg_helper_t) domain_entry_file($1_gpg_helper_t,gpg_helper_exec_t) role $3 types $1_gpg_helper_t; type $1_gpg_pinentry_t; domain_type($1_gpg_pinentry_t) domain_entry_file($1_gpg_pinentry_t,pinentry_exec_t) role $3 types $1_gpg_pinentry_t; ######################################## # # GPG local policy # # transition from the userdomain to the derived domain domain_auto_trans($2,gpg_exec_t,$1_gpg_t) allow $2 $1_gpg_t:fd use; allow $1_gpg_t $2:fd use; allow $1_gpg_t $2:fifo_file rw_file_perms; allow $1_gpg_t $2:process sigchld; allow $1_gpg_t self:capability { ipc_lock setuid }; allow { $2 $1_gpg_t } $1_gpg_t:process signal; # setrlimit is for ulimit -c 0 allow $1_gpg_t self:process { setrlimit setcap setpgid }; allow $1_gpg_t self:fifo_file rw_file_perms; allow $1_gpg_t self:tcp_socket create_stream_socket_perms; allow $1_gpg_t $1_gpg_secret_t:dir rw_dir_perms; allow $1_gpg_t $1_gpg_secret_t:file create_file_perms; allow $1_gpg_t $1_gpg_secret_t:lnk_file create_lnk_perms; corenet_tcp_sendrecv_all_if($1_gpg_t) corenet_raw_sendrecv_all_if($1_gpg_t) corenet_udp_sendrecv_all_if($1_gpg_t) corenet_tcp_sendrecv_all_nodes($1_gpg_t) corenet_raw_sendrecv_all_nodes($1_gpg_t) corenet_udp_sendrecv_all_nodes($1_gpg_t) corenet_tcp_sendrecv_all_ports($1_gpg_t) corenet_udp_sendrecv_all_ports($1_gpg_t) corenet_non_ipsec_sendrecv($1_gpg_t) corenet_tcp_bind_all_nodes($1_gpg_t) corenet_udp_bind_all_nodes($1_gpg_t) corenet_tcp_connect_all_ports($1_gpg_t) dev_read_rand($1_gpg_t) dev_read_urand($1_gpg_t) fs_getattr_xattr_fs($1_gpg_t) domain_use_interactive_fds($1_gpg_t) files_read_etc_files($1_gpg_t) files_read_usr_files($1_gpg_t) files_dontaudit_search_var($1_gpg_t) libs_use_shared_libs($1_gpg_t) libs_use_ld_so($1_gpg_t) miscfiles_read_localization($1_gpg_t) logging_send_syslog_msg($1_gpg_t) sysnet_read_config($1_gpg_t) userdom_use_user_terminals($1,$1_gpg_t) optional_policy(`nis',` nis_use_ypbind($1_gpg_t) ') ifdef(`TODO',` # Read content to encrypt/decrypt/sign read_content($1_gpg_t, $1) # Write content to encrypt/decrypt/sign write_trusted($1_gpg_t, $1) ifdef(`gnome-pty-helper.te', `allow $1_gpg_t $1_gph_t:fd use;') # allow ps to show gpg can_ps($1_t, $1_gpg_t) ') dnl end TODO ######################################## # # GPG helper local policy # # for helper programs (which automatically fetch keys) # Note: this is only tested with the hkp interface. If you use eg the # mail interface you will likely need additional permissions. # communicate with the user allow $1_gpg_helper_t $2:fd use; allow $1_gpg_helper_t $2:fifo_file write; # transition from the gpg domain to the helper domain domain_auto_trans($1_gpg_t,gpg_helper_exec_t,$1_gpg_helper_t) allow $1_gpg_t $1_gpg_helper_t:fd use; allow $1_gpg_helper_t $1_gpg_t:fd use; allow $1_gpg_helper_t $1_gpg_t:fifo_file rw_file_perms; allow $1_gpg_helper_t $1_gpg_t:process sigchld; allow $1_gpg_helper_t self:unix_stream_socket create_stream_socket_perms; allow $1_gpg_helper_t self:tcp_socket { connect connected_socket_perms }; allow $1_gpg_helper_t self:udp_socket { connect connected_socket_perms }; dontaudit $1_gpg_helper_t $1_gpg_secret_t:file read; corenet_tcp_sendrecv_all_if($1_gpg_helper_t) corenet_raw_sendrecv_all_if($1_gpg_helper_t) corenet_udp_sendrecv_all_if($1_gpg_helper_t) corenet_tcp_sendrecv_all_nodes($1_gpg_helper_t) corenet_udp_sendrecv_all_nodes($1_gpg_helper_t) corenet_raw_sendrecv_all_nodes($1_gpg_helper_t) corenet_tcp_sendrecv_all_ports($1_gpg_helper_t) corenet_udp_sendrecv_all_ports($1_gpg_helper_t) corenet_non_ipsec_sendrecv($1_gpg_helper_t) corenet_tcp_bind_all_nodes($1_gpg_helper_t) corenet_udp_bind_all_nodes($1_gpg_helper_t) corenet_tcp_connect_all_ports($1_gpg_helper_t) dev_read_urand($1_gpg_helper_t) files_read_etc_files($1_gpg_helper_t) # for nscd files_dontaudit_search_var($1_gpg_helper_t) libs_use_ld_so($1_gpg_helper_t) libs_use_shared_libs($1_gpg_helper_t) sysnet_read_config($1_gpg_helper_t) tunable_policy(`use_nfs_home_dirs',` fs_dontaudit_rw_nfs_files($1_gpg_helper_t) ') tunable_policy(`use_samba_home_dirs',` fs_dontaudit_rw_cifs_files($1_gpg_helper_t) ') ifdef(`TODO',` ifdef(`xdm.te',` can_pipe_xdm($1_gpg_t) ') ') dnl end TODO ######################################## # # GPG agent local policy # # rlimit: gpg-agent wants to prevent coredumps allow $1_gpg_agent_t self:process setrlimit; allow $1_gpg_agent_t self:unix_stream_socket create_stream_socket_perms ; allow $1_gpg_agent_t self:fifo_file rw_file_perms; # read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d ) allow $1_gpg_agent_t $1_gpg_secret_t:dir create_dir_perms; allow $1_gpg_agent_t $1_gpg_secret_t:file create_file_perms; allow $1_gpg_agent_t $1_gpg_secret_t:lnk_file create_lnk_perms; # allow gpg to connect to the gpg agent allow $1_gpg_t $1_gpg_agent_tmp_t:dir search; allow $1_gpg_t $1_gpg_agent_tmp_t:sock_file write; allow $1_gpg_t $1_gpg_agent_t:unix_stream_socket connectto; # Allow the user shell to signal the gpg-agent program. allow $2 $1_gpg_agent_t:process { signal sigkill }; allow $2 $1_gpg_agent_tmp_t:dir create_dir_perms; allow $2 $1_gpg_agent_tmp_t:file create_file_perms; allow $2 $1_gpg_agent_tmp_t:sock_file create_file_perms; files_tmp_filetrans($1_gpg_agent_t, $1_gpg_agent_tmp_t, { file sock_file dir }) corecmd_search_bin($1_gpg_agent_t) # Transition from the user domain to the derived domain. domain_auto_trans($2, gpg_agent_exec_t, $1_gpg_agent_t) domain_use_interactive_fds($1_gpg_agent_t) libs_use_ld_so($1_gpg_agent_t) libs_use_shared_libs($1_gpg_agent_t) miscfiles_read_localization($1_gpg_agent_t) # Write to the user domain tty. userdom_use_user_terminals($1,$1_gpg_agent_t) tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs($1_gpg_agent_t) fs_manage_nfs_files($1_gpg_agent_t) fs_manage_nfs_symlinks($1_gpg_agent_t) ') tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_dirs($1_gpg_agent_t) fs_manage_cifs_files($1_gpg_agent_t) fs_manage_cifs_symlinks($1_gpg_agent_t) ') ifdef(`TODO',` # allow ps to show gpg-agent can_ps($1_t, $1_gpg_agent_t) allow $1_gpg_agent_t proc_t:dir search; allow $1_gpg_agent_t proc_t:lnk_file read; # read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d ) allow $1_gpg_agent_t { home_root_t $1_home_dir_t }:dir search; ') dnl endif TODO ############################## # # Pinentry local policy # # we need to allow gpg-agent to call pinentry so it can get the passphrase # from the user. domain_auto_trans($1_gpg_agent_t,pinentry_exec_t,$1_gpg_pinentry_t) allow $1_gpg_pinentry_t $1_gpg_agent_t:fd use; allow $1_gpg_agent_t $1_gpg_pinentry_t:fd use; allow $1_gpg_agent_t $1_gpg_pinentry_t:fifo_file rw_file_perms; allow $1_gpg_agent_t $1_gpg_pinentry_t:process sigchld; allow $1_gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write }; allow $1_gpg_pinentry_t self:fifo_file rw_file_perms; # read /proc/meminfo kernel_read_system_state($1_gpg_pinentry_t) files_read_usr_files($1_gpg_pinentry_t) # read /etc/X11/qtrc files_read_etc_files($1_gpg_pinentry_t) libs_use_ld_so($1_gpg_pinentry_t) libs_use_shared_libs($1_gpg_pinentry_t) miscfiles_read_fonts($1_gpg_pinentry_t) miscfiles_read_localization($1_gpg_pinentry_t) tunable_policy(`use_nfs_home_dirs',` fs_read_nfs_files($1_gpg_pinentry_t) ') tunable_policy(`use_samba_home_dirs',` fs_read_cifs_files($1_gpg_pinentry_t) ') ifdef(`TODO',` ifdef(`xdm.te', ` allow $1_gpg_pinentry_t xdm_xserver_tmp_t:dir search; allow $1_gpg_pinentry_t xdm_xserver_tmp_t:sock_file { read write }; allow $1_gpg_pinentry_t xdm_xserver_t:unix_stream_socket connectto; ') allow $1_gpg_pinentry_t { tmp_t home_root_t }:dir { getattr search }; # for .Xauthority allow $1_gpg_pinentry_t $1_home_dir_t:dir { getattr search }; allow $1_gpg_pinentry_t $1_home_t:file r_file_perms; # wants to put some lock files into the user home dir, seems to work fine without dontaudit $1_gpg_pinentry_t $1_home_t:dir { read write }; dontaudit $1_gpg_pinentry_t $1_home_t:file write; tunable_policy(`use_nfs_home_dirs',` dontaudit $1_gpg_pinentry_t nfs_t:dir write; dontaudit $1_gpg_pinentry_t nfs_t:file write; ') tunable_policy(`use_samba_home_dirs',` dontaudit $1_gpg_pinentry_t cifs_t:dir write; dontaudit $1_gpg_pinentry_t cifs_t:file write; ') dontaudit $1_gpg_pinentry_t { sysctl_t sysctl_kernel_t }:dir { getattr search }; ') dnl end TODO ') ######################################## ## ## Transition to a user gpg domain. ## ## ##

## Transition to a user gpg domain. ##

##

## This is a templated interface, and should only ## be called from a per-userdomain template. ##

##
## ## ## The prefix of the user domain (e.g., user ## is the prefix for user_t). ## ## ## ## ## Domain allowed access. ## ## # template(`gpg_domtrans_user_gpg',` gen_require(` type $1_gpg_t, gpg_exec_t; ') domain_auto_trans($2, gpg_exec_t, $1_gpg_t) allow $2 $1_gpg_t:fd use; allow $1_gpg_t $2:fd use; allow $1_gpg_t $2:fifo_file rw_file_perms; allow $1_gpg_t $2:process sigchld; ') ######################################## ## ## Send generic signals to user gpg processes. ## ## ##

## This is a templated interface, and should only ## be called from a per-userdomain template. ##

##
## ## ## The prefix of the user domain (e.g., user ## is the prefix for user_t). ## ## ## ## ## Domain allowed access. ## ## # template(`gpg_signal_user_gpg',` gen_require(` type $1_gpg_t; ') allow $2 $1_gpg_t:process signal; ')