policy_module(gpg, 2.2.1) ######################################## # # Declarations # ## ##

## Allow usage of the gpg-agent --write-env-file option. ## This also allows gpg-agent to manage user files. ##

##
gen_tunable(gpg_agent_env_file, false) type gpg_t; type gpg_exec_t; typealias gpg_t alias { user_gpg_t staff_gpg_t sysadm_gpg_t }; typealias gpg_t alias { auditadm_gpg_t secadm_gpg_t }; application_domain(gpg_t, gpg_exec_t) ubac_constrained(gpg_t) type gpg_agent_t; type gpg_agent_exec_t; typealias gpg_agent_t alias { user_gpg_agent_t staff_gpg_agent_t sysadm_gpg_agent_t }; typealias gpg_agent_t alias { auditadm_gpg_agent_t secadm_gpg_agent_t }; application_domain(gpg_agent_t, gpg_agent_exec_t) ubac_constrained(gpg_agent_t) type gpg_agent_tmp_t; typealias gpg_agent_tmp_t alias { user_gpg_agent_tmp_t staff_gpg_agent_tmp_t sysadm_gpg_agent_tmp_t }; typealias gpg_agent_tmp_t alias { auditadm_gpg_agent_tmp_t secadm_gpg_agent_tmp_t }; files_tmp_file(gpg_agent_tmp_t) ubac_constrained(gpg_agent_tmp_t) type gpg_secret_t; typealias gpg_secret_t alias { user_gpg_secret_t staff_gpg_secret_t sysadm_gpg_secret_t }; typealias gpg_secret_t alias { auditadm_gpg_secret_t secadm_gpg_secret_t }; userdom_user_home_content(gpg_secret_t) type gpg_helper_t; type gpg_helper_exec_t; typealias gpg_helper_t alias { user_gpg_helper_t staff_gpg_helper_t sysadm_gpg_helper_t }; typealias gpg_helper_t alias { auditadm_gpg_helper_t secadm_gpg_helper_t }; application_domain(gpg_helper_t, gpg_helper_exec_t) ubac_constrained(gpg_helper_t) type gpg_pinentry_t; type pinentry_exec_t; typealias gpg_pinentry_t alias { user_gpg_pinentry_t staff_gpg_pinentry_t sysadm_gpg_pinentry_t }; typealias gpg_pinentry_t alias { auditadm_gpg_pinentry_t secadm_gpg_pinentry_t }; application_domain(gpg_pinentry_t, pinentry_exec_t) ubac_constrained(gpg_pinentry_t) ######################################## # # GPG local policy # allow gpg_t self:capability { ipc_lock setuid }; # setrlimit is for ulimit -c 0 allow gpg_t self:process { signal setrlimit getcap setcap setpgid }; allow gpg_t self:fifo_file rw_fifo_file_perms; allow gpg_t self:tcp_socket create_stream_socket_perms; manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t) manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t) files_tmp_filetrans(gpg_t, gpg_agent_tmp_t, { dir file }) # transition from the gpg domain to the helper domain domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t) allow gpg_t gpg_secret_t:dir create_dir_perms; manage_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t) manage_lnk_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t) userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir) kernel_read_sysctl(gpg_t) corenet_all_recvfrom_unlabeled(gpg_t) corenet_all_recvfrom_netlabel(gpg_t) corenet_tcp_sendrecv_generic_if(gpg_t) corenet_udp_sendrecv_generic_if(gpg_t) corenet_tcp_sendrecv_generic_node(gpg_t) corenet_udp_sendrecv_generic_node(gpg_t) corenet_tcp_sendrecv_all_ports(gpg_t) corenet_udp_sendrecv_all_ports(gpg_t) corenet_tcp_connect_all_ports(gpg_t) corenet_sendrecv_all_client_packets(gpg_t) dev_read_rand(gpg_t) dev_read_urand(gpg_t) dev_read_generic_usb_dev(gpg_t) fs_getattr_xattr_fs(gpg_t) domain_use_interactive_fds(gpg_t) files_read_etc_files(gpg_t) files_read_usr_files(gpg_t) files_dontaudit_search_var(gpg_t) auth_use_nsswitch(gpg_t) logging_send_syslog_msg(gpg_t) miscfiles_read_localization(gpg_t) userdom_use_user_terminals(gpg_t) # sign/encrypt user files userdom_manage_user_tmp_files(gpg_t) userdom_manage_user_home_content_files(gpg_t) mta_write_config(gpg_t) tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(gpg_t) fs_manage_nfs_files(gpg_t) ') tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_dirs(gpg_t) fs_manage_cifs_files(gpg_t) ') optional_policy(` xserver_use_xdm_fds(gpg_t) xserver_rw_xdm_pipes(gpg_t) ') optional_policy(` cron_system_entry(gpg_t, gpg_exec_t) cron_read_system_job_tmp_files(gpg_t) ') ######################################## # # GPG helper local policy # allow gpg_helper_t self:process { getsched setsched }; # for helper programs (which automatically fetch keys) # Note: this is only tested with the hkp interface. If you use eg the # mail interface you will likely need additional permissions. allow gpg_helper_t self:unix_stream_socket create_stream_socket_perms; allow gpg_helper_t self:tcp_socket { connect connected_socket_perms }; allow gpg_helper_t self:udp_socket { connect connected_socket_perms }; dontaudit gpg_helper_t gpg_secret_t:file read; corenet_all_recvfrom_unlabeled(gpg_helper_t) corenet_all_recvfrom_netlabel(gpg_helper_t) corenet_tcp_sendrecv_generic_if(gpg_helper_t) corenet_raw_sendrecv_generic_if(gpg_helper_t) corenet_udp_sendrecv_generic_if(gpg_helper_t) corenet_tcp_sendrecv_generic_node(gpg_helper_t) corenet_udp_sendrecv_generic_node(gpg_helper_t) corenet_raw_sendrecv_generic_node(gpg_helper_t) corenet_tcp_sendrecv_all_ports(gpg_helper_t) corenet_udp_sendrecv_all_ports(gpg_helper_t) corenet_tcp_bind_generic_node(gpg_helper_t) corenet_udp_bind_generic_node(gpg_helper_t) corenet_tcp_connect_all_ports(gpg_helper_t) files_read_etc_files(gpg_helper_t) auth_use_nsswitch(gpg_helper_t) userdom_use_user_terminals(gpg_helper_t) tunable_policy(`use_nfs_home_dirs',` fs_dontaudit_rw_nfs_files(gpg_helper_t) ') tunable_policy(`use_samba_home_dirs',` fs_dontaudit_rw_cifs_files(gpg_helper_t) ') ######################################## # # GPG agent local policy # # rlimit: gpg-agent wants to prevent coredumps allow gpg_agent_t self:process setrlimit; allow gpg_agent_t self:unix_stream_socket create_stream_socket_perms ; allow gpg_agent_t self:fifo_file rw_fifo_file_perms; # read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d ) manage_dirs_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) # Allow the gpg-agent to manage its tmp files (socket) manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t) manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t) manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t) files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir }) # allow gpg to connect to the gpg agent stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t) corecmd_search_bin(gpg_agent_t) domain_use_interactive_fds(gpg_agent_t) miscfiles_read_localization(gpg_agent_t) # Write to the user domain tty. userdom_use_user_terminals(gpg_agent_t) # read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d ) userdom_search_user_home_dirs(gpg_agent_t) tunable_policy(`gpg_agent_env_file',` # write ~/.gpg-agent-info or a similar to the users home dir # or subdir (gpg-agent --write-env-file option) # userdom_user_home_dir_filetrans_user_home_content(gpg_agent_t, file) userdom_manage_user_home_content_dirs(gpg_agent_t) userdom_manage_user_home_content_files(gpg_agent_t) ') tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(gpg_agent_t) fs_manage_nfs_files(gpg_agent_t) fs_manage_nfs_symlinks(gpg_agent_t) ') tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_dirs(gpg_agent_t) fs_manage_cifs_files(gpg_agent_t) fs_manage_cifs_symlinks(gpg_agent_t) ') ############################## # # Pinentry local policy # allow gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write }; allow gpg_pinentry_t self:fifo_file rw_fifo_file_perms; # we need to allow gpg-agent to call pinentry so it can get the passphrase # from the user. domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t) # read /proc/meminfo kernel_read_system_state(gpg_pinentry_t) files_read_usr_files(gpg_pinentry_t) # read /etc/X11/qtrc files_read_etc_files(gpg_pinentry_t) miscfiles_read_fonts(gpg_pinentry_t) miscfiles_read_localization(gpg_pinentry_t) # for .Xauthority userdom_read_user_home_content_files(gpg_pinentry_t) tunable_policy(`use_nfs_home_dirs',` fs_read_nfs_files(gpg_pinentry_t) ') tunable_policy(`use_samba_home_dirs',` fs_read_cifs_files(gpg_pinentry_t) ') optional_policy(` xserver_stream_connect(gpg_pinentry_t) ')