348 lines
10 KiB
Plaintext
348 lines
10 KiB
Plaintext
|
|
#######################################
|
|
#
|
|
# Per user domain template for this module
|
|
#
|
|
# gpg_per_userdomain_template(userdomain_prefix)
|
|
#
|
|
define(`gpg_per_userdomain_template',`
|
|
gen_require(`$0'_depend)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
type $1_gpg_t;
|
|
domain_type($1_gpg_t)
|
|
domain_entry_file($1_gpg_t,gpg_exec_t)
|
|
role $1_r types $1_gpg_t;
|
|
|
|
type $1_gpg_agent_t;
|
|
domain_type($1_gpg_agent_t)
|
|
domain_entry_file($1_gpg_agent_t,gpg_agent_exec_t)
|
|
role $1_r types $1_gpg_agent_t;
|
|
|
|
type $1_gpg_agent_tmp_t;
|
|
files_tmp_file($1_gpg_agent_tmp_t)
|
|
|
|
type $1_gpg_secret_t; #, $1_file_type;
|
|
files_file_type($1_gpg_secret_t)
|
|
|
|
type $1_gpg_helper_t;
|
|
domain_type($1_gpg_helper_t)
|
|
role $1_r types $1_gpg_helper_t;
|
|
|
|
type $1_gpg_pinentry_t;
|
|
domain_type($1_gpg_pinentry_t)
|
|
role $1_r types $1_gpg_pinentry_t;
|
|
|
|
########################################
|
|
#
|
|
# GPG local policy
|
|
#
|
|
|
|
# transition from the userdomain to the derived domain
|
|
allow $1_t $1_gpg_t:process transition;
|
|
allow $1_t gpg_exec_t:file rx_file_perms;
|
|
type_transition $1_t gpg_exec_t:process $1_gpg_t;
|
|
dontaudit $1_t $1_gpg_t:process { noatsecure siginh rlimitinh };
|
|
|
|
allow $1_t $1_gpg_t:fd use;
|
|
allow $1_gpg_t $1_t:fd use;
|
|
allow $1_gpg_t $1_t:fifo_file rw_file_perms;
|
|
allow $1_gpg_t $1_t:process sigchld;
|
|
|
|
allow $1_gpg_t self:capability { ipc_lock setuid };
|
|
allow { $1_t $1_gpg_t } $1_gpg_t:process signal;
|
|
# setrlimit is for ulimit -c 0
|
|
allow $1_gpg_t self:process { setrlimit setcap };
|
|
|
|
allow $1_gpg_t self:fifo_file rw_file_perms;
|
|
allow $1_gpg_t self:tcp_socket create_stream_socket_perms;
|
|
|
|
allow $1_gpg_t $1_gpg_secret_t:dir rw_dir_perms;
|
|
allow $1_gpg_t $1_gpg_secret_t:file create_file_perms;
|
|
allow $1_gpg_t $1_gpg_secret_t:lnk_file create_lnk_perms;
|
|
|
|
corenet_tcp_sendrecv_all_if($1_gpg_t)
|
|
corenet_raw_sendrecv_all_if($1_gpg_t)
|
|
corenet_udp_sendrecv_all_if($1_gpg_t)
|
|
corenet_tcp_sendrecv_all_nodes($1_gpg_t)
|
|
corenet_raw_sendrecv_all_nodes($1_gpg_t)
|
|
corenet_udp_sendrecv_all_nodes($1_gpg_t)
|
|
corenet_tcp_sendrecv_all_ports($1_gpg_t)
|
|
corenet_udp_sendrecv_all_ports($1_gpg_t)
|
|
corenet_tcp_bind_all_nodes($1_gpg_t)
|
|
corenet_udp_bind_all_nodes($1_gpg_t)
|
|
|
|
dev_read_rand($1_gpg_t)
|
|
dev_read_urand($1_gpg_t)
|
|
|
|
fs_getattr_xattr_fs($1_gpg_t)
|
|
|
|
files_read_generic_etc_files($1_gpg_t)
|
|
files_read_usr_files($1_gpg_t)
|
|
|
|
libs_use_shared_libs($1_gpg_t)
|
|
libs_use_ld_so($1_gpg_t)
|
|
|
|
miscfiles_read_localization($1_gpg_t)
|
|
|
|
logging_send_syslog_msg($1_gpg_t)
|
|
|
|
sysnet_read_config($1_gpg_t)
|
|
|
|
# Legacy
|
|
tunable_policy(`allow_gpg_execstack',`
|
|
allow $1_gpg_t self:process execmem;
|
|
libs_legacy_use_shared_libs($1_gpg_t)
|
|
libs_legacy_use_ld_so($1_gpg_t)
|
|
miscfiles_legacy_read_localization($1_gpg_t)
|
|
# Not quite sure why this is needed...
|
|
allow $1_gpg_t gpg_exec_t:file execmod;
|
|
')
|
|
|
|
ifdef(`TODO',`
|
|
|
|
can_ypbind($1_gpg_t)
|
|
|
|
allow $1_t $1_gpg_secret_t:file getattr;
|
|
|
|
access_terminal($1_gpg_t, $1)
|
|
ifdef(`gnome-pty-helper.te', `allow $1_gpg_t $1_gph_t:fd use;')
|
|
|
|
# Inherit and use descriptors
|
|
allow $1_gpg_t { privfd $1_t }:fd use;
|
|
|
|
# allow ps to show gpg
|
|
can_ps($1_t, $1_gpg_t)
|
|
|
|
# should not need read access...
|
|
allow $1_gpg_t home_root_t:dir { read search };
|
|
|
|
# use $1_gpg_secret_t for files it creates
|
|
# NB we are doing the type transition for directory creation only!
|
|
# so ~/.gnupg will be of $1_gpg_secret_t, then files created under it such as
|
|
# secring.gpg will be of $1_gpg_secret_t too. But when you use gpg to decrypt
|
|
# a file and write output to your home directory it will use user_home_t.
|
|
file_type_auto_trans($1_gpg_t, $1_home_dir_t, $1_gpg_secret_t, dir)
|
|
|
|
file_type_auto_trans($1_gpg_t, $1_home_dir_t, $1_home_t, file)
|
|
create_dir_file($1_gpg_t, $1_home_t)
|
|
|
|
# allow the usual access to /tmp
|
|
file_type_auto_trans($1_gpg_t, tmp_t, $1_tmp_t)
|
|
|
|
tunable_policy(`use_nfs_home_dirs',`
|
|
create_dir_file($1_gpg_t, nfs_t)
|
|
')
|
|
tunable_policy(`use_samba_home_dirs',`
|
|
create_dir_file($1_gpg_t, cifs_t)
|
|
')
|
|
|
|
rw_dir_create_file($1_gpg_t, $1_file_type)
|
|
|
|
allow $1_t $1_gpg_secret_t:dir rw_dir_perms;
|
|
|
|
dontaudit $1_gpg_t var_t:dir search;
|
|
') dnl end TODO
|
|
|
|
########################################
|
|
#
|
|
# GPG helper local policy
|
|
#
|
|
|
|
# for helper programs (which automatically fetch keys)
|
|
# Note: this is only tested with the hkp interface. If you use eg the
|
|
# mail interface you will likely need additional permissions.
|
|
|
|
# transition from the gpg domain to the helper domain
|
|
allow $1_gpg_t $1_gpg_helper_t:process transition;
|
|
allow $1_gpg_t gpg_helper_exec_t:file rx_file_perms;
|
|
type_transition $1_gpg_t gpg_helper_exec_t:process $1_gpg_helper_t;
|
|
dontaudit $1_gpg_helper_t $1_gpg_t:process { noatsecure siginh rlimitinh };
|
|
|
|
allow $1_gpg_t $1_gpg_helper_t:fd use;
|
|
allow $1_gpg_helper_t $1_gpg_t:fd use;
|
|
allow $1_gpg_helper_t $1_gpg_t:fifo_file rw_file_perms;
|
|
allow $1_gpg_helper_t $1_gpg_t:process sigchld;
|
|
|
|
allow $1_gpg_helper_t self:unix_stream_socket create_stream_socket_perms;
|
|
|
|
allow $1_gpg_helper_t self:tcp_socket { connect connected_socket_perms };
|
|
allow $1_gpg_helper_t self:udp_socket { connect connected_socket_perms };
|
|
|
|
dontaudit $1_gpg_helper_t $1_gpg_secret_t:file read;
|
|
|
|
corenet_tcp_sendrecv_all_if($1_gpg_helper_t)
|
|
corenet_raw_sendrecv_all_if($1_gpg_helper_t)
|
|
corenet_udp_sendrecv_all_if($1_gpg_helper_t)
|
|
corenet_tcp_sendrecv_all_nodes($1_gpg_helper_t)
|
|
corenet_udp_sendrecv_all_nodes($1_gpg_helper_t)
|
|
corenet_raw_sendrecv_all_nodes($1_gpg_helper_t)
|
|
corenet_tcp_sendrecv_all_ports($1_gpg_helper_t)
|
|
corenet_udp_sendrecv_all_ports($1_gpg_helper_t)
|
|
corenet_tcp_bind_all_nodes($1_gpg_helper_t)
|
|
corenet_udp_bind_all_nodes($1_gpg_helper_t)
|
|
|
|
dev_read_urand($1_gpg_helper_t)
|
|
|
|
files_read_generic_etc_files($1_gpg_helper_t)
|
|
# for nscd
|
|
files_dontaudit_search_var($1_gpg_helper_t)
|
|
|
|
libs_use_ld_so($1_gpg_helper_t)
|
|
libs_use_shared_libs($1_gpg_helper_t)
|
|
|
|
sysnet_read_config($1_gpg_helper_t)
|
|
|
|
ifdef(`TODO',`
|
|
|
|
tunable_policy(`use_nfs_home_dirs',`
|
|
dontaudit $1_gpg_helper_t nfs_t:file { read write };
|
|
')
|
|
tunable_policy(`use_samba_home_dirs',`
|
|
dontaudit $1_gpg_helper_t cifs_t:file { read write };
|
|
')
|
|
|
|
# communicate with the user
|
|
allow $1_gpg_helper_t $1_t:fd use;
|
|
allow $1_gpg_helper_t $1_t:fifo_file write;
|
|
|
|
ifdef(`xdm.te', `
|
|
dontaudit $1_gpg_t xdm_t:fd use;
|
|
dontaudit $1_gpg_t xdm_t:fifo_file read;
|
|
')
|
|
') dnl end TODO
|
|
|
|
########################################
|
|
#
|
|
# GPG agent local policy
|
|
#
|
|
|
|
# rlimit: gpg-agent wants to prevent coredumps
|
|
allow $1_gpg_agent_t self:process setrlimit;
|
|
|
|
allow $1_gpg_agent_t self:unix_stream_socket create_stream_socket_perms ;
|
|
allow $1_gpg_agent_t self:fifo_file rw_file_perms;
|
|
|
|
allow $1_t $1_gpg_agent_tmp_t:dir create_dir_perms;
|
|
allow $1_t $1_gpg_agent_tmp_t:file create_file_perms;
|
|
allow $1_t $1_gpg_agent_tmp_t:sock_file create_file_perms;
|
|
files_create_tmp_files($1_gpg_agent_t, $1_gpg_agent_tmp_t, { file sock_file dir })
|
|
|
|
domain_use_wide_inherit_fd($1_gpg_agent_t)
|
|
|
|
libs_use_ld_so($1_gpg_agent_t)
|
|
libs_use_shared_libs($1_gpg_agent_t)
|
|
|
|
miscfiles_read_localization($1_gpg_agent_t)
|
|
|
|
ifdef(`TODO',`
|
|
# Transition from the user domain to the derived domain.
|
|
domain_auto_trans($1_t, gpg_agent_exec_t, $1_gpg_agent_t)
|
|
|
|
allow $1_gpg_agent_t xdm_t:fd use;
|
|
|
|
# Write to the user domain tty.
|
|
access_terminal($1_gpg_agent_t, $1)
|
|
|
|
# Allow the user shell to signal the gpg-agent program.
|
|
allow $1_t $1_gpg_agent_t:process { signal sigkill };
|
|
# allow ps to show gpg-agent
|
|
can_ps($1_t, $1_gpg_agent_t)
|
|
|
|
allow $1_gpg_agent_t proc_t:dir search;
|
|
allow $1_gpg_agent_t proc_t:lnk_file read;
|
|
|
|
allow $1_gpg_agent_t device_t:dir r_file_perms;
|
|
|
|
# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
|
|
allow $1_gpg_agent_t { home_root_t $1_home_dir_t }:dir search;
|
|
create_dir_file($1_gpg_agent_t, $1_gpg_secret_t)
|
|
tunable_policy(`use_nfs_home_dirs',`
|
|
create_dir_file($1_gpg_agent_t, nfs_t)
|
|
')
|
|
tunable_policy(`use_samba_home_dirs',`
|
|
create_dir_file($1_gpg_agent_t, cifs_t)
|
|
')
|
|
|
|
# gpg connect
|
|
allow $1_gpg_t $1_gpg_agent_tmp_t:dir search;
|
|
allow $1_gpg_t $1_gpg_agent_tmp_t:sock_file write;
|
|
can_unix_connect($1_gpg_t, $1_gpg_agent_t)
|
|
') dnl endif TODO
|
|
|
|
##############################
|
|
#
|
|
# Pinentry local policy
|
|
#
|
|
|
|
# we need to allow gpg-agent to call pinentry so it can get the passphrase
|
|
# from the user.
|
|
allow $1_gpg_agent_t $1_gpg_pinentry_t:process transition;
|
|
allow $1_gpg_agent_t pinentry_exec_t:file rx_file_perms;
|
|
type_transition $1_gpg_agent_t pinentry_exec_t:process $1_gpg_pinentry_t;
|
|
dontaudit $1_gpg_agent_t $1_gpg_pinentry_t:process { noatsecure siginh rlimitinh };
|
|
|
|
allow $1_gpg_pinentry_t $1_gpg_agent_t:fd use;
|
|
allow $1_gpg_agent_t $1_gpg_pinentry_t:fd use;
|
|
allow $1_gpg_agent_t $1_gpg_pinentry_t:fifo_file rw_file_perms;
|
|
allow $1_gpg_agent_t $1_gpg_pinentry_t:process sigchld;
|
|
|
|
allow $1_gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write };
|
|
allow $1_gpg_pinentry_t self:fifo_file rw_file_perms;
|
|
|
|
# read /proc/meminfo
|
|
kernel_read_system_state($1_gpg_pinentry_t)
|
|
|
|
files_read_usr_files($1_gpg_pinentry_t)
|
|
# read /etc/X11/qtrc
|
|
files_read_generic_etc_files($1_gpg_pinentry_t)
|
|
|
|
libs_use_ld_so($1_gpg_pinentry_t)
|
|
libs_use_shared_libs($1_gpg_pinentry_t)
|
|
|
|
miscfiles_read_fonts($1_gpg_pinentry_t)
|
|
miscfiles_read_localization($1_gpg_pinentry_t)
|
|
|
|
ifdef(`TODO',`
|
|
|
|
allow $1_gpg_agent_t bin_t:dir search;
|
|
|
|
ifdef(`xdm.te', `
|
|
allow $1_gpg_pinentry_t xdm_xserver_tmp_t:dir search;
|
|
allow $1_gpg_pinentry_t xdm_xserver_tmp_t:sock_file { read write };
|
|
can_unix_connect($1_gpg_pinentry_t, xdm_xserver_t)
|
|
allow $1_gpg_pinentry_t xdm_t:fd use;
|
|
')
|
|
|
|
allow $1_gpg_pinentry_t { tmp_t home_root_t }:dir { getattr search };
|
|
|
|
# for .Xauthority
|
|
allow $1_gpg_pinentry_t $1_home_dir_t:dir { getattr search };
|
|
allow $1_gpg_pinentry_t $1_home_t:file r_file_perms;
|
|
# wants to put some lock files into the user home dir, seems to work fine without
|
|
dontaudit $1_gpg_pinentry_t $1_home_t:dir { read write };
|
|
dontaudit $1_gpg_pinentry_t $1_home_t:file write;
|
|
|
|
tunable_policy(`use_nfs_home_dirs',`
|
|
allow $1_gpg_pinentry_t nfs_t:dir { getattr search };
|
|
allow $1_gpg_pinentry_t nfs_t:file r_file_perms;
|
|
dontaudit $1_gpg_pinentry_t nfs_t:dir { read write };
|
|
dontaudit $1_gpg_pinentry_t nfs_t:file write;
|
|
')
|
|
|
|
tunable_policy(`use_samba_home_dirs',`
|
|
allow $1_gpg_pinentry_t cifs_t:dir { getattr search };
|
|
allow $1_gpg_pinentry_t cifs_t:file r_file_perms;
|
|
dontaudit $1_gpg_pinentry_t cifs_t:dir { read write };
|
|
dontaudit $1_gpg_pinentry_t cifs_t:file write;
|
|
')
|
|
|
|
dontaudit $1_gpg_pinentry_t { sysctl_t sysctl_kernel_t }:dir { getattr search };
|
|
') dnl end TODO
|
|
')
|
|
|