116 lines
3.2 KiB
Plaintext
116 lines
3.2 KiB
Plaintext
#
|
|
# Macros for gpg and pgp
|
|
#
|
|
# Author: Russell Coker <russell@coker.com.au>
|
|
#
|
|
# based on the work of:
|
|
# Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
|
|
#
|
|
|
|
#
|
|
# gpg_domain(domain_prefix)
|
|
#
|
|
# Define a derived domain for the gpg/pgp program when executed by
|
|
# a user domain.
|
|
#
|
|
# The type declaration for the executable type for this program is
|
|
# provided separately in domains/program/gpg.te.
|
|
#
|
|
define(`gpg_domain', `
|
|
# Derived domain based on the calling user domain and the program.
|
|
type $1_gpg_t, domain, privlog;
|
|
type $1_gpg_secret_t, file_type, $1_file_type, sysadmfile;
|
|
|
|
# Transition from the user domain to the derived domain.
|
|
domain_auto_trans($1_t, gpg_exec_t, $1_gpg_t)
|
|
role $1_r types $1_gpg_t;
|
|
|
|
can_network($1_gpg_t)
|
|
allow $1_gpg_t port_type:tcp_socket name_connect;
|
|
can_ypbind($1_gpg_t)
|
|
|
|
# for a bug in kmail
|
|
dontaudit $1_gpg_t $1_t:unix_stream_socket { getattr read write };
|
|
|
|
allow $1_gpg_t device_t:dir r_dir_perms;
|
|
allow $1_gpg_t { random_device_t urandom_device_t }:chr_file r_file_perms;
|
|
|
|
allow $1_gpg_t etc_t:file r_file_perms;
|
|
|
|
allow $1_gpg_t self:unix_stream_socket create_stream_socket_perms;
|
|
allow $1_gpg_t self:tcp_socket create_stream_socket_perms;
|
|
|
|
access_terminal($1_gpg_t, $1)
|
|
ifdef(`gnome-pty-helper.te', `allow $1_gpg_t $1_gph_t:fd use;')
|
|
|
|
# Inherit and use descriptors
|
|
allow $1_gpg_t { privfd $1_t }:fd use;
|
|
allow { $1_t $1_gpg_t } $1_gpg_t:process signal;
|
|
|
|
# setrlimit is for ulimit -c 0
|
|
allow $1_gpg_t self:process { setrlimit setcap setpgid };
|
|
|
|
# allow ps to show gpg
|
|
can_ps($1_t, $1_gpg_t)
|
|
|
|
uses_shlib($1_gpg_t)
|
|
|
|
# Access .gnupg
|
|
rw_dir_create_file($1_gpg_t, $1_gpg_secret_t)
|
|
|
|
# Read content to encrypt/decrypt/sign
|
|
read_content($1_gpg_t, $1)
|
|
|
|
# Write content to encrypt/decrypt/sign
|
|
write_trusted($1_gpg_t, $1)
|
|
|
|
allow $1_gpg_t self:capability { ipc_lock setuid };
|
|
|
|
allow $1_gpg_t { etc_t usr_t }:dir r_dir_perms;
|
|
allow $1_gpg_t fs_t:filesystem getattr;
|
|
allow $1_gpg_t usr_t:file r_file_perms;
|
|
read_locale($1_gpg_t)
|
|
|
|
dontaudit $1_gpg_t var_t:dir search;
|
|
|
|
ifdef(`gpg-agent.te', `gpg_agent_domain($1)')
|
|
|
|
# for helper programs (which automatically fetch keys)
|
|
# Note: this is only tested with the hkp interface. If you use eg the
|
|
# mail interface you will likely need additional permissions.
|
|
type $1_gpg_helper_t, domain;
|
|
role $1_r types $1_gpg_helper_t;
|
|
|
|
domain_auto_trans($1_gpg_t, gpg_helper_exec_t, $1_gpg_helper_t)
|
|
uses_shlib($1_gpg_helper_t)
|
|
|
|
# allow gpg to fork so it can call the helpers
|
|
allow $1_gpg_t self:process { fork sigchld };
|
|
allow $1_gpg_t self:fifo_file { getattr read write };
|
|
|
|
dontaudit $1_gpg_helper_t $1_gpg_secret_t:file read;
|
|
if (use_nfs_home_dirs) {
|
|
dontaudit $1_gpg_helper_t nfs_t:file { read write };
|
|
}
|
|
if (use_samba_home_dirs) {
|
|
dontaudit $1_gpg_helper_t cifs_t:file { read write };
|
|
}
|
|
|
|
# communicate with the user
|
|
allow $1_gpg_helper_t $1_t:fd use;
|
|
allow $1_gpg_helper_t $1_t:fifo_file write;
|
|
# get keys from the network
|
|
can_network_client($1_gpg_helper_t)
|
|
allow $1_gpg_helper_t port_type:tcp_socket name_connect;
|
|
allow $1_gpg_helper_t etc_t:file { getattr read };
|
|
allow $1_gpg_helper_t urandom_device_t:chr_file read;
|
|
allow $1_gpg_helper_t self:unix_stream_socket create_stream_socket_perms;
|
|
# for nscd
|
|
dontaudit $1_gpg_helper_t var_t:dir search;
|
|
|
|
ifdef(`xdm.te', `
|
|
can_pipe_xdm($1_gpg_t)
|
|
')
|
|
|
|
')dnl end gpg_domain definition
|