126 lines
4.0 KiB
Plaintext
126 lines
4.0 KiB
Plaintext
#
|
|
# Macros for gpg agent
|
|
#
|
|
# Author: Thomas Bleher <ThomasBleher@gmx.de>
|
|
#
|
|
#
|
|
# gpg_agent_domain(domain_prefix)
|
|
#
|
|
# The type declaration for the executable type for this program is
|
|
# provided separately in domains/program/gpg-agent.te.
|
|
#
|
|
define(`gpg_agent_domain',`
|
|
# Define a derived domain for the gpg-agent program when executed
|
|
# by a user domain.
|
|
# Derived domain based on the calling user domain and the program.
|
|
type $1_gpg_agent_t, domain;
|
|
|
|
# Transition from the user domain to the derived domain.
|
|
domain_auto_trans($1_t, gpg_agent_exec_t, $1_gpg_agent_t)
|
|
|
|
# The user role is authorized for this domain.
|
|
role $1_r types $1_gpg_agent_t;
|
|
|
|
allow $1_gpg_agent_t privfd:fd use;
|
|
|
|
# Write to the user domain tty.
|
|
access_terminal($1_gpg_agent_t, $1)
|
|
|
|
# Allow the user shell to signal the gpg-agent program.
|
|
allow $1_t $1_gpg_agent_t:process { signal sigkill };
|
|
# allow ps to show gpg-agent
|
|
can_ps($1_t, $1_gpg_agent_t)
|
|
|
|
uses_shlib($1_gpg_agent_t)
|
|
read_locale($1_gpg_agent_t)
|
|
|
|
# rlimit: gpg-agent wants to prevent coredumps
|
|
allow $1_gpg_agent_t self:process { setrlimit fork sigchld };
|
|
|
|
allow $1_gpg_agent_t { self proc_t }:dir search;
|
|
allow $1_gpg_agent_t { self proc_t }:lnk_file read;
|
|
|
|
allow $1_gpg_agent_t device_t:dir { getattr read };
|
|
|
|
# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
|
|
allow $1_gpg_agent_t { home_root_t $1_home_dir_t }:dir search;
|
|
create_dir_file($1_gpg_agent_t, $1_gpg_secret_t)
|
|
if (use_nfs_home_dirs) {
|
|
create_dir_file($1_gpg_agent_t, nfs_t)
|
|
}
|
|
if (use_samba_home_dirs) {
|
|
create_dir_file($1_gpg_agent_t, cifs_t)
|
|
}
|
|
|
|
allow $1_gpg_agent_t self:unix_stream_socket create_stream_socket_perms;
|
|
allow $1_gpg_agent_t self:fifo_file { getattr read write };
|
|
|
|
# create /tmp files
|
|
tmp_domain($1_gpg_agent, `', `{ file dir sock_file }')
|
|
|
|
# gpg connect
|
|
allow $1_gpg_t $1_gpg_agent_tmp_t:dir search;
|
|
allow $1_gpg_t $1_gpg_agent_tmp_t:sock_file write;
|
|
can_unix_connect($1_gpg_t, $1_gpg_agent_t)
|
|
|
|
# policy for pinentry
|
|
# ===================
|
|
# we need to allow gpg-agent to call pinentry so it can get the passphrase
|
|
# from the user.
|
|
# Please note that I didnt use the x_client_domain-macro as it gives too
|
|
# much permissions
|
|
type $1_gpg_pinentry_t, domain;
|
|
role $1_r types $1_gpg_pinentry_t;
|
|
|
|
allow $1_gpg_agent_t bin_t:dir search;
|
|
domain_auto_trans($1_gpg_agent_t, pinentry_exec_t, $1_gpg_pinentry_t)
|
|
|
|
uses_shlib($1_gpg_pinentry_t)
|
|
read_locale($1_gpg_pinentry_t)
|
|
|
|
allow $1_gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write };
|
|
allow $1_gpg_pinentry_t self:fifo_file { getattr read write };
|
|
|
|
ifdef(`xdm.te', `
|
|
allow $1_gpg_pinentry_t xdm_xserver_tmp_t:dir search;
|
|
allow $1_gpg_pinentry_t xdm_xserver_tmp_t:sock_file { read write };
|
|
can_unix_connect($1_gpg_pinentry_t, xdm_xserver_t)
|
|
')dnl end ig xdm.te
|
|
|
|
read_fonts($1_gpg_pinentry_t, $1)
|
|
# read kde font cache
|
|
allow $1_gpg_pinentry_t usr_t:file { getattr read };
|
|
|
|
allow $1_gpg_pinentry_t { proc_t self }:dir search;
|
|
allow $1_gpg_pinentry_t { proc_t self }:lnk_file read;
|
|
# read /proc/meminfo
|
|
allow $1_gpg_pinentry_t proc_t:file read;
|
|
|
|
allow $1_gpg_pinentry_t { tmp_t home_root_t }:dir { getattr search };
|
|
|
|
# for .Xauthority
|
|
allow $1_gpg_pinentry_t $1_home_dir_t:dir { getattr search };
|
|
allow $1_gpg_pinentry_t $1_home_t:file { getattr read };
|
|
# wants to put some lock files into the user home dir, seems to work fine without
|
|
dontaudit $1_gpg_pinentry_t $1_home_t:dir { read write };
|
|
dontaudit $1_gpg_pinentry_t $1_home_t:file write;
|
|
if (use_nfs_home_dirs) {
|
|
allow $1_gpg_pinentry_t nfs_t:dir { getattr search };
|
|
allow $1_gpg_pinentry_t nfs_t:file { getattr read };
|
|
dontaudit $1_gpg_pinentry_t nfs_t:dir { read write };
|
|
dontaudit $1_gpg_pinentry_t nfs_t:file write;
|
|
}
|
|
if (use_samba_home_dirs) {
|
|
allow $1_gpg_pinentry_t cifs_t:dir { getattr search };
|
|
allow $1_gpg_pinentry_t cifs_t:file { getattr read };
|
|
dontaudit $1_gpg_pinentry_t cifs_t:dir { read write };
|
|
dontaudit $1_gpg_pinentry_t cifs_t:file write;
|
|
}
|
|
|
|
# read /etc/X11/qtrc
|
|
allow $1_gpg_pinentry_t etc_t:file { getattr read };
|
|
|
|
dontaudit $1_gpg_pinentry_t { sysctl_t sysctl_kernel_t bin_t }:dir { getattr search };
|
|
|
|
')dnl end if gpg_agent
|