policy_module(gpg, 2.3.1)

########################################
#
# Declarations
#
# Domains defined here:
#   gpg_t          - the gpg binary itself
#   gpg_agent_t    - gpg-agent, the only domain that should need to
#                    handle the secret key store in ~/.gnupg day to day
#   gpg_helper_t   - network-facing key-fetching helpers
#   gpg_pinentry_t - passphrase entry UI started by the agent
# File types: gpg_secret_t (~/.gnupg), agent/pinentry tmp and tmpfs types.
#

## <desc>
## <p>
## Allow usage of the gpg-agent --write-env-file option.
## This also allows gpg-agent to manage user files.
## </p>
## </desc>
# Off by default on purpose: turning it on widens gpg_agent_t from its own
# secret/tmp types to arbitrary user home content (see the tunable_policy
# block in the agent section below).
gen_tunable(gpg_agent_env_file, false)

type gpg_t;
type gpg_exec_t;
# Compatibility aliases for the older per-role domain names
# (user_/staff_/sysadm_/auditadm_/secadm_ prefixes).
typealias gpg_t alias { user_gpg_t staff_gpg_t sysadm_gpg_t };
typealias gpg_t alias { auditadm_gpg_t secadm_gpg_t };
application_domain(gpg_t, gpg_exec_t)
# Subject to the user-based access control constraints.
ubac_constrained(gpg_t)
# system_r needs gpg_t for the system cron entry granted in the gpg section.
role system_r types gpg_t;

type gpg_agent_t;
type gpg_agent_exec_t;
typealias gpg_agent_t alias { user_gpg_agent_t staff_gpg_agent_t sysadm_gpg_agent_t };
typealias gpg_agent_t alias { auditadm_gpg_agent_t secadm_gpg_agent_t };
application_domain(gpg_agent_t, gpg_agent_exec_t)
ubac_constrained(gpg_agent_t)

# Temp type shared by gpg and the agent; the agent's listening socket lives
# here and gpg connects to it (see stream_connect_pattern in the agent section).
type gpg_agent_tmp_t;
typealias gpg_agent_tmp_t alias { user_gpg_agent_tmp_t staff_gpg_agent_tmp_t sysadm_gpg_agent_tmp_t };
typealias gpg_agent_tmp_t alias { auditadm_gpg_agent_tmp_t secadm_gpg_agent_tmp_t };
files_tmp_file(gpg_agent_tmp_t)
ubac_constrained(gpg_agent_tmp_t)

# Label for the keyring directory (~/.gnupg).  Declared as user home
# content, so interfaces that grant access to all user home content
# types reach it as well - keep that in mind when handing such
# interfaces to the other domains in this module.
type gpg_secret_t;
typealias gpg_secret_t alias { user_gpg_secret_t staff_gpg_secret_t sysadm_gpg_secret_t };
typealias gpg_secret_t alias { auditadm_gpg_secret_t secadm_gpg_secret_t };
userdom_user_home_content(gpg_secret_t)

# Helper programs that fetch keys over the network (hkp); kept in their
# own domain so network-facing code is separated from the keyring.
type gpg_helper_t;
type gpg_helper_exec_t;
typealias gpg_helper_t alias { user_gpg_helper_t staff_gpg_helper_t sysadm_gpg_helper_t };
typealias gpg_helper_t alias { auditadm_gpg_helper_t secadm_gpg_helper_t };
application_domain(gpg_helper_t, gpg_helper_exec_t)
ubac_constrained(gpg_helper_t)
role system_r types gpg_helper_t;

# Note the exec type is pinentry_exec_t (no gpg_ prefix), unlike the
# other domains in this module.
type gpg_pinentry_t;
type pinentry_exec_t;
typealias gpg_pinentry_t alias { user_gpg_pinentry_t staff_gpg_pinentry_t sysadm_gpg_pinentry_t };
typealias gpg_pinentry_t alias { auditadm_gpg_pinentry_t secadm_gpg_pinentry_t };
application_domain(gpg_pinentry_t, pinentry_exec_t)
ubac_constrained(gpg_pinentry_t)

# Pinentry tmp socket files (created under the user tmp dir).
type gpg_pinentry_tmp_t;
files_tmp_file(gpg_pinentry_tmp_t)
ubac_constrained(gpg_pinentry_tmp_t)

# Pinentry tmpfs content; also handed to xserver_user_x_domain_template
# in the pinentry section.
type gpg_pinentry_tmpfs_t;
files_tmpfs_file(gpg_pinentry_tmpfs_t)
ubac_constrained(gpg_pinentry_tmpfs_t)

########################################
#
# GPG local policy
#

# ipc_lock: presumably for mlock() of gpg's secure memory so key material
# stays out of swap; setuid: presumably for dropping privileges when the
# binary is installed setuid root - confirm both are still needed.
allow gpg_t self:capability { ipc_lock setuid };
# setrlimit is for ulimit -c 0
allow gpg_t self:process { signal signull setrlimit getcap setcap setpgid };

allow gpg_t self:fifo_file rw_fifo_file_perms;
allow gpg_t self:tcp_socket create_stream_socket_perms;

# gpg may create the agent's tmp directory/files itself (e.g. when it
# starts the agent), so they get the shared gpg_agent_tmp_t label.
manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
files_tmp_filetrans(gpg_t, gpg_agent_tmp_t, { dir file })

# gpg may start gpg-agent; it runs in its own domain.
domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)

# transition from the gpg domain to the helper domain
domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)

# Full access to the keyring (~/.gnupg); a freshly created ~/.gnupg is
# labelled gpg_secret_t via the home dir filetrans.
allow gpg_t gpg_secret_t:dir create_dir_perms;
manage_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
manage_lnk_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir)

kernel_read_sysctl(gpg_t)

corecmd_exec_shell(gpg_t)
corecmd_exec_bin(gpg_t)

# NOTE(review): gpg_t itself gets unrestricted TCP egress (connect to
# all ports) on top of manage rights over the keyring and user home
# content.  The dedicated network-facing domain is gpg_helper_t, which
# is kept away from gpg_secret_t; if keyserver traffic can stay in the
# helper, connect_all_ports here could be narrowed.  Verify which code
# paths in gpg_t actually need it before changing.
corenet_all_recvfrom_unlabeled(gpg_t)
corenet_all_recvfrom_netlabel(gpg_t)
corenet_tcp_sendrecv_generic_if(gpg_t)
corenet_udp_sendrecv_generic_if(gpg_t)
corenet_tcp_sendrecv_generic_node(gpg_t)
corenet_udp_sendrecv_generic_node(gpg_t)
corenet_tcp_sendrecv_all_ports(gpg_t)
corenet_udp_sendrecv_all_ports(gpg_t)
corenet_tcp_connect_all_ports(gpg_t)
corenet_sendrecv_all_client_packets(gpg_t)

# Entropy for key generation; generic USB device access is presumably
# for smartcard readers - confirm.
dev_read_rand(gpg_t)
dev_read_urand(gpg_t)
dev_read_generic_usb_dev(gpg_t)

fs_getattr_xattr_fs(gpg_t)
fs_list_inotifyfs(gpg_t)

domain_use_interactive_fds(gpg_t)

files_read_etc_files(gpg_t)
files_read_usr_files(gpg_t)
files_dontaudit_search_var(gpg_t)

auth_use_nsswitch(gpg_t)

logging_send_syslog_msg(gpg_t)

miscfiles_read_localization(gpg_t)

userdom_use_user_terminals(gpg_t)
# sign/encrypt user files
# Broad by the nature of the tool: plaintext is read from and ciphertext /
# signatures are written to anywhere in the user's home and tmp dirs.
userdom_manage_user_tmp_files(gpg_t)
userdom_manage_user_home_content_files(gpg_t)
userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)

# NOTE(review): write access to MTA configuration is unusual for gpg and
# the reason is not visible in this module; confirm it is still required
# and document it here, or drop it.
mta_write_config(gpg_t)

# Home dirs on NFS/CIFS are not labelled gpg_secret_t, so the type-based
# separation above does not apply there; gpg gets plain manage access.
tunable_policy(`use_nfs_home_dirs',`
	fs_manage_nfs_dirs(gpg_t)
	fs_manage_nfs_files(gpg_t)
')

tunable_policy(`use_samba_home_dirs',`
	fs_manage_cifs_dirs(gpg_t)
	fs_manage_cifs_files(gpg_t)
')

# Presumably for mail-client integration that drives gpg from the
# browser/mailer profile directory - confirm.
optional_policy(`
	mozilla_read_user_home_files(gpg_t)
	mozilla_write_user_home_files(gpg_t)
')

optional_policy(`
	xserver_use_xdm_fds(gpg_t)
	xserver_rw_xdm_pipes(gpg_t)
')

# System cron jobs running gpg_exec_t transition to gpg_t (this is why
# system_r is allowed gpg_t in the declarations).
optional_policy(`
	cron_system_entry(gpg_t, gpg_exec_t)
	cron_read_system_job_tmp_files(gpg_t)
')

########################################
#
# GPG helper local policy
#
# The helper is the network-facing part of gpg (keyserver access).  It is
# deliberately kept away from the keyring: nothing in this section grants
# access to gpg_secret_t.
#

allow gpg_helper_t self:process { getsched setsched };

# for helper programs (which automatically fetch keys)
# Note: this is only tested with the hkp interface. If you use eg the
# mail interface you will likely need additional permissions.

allow gpg_helper_t self:unix_stream_socket create_stream_socket_perms;
allow gpg_helper_t self:tcp_socket { connect connected_socket_perms };
allow gpg_helper_t self:udp_socket { connect connected_socket_perms };

# Isolation boundary: the helper must never read the secret keyring.
# This only silences the audit noise from the denied read; it grants
# nothing.  Keep it a dontaudit - do not turn it into an allow.
dontaudit gpg_helper_t gpg_secret_t:file read;

# Unrestricted egress for keyserver lookups.  The raw-socket interface /
# node rules below have no matching self:rawip_socket rule in this
# section; whether they are still used is worth checking.
corenet_all_recvfrom_unlabeled(gpg_helper_t)
corenet_all_recvfrom_netlabel(gpg_helper_t)
corenet_tcp_sendrecv_generic_if(gpg_helper_t)
corenet_raw_sendrecv_generic_if(gpg_helper_t)
corenet_udp_sendrecv_generic_if(gpg_helper_t)
corenet_tcp_sendrecv_generic_node(gpg_helper_t)
corenet_udp_sendrecv_generic_node(gpg_helper_t)
corenet_raw_sendrecv_generic_node(gpg_helper_t)
corenet_tcp_sendrecv_all_ports(gpg_helper_t)
corenet_udp_sendrecv_all_ports(gpg_helper_t)
corenet_tcp_bind_generic_node(gpg_helper_t)
corenet_udp_bind_generic_node(gpg_helper_t)
corenet_tcp_connect_all_ports(gpg_helper_t)

files_read_etc_files(gpg_helper_t)

# Name resolution for keyserver hosts.
auth_use_nsswitch(gpg_helper_t)

userdom_use_user_terminals(gpg_helper_t)

# On NFS/CIFS homes the keyring is not separately labelled, so the helper
# gets no read access there either - only the denials are silenced.
tunable_policy(`use_nfs_home_dirs',`
	fs_dontaudit_rw_nfs_files(gpg_helper_t)
')

tunable_policy(`use_samba_home_dirs',`
	fs_dontaudit_rw_cifs_files(gpg_helper_t)
')

########################################
#
# GPG agent local policy
#
# gpg-agent holds the private keys.  Note that this section grants it no
# corenet (network) access at all; keep it that way.
#

# rlimit: gpg-agent wants to prevent coredumps
allow gpg_agent_t self:process setrlimit;

allow gpg_agent_t self:unix_stream_socket create_stream_socket_perms ;
allow gpg_agent_t self:fifo_file rw_fifo_file_perms;

# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
manage_dirs_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)

# Allow the gpg-agent to manage its tmp files (socket)
manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })

# allow gpg to connect to the gpg agent
# (unix socket labelled gpg_agent_tmp_t; the agent is the peer domain)
stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)

# Shell execution from the key-holding domain; presumably for the
# pinentry wrapper script or --write-env-file hooks - confirm, and keep
# the scope minimal.
corecmd_read_bin_symlinks(gpg_agent_t)
corecmd_search_bin(gpg_agent_t)
corecmd_exec_shell(gpg_agent_t)

dev_read_urand(gpg_agent_t)

domain_use_interactive_fds(gpg_agent_t)

fs_dontaudit_list_inotifyfs(gpg_agent_t)

miscfiles_read_localization(gpg_agent_t)

# Write to the user domain tty.
userdom_use_user_terminals(gpg_agent_t)
# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
# (search on the home dir only; the keyring itself is reached via gpg_secret_t above)
userdom_search_user_home_dirs(gpg_agent_t)

ifdef(`hide_broken_symptoms',`
	userdom_dontaudit_read_user_tmp_files(gpg_agent_t)
')

# Security trade-off: with the tunable on, the agent can manage *any*
# user home content dir/file, not just ~/.gpg-agent-info.  This is why
# the tunable defaults to false.
tunable_policy(`gpg_agent_env_file',`
	# write ~/.gpg-agent-info or a similar to the users home dir
	# or subdir (gpg-agent --write-env-file option)
	#
	userdom_user_home_dir_filetrans_user_home_content(gpg_agent_t, file)
	userdom_manage_user_home_content_dirs(gpg_agent_t)
	userdom_manage_user_home_content_files(gpg_agent_t)
')

# Home dirs on NFS/CIFS are not labelled gpg_secret_t, so the keyring
# separation cannot apply there; the agent gets plain manage access.
tunable_policy(`use_nfs_home_dirs',`
	fs_manage_nfs_dirs(gpg_agent_t)
	fs_manage_nfs_files(gpg_agent_t)
	fs_manage_nfs_symlinks(gpg_agent_t)
')

tunable_policy(`use_samba_home_dirs',`
	fs_manage_cifs_dirs(gpg_agent_t)
	fs_manage_cifs_files(gpg_agent_t)
	fs_manage_cifs_symlinks(gpg_agent_t)
')

optional_policy(`
	mozilla_dontaudit_rw_user_home_files(gpg_agent_t)
')

##############################
#
# Pinentry local policy
#
# Pinentry is the passphrase-entry UI started by gpg-agent.  It handles
# the passphrase but has no business with the keyring itself.
#

allow gpg_pinentry_t self:process { getcap getsched setsched signal };
allow gpg_pinentry_t self:fifo_file rw_fifo_file_perms;
allow gpg_pinentry_t self:netlink_route_socket create_netlink_socket_perms;
# Shared memory, presumably for the GUI toolkit / X client side.
allow gpg_pinentry_t self:shm create_shm_perms;
allow gpg_pinentry_t self:tcp_socket create_stream_socket_perms;
allow gpg_pinentry_t self:unix_dgram_socket sendto;
allow gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write };

# Re-exec of a pinentry_exec_t binary without a domain change; presumably
# a distribution wrapper chaining to the real pinentry backend - confirm.
can_exec(gpg_pinentry_t, pinentry_exec_t)

# we need to allow gpg-agent to call pinentry so it can get the passphrase
# from the user.
domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t)

manage_sock_files_pattern(gpg_pinentry_t, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
userdom_user_tmp_filetrans(gpg_pinentry_t, gpg_pinentry_tmp_t, sock_file)

manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
manage_files_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir })

# read /proc/meminfo
kernel_read_system_state(gpg_pinentry_t)

corecmd_exec_bin(gpg_pinentry_t)

# The only named network use here is the pulseaudio client port; the
# generic node bind/sendrecv rules are presumably toolkit needs.  No
# connect_all_ports, which is appropriate for the passphrase UI.
corenet_all_recvfrom_netlabel(gpg_pinentry_t)
corenet_all_recvfrom_unlabeled(gpg_pinentry_t)
corenet_sendrecv_pulseaudio_client_packets(gpg_pinentry_t)
corenet_tcp_bind_generic_node(gpg_pinentry_t)
corenet_tcp_connect_pulseaudio_port(gpg_pinentry_t)
corenet_tcp_sendrecv_generic_if(gpg_pinentry_t)
corenet_tcp_sendrecv_generic_node(gpg_pinentry_t)
corenet_tcp_sendrecv_generic_port(gpg_pinentry_t)

dev_read_urand(gpg_pinentry_t)
dev_read_rand(gpg_pinentry_t)

files_read_usr_files(gpg_pinentry_t)
# read /etc/X11/qtrc
files_read_etc_files(gpg_pinentry_t)

fs_dontaudit_list_inotifyfs(gpg_pinentry_t)
fs_getattr_tmpfs(gpg_pinentry_t)

auth_use_nsswitch(gpg_pinentry_t)

logging_send_syslog_msg(gpg_pinentry_t)

miscfiles_read_fonts(gpg_pinentry_t)
miscfiles_read_localization(gpg_pinentry_t)

# for .Xauthority
# NOTE(review): gpg_secret_t is declared as user home content in this
# module.  If this interface expands to all user home content types,
# the passphrase UI can also read the secret keyring, which it never
# needs.  Confirm what the interface covers and prefer a narrower
# Xauthority-only interface if the userdom/xserver layer provides one.
userdom_read_user_home_content_files(gpg_pinentry_t)
userdom_read_user_tmpfs_files(gpg_pinentry_t)

# Read-only on NFS/CIFS homes, consistent with the read-only intent above.
tunable_policy(`use_nfs_home_dirs',`
	fs_read_nfs_files(gpg_pinentry_t)
')

tunable_policy(`use_samba_home_dirs',`
	fs_read_cifs_files(gpg_pinentry_t)
')

optional_policy(`
	dbus_session_bus_client(gpg_pinentry_t)
	dbus_system_bus_client(gpg_pinentry_t)
')

# Audio feedback support; rw on the pulseaudio home files is the widest
# grant in this group.
optional_policy(`
	pulseaudio_exec(gpg_pinentry_t)
	pulseaudio_rw_home_files(gpg_pinentry_t)
	pulseaudio_setattr_home_dir(gpg_pinentry_t)
	pulseaudio_stream_connect(gpg_pinentry_t)
	pulseaudio_signull(gpg_pinentry_t)
')

# Pinentry is an X client; the passphrase is typed into it through the
# X server, so the X-side protections are outside this module's control.
optional_policy(`
	xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t)
')