[people/stevee/selinux-policy.git] / policy / modules / apps / gpg.te

policy_module(gpg, 2.3.1)

########################################
#
# Declarations
#

## <desc>
## <p>
## Allow usage of the gpg-agent --write-env-file option.
## This also allows gpg-agent to manage user files.
## </p>
## </desc>
gen_tunable(gpg_agent_env_file, false)

type gpg_t;
type gpg_exec_t;
typealias gpg_t alias { user_gpg_t staff_gpg_t sysadm_gpg_t };
typealias gpg_t alias { auditadm_gpg_t secadm_gpg_t };
application_domain(gpg_t, gpg_exec_t)
ubac_constrained(gpg_t)
role system_r types gpg_t;

type gpg_agent_t;
type gpg_agent_exec_t;
typealias gpg_agent_t alias { user_gpg_agent_t staff_gpg_agent_t sysadm_gpg_agent_t };
typealias gpg_agent_t alias { auditadm_gpg_agent_t secadm_gpg_agent_t };
application_domain(gpg_agent_t, gpg_agent_exec_t)
ubac_constrained(gpg_agent_t)

type gpg_agent_tmp_t;
typealias gpg_agent_tmp_t alias { user_gpg_agent_tmp_t staff_gpg_agent_tmp_t sysadm_gpg_agent_tmp_t };
typealias gpg_agent_tmp_t alias { auditadm_gpg_agent_tmp_t secadm_gpg_agent_tmp_t };
files_tmp_file(gpg_agent_tmp_t)
ubac_constrained(gpg_agent_tmp_t)

type gpg_secret_t;
typealias gpg_secret_t alias { user_gpg_secret_t staff_gpg_secret_t sysadm_gpg_secret_t };
typealias gpg_secret_t alias { auditadm_gpg_secret_t secadm_gpg_secret_t };
userdom_user_home_content(gpg_secret_t)

type gpg_helper_t;
type gpg_helper_exec_t;
typealias gpg_helper_t alias { user_gpg_helper_t staff_gpg_helper_t sysadm_gpg_helper_t };
typealias gpg_helper_t alias { auditadm_gpg_helper_t secadm_gpg_helper_t };
application_domain(gpg_helper_t, gpg_helper_exec_t)
ubac_constrained(gpg_helper_t)
role system_r types gpg_helper_t;

type gpg_pinentry_t;
type pinentry_exec_t;
typealias gpg_pinentry_t alias { user_gpg_pinentry_t staff_gpg_pinentry_t sysadm_gpg_pinentry_t };
typealias gpg_pinentry_t alias { auditadm_gpg_pinentry_t secadm_gpg_pinentry_t };
application_domain(gpg_pinentry_t, pinentry_exec_t)
ubac_constrained(gpg_pinentry_t)

type gpg_pinentry_tmp_t;
files_tmp_file(gpg_pinentry_tmp_t)
ubac_constrained(gpg_pinentry_tmp_t)

type gpg_pinentry_tmpfs_t;
files_tmpfs_file(gpg_pinentry_tmpfs_t)
ubac_constrained(gpg_pinentry_tmpfs_t)

########################################
#
# GPG local policy
#

allow gpg_t self:capability { ipc_lock setuid };
# setrlimit is for ulimit -c 0
allow gpg_t self:process { signal signull setrlimit getcap setcap setpgid };

allow gpg_t self:fifo_file rw_fifo_file_perms;
allow gpg_t self:tcp_socket create_stream_socket_perms;

manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
files_tmp_filetrans(gpg_t, gpg_agent_tmp_t, { dir file })

domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)

# transition from the gpg domain to the helper domain
domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)

allow gpg_t gpg_secret_t:dir create_dir_perms;
manage_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
manage_lnk_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir)

kernel_read_sysctl(gpg_t)

corecmd_exec_shell(gpg_t)
corecmd_exec_bin(gpg_t)

corenet_all_recvfrom_unlabeled(gpg_t)
corenet_all_recvfrom_netlabel(gpg_t)
corenet_tcp_sendrecv_generic_if(gpg_t)
corenet_udp_sendrecv_generic_if(gpg_t)
corenet_tcp_sendrecv_generic_node(gpg_t)
corenet_udp_sendrecv_generic_node(gpg_t)
corenet_tcp_sendrecv_all_ports(gpg_t)
corenet_udp_sendrecv_all_ports(gpg_t)
corenet_tcp_connect_all_ports(gpg_t)
corenet_sendrecv_all_client_packets(gpg_t)

dev_read_rand(gpg_t)
dev_read_urand(gpg_t)
dev_read_generic_usb_dev(gpg_t)

fs_getattr_xattr_fs(gpg_t)
fs_list_inotifyfs(gpg_t)

domain_use_interactive_fds(gpg_t)

files_read_etc_files(gpg_t)
files_read_usr_files(gpg_t)
files_dontaudit_search_var(gpg_t)

auth_use_nsswitch(gpg_t)

logging_send_syslog_msg(gpg_t)

miscfiles_read_localization(gpg_t)

userdom_use_user_terminals(gpg_t)
# sign/encrypt user files
userdom_manage_user_tmp_files(gpg_t)
userdom_manage_user_home_content_files(gpg_t)
userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)

mta_write_config(gpg_t)

tunable_policy(`use_nfs_home_dirs',`
	fs_manage_nfs_dirs(gpg_t)
	fs_manage_nfs_files(gpg_t)
')

tunable_policy(`use_samba_home_dirs',`
	fs_manage_cifs_dirs(gpg_t)
	fs_manage_cifs_files(gpg_t)
')

optional_policy(`
	mozilla_read_user_home_files(gpg_t)
	mozilla_write_user_home_files(gpg_t)
')

optional_policy(`
	xserver_use_xdm_fds(gpg_t)
	xserver_rw_xdm_pipes(gpg_t)
')

optional_policy(`
	cron_system_entry(gpg_t, gpg_exec_t)
	cron_read_system_job_tmp_files(gpg_t)
')

########################################
#
# GPG helper local policy
#

allow gpg_helper_t self:process { getsched setsched };

# for helper programs (which automatically fetch keys)
# Note: this is only tested with the hkp interface. If you use eg the
# mail interface you will likely need additional permissions.

allow gpg_helper_t self:unix_stream_socket create_stream_socket_perms;
allow gpg_helper_t self:tcp_socket { connect connected_socket_perms };
allow gpg_helper_t self:udp_socket { connect connected_socket_perms };

dontaudit gpg_helper_t gpg_secret_t:file read;

corenet_all_recvfrom_unlabeled(gpg_helper_t)
corenet_all_recvfrom_netlabel(gpg_helper_t)
corenet_tcp_sendrecv_generic_if(gpg_helper_t)
corenet_raw_sendrecv_generic_if(gpg_helper_t)
corenet_udp_sendrecv_generic_if(gpg_helper_t)
corenet_tcp_sendrecv_generic_node(gpg_helper_t)
corenet_udp_sendrecv_generic_node(gpg_helper_t)
corenet_raw_sendrecv_generic_node(gpg_helper_t)
corenet_tcp_sendrecv_all_ports(gpg_helper_t)
corenet_udp_sendrecv_all_ports(gpg_helper_t)
corenet_tcp_bind_generic_node(gpg_helper_t)
corenet_udp_bind_generic_node(gpg_helper_t)
corenet_tcp_connect_all_ports(gpg_helper_t)

files_read_etc_files(gpg_helper_t)

auth_use_nsswitch(gpg_helper_t)

userdom_use_user_terminals(gpg_helper_t)

tunable_policy(`use_nfs_home_dirs',`
	fs_dontaudit_rw_nfs_files(gpg_helper_t)
')

tunable_policy(`use_samba_home_dirs',`
	fs_dontaudit_rw_cifs_files(gpg_helper_t)
')

########################################
#
# GPG agent local policy
#

# rlimit: gpg-agent wants to prevent coredumps
allow gpg_agent_t self:process setrlimit;

allow gpg_agent_t self:unix_stream_socket create_stream_socket_perms ;
allow gpg_agent_t self:fifo_file rw_fifo_file_perms;

# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
manage_dirs_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)

# Allow the gpg-agent to manage its tmp files (socket)
manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })

# allow gpg to connect to the gpg agent
stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)

corecmd_read_bin_symlinks(gpg_agent_t)
corecmd_search_bin(gpg_agent_t)
corecmd_exec_shell(gpg_agent_t)

dev_read_urand(gpg_agent_t)

domain_use_interactive_fds(gpg_agent_t)

fs_dontaudit_list_inotifyfs(gpg_agent_t)

miscfiles_read_localization(gpg_agent_t)

# Write to the user domain tty.
userdom_use_user_terminals(gpg_agent_t)
# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
userdom_search_user_home_dirs(gpg_agent_t)

ifdef(`hide_broken_symptoms',`
	userdom_dontaudit_read_user_tmp_files(gpg_agent_t)
')

tunable_policy(`gpg_agent_env_file',`
	# write ~/.gpg-agent-info or a similar to the users home dir
	# or subdir (gpg-agent --write-env-file option)
	#
	userdom_user_home_dir_filetrans_user_home_content(gpg_agent_t, file)
	userdom_manage_user_home_content_dirs(gpg_agent_t)
	userdom_manage_user_home_content_files(gpg_agent_t)
')

tunable_policy(`use_nfs_home_dirs',`
	fs_manage_nfs_dirs(gpg_agent_t)
	fs_manage_nfs_files(gpg_agent_t)
	fs_manage_nfs_symlinks(gpg_agent_t)
')

tunable_policy(`use_samba_home_dirs',`
	fs_manage_cifs_dirs(gpg_agent_t)
	fs_manage_cifs_files(gpg_agent_t)
	fs_manage_cifs_symlinks(gpg_agent_t)
')

optional_policy(`
	mozilla_dontaudit_rw_user_home_files(gpg_agent_t)
')

##############################
#
# Pinentry local policy
#

allow gpg_pinentry_t self:process { getcap getsched setsched signal };
allow gpg_pinentry_t self:fifo_file rw_fifo_file_perms;
allow gpg_pinentry_t self:netlink_route_socket create_netlink_socket_perms;
allow gpg_pinentry_t self:shm create_shm_perms;
allow gpg_pinentry_t self:tcp_socket create_stream_socket_perms;
allow gpg_pinentry_t self:unix_dgram_socket sendto;
allow gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write };

can_exec(gpg_pinentry_t, pinentry_exec_t)

# we need to allow gpg-agent to call pinentry so it can get the passphrase
# from the user.
domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t)

manage_sock_files_pattern(gpg_pinentry_t, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
userdom_user_tmp_filetrans(gpg_pinentry_t, gpg_pinentry_tmp_t, sock_file)

manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
manage_files_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir })

# read /proc/meminfo
kernel_read_system_state(gpg_pinentry_t)

corecmd_exec_bin(gpg_pinentry_t)

corenet_all_recvfrom_netlabel(gpg_pinentry_t)
corenet_all_recvfrom_unlabeled(gpg_pinentry_t)
corenet_sendrecv_pulseaudio_client_packets(gpg_pinentry_t)
corenet_tcp_bind_generic_node(gpg_pinentry_t)
corenet_tcp_connect_pulseaudio_port(gpg_pinentry_t)
corenet_tcp_sendrecv_generic_if(gpg_pinentry_t)
corenet_tcp_sendrecv_generic_node(gpg_pinentry_t)
corenet_tcp_sendrecv_generic_port(gpg_pinentry_t)

dev_read_urand(gpg_pinentry_t)
dev_read_rand(gpg_pinentry_t)

files_read_usr_files(gpg_pinentry_t)
# read /etc/X11/qtrc
files_read_etc_files(gpg_pinentry_t)

fs_dontaudit_list_inotifyfs(gpg_pinentry_t)
fs_getattr_tmpfs(gpg_pinentry_t)

auth_use_nsswitch(gpg_pinentry_t)

logging_send_syslog_msg(gpg_pinentry_t)

miscfiles_read_fonts(gpg_pinentry_t)
miscfiles_read_localization(gpg_pinentry_t)

# for .Xauthority
userdom_read_user_home_content_files(gpg_pinentry_t)
userdom_read_user_tmpfs_files(gpg_pinentry_t)

tunable_policy(`use_nfs_home_dirs',`
	fs_read_nfs_files(gpg_pinentry_t)
')

tunable_policy(`use_samba_home_dirs',`
	fs_read_cifs_files(gpg_pinentry_t)
')

optional_policy(`
	dbus_session_bus_client(gpg_pinentry_t)
	dbus_system_bus_client(gpg_pinentry_t)
')

optional_policy(`
	pulseaudio_exec(gpg_pinentry_t)
	pulseaudio_rw_home_files(gpg_pinentry_t)
	pulseaudio_setattr_home_dir(gpg_pinentry_t)
	pulseaudio_stream_connect(gpg_pinentry_t)
	pulseaudio_signull(gpg_pinentry_t)
')

optional_policy(`
	xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t)
')
Commit	Line	Data
a3b0dc5b	1	policy_module(gpg, 2.3.1)
b2b38c78 CP	2
	3	########################################
	4	#
	5	# Declarations
	6	#
	7
a42ce93a CP	8	## <desc>
	9	## <p>
	10	## Allow usage of the gpg-agent --write-env-file option.
	11	## This also allows gpg-agent to manage user files.
	12	## </p>
	13	## </desc>
	14	gen_tunable(gpg_agent_env_file, false)
	15
296273a7	16	type gpg_t;
b2b38c78	17	type gpg_exec_t;
296273a7 CP	18	typealias gpg_t alias { user_gpg_t staff_gpg_t sysadm_gpg_t };
	19	typealias gpg_t alias { auditadm_gpg_t secadm_gpg_t };
	20	application_domain(gpg_t, gpg_exec_t)
	21	ubac_constrained(gpg_t)
857d37e8	22	role system_r types gpg_t;
b2b38c78	23
296273a7	24	type gpg_agent_t;
b2b38c78	25	type gpg_agent_exec_t;
296273a7 CP	26	typealias gpg_agent_t alias { user_gpg_agent_t staff_gpg_agent_t sysadm_gpg_agent_t };
	27	typealias gpg_agent_t alias { auditadm_gpg_agent_t secadm_gpg_agent_t };
	28	application_domain(gpg_agent_t, gpg_agent_exec_t)
	29	ubac_constrained(gpg_agent_t)
	30
	31	type gpg_agent_tmp_t;
	32	typealias gpg_agent_tmp_t alias { user_gpg_agent_tmp_t staff_gpg_agent_tmp_t sysadm_gpg_agent_tmp_t };
	33	typealias gpg_agent_tmp_t alias { auditadm_gpg_agent_tmp_t secadm_gpg_agent_tmp_t };
	34	files_tmp_file(gpg_agent_tmp_t)
	35	ubac_constrained(gpg_agent_tmp_t)
	36
	37	type gpg_secret_t;
	38	typealias gpg_secret_t alias { user_gpg_secret_t staff_gpg_secret_t sysadm_gpg_secret_t };
	39	typealias gpg_secret_t alias { auditadm_gpg_secret_t secadm_gpg_secret_t };
	40	userdom_user_home_content(gpg_secret_t)
	41
	42	type gpg_helper_t;
	43	type gpg_helper_exec_t;
	44	typealias gpg_helper_t alias { user_gpg_helper_t staff_gpg_helper_t sysadm_gpg_helper_t };
	45	typealias gpg_helper_t alias { auditadm_gpg_helper_t secadm_gpg_helper_t };
	46	application_domain(gpg_helper_t, gpg_helper_exec_t)
	47	ubac_constrained(gpg_helper_t)
857d37e8	48	role system_r types gpg_helper_t;
b2b38c78	49
296273a7	50	type gpg_pinentry_t;
b2b38c78	51	type pinentry_exec_t;
296273a7 CP	52	typealias gpg_pinentry_t alias { user_gpg_pinentry_t staff_gpg_pinentry_t sysadm_gpg_pinentry_t };
	53	typealias gpg_pinentry_t alias { auditadm_gpg_pinentry_t secadm_gpg_pinentry_t };
	54	application_domain(gpg_pinentry_t, pinentry_exec_t)
	55	ubac_constrained(gpg_pinentry_t)
	56
857d37e8 CP	57	type gpg_pinentry_tmp_t;
	58	files_tmp_file(gpg_pinentry_tmp_t)
	59	ubac_constrained(gpg_pinentry_tmp_t)
	60
	61	type gpg_pinentry_tmpfs_t;
	62	files_tmpfs_file(gpg_pinentry_tmpfs_t)
	63	ubac_constrained(gpg_pinentry_tmpfs_t)
	64
296273a7 CP	65	########################################
	66	#
	67	# GPG local policy
	68	#
	69
	70	allow gpg_t self:capability { ipc_lock setuid };
	71	# setrlimit is for ulimit -c 0
857d37e8	72	allow gpg_t self:process { signal signull setrlimit getcap setcap setpgid };
296273a7 CP	73
	74	allow gpg_t self:fifo_file rw_fifo_file_perms;
	75	allow gpg_t self:tcp_socket create_stream_socket_perms;
	76
e4f73afb CP	77	manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
	78	manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
	79	files_tmp_filetrans(gpg_t, gpg_agent_tmp_t, { dir file })
	80
857d37e8 CP	81	domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
857d37e8 CP	82
296273a7 CP	83	# transition from the gpg domain to the helper domain
	84	domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)
	85
	86	allow gpg_t gpg_secret_t:dir create_dir_perms;
	87	manage_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
	88	manage_lnk_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
	89	userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir)
	90
e4f73afb CP	91	kernel_read_sysctl(gpg_t)
e4f73afb CP	92
857d37e8 CP	93	corecmd_exec_shell(gpg_t)
	94	corecmd_exec_bin(gpg_t)
	95
296273a7 CP	96	corenet_all_recvfrom_unlabeled(gpg_t)
296273a7 CP	97	corenet_all_recvfrom_netlabel(gpg_t)
668b3093 CP	98	corenet_tcp_sendrecv_generic_if(gpg_t)
668b3093 CP	99	corenet_udp_sendrecv_generic_if(gpg_t)
c1262146 CP	100	corenet_tcp_sendrecv_generic_node(gpg_t)
c1262146 CP	101	corenet_udp_sendrecv_generic_node(gpg_t)
296273a7 CP	102	corenet_tcp_sendrecv_all_ports(gpg_t)
	103	corenet_udp_sendrecv_all_ports(gpg_t)
	104	corenet_tcp_connect_all_ports(gpg_t)
	105	corenet_sendrecv_all_client_packets(gpg_t)
	106
	107	dev_read_rand(gpg_t)
	108	dev_read_urand(gpg_t)
ca7fa520	109	dev_read_generic_usb_dev(gpg_t)
296273a7 CP	110
296273a7 CP	111	fs_getattr_xattr_fs(gpg_t)
857d37e8	112	fs_list_inotifyfs(gpg_t)
296273a7 CP	113
	114	domain_use_interactive_fds(gpg_t)
	115
	116	files_read_etc_files(gpg_t)
	117	files_read_usr_files(gpg_t)
	118	files_dontaudit_search_var(gpg_t)
	119
e4f73afb CP	120	auth_use_nsswitch(gpg_t)
e4f73afb CP	121
296273a7 CP	122	logging_send_syslog_msg(gpg_t)
296273a7 CP	123
36ded4bd CP	124	miscfiles_read_localization(gpg_t)
36ded4bd CP	125
296273a7	126	userdom_use_user_terminals(gpg_t)
36ded4bd CP	127	# sign/encrypt user files
	128	userdom_manage_user_tmp_files(gpg_t)
	129	userdom_manage_user_home_content_files(gpg_t)
857d37e8	130	userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)
36ded4bd CP	131
	132	mta_write_config(gpg_t)
	133
	134	tunable_policy(`use_nfs_home_dirs',`
	135	fs_manage_nfs_dirs(gpg_t)
	136	fs_manage_nfs_files(gpg_t)
	137	')
	138
	139	tunable_policy(`use_samba_home_dirs',`
	140	fs_manage_cifs_dirs(gpg_t)
	141	fs_manage_cifs_files(gpg_t)
	142	')
	143
857d37e8 CP	144	optional_policy(`
	145	mozilla_read_user_home_files(gpg_t)
	146	mozilla_write_user_home_files(gpg_t)
	147	')
	148
36ded4bd CP	149	optional_policy(`
	150	xserver_use_xdm_fds(gpg_t)
	151	xserver_rw_xdm_pipes(gpg_t)
	152	')
	153
	154	optional_policy(`
	155	cron_system_entry(gpg_t, gpg_exec_t)
	156	cron_read_system_job_tmp_files(gpg_t)
	157	')
296273a7	158
296273a7 CP	159	########################################
	160	#
	161	# GPG helper local policy
	162	#
	163
e4f73afb CP	164	allow gpg_helper_t self:process { getsched setsched };
e4f73afb CP	165
296273a7	166	# for helper programs (which automatically fetch keys)
857d37e8	167	# Note: this is only tested with the hkp interface. If you use eg the
296273a7 CP	168	# mail interface you will likely need additional permissions.
	169
	170	allow gpg_helper_t self:unix_stream_socket create_stream_socket_perms;
	171	allow gpg_helper_t self:tcp_socket { connect connected_socket_perms };
	172	allow gpg_helper_t self:udp_socket { connect connected_socket_perms };
	173
	174	dontaudit gpg_helper_t gpg_secret_t:file read;
	175
	176	corenet_all_recvfrom_unlabeled(gpg_helper_t)
	177	corenet_all_recvfrom_netlabel(gpg_helper_t)
668b3093 CP	178	corenet_tcp_sendrecv_generic_if(gpg_helper_t)
	179	corenet_raw_sendrecv_generic_if(gpg_helper_t)
	180	corenet_udp_sendrecv_generic_if(gpg_helper_t)
c1262146 CP	181	corenet_tcp_sendrecv_generic_node(gpg_helper_t)
	182	corenet_udp_sendrecv_generic_node(gpg_helper_t)
	183	corenet_raw_sendrecv_generic_node(gpg_helper_t)
296273a7 CP	184	corenet_tcp_sendrecv_all_ports(gpg_helper_t)
296273a7 CP	185	corenet_udp_sendrecv_all_ports(gpg_helper_t)
c1262146 CP	186	corenet_tcp_bind_generic_node(gpg_helper_t)
c1262146 CP	187	corenet_udp_bind_generic_node(gpg_helper_t)
296273a7 CP	188	corenet_tcp_connect_all_ports(gpg_helper_t)
296273a7 CP	189
296273a7	190	files_read_etc_files(gpg_helper_t)
296273a7	191
e4f73afb CP	192	auth_use_nsswitch(gpg_helper_t)
	193
	194	userdom_use_user_terminals(gpg_helper_t)
296273a7 CP	195
296273a7 CP	196	tunable_policy(`use_nfs_home_dirs',`
36ded4bd	197	fs_dontaudit_rw_nfs_files(gpg_helper_t)
296273a7 CP	198	')
	199
	200	tunable_policy(`use_samba_home_dirs',`
36ded4bd	201	fs_dontaudit_rw_cifs_files(gpg_helper_t)
296273a7 CP	202	')
	203
	204	########################################
	205	#
	206	# GPG agent local policy
	207	#
	208
	209	# rlimit: gpg-agent wants to prevent coredumps
	210	allow gpg_agent_t self:process setrlimit;
	211
	212	allow gpg_agent_t self:unix_stream_socket create_stream_socket_perms ;
	213	allow gpg_agent_t self:fifo_file rw_fifo_file_perms;
	214
	215	# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
	216	manage_dirs_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
	217	manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
	218	manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
	219
	220	# Allow the gpg-agent to manage its tmp files (socket)
	221	manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
	222	manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
	223	manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
	224	files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })
	225
	226	# allow gpg to connect to the gpg agent
	227	stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)
	228
a3b0dc5b	229	corecmd_read_bin_symlinks(gpg_agent_t)
296273a7	230	corecmd_search_bin(gpg_agent_t)
857d37e8	231	corecmd_exec_shell(gpg_agent_t)
296273a7	232
a3b0dc5b CP	233	dev_read_urand(gpg_agent_t)
a3b0dc5b CP	234
296273a7 CP	235	domain_use_interactive_fds(gpg_agent_t)
296273a7 CP	236
a3b0dc5b CP	237	fs_dontaudit_list_inotifyfs(gpg_agent_t)
a3b0dc5b CP	238
296273a7 CP	239	miscfiles_read_localization(gpg_agent_t)
	240
	241	# Write to the user domain tty.
	242	userdom_use_user_terminals(gpg_agent_t)
	243	# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
	244	userdom_search_user_home_dirs(gpg_agent_t)
	245
a3b0dc5b CP	246	ifdef(`hide_broken_symptoms',`
	247	userdom_dontaudit_read_user_tmp_files(gpg_agent_t)
	248	')
	249
296273a7 CP	250	tunable_policy(`gpg_agent_env_file',`
	251	# write ~/.gpg-agent-info or a similar to the users home dir
	252	# or subdir (gpg-agent --write-env-file option)
	253	#
	254	userdom_user_home_dir_filetrans_user_home_content(gpg_agent_t, file)
	255	userdom_manage_user_home_content_dirs(gpg_agent_t)
	256	userdom_manage_user_home_content_files(gpg_agent_t)
	257	')
	258
	259	tunable_policy(`use_nfs_home_dirs',`
	260	fs_manage_nfs_dirs(gpg_agent_t)
	261	fs_manage_nfs_files(gpg_agent_t)
	262	fs_manage_nfs_symlinks(gpg_agent_t)
	263	')
	264
	265	tunable_policy(`use_samba_home_dirs',`
	266	fs_manage_cifs_dirs(gpg_agent_t)
	267	fs_manage_cifs_files(gpg_agent_t)
	268	fs_manage_cifs_symlinks(gpg_agent_t)
	269	')
	270
a3b0dc5b CP	271	optional_policy(`
	272	mozilla_dontaudit_rw_user_home_files(gpg_agent_t)
	273	')
	274
296273a7 CP	275	##############################
	276	#
	277	# Pinentry local policy
	278	#
	279
857d37e8	280	allow gpg_pinentry_t self:process { getcap getsched setsched signal };
296273a7	281	allow gpg_pinentry_t self:fifo_file rw_fifo_file_perms;
857d37e8 CP	282	allow gpg_pinentry_t self:netlink_route_socket create_netlink_socket_perms;
	283	allow gpg_pinentry_t self:shm create_shm_perms;
	284	allow gpg_pinentry_t self:tcp_socket create_stream_socket_perms;
	285	allow gpg_pinentry_t self:unix_dgram_socket sendto;
	286	allow gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write };
296273a7	287
857d37e8 CP	288	can_exec(gpg_pinentry_t, pinentry_exec_t)
	289
	290	# we need to allow gpg-agent to call pinentry so it can get the passphrase
296273a7 CP	291	# from the user.
	292	domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t)
	293
857d37e8 CP	294	manage_sock_files_pattern(gpg_pinentry_t, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
	295	userdom_user_tmp_filetrans(gpg_pinentry_t, gpg_pinentry_tmp_t, sock_file)
	296
	297	manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
	298	manage_files_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
	299	fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir })
857d37e8	300
296273a7 CP	301	# read /proc/meminfo
	302	kernel_read_system_state(gpg_pinentry_t)
	303
857d37e8 CP	304	corecmd_exec_bin(gpg_pinentry_t)
	305
	306	corenet_all_recvfrom_netlabel(gpg_pinentry_t)
	307	corenet_all_recvfrom_unlabeled(gpg_pinentry_t)
	308	corenet_sendrecv_pulseaudio_client_packets(gpg_pinentry_t)
	309	corenet_tcp_bind_generic_node(gpg_pinentry_t)
	310	corenet_tcp_connect_pulseaudio_port(gpg_pinentry_t)
	311	corenet_tcp_sendrecv_generic_if(gpg_pinentry_t)
	312	corenet_tcp_sendrecv_generic_node(gpg_pinentry_t)
	313	corenet_tcp_sendrecv_generic_port(gpg_pinentry_t)
	314
	315	dev_read_urand(gpg_pinentry_t)
	316	dev_read_rand(gpg_pinentry_t)
	317
296273a7 CP	318	files_read_usr_files(gpg_pinentry_t)
	319	# read /etc/X11/qtrc
	320	files_read_etc_files(gpg_pinentry_t)
	321
a3b0dc5b CP	322	fs_dontaudit_list_inotifyfs(gpg_pinentry_t)
	323	fs_getattr_tmpfs(gpg_pinentry_t)
	324
	325	auth_use_nsswitch(gpg_pinentry_t)
	326
857d37e8 CP	327	logging_send_syslog_msg(gpg_pinentry_t)
857d37e8 CP	328
296273a7 CP	329	miscfiles_read_fonts(gpg_pinentry_t)
	330	miscfiles_read_localization(gpg_pinentry_t)
	331
	332	# for .Xauthority
	333	userdom_read_user_home_content_files(gpg_pinentry_t)
857d37e8	334	userdom_read_user_tmpfs_files(gpg_pinentry_t)
296273a7 CP	335
	336	tunable_policy(`use_nfs_home_dirs',`
	337	fs_read_nfs_files(gpg_pinentry_t)
	338	')
	339
	340	tunable_policy(`use_samba_home_dirs',`
	341	fs_read_cifs_files(gpg_pinentry_t)
	342	')
	343
	344	optional_policy(`
857d37e8 CP	345	dbus_session_bus_client(gpg_pinentry_t)
	346	dbus_system_bus_client(gpg_pinentry_t)
	347	')
	348
	349	optional_policy(`
	350	pulseaudio_exec(gpg_pinentry_t)
a3b0dc5b	351	pulseaudio_rw_home_files(gpg_pinentry_t)
857d37e8 CP	352	pulseaudio_setattr_home_dir(gpg_pinentry_t)
857d37e8 CP	353	pulseaudio_stream_connect(gpg_pinentry_t)
a3b0dc5b	354	pulseaudio_signull(gpg_pinentry_t)
857d37e8 CP	355	')
	356
	357	optional_policy(`
	358	xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t)
296273a7	359	')