[people/stevee/selinux-policy.git] / policy / modules / apps / gpg.te

policy_module(gpg, 2.4.0)

########################################
#
# Declarations
#
attribute gpgdomain;

## <desc>
## <p>
## Allow usage of the gpg-agent --write-env-file option.
## This also allows gpg-agent to manage user files.
## </p>
## </desc>
gen_tunable(gpg_agent_env_file, false)

## <desc>
## <p>
## Allow gpg web domain to modify public files
## used for public file transfer services.
## </p>
## </desc>
gen_tunable(gpg_web_anon_write, false)

type gpg_t, gpgdomain;
type gpg_exec_t;
typealias gpg_t alias { user_gpg_t staff_gpg_t sysadm_gpg_t };
typealias gpg_t alias { auditadm_gpg_t secadm_gpg_t };
application_domain(gpg_t, gpg_exec_t)
ubac_constrained(gpg_t)
role system_r types gpg_t;

type gpg_agent_t;
type gpg_agent_exec_t;
typealias gpg_agent_t alias { user_gpg_agent_t staff_gpg_agent_t sysadm_gpg_agent_t };
typealias gpg_agent_t alias { auditadm_gpg_agent_t secadm_gpg_agent_t };
application_domain(gpg_agent_t, gpg_agent_exec_t)
ubac_constrained(gpg_agent_t)

type gpg_agent_tmp_t;
typealias gpg_agent_tmp_t alias { user_gpg_agent_tmp_t staff_gpg_agent_tmp_t sysadm_gpg_agent_tmp_t };
typealias gpg_agent_tmp_t alias { auditadm_gpg_agent_tmp_t secadm_gpg_agent_tmp_t };
files_tmp_file(gpg_agent_tmp_t)
ubac_constrained(gpg_agent_tmp_t)

type gpg_secret_t;
typealias gpg_secret_t alias { user_gpg_secret_t staff_gpg_secret_t sysadm_gpg_secret_t };
typealias gpg_secret_t alias { auditadm_gpg_secret_t secadm_gpg_secret_t };
userdom_user_home_content(gpg_secret_t)

type gpg_helper_t;
type gpg_helper_exec_t;
typealias gpg_helper_t alias { user_gpg_helper_t staff_gpg_helper_t sysadm_gpg_helper_t };
typealias gpg_helper_t alias { auditadm_gpg_helper_t secadm_gpg_helper_t };
application_domain(gpg_helper_t, gpg_helper_exec_t)
ubac_constrained(gpg_helper_t)
role system_r types gpg_helper_t;

type gpg_pinentry_t;
type pinentry_exec_t;
typealias gpg_pinentry_t alias { user_gpg_pinentry_t staff_gpg_pinentry_t sysadm_gpg_pinentry_t };
typealias gpg_pinentry_t alias { auditadm_gpg_pinentry_t secadm_gpg_pinentry_t };
application_domain(gpg_pinentry_t, pinentry_exec_t)
ubac_constrained(gpg_pinentry_t)

type gpg_pinentry_tmp_t;
files_tmp_file(gpg_pinentry_tmp_t)
ubac_constrained(gpg_pinentry_tmp_t)

type gpg_pinentry_tmpfs_t;
files_tmpfs_file(gpg_pinentry_tmpfs_t)
ubac_constrained(gpg_pinentry_tmpfs_t)

type gpg_web_t;
domain_type(gpg_web_t)
gpg_entry_type(gpg_web_t)
role system_r types gpg_web_t;

########################################
#
# GPG local policy
#

allow gpgdomain self:capability { ipc_lock setuid };
allow gpgdomain self:process { getsched setsched };
#at setrlimit is for ulimit -c 0
allow gpgdomain self:process { signal signull setrlimit getcap setcap setpgid };
dontaudit gpgdomain self:netlink_audit_socket r_netlink_socket_perms;

allow gpgdomain self:fifo_file rw_fifo_file_perms;
allow gpgdomain self:tcp_socket create_stream_socket_perms;

manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
files_tmp_filetrans(gpg_t, gpg_agent_tmp_t, { dir file })

domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)

# transition from the gpg domain to the helper domain
domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)

allow gpg_t gpg_secret_t:dir create_dir_perms;
manage_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
manage_lnk_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir)

kernel_read_sysctl(gpg_t)

corecmd_exec_shell(gpg_t)
corecmd_exec_bin(gpg_t)

corenet_all_recvfrom_unlabeled(gpg_t)
corenet_all_recvfrom_netlabel(gpg_t)
corenet_tcp_sendrecv_generic_if(gpg_t)
corenet_udp_sendrecv_generic_if(gpg_t)
corenet_tcp_sendrecv_generic_node(gpg_t)
corenet_udp_sendrecv_generic_node(gpg_t)
corenet_tcp_sendrecv_all_ports(gpg_t)
corenet_udp_sendrecv_all_ports(gpg_t)
corenet_tcp_connect_all_ports(gpg_t)
corenet_sendrecv_all_client_packets(gpg_t)

dev_read_rand(gpg_t)
dev_read_urand(gpg_t)
dev_read_generic_usb_dev(gpg_t)

fs_getattr_xattr_fs(gpg_t)
fs_list_inotifyfs(gpg_t)

domain_use_interactive_fds(gpg_t)

files_read_etc_files(gpg_t)
files_read_usr_files(gpg_t)
files_dontaudit_search_var(gpg_t)

auth_use_nsswitch(gpg_t)

logging_send_syslog_msg(gpg_t)

miscfiles_read_localization(gpg_t)

userdom_use_user_terminals(gpg_t)
# sign/encrypt user files
userdom_manage_all_user_tmp_content(gpg_t)
userdom_manage_user_home_content(gpg_t)
userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)
userdom_stream_connect(gpg_t)

mta_write_config(gpg_t)

tunable_policy(`use_nfs_home_dirs',`
	fs_manage_nfs_dirs(gpg_t)
	fs_manage_nfs_files(gpg_t)
')

tunable_policy(`use_samba_home_dirs',`
	fs_manage_cifs_dirs(gpg_t)
	fs_manage_cifs_files(gpg_t)
')

optional_policy(`
	gnome_read_config(gpg_t)
	gnome_stream_connect_gkeyringd(gpg_t)
')

optional_policy(`
	mozilla_read_user_home_files(gpg_t)
	mozilla_write_user_home_files(gpg_t)
')

optional_policy(`
	xserver_use_xdm_fds(gpg_t)
	xserver_rw_xdm_pipes(gpg_t)
')

#optional_policy(`
#	cron_system_entry(gpg_t, gpg_exec_t)
#	cron_read_system_job_tmp_files(gpg_t)
#')

########################################
#
# GPG helper local policy
#

allow gpg_helper_t self:process { getsched setsched };

# for helper programs (which automatically fetch keys)
# Note: this is only tested with the hkp interface. If you use eg the
# mail interface you will likely need additional permissions.

allow gpg_helper_t self:unix_stream_socket create_stream_socket_perms;
allow gpg_helper_t self:tcp_socket { connect connected_socket_perms };
allow gpg_helper_t self:udp_socket { connect connected_socket_perms };

dontaudit gpg_helper_t gpg_secret_t:file read;

corenet_all_recvfrom_unlabeled(gpg_helper_t)
corenet_all_recvfrom_netlabel(gpg_helper_t)
corenet_tcp_sendrecv_generic_if(gpg_helper_t)
corenet_raw_sendrecv_generic_if(gpg_helper_t)
corenet_udp_sendrecv_generic_if(gpg_helper_t)
corenet_tcp_sendrecv_generic_node(gpg_helper_t)
corenet_udp_sendrecv_generic_node(gpg_helper_t)
corenet_raw_sendrecv_generic_node(gpg_helper_t)
corenet_tcp_sendrecv_all_ports(gpg_helper_t)
corenet_udp_sendrecv_all_ports(gpg_helper_t)
corenet_tcp_bind_generic_node(gpg_helper_t)
corenet_udp_bind_generic_node(gpg_helper_t)
corenet_tcp_connect_all_ports(gpg_helper_t)

files_read_etc_files(gpg_helper_t)

auth_use_nsswitch(gpg_helper_t)

userdom_use_user_terminals(gpg_helper_t)

tunable_policy(`use_nfs_home_dirs',`
	fs_dontaudit_rw_nfs_files(gpg_helper_t)
')

tunable_policy(`use_samba_home_dirs',`
	fs_dontaudit_rw_cifs_files(gpg_helper_t)
')

########################################
#
# GPG agent local policy
#
domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)

# rlimit: gpg-agent wants to prevent coredumps
allow gpg_agent_t self:process setrlimit;

allow gpg_agent_t self:unix_stream_socket create_stream_socket_perms ;
allow gpg_agent_t self:fifo_file rw_fifo_file_perms;

# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
manage_dirs_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)

# Allow the gpg-agent to manage its tmp files (socket)
manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })

# allow gpg to connect to the gpg agent
stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)

corecmd_read_bin_symlinks(gpg_agent_t)
corecmd_search_bin(gpg_agent_t)
corecmd_exec_shell(gpg_agent_t)

dev_read_urand(gpg_agent_t)

domain_use_interactive_fds(gpg_agent_t)

fs_dontaudit_list_inotifyfs(gpg_agent_t)

miscfiles_read_localization(gpg_agent_t)

# Write to the user domain tty.
userdom_use_user_terminals(gpg_agent_t)
# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
userdom_search_user_home_dirs(gpg_agent_t)

ifdef(`hide_broken_symptoms',`
	userdom_dontaudit_read_user_tmp_files(gpg_agent_t)
	userdom_dontaudit_write_user_tmp_files(gpg_agent_t)
')

tunable_policy(`gpg_agent_env_file',`
	# write ~/.gpg-agent-info or a similar to the users home dir
	# or subdir (gpg-agent --write-env-file option)
	#
	userdom_user_home_dir_filetrans_user_home_content(gpg_agent_t, file)
	userdom_manage_user_home_content_dirs(gpg_agent_t)
	userdom_manage_user_home_content_files(gpg_agent_t)
')

tunable_policy(`use_nfs_home_dirs',`
	fs_manage_nfs_dirs(gpg_agent_t)
	fs_manage_nfs_files(gpg_agent_t)
	fs_manage_nfs_symlinks(gpg_agent_t)
')

tunable_policy(`use_samba_home_dirs',`
	fs_manage_cifs_dirs(gpg_agent_t)
	fs_manage_cifs_files(gpg_agent_t)
	fs_manage_cifs_symlinks(gpg_agent_t)
')

optional_policy(`
	mozilla_dontaudit_rw_user_home_files(gpg_agent_t)
')

##############################
#
# Pinentry local policy
#

allow gpg_pinentry_t self:process { getcap getsched setsched signal };
allow gpg_pinentry_t self:fifo_file rw_fifo_file_perms;
allow gpg_pinentry_t self:netlink_route_socket create_netlink_socket_perms;
allow gpg_pinentry_t self:shm create_shm_perms;
allow gpg_pinentry_t self:tcp_socket create_stream_socket_perms;
allow gpg_pinentry_t self:unix_dgram_socket sendto;
allow gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write };

can_exec(gpg_pinentry_t, pinentry_exec_t)

# we need to allow gpg-agent to call pinentry so it can get the passphrase
# from the user.
domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t)

manage_sock_files_pattern(gpg_pinentry_t, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
userdom_user_tmp_filetrans(gpg_pinentry_t, gpg_pinentry_tmp_t, sock_file)

manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
manage_files_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir })

# read /proc/meminfo
kernel_read_system_state(gpg_pinentry_t)

corecmd_exec_bin(gpg_pinentry_t)

corenet_all_recvfrom_netlabel(gpg_pinentry_t)
corenet_all_recvfrom_unlabeled(gpg_pinentry_t)
corenet_sendrecv_pulseaudio_client_packets(gpg_pinentry_t)
corenet_tcp_bind_generic_node(gpg_pinentry_t)
corenet_tcp_connect_pulseaudio_port(gpg_pinentry_t)
corenet_tcp_sendrecv_generic_if(gpg_pinentry_t)
corenet_tcp_sendrecv_generic_node(gpg_pinentry_t)
corenet_tcp_sendrecv_generic_port(gpg_pinentry_t)

dev_read_urand(gpg_pinentry_t)
dev_read_rand(gpg_pinentry_t)

files_read_usr_files(gpg_pinentry_t)
# read /etc/X11/qtrc
files_read_etc_files(gpg_pinentry_t)

fs_dontaudit_list_inotifyfs(gpg_pinentry_t)
fs_getattr_tmpfs(gpg_pinentry_t)

auth_use_nsswitch(gpg_pinentry_t)

logging_send_syslog_msg(gpg_pinentry_t)

miscfiles_read_fonts(gpg_pinentry_t)
miscfiles_read_localization(gpg_pinentry_t)

# for .Xauthority
userdom_read_user_home_content_files(gpg_pinentry_t)
userdom_read_user_tmpfs_files(gpg_pinentry_t)
# Bug: user pulseaudio files need open,read and unlink:
allow gpg_pinentry_t user_tmpfs_t:file unlink;
userdom_signull_unpriv_users(gpg_pinentry_t)

tunable_policy(`use_nfs_home_dirs',`
	fs_read_nfs_files(gpg_pinentry_t)
')

tunable_policy(`use_samba_home_dirs',`
	fs_read_cifs_files(gpg_pinentry_t)
')

optional_policy(`
	gnome_read_home_config(gpg_pinentry_t)
')

optional_policy(`
	dbus_session_bus_client(gpg_pinentry_t)
	dbus_system_bus_client(gpg_pinentry_t)
')

optional_policy(`
	gnome_write_generic_cache_files(gpg_pinentry_t)
	gnome_read_generic_cache_files(gpg_pinentry_t)
	gnome_read_gconf_home_files(gpg_pinentry_t)
')

optional_policy(`
	pulseaudio_exec(gpg_pinentry_t)
	pulseaudio_rw_home_files(gpg_pinentry_t)
	pulseaudio_setattr_home_dir(gpg_pinentry_t)
	pulseaudio_stream_connect(gpg_pinentry_t)
	pulseaudio_signull(gpg_pinentry_t)
')

optional_policy(`
	xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t)

')

#############################
#
# gpg web local policy
#

allow gpg_web_t self:process setrlimit;

dev_read_rand(gpg_web_t)
dev_read_urand(gpg_web_t)

can_exec(gpg_web_t, gpg_exec_t)

files_read_usr_files(gpg_web_t)

miscfiles_read_localization(gpg_web_t)

apache_dontaudit_rw_tmp_files(gpg_web_t)
apache_manage_sys_content_rw(gpg_web_t)

tunable_policy(`gpg_web_anon_write',`
    miscfiles_manage_public_files(gpg_web_t)
')
Commit	Line	Data
826d0142	1	policy_module(gpg, 2.4.0)
b2b38c78 CP	2
	3	########################################
	4	#
	5	# Declarations
	6	#
3eaa9939	7	attribute gpgdomain;
b2b38c78	8
a42ce93a CP	9	## <desc>
	10	## <p>
	11	## Allow usage of the gpg-agent --write-env-file option.
	12	## This also allows gpg-agent to manage user files.
	13	## </p>
	14	## </desc>
	15	gen_tunable(gpg_agent_env_file, false)
	16
3eaa9939 DW	17	## <desc>
	18	## <p>
	19	## Allow gpg web domain to modify public files
	20	## used for public file transfer services.
	21	## </p>
	22	## </desc>
	23	gen_tunable(gpg_web_anon_write, false)
	24
	25	type gpg_t, gpgdomain;
b2b38c78	26	type gpg_exec_t;
296273a7 CP	27	typealias gpg_t alias { user_gpg_t staff_gpg_t sysadm_gpg_t };
	28	typealias gpg_t alias { auditadm_gpg_t secadm_gpg_t };
	29	application_domain(gpg_t, gpg_exec_t)
	30	ubac_constrained(gpg_t)
857d37e8	31	role system_r types gpg_t;
b2b38c78	32
296273a7	33	type gpg_agent_t;
b2b38c78	34	type gpg_agent_exec_t;
296273a7 CP	35	typealias gpg_agent_t alias { user_gpg_agent_t staff_gpg_agent_t sysadm_gpg_agent_t };
	36	typealias gpg_agent_t alias { auditadm_gpg_agent_t secadm_gpg_agent_t };
	37	application_domain(gpg_agent_t, gpg_agent_exec_t)
	38	ubac_constrained(gpg_agent_t)
	39
	40	type gpg_agent_tmp_t;
	41	typealias gpg_agent_tmp_t alias { user_gpg_agent_tmp_t staff_gpg_agent_tmp_t sysadm_gpg_agent_tmp_t };
	42	typealias gpg_agent_tmp_t alias { auditadm_gpg_agent_tmp_t secadm_gpg_agent_tmp_t };
	43	files_tmp_file(gpg_agent_tmp_t)
	44	ubac_constrained(gpg_agent_tmp_t)
	45
	46	type gpg_secret_t;
	47	typealias gpg_secret_t alias { user_gpg_secret_t staff_gpg_secret_t sysadm_gpg_secret_t };
	48	typealias gpg_secret_t alias { auditadm_gpg_secret_t secadm_gpg_secret_t };
	49	userdom_user_home_content(gpg_secret_t)
	50
	51	type gpg_helper_t;
	52	type gpg_helper_exec_t;
	53	typealias gpg_helper_t alias { user_gpg_helper_t staff_gpg_helper_t sysadm_gpg_helper_t };
	54	typealias gpg_helper_t alias { auditadm_gpg_helper_t secadm_gpg_helper_t };
	55	application_domain(gpg_helper_t, gpg_helper_exec_t)
	56	ubac_constrained(gpg_helper_t)
857d37e8	57	role system_r types gpg_helper_t;
b2b38c78	58
296273a7	59	type gpg_pinentry_t;
b2b38c78	60	type pinentry_exec_t;
296273a7 CP	61	typealias gpg_pinentry_t alias { user_gpg_pinentry_t staff_gpg_pinentry_t sysadm_gpg_pinentry_t };
	62	typealias gpg_pinentry_t alias { auditadm_gpg_pinentry_t secadm_gpg_pinentry_t };
	63	application_domain(gpg_pinentry_t, pinentry_exec_t)
	64	ubac_constrained(gpg_pinentry_t)
	65
857d37e8 CP	66	type gpg_pinentry_tmp_t;
	67	files_tmp_file(gpg_pinentry_tmp_t)
	68	ubac_constrained(gpg_pinentry_tmp_t)
	69
	70	type gpg_pinentry_tmpfs_t;
	71	files_tmpfs_file(gpg_pinentry_tmpfs_t)
	72	ubac_constrained(gpg_pinentry_tmpfs_t)
	73
3eaa9939 DW	74	type gpg_web_t;
	75	domain_type(gpg_web_t)
	76	gpg_entry_type(gpg_web_t)
	77	role system_r types gpg_web_t;
	78
296273a7 CP	79	########################################
	80	#
	81	# GPG local policy
	82	#
	83
3eaa9939 DW	84	allow gpgdomain self:capability { ipc_lock setuid };
	85	allow gpgdomain self:process { getsched setsched };
	86	#at setrlimit is for ulimit -c 0
	87	allow gpgdomain self:process { signal signull setrlimit getcap setcap setpgid };
ee84ada8	88	dontaudit gpgdomain self:netlink_audit_socket r_netlink_socket_perms;
296273a7	89
3eaa9939 DW	90	allow gpgdomain self:fifo_file rw_fifo_file_perms;
3eaa9939 DW	91	allow gpgdomain self:tcp_socket create_stream_socket_perms;
296273a7	92
e4f73afb CP	93	manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
	94	manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
	95	files_tmp_filetrans(gpg_t, gpg_agent_tmp_t, { dir file })
	96
857d37e8 CP	97	domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
857d37e8 CP	98
296273a7 CP	99	# transition from the gpg domain to the helper domain
	100	domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)
	101
	102	allow gpg_t gpg_secret_t:dir create_dir_perms;
	103	manage_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
	104	manage_lnk_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
	105	userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir)
	106
e4f73afb CP	107	kernel_read_sysctl(gpg_t)
e4f73afb CP	108
857d37e8 CP	109	corecmd_exec_shell(gpg_t)
	110	corecmd_exec_bin(gpg_t)
	111
296273a7 CP	112	corenet_all_recvfrom_unlabeled(gpg_t)
296273a7 CP	113	corenet_all_recvfrom_netlabel(gpg_t)
668b3093 CP	114	corenet_tcp_sendrecv_generic_if(gpg_t)
668b3093 CP	115	corenet_udp_sendrecv_generic_if(gpg_t)
c1262146 CP	116	corenet_tcp_sendrecv_generic_node(gpg_t)
c1262146 CP	117	corenet_udp_sendrecv_generic_node(gpg_t)
296273a7 CP	118	corenet_tcp_sendrecv_all_ports(gpg_t)
	119	corenet_udp_sendrecv_all_ports(gpg_t)
	120	corenet_tcp_connect_all_ports(gpg_t)
	121	corenet_sendrecv_all_client_packets(gpg_t)
	122
	123	dev_read_rand(gpg_t)
	124	dev_read_urand(gpg_t)
ca7fa520	125	dev_read_generic_usb_dev(gpg_t)
296273a7 CP	126
296273a7 CP	127	fs_getattr_xattr_fs(gpg_t)
857d37e8	128	fs_list_inotifyfs(gpg_t)
296273a7 CP	129
	130	domain_use_interactive_fds(gpg_t)
	131
	132	files_read_etc_files(gpg_t)
	133	files_read_usr_files(gpg_t)
	134	files_dontaudit_search_var(gpg_t)
	135
e4f73afb CP	136	auth_use_nsswitch(gpg_t)
e4f73afb CP	137
296273a7 CP	138	logging_send_syslog_msg(gpg_t)
296273a7 CP	139
36ded4bd CP	140	miscfiles_read_localization(gpg_t)
36ded4bd CP	141
296273a7	142	userdom_use_user_terminals(gpg_t)
36ded4bd	143	# sign/encrypt user files
47de8acb DW	144	userdom_manage_all_user_tmp_content(gpg_t)
47de8acb DW	145	userdom_manage_user_home_content(gpg_t)
857d37e8	146	userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)
3eaa9939	147	userdom_stream_connect(gpg_t)
36ded4bd CP	148
	149	mta_write_config(gpg_t)
	150
	151	tunable_policy(`use_nfs_home_dirs',`
	152	fs_manage_nfs_dirs(gpg_t)
	153	fs_manage_nfs_files(gpg_t)
	154	')
	155
	156	tunable_policy(`use_samba_home_dirs',`
	157	fs_manage_cifs_dirs(gpg_t)
	158	fs_manage_cifs_files(gpg_t)
	159	')
	160
3eaa9939 DW	161	optional_policy(`
3eaa9939 DW	162	gnome_read_config(gpg_t)
b46c3dcf	163	gnome_stream_connect_gkeyringd(gpg_t)
3eaa9939 DW	164	')
3eaa9939 DW	165
857d37e8 CP	166	optional_policy(`
	167	mozilla_read_user_home_files(gpg_t)
	168	mozilla_write_user_home_files(gpg_t)
	169	')
	170
36ded4bd CP	171	optional_policy(`
	172	xserver_use_xdm_fds(gpg_t)
	173	xserver_rw_xdm_pipes(gpg_t)
	174	')
	175
3eaa9939 DW	176	#optional_policy(`
	177	# cron_system_entry(gpg_t, gpg_exec_t)
	178	# cron_read_system_job_tmp_files(gpg_t)
	179	#')
296273a7	180
296273a7 CP	181	########################################
	182	#
	183	# GPG helper local policy
	184	#
	185
e4f73afb CP	186	allow gpg_helper_t self:process { getsched setsched };
e4f73afb CP	187
296273a7	188	# for helper programs (which automatically fetch keys)
857d37e8	189	# Note: this is only tested with the hkp interface. If you use eg the
296273a7 CP	190	# mail interface you will likely need additional permissions.
	191
	192	allow gpg_helper_t self:unix_stream_socket create_stream_socket_perms;
	193	allow gpg_helper_t self:tcp_socket { connect connected_socket_perms };
	194	allow gpg_helper_t self:udp_socket { connect connected_socket_perms };
	195
	196	dontaudit gpg_helper_t gpg_secret_t:file read;
	197
	198	corenet_all_recvfrom_unlabeled(gpg_helper_t)
	199	corenet_all_recvfrom_netlabel(gpg_helper_t)
668b3093 CP	200	corenet_tcp_sendrecv_generic_if(gpg_helper_t)
	201	corenet_raw_sendrecv_generic_if(gpg_helper_t)
	202	corenet_udp_sendrecv_generic_if(gpg_helper_t)
c1262146 CP	203	corenet_tcp_sendrecv_generic_node(gpg_helper_t)
	204	corenet_udp_sendrecv_generic_node(gpg_helper_t)
	205	corenet_raw_sendrecv_generic_node(gpg_helper_t)
296273a7 CP	206	corenet_tcp_sendrecv_all_ports(gpg_helper_t)
296273a7 CP	207	corenet_udp_sendrecv_all_ports(gpg_helper_t)
c1262146 CP	208	corenet_tcp_bind_generic_node(gpg_helper_t)
c1262146 CP	209	corenet_udp_bind_generic_node(gpg_helper_t)
296273a7 CP	210	corenet_tcp_connect_all_ports(gpg_helper_t)
296273a7 CP	211
296273a7	212	files_read_etc_files(gpg_helper_t)
296273a7	213
e4f73afb CP	214	auth_use_nsswitch(gpg_helper_t)
	215
	216	userdom_use_user_terminals(gpg_helper_t)
296273a7 CP	217
296273a7 CP	218	tunable_policy(`use_nfs_home_dirs',`
36ded4bd	219	fs_dontaudit_rw_nfs_files(gpg_helper_t)
296273a7 CP	220	')
	221
	222	tunable_policy(`use_samba_home_dirs',`
36ded4bd	223	fs_dontaudit_rw_cifs_files(gpg_helper_t)
296273a7 CP	224	')
	225
	226	########################################
	227	#
	228	# GPG agent local policy
	229	#
3eaa9939	230	domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
296273a7 CP	231
	232	# rlimit: gpg-agent wants to prevent coredumps
	233	allow gpg_agent_t self:process setrlimit;
	234
	235	allow gpg_agent_t self:unix_stream_socket create_stream_socket_perms ;
	236	allow gpg_agent_t self:fifo_file rw_fifo_file_perms;
	237
	238	# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
	239	manage_dirs_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
	240	manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
	241	manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
	242
	243	# Allow the gpg-agent to manage its tmp files (socket)
	244	manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
	245	manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
	246	manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
	247	files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })
	248
	249	# allow gpg to connect to the gpg agent
	250	stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)
	251
a3b0dc5b	252	corecmd_read_bin_symlinks(gpg_agent_t)
296273a7	253	corecmd_search_bin(gpg_agent_t)
857d37e8	254	corecmd_exec_shell(gpg_agent_t)
296273a7	255
a3b0dc5b CP	256	dev_read_urand(gpg_agent_t)
a3b0dc5b CP	257
296273a7 CP	258	domain_use_interactive_fds(gpg_agent_t)
296273a7 CP	259
a3b0dc5b CP	260	fs_dontaudit_list_inotifyfs(gpg_agent_t)
a3b0dc5b CP	261
296273a7 CP	262	miscfiles_read_localization(gpg_agent_t)
	263
	264	# Write to the user domain tty.
	265	userdom_use_user_terminals(gpg_agent_t)
	266	# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
	267	userdom_search_user_home_dirs(gpg_agent_t)
	268
a3b0dc5b CP	269	ifdef(`hide_broken_symptoms',`
a3b0dc5b CP	270	userdom_dontaudit_read_user_tmp_files(gpg_agent_t)
3eaa9939	271	userdom_dontaudit_write_user_tmp_files(gpg_agent_t)
a3b0dc5b CP	272	')
a3b0dc5b CP	273
296273a7 CP	274	tunable_policy(`gpg_agent_env_file',`
	275	# write ~/.gpg-agent-info or a similar to the users home dir
	276	# or subdir (gpg-agent --write-env-file option)
	277	#
	278	userdom_user_home_dir_filetrans_user_home_content(gpg_agent_t, file)
	279	userdom_manage_user_home_content_dirs(gpg_agent_t)
	280	userdom_manage_user_home_content_files(gpg_agent_t)
	281	')
	282
	283	tunable_policy(`use_nfs_home_dirs',`
	284	fs_manage_nfs_dirs(gpg_agent_t)
	285	fs_manage_nfs_files(gpg_agent_t)
	286	fs_manage_nfs_symlinks(gpg_agent_t)
	287	')
	288
	289	tunable_policy(`use_samba_home_dirs',`
	290	fs_manage_cifs_dirs(gpg_agent_t)
	291	fs_manage_cifs_files(gpg_agent_t)
	292	fs_manage_cifs_symlinks(gpg_agent_t)
	293	')
	294
a3b0dc5b CP	295	optional_policy(`
	296	mozilla_dontaudit_rw_user_home_files(gpg_agent_t)
	297	')
	298
296273a7 CP	299	##############################
	300	#
	301	# Pinentry local policy
	302	#
	303
857d37e8	304	allow gpg_pinentry_t self:process { getcap getsched setsched signal };
296273a7	305	allow gpg_pinentry_t self:fifo_file rw_fifo_file_perms;
857d37e8 CP	306	allow gpg_pinentry_t self:netlink_route_socket create_netlink_socket_perms;
	307	allow gpg_pinentry_t self:shm create_shm_perms;
	308	allow gpg_pinentry_t self:tcp_socket create_stream_socket_perms;
	309	allow gpg_pinentry_t self:unix_dgram_socket sendto;
	310	allow gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write };
296273a7	311
857d37e8 CP	312	can_exec(gpg_pinentry_t, pinentry_exec_t)
	313
	314	# we need to allow gpg-agent to call pinentry so it can get the passphrase
296273a7 CP	315	# from the user.
	316	domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t)
	317
857d37e8 CP	318	manage_sock_files_pattern(gpg_pinentry_t, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
	319	userdom_user_tmp_filetrans(gpg_pinentry_t, gpg_pinentry_tmp_t, sock_file)
	320
	321	manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
	322	manage_files_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
	323	fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir })
857d37e8	324
296273a7 CP	325	# read /proc/meminfo
	326	kernel_read_system_state(gpg_pinentry_t)
	327
857d37e8 CP	328	corecmd_exec_bin(gpg_pinentry_t)
	329
	330	corenet_all_recvfrom_netlabel(gpg_pinentry_t)
	331	corenet_all_recvfrom_unlabeled(gpg_pinentry_t)
	332	corenet_sendrecv_pulseaudio_client_packets(gpg_pinentry_t)
	333	corenet_tcp_bind_generic_node(gpg_pinentry_t)
	334	corenet_tcp_connect_pulseaudio_port(gpg_pinentry_t)
	335	corenet_tcp_sendrecv_generic_if(gpg_pinentry_t)
	336	corenet_tcp_sendrecv_generic_node(gpg_pinentry_t)
	337	corenet_tcp_sendrecv_generic_port(gpg_pinentry_t)
	338
	339	dev_read_urand(gpg_pinentry_t)
	340	dev_read_rand(gpg_pinentry_t)
	341
296273a7 CP	342	files_read_usr_files(gpg_pinentry_t)
	343	# read /etc/X11/qtrc
	344	files_read_etc_files(gpg_pinentry_t)
	345
a3b0dc5b CP	346	fs_dontaudit_list_inotifyfs(gpg_pinentry_t)
	347	fs_getattr_tmpfs(gpg_pinentry_t)
	348
	349	auth_use_nsswitch(gpg_pinentry_t)
	350
857d37e8 CP	351	logging_send_syslog_msg(gpg_pinentry_t)
857d37e8 CP	352
296273a7 CP	353	miscfiles_read_fonts(gpg_pinentry_t)
	354	miscfiles_read_localization(gpg_pinentry_t)
	355
	356	# for .Xauthority
	357	userdom_read_user_home_content_files(gpg_pinentry_t)
857d37e8	358	userdom_read_user_tmpfs_files(gpg_pinentry_t)
3eaa9939 DW	359	# Bug: user pulseaudio files need open,read and unlink:
	360	allow gpg_pinentry_t user_tmpfs_t:file unlink;
	361	userdom_signull_unpriv_users(gpg_pinentry_t)
296273a7 CP	362
	363	tunable_policy(`use_nfs_home_dirs',`
	364	fs_read_nfs_files(gpg_pinentry_t)
	365	')
	366
	367	tunable_policy(`use_samba_home_dirs',`
	368	fs_read_cifs_files(gpg_pinentry_t)
	369	')
d596371c DW	370
	371	optional_policy(`
	372	gnome_read_home_config(gpg_pinentry_t)
	373	')
296273a7 CP	374
296273a7 CP	375	optional_policy(`
857d37e8 CP	376	dbus_session_bus_client(gpg_pinentry_t)
	377	dbus_system_bus_client(gpg_pinentry_t)
	378	')
	379
3eaa9939 DW	380	optional_policy(`
	381	gnome_write_generic_cache_files(gpg_pinentry_t)
	382	gnome_read_generic_cache_files(gpg_pinentry_t)
	383	gnome_read_gconf_home_files(gpg_pinentry_t)
	384	')
	385
857d37e8 CP	386	optional_policy(`
857d37e8 CP	387	pulseaudio_exec(gpg_pinentry_t)
a3b0dc5b	388	pulseaudio_rw_home_files(gpg_pinentry_t)
857d37e8 CP	389	pulseaudio_setattr_home_dir(gpg_pinentry_t)
857d37e8 CP	390	pulseaudio_stream_connect(gpg_pinentry_t)
a3b0dc5b	391	pulseaudio_signull(gpg_pinentry_t)
857d37e8 CP	392	')
	393
	394	optional_policy(`
	395	xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t)
3eaa9939 DW	396
	397	')
	398
	399	#############################
	400	#
	401	# gpg web local policy
	402	#
	403
	404	allow gpg_web_t self:process setrlimit;
	405
	406	dev_read_rand(gpg_web_t)
	407	dev_read_urand(gpg_web_t)
	408
	409	can_exec(gpg_web_t, gpg_exec_t)
	410
	411	files_read_usr_files(gpg_web_t)
	412
	413	miscfiles_read_localization(gpg_web_t)
	414
	415	apache_dontaudit_rw_tmp_files(gpg_web_t)
	416	apache_manage_sys_content_rw(gpg_web_t)
	417
	418	tunable_policy(`gpg_web_anon_write',`
	419	miscfiles_manage_public_files(gpg_web_t)
296273a7	420	')