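policy_module(gpg, 2.4.0)

########################################
#
# Declarations
#

# Attribute shared by the gpg domains. In this file only gpg_t carries
# it; rules written against gpgdomain below therefore reach gpg_t (and
# whatever gpg.if may add to the attribute elsewhere).
attribute gpgdomain;

## <desc>
## <p>
## Allow usage of the gpg-agent --write-env-file option.
## This also allows gpg-agent to manage user files.
## </p>
## </desc>
gen_tunable(gpg_agent_env_file, false)

## <desc>
## <p>
## Allow gpg web domain to modify public files
## used for public file transfer services.
## </p>
## </desc>
gen_tunable(gpg_web_anon_write, false)

# gpg(1) itself. The typealias lines presumably keep the old per-role
# domain names (user_/staff_/sysadm_/auditadm_/secadm_) resolvable.
type gpg_t, gpgdomain;
type gpg_exec_t;
typealias gpg_t alias { user_gpg_t staff_gpg_t sysadm_gpg_t };
typealias gpg_t alias { auditadm_gpg_t secadm_gpg_t };
application_domain(gpg_t, gpg_exec_t)
ubac_constrained(gpg_t)
role system_r types gpg_t;

# gpg-agent: holds the private key material and spawns pinentry.
type gpg_agent_t;
type gpg_agent_exec_t;
typealias gpg_agent_t alias { user_gpg_agent_t staff_gpg_agent_t sysadm_gpg_agent_t };
typealias gpg_agent_t alias { auditadm_gpg_agent_t secadm_gpg_agent_t };
application_domain(gpg_agent_t, gpg_agent_exec_t)
ubac_constrained(gpg_agent_t)

# Agent socket directory under /tmp (see the tmp rules further down).
type gpg_agent_tmp_t;
typealias gpg_agent_tmp_t alias { user_gpg_agent_tmp_t staff_gpg_agent_tmp_t sysadm_gpg_agent_tmp_t };
typealias gpg_agent_tmp_t alias { auditadm_gpg_agent_tmp_t secadm_gpg_agent_tmp_t };
files_tmp_file(gpg_agent_tmp_t)
ubac_constrained(gpg_agent_tmp_t)

# ~/.gnupg: keyrings and the agent's private-keys-v1.d.
type gpg_secret_t;
typealias gpg_secret_t alias { user_gpg_secret_t staff_gpg_secret_t sysadm_gpg_secret_t };
typealias gpg_secret_t alias { auditadm_gpg_secret_t secadm_gpg_secret_t };
userdom_user_home_content(gpg_secret_t)

# Keyserver helpers (the network-facing part; they fetch keys
# automatically and must not see gpg_secret_t).
type gpg_helper_t;
type gpg_helper_exec_t;
typealias gpg_helper_t alias { user_gpg_helper_t staff_gpg_helper_t sysadm_gpg_helper_t };
typealias gpg_helper_t alias { auditadm_gpg_helper_t secadm_gpg_helper_t };
application_domain(gpg_helper_t, gpg_helper_exec_t)
ubac_constrained(gpg_helper_t)
role system_r types gpg_helper_t;

# Passphrase prompt started by gpg-agent.
type gpg_pinentry_t;
type pinentry_exec_t;
typealias gpg_pinentry_t alias { user_gpg_pinentry_t staff_gpg_pinentry_t sysadm_gpg_pinentry_t };
typealias gpg_pinentry_t alias { auditadm_gpg_pinentry_t secadm_gpg_pinentry_t };
application_domain(gpg_pinentry_t, pinentry_exec_t)
ubac_constrained(gpg_pinentry_t)

type gpg_pinentry_tmp_t;
files_tmp_file(gpg_pinentry_tmp_t)
ubac_constrained(gpg_pinentry_tmp_t)

type gpg_pinentry_tmpfs_t;
files_tmpfs_file(gpg_pinentry_tmpfs_t)
ubac_constrained(gpg_pinentry_tmpfs_t)

# gpg executed on behalf of a web application (apache rules below);
# entered via gpg_entry_type from gpg.if, not via gpg_exec_t.
type gpg_web_t;
domain_type(gpg_web_t)
gpg_entry_type(gpg_web_t)
role system_r types gpg_web_t;

########################################
#
# GPG local policy
#

# ipc_lock is presumably for mlock()ing secure memory so key material
# is not swapped out; setuid for dropping privileges.
allow gpgdomain self:capability { ipc_lock setuid };
allow gpgdomain self:process { getsched setsched };
# setrlimit is for "ulimit -c 0" (gpg disables core dumps)
allow gpgdomain self:process { signal signull setrlimit getcap setcap setpgid };
dontaudit gpgdomain self:netlink_audit_socket r_netlink_socket_perms;

allow gpgdomain self:fifo_file rw_fifo_file_perms;
allow gpgdomain self:tcp_socket create_stream_socket_perms;

# gpg creates the agent socket directory in /tmp
manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
files_tmp_filetrans(gpg_t, gpg_agent_tmp_t, { dir file })

# gpg starts gpg-agent on demand. This is the single place for this
# transition; it is not repeated in the agent section below.
domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)

# transition from the gpg domain to the helper domain
domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)

# full access to ~/.gnupg, created on first use
allow gpg_t gpg_secret_t:dir create_dir_perms;
manage_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
manage_lnk_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir)

kernel_read_sysctl(gpg_t)

corecmd_exec_shell(gpg_t)
corecmd_exec_bin(gpg_t)

corenet_all_recvfrom_unlabeled(gpg_t)
corenet_all_recvfrom_netlabel(gpg_t)
corenet_tcp_sendrecv_generic_if(gpg_t)
corenet_udp_sendrecv_generic_if(gpg_t)
corenet_tcp_sendrecv_generic_node(gpg_t)
corenet_udp_sendrecv_generic_node(gpg_t)
corenet_tcp_sendrecv_all_ports(gpg_t)
corenet_udp_sendrecv_all_ports(gpg_t)
# NOTE(review): connecting to every TCP port is broad for the domain
# that holds the keyring; key fetching is delegated to gpg_helper_t
# (see below), so consider narrowing this to the keyserver ports.
corenet_tcp_connect_all_ports(gpg_t)
corenet_sendrecv_all_client_packets(gpg_t)

dev_read_rand(gpg_t)
dev_read_urand(gpg_t)
# smartcard / token access
dev_read_generic_usb_dev(gpg_t)

fs_getattr_xattr_fs(gpg_t)
fs_list_inotifyfs(gpg_t)

domain_use_interactive_fds(gpg_t)

files_read_etc_files(gpg_t)
files_read_usr_files(gpg_t)
files_dontaudit_search_var(gpg_t)

auth_use_nsswitch(gpg_t)

logging_send_syslog_msg(gpg_t)

miscfiles_read_localization(gpg_t)

userdom_use_user_terminals(gpg_t)
# sign/encrypt user files
userdom_manage_all_user_tmp_content(gpg_t)
userdom_manage_user_home_content(gpg_t)
userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)
userdom_stream_connect(gpg_t)

mta_write_config(gpg_t)

tunable_policy(`use_nfs_home_dirs',`
	fs_manage_nfs_dirs(gpg_t)
	fs_manage_nfs_files(gpg_t)
')

tunable_policy(`use_samba_home_dirs',`
	fs_manage_cifs_dirs(gpg_t)
	fs_manage_cifs_files(gpg_t)
')

optional_policy(`
	gnome_read_config(gpg_t)
	gnome_stream_connect_gkeyringd(gpg_t)
')

optional_policy(`
	mozilla_read_user_home_files(gpg_t)
	mozilla_write_user_home_files(gpg_t)
')

optional_policy(`
	xserver_use_xdm_fds(gpg_t)
	xserver_rw_xdm_pipes(gpg_t)
')

#optional_policy(`
#	cron_system_entry(gpg_t, gpg_exec_t)
#	cron_read_system_job_tmp_files(gpg_t)
#')

########################################
#
# GPG helper local policy
#

allow gpg_helper_t self:process { getsched setsched };

# for helper programs (which automatically fetch keys)
# Note: this is only tested with the hkp interface. If you use eg the
# mail interface you will likely need additional permissions.

allow gpg_helper_t self:unix_stream_socket create_stream_socket_perms;
allow gpg_helper_t self:tcp_socket { connect connected_socket_perms };
allow gpg_helper_t self:udp_socket { connect connected_socket_perms };

# The helper talks to the network and must not read the keyring;
# keep the denial quiet rather than granting it.
dontaudit gpg_helper_t gpg_secret_t:file read;

corenet_all_recvfrom_unlabeled(gpg_helper_t)
corenet_all_recvfrom_netlabel(gpg_helper_t)
corenet_tcp_sendrecv_generic_if(gpg_helper_t)
corenet_raw_sendrecv_generic_if(gpg_helper_t)
corenet_udp_sendrecv_generic_if(gpg_helper_t)
corenet_tcp_sendrecv_generic_node(gpg_helper_t)
corenet_udp_sendrecv_generic_node(gpg_helper_t)
corenet_raw_sendrecv_generic_node(gpg_helper_t)
corenet_tcp_sendrecv_all_ports(gpg_helper_t)
corenet_udp_sendrecv_all_ports(gpg_helper_t)
corenet_tcp_bind_generic_node(gpg_helper_t)
corenet_udp_bind_generic_node(gpg_helper_t)
corenet_tcp_connect_all_ports(gpg_helper_t)

files_read_etc_files(gpg_helper_t)

auth_use_nsswitch(gpg_helper_t)

userdom_use_user_terminals(gpg_helper_t)

tunable_policy(`use_nfs_home_dirs',`
	fs_dontaudit_rw_nfs_files(gpg_helper_t)
')

tunable_policy(`use_samba_home_dirs',`
	fs_dontaudit_rw_cifs_files(gpg_helper_t)
')

########################################
#
# GPG agent local policy
#

# rlimit: gpg-agent wants to prevent coredumps
allow gpg_agent_t self:process setrlimit;

allow gpg_agent_t self:unix_stream_socket create_stream_socket_perms;
allow gpg_agent_t self:fifo_file rw_fifo_file_perms;

# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
manage_dirs_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)

# Allow the gpg-agent to manage its tmp files (socket)
manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })

# allow gpg to connect to the gpg agent
stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)

corecmd_read_bin_symlinks(gpg_agent_t)
corecmd_search_bin(gpg_agent_t)
corecmd_exec_shell(gpg_agent_t)

dev_read_urand(gpg_agent_t)

domain_use_interactive_fds(gpg_agent_t)

fs_dontaudit_list_inotifyfs(gpg_agent_t)

miscfiles_read_localization(gpg_agent_t)

# Write to the user domain tty.
userdom_use_user_terminals(gpg_agent_t)
# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
userdom_search_user_home_dirs(gpg_agent_t)

ifdef(`hide_broken_symptoms',`
	userdom_dontaudit_read_user_tmp_files(gpg_agent_t)
	userdom_dontaudit_write_user_tmp_files(gpg_agent_t)
')

tunable_policy(`gpg_agent_env_file',`
	# write ~/.gpg-agent-info or a similar to the users home dir
	# or subdir (gpg-agent --write-env-file option)
	#
	userdom_user_home_dir_filetrans_user_home_content(gpg_agent_t, file)
	userdom_manage_user_home_content_dirs(gpg_agent_t)
	userdom_manage_user_home_content_files(gpg_agent_t)
')

tunable_policy(`use_nfs_home_dirs',`
	fs_manage_nfs_dirs(gpg_agent_t)
	fs_manage_nfs_files(gpg_agent_t)
	fs_manage_nfs_symlinks(gpg_agent_t)
')

tunable_policy(`use_samba_home_dirs',`
	fs_manage_cifs_dirs(gpg_agent_t)
	fs_manage_cifs_files(gpg_agent_t)
	fs_manage_cifs_symlinks(gpg_agent_t)
')

optional_policy(`
	mozilla_dontaudit_rw_user_home_files(gpg_agent_t)
')

########################################
#
# Pinentry local policy
#

allow gpg_pinentry_t self:process { getcap getsched setsched signal };
allow gpg_pinentry_t self:fifo_file rw_fifo_file_perms;
allow gpg_pinentry_t self:netlink_route_socket create_netlink_socket_perms;
allow gpg_pinentry_t self:shm create_shm_perms;
allow gpg_pinentry_t self:tcp_socket create_stream_socket_perms;
allow gpg_pinentry_t self:unix_dgram_socket sendto;
allow gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write };

can_exec(gpg_pinentry_t, pinentry_exec_t)

# we need to allow gpg-agent to call pinentry so it can get the passphrase
# from the user.
domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t)

manage_sock_files_pattern(gpg_pinentry_t, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
userdom_user_tmp_filetrans(gpg_pinentry_t, gpg_pinentry_tmp_t, sock_file)

manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
manage_files_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir })

# read /proc/meminfo
kernel_read_system_state(gpg_pinentry_t)

corecmd_exec_bin(gpg_pinentry_t)

corenet_all_recvfrom_netlabel(gpg_pinentry_t)
corenet_all_recvfrom_unlabeled(gpg_pinentry_t)
corenet_sendrecv_pulseaudio_client_packets(gpg_pinentry_t)
corenet_tcp_bind_generic_node(gpg_pinentry_t)
corenet_tcp_connect_pulseaudio_port(gpg_pinentry_t)
corenet_tcp_sendrecv_generic_if(gpg_pinentry_t)
corenet_tcp_sendrecv_generic_node(gpg_pinentry_t)
corenet_tcp_sendrecv_generic_port(gpg_pinentry_t)

dev_read_urand(gpg_pinentry_t)
dev_read_rand(gpg_pinentry_t)

files_read_usr_files(gpg_pinentry_t)
# read /etc/X11/qtrc
files_read_etc_files(gpg_pinentry_t)

fs_dontaudit_list_inotifyfs(gpg_pinentry_t)
fs_getattr_tmpfs(gpg_pinentry_t)

auth_use_nsswitch(gpg_pinentry_t)

logging_send_syslog_msg(gpg_pinentry_t)

miscfiles_read_fonts(gpg_pinentry_t)
miscfiles_read_localization(gpg_pinentry_t)

# for .Xauthority
userdom_read_user_home_content_files(gpg_pinentry_t)
userdom_read_user_tmpfs_files(gpg_pinentry_t)
# Bug: user pulseaudio files need open,read and unlink:
# NOTE(review): this names userdom's user_tmpfs_t directly instead of
# going through a userdom interface; it builds monolithically but
# should be replaced by the matching userdom delete interface.
allow gpg_pinentry_t user_tmpfs_t:file unlink;
userdom_signull_unpriv_users(gpg_pinentry_t)

tunable_policy(`use_nfs_home_dirs',`
	fs_read_nfs_files(gpg_pinentry_t)
')

tunable_policy(`use_samba_home_dirs',`
	fs_read_cifs_files(gpg_pinentry_t)
')

optional_policy(`
	gnome_read_home_config(gpg_pinentry_t)
')

optional_policy(`
	dbus_session_bus_client(gpg_pinentry_t)
	dbus_system_bus_client(gpg_pinentry_t)
')

optional_policy(`
	gnome_write_generic_cache_files(gpg_pinentry_t)
	gnome_read_generic_cache_files(gpg_pinentry_t)
	gnome_read_gconf_home_files(gpg_pinentry_t)
')

optional_policy(`
	pulseaudio_exec(gpg_pinentry_t)
	pulseaudio_rw_home_files(gpg_pinentry_t)
	pulseaudio_setattr_home_dir(gpg_pinentry_t)
	pulseaudio_stream_connect(gpg_pinentry_t)
	pulseaudio_signull(gpg_pinentry_t)
')

optional_policy(`
	xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t)
')

########################################
#
# gpg web local policy
#

allow gpg_web_t self:process setrlimit;

dev_read_rand(gpg_web_t)
dev_read_urand(gpg_web_t)

# runs the gpg binary in its own domain, no transition to gpg_t
can_exec(gpg_web_t, gpg_exec_t)

files_read_usr_files(gpg_web_t)

miscfiles_read_localization(gpg_web_t)

apache_dontaudit_rw_tmp_files(gpg_web_t)
apache_manage_sys_content_rw(gpg_web_t)

# write access to public content is opt-in via the tunable
tunable_policy(`gpg_web_anon_write',`
	miscfiles_manage_public_files(gpg_web_t)
')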
354 | miscfiles_read_localization(gpg_pinentry_t) | |
355 | ||
356 | # for .Xauthority | |
357 | userdom_read_user_home_content_files(gpg_pinentry_t) | |
857d37e8 | 358 | userdom_read_user_tmpfs_files(gpg_pinentry_t) |
3eaa9939 DW |
359 | # Bug: user pulseaudio files need open,read and unlink: |
360 | allow gpg_pinentry_t user_tmpfs_t:file unlink; | |
361 | userdom_signull_unpriv_users(gpg_pinentry_t) | |
296273a7 CP |
362 | |
363 | tunable_policy(`use_nfs_home_dirs',` | |
364 | fs_read_nfs_files(gpg_pinentry_t) | |
365 | ') | |
366 | ||
367 | tunable_policy(`use_samba_home_dirs',` | |
368 | fs_read_cifs_files(gpg_pinentry_t) | |
369 | ') | |
d596371c DW |
370 | |
371 | optional_policy(` | |
372 | gnome_read_home_config(gpg_pinentry_t) | |
373 | ') | |
296273a7 CP |
374 | |
375 | optional_policy(` | |
857d37e8 CP |
376 | dbus_session_bus_client(gpg_pinentry_t) |
377 | dbus_system_bus_client(gpg_pinentry_t) | |
378 | ') | |
379 | ||
3eaa9939 DW |
380 | optional_policy(` |
381 | gnome_write_generic_cache_files(gpg_pinentry_t) | |
382 | gnome_read_generic_cache_files(gpg_pinentry_t) | |
383 | gnome_read_gconf_home_files(gpg_pinentry_t) | |
384 | ') | |
385 | ||
857d37e8 CP |
386 | optional_policy(` |
387 | pulseaudio_exec(gpg_pinentry_t) | |
a3b0dc5b | 388 | pulseaudio_rw_home_files(gpg_pinentry_t) |
857d37e8 CP |
389 | pulseaudio_setattr_home_dir(gpg_pinentry_t) |
390 | pulseaudio_stream_connect(gpg_pinentry_t) | |
a3b0dc5b | 391 | pulseaudio_signull(gpg_pinentry_t) |
857d37e8 CP |
392 | ') |
393 | ||
394 | optional_policy(` | |
395 | xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t) | |
3eaa9939 DW |
396 | |
397 | ') | |
398 | ||
399 | ############################# | |
400 | # | |
401 | # gpg web local policy | |
402 | # | |
403 | ||
404 | allow gpg_web_t self:process setrlimit; | |
405 | ||
406 | dev_read_rand(gpg_web_t) | |
407 | dev_read_urand(gpg_web_t) | |
408 | ||
409 | can_exec(gpg_web_t, gpg_exec_t) | |
410 | ||
411 | files_read_usr_files(gpg_web_t) | |
412 | ||
413 | miscfiles_read_localization(gpg_web_t) | |
414 | ||
415 | apache_dontaudit_rw_tmp_files(gpg_web_t) | |
416 | apache_manage_sys_content_rw(gpg_web_t) | |
417 | ||
418 | tunable_policy(`gpg_web_anon_write',` | |
419 | miscfiles_manage_public_files(gpg_web_t) | |
296273a7 | 420 | ') |