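policy_module(gpg, 2.3.0)

########################################
#
# Declarations
#
# Domains in this module:
#   gpg_t          - the gpg client
#   gpg_agent_t    - gpg-agent, which stores secret keys under ~/.gnupg
#   gpg_helper_t   - helper programs that fetch keys over the network
#   gpg_pinentry_t - pinentry, which gpg-agent runs to ask for the passphrase
#
# gpg_secret_t labels the user's ~/.gnupg contents.  Only gpg_t and
# gpg_agent_t are given write access to it below; gpg_helper_t is
# deliberately not granted read access.
#

## <desc>
## <p>
## Allow usage of the gpg-agent --write-env-file option.
## This also allows gpg-agent to manage user files.
## </p>
## </desc>
gen_tunable(gpg_agent_env_file, false)

# The per-role aliases (user_/staff_/sysadm_/auditadm_/secadm_) are
# presumably kept for policies that still reference those names.
type gpg_t;
type gpg_exec_t;
typealias gpg_t alias { user_gpg_t staff_gpg_t sysadm_gpg_t };
typealias gpg_t alias { auditadm_gpg_t secadm_gpg_t };
application_domain(gpg_t, gpg_exec_t)
ubac_constrained(gpg_t)
role system_r types gpg_t;

type gpg_agent_t;
type gpg_agent_exec_t;
typealias gpg_agent_t alias { user_gpg_agent_t staff_gpg_agent_t sysadm_gpg_agent_t };
typealias gpg_agent_t alias { auditadm_gpg_agent_t secadm_gpg_agent_t };
application_domain(gpg_agent_t, gpg_agent_exec_t)
ubac_constrained(gpg_agent_t)

# Temporary files of the agent, including its listening socket.
type gpg_agent_tmp_t;
typealias gpg_agent_tmp_t alias { user_gpg_agent_tmp_t staff_gpg_agent_tmp_t sysadm_gpg_agent_tmp_t };
typealias gpg_agent_tmp_t alias { auditadm_gpg_agent_tmp_t secadm_gpg_agent_tmp_t };
files_tmp_file(gpg_agent_tmp_t)
ubac_constrained(gpg_agent_tmp_t)

# ~/.gnupg: keyrings and the agent's private key store.
type gpg_secret_t;
typealias gpg_secret_t alias { user_gpg_secret_t staff_gpg_secret_t sysadm_gpg_secret_t };
typealias gpg_secret_t alias { auditadm_gpg_secret_t secadm_gpg_secret_t };
userdom_user_home_content(gpg_secret_t)

type gpg_helper_t;
type gpg_helper_exec_t;
typealias gpg_helper_t alias { user_gpg_helper_t staff_gpg_helper_t sysadm_gpg_helper_t };
typealias gpg_helper_t alias { auditadm_gpg_helper_t secadm_gpg_helper_t };
application_domain(gpg_helper_t, gpg_helper_exec_t)
ubac_constrained(gpg_helper_t)
role system_r types gpg_helper_t;

type gpg_pinentry_t;
type pinentry_exec_t;
typealias gpg_pinentry_t alias { user_gpg_pinentry_t staff_gpg_pinentry_t sysadm_gpg_pinentry_t };
typealias gpg_pinentry_t alias { auditadm_gpg_pinentry_t secadm_gpg_pinentry_t };
application_domain(gpg_pinentry_t, pinentry_exec_t)
ubac_constrained(gpg_pinentry_t)

# Pinentry's socket in the user tmp directory.
type gpg_pinentry_tmp_t;
files_tmp_file(gpg_pinentry_tmp_t)
ubac_constrained(gpg_pinentry_tmp_t)

# Pinentry's tmpfs-backed files (shared with the X domain template below).
type gpg_pinentry_tmpfs_t;
files_tmpfs_file(gpg_pinentry_tmpfs_t)
ubac_constrained(gpg_pinentry_tmpfs_t)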
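########################################
#
# GPG local policy
#
# gpg_t is the gpg client.  It creates and manages the user's ~/.gnupg
# (gpg_secret_t), connects to the agent socket in gpg_agent_tmp_t, and
# transitions to gpg_agent_t / gpg_helper_t when it executes those programs.
#

# ipc_lock: lock secret material in memory; setuid: drop privileges
allow gpg_t self:capability { ipc_lock setuid };
# setrlimit is for ulimit -c 0
allow gpg_t self:process { signal signull setrlimit getcap setcap setpgid };

allow gpg_t self:fifo_file rw_fifo_file_perms;
allow gpg_t self:tcp_socket create_stream_socket_perms;

# the agent's tmp directory and files
manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
files_tmp_filetrans(gpg_t, gpg_agent_tmp_t, { dir file })

# transition from the gpg domain to the agent domain
domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)

# transition from the gpg domain to the helper domain
domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)

# create and manage ~/.gnupg
allow gpg_t gpg_secret_t:dir create_dir_perms;
manage_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
manage_lnk_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir)

kernel_read_sysctl(gpg_t)

corecmd_exec_shell(gpg_t)
corecmd_exec_bin(gpg_t)

# NOTE(review): gpg_t may connect to any TCP port.  Which remote service
# the client itself needs (as opposed to gpg_helper_t, which fetches keys)
# is not recorded here -- confirm before narrowing to specific ports.
corenet_all_recvfrom_unlabeled(gpg_t)
corenet_all_recvfrom_netlabel(gpg_t)
corenet_tcp_sendrecv_generic_if(gpg_t)
corenet_udp_sendrecv_generic_if(gpg_t)
corenet_tcp_sendrecv_generic_node(gpg_t)
corenet_udp_sendrecv_generic_node(gpg_t)
corenet_tcp_sendrecv_all_ports(gpg_t)
corenet_udp_sendrecv_all_ports(gpg_t)
corenet_tcp_connect_all_ports(gpg_t)
corenet_sendrecv_all_client_packets(gpg_t)

# entropy for key generation; usb for smartcard readers
dev_read_rand(gpg_t)
dev_read_urand(gpg_t)
dev_read_generic_usb_dev(gpg_t)

fs_getattr_xattr_fs(gpg_t)
fs_list_inotifyfs(gpg_t)

domain_use_interactive_fds(gpg_t)

files_read_etc_files(gpg_t)
files_read_usr_files(gpg_t)
files_dontaudit_search_var(gpg_t)

auth_use_nsswitch(gpg_t)

logging_send_syslog_msg(gpg_t)

miscfiles_read_localization(gpg_t)

userdom_use_user_terminals(gpg_t)
# sign/encrypt user files
userdom_manage_user_tmp_files(gpg_t)
userdom_manage_user_home_content_files(gpg_t)
userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)

mta_write_config(gpg_t)

tunable_policy(`use_nfs_home_dirs',`
	fs_manage_nfs_dirs(gpg_t)
	fs_manage_nfs_files(gpg_t)
')

tunable_policy(`use_samba_home_dirs',`
	fs_manage_cifs_dirs(gpg_t)
	fs_manage_cifs_files(gpg_t)
')

optional_policy(`
	cron_system_entry(gpg_t, gpg_exec_t)
	cron_read_system_job_tmp_files(gpg_t)
')

optional_policy(`
	mozilla_read_user_home_files(gpg_t)
	mozilla_write_user_home_files(gpg_t)
')

optional_policy(`
	xserver_use_xdm_fds(gpg_t)
	xserver_rw_xdm_pipes(gpg_t)
')
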
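########################################
#
# GPG helper local policy
#
# gpg_helper_t runs the helper programs that automatically fetch keys.
# It gets network access but no access to the user's secret keys.
#

allow gpg_helper_t self:process { getsched setsched };

# for helper programs (which automatically fetch keys)
# Note: this is only tested with the hkp interface. If you use eg the
# mail interface you will likely need additional permissions.

allow gpg_helper_t self:unix_stream_socket create_stream_socket_perms;
allow gpg_helper_t self:tcp_socket { connect connected_socket_perms };
allow gpg_helper_t self:udp_socket { connect connected_socket_perms };

# the helper is not granted access to ~/.gnupg; silence the denial
# rather than allowing it, so secret keys stay out of the network-facing domain
dontaudit gpg_helper_t gpg_secret_t:file read;

corenet_all_recvfrom_unlabeled(gpg_helper_t)
corenet_all_recvfrom_netlabel(gpg_helper_t)
corenet_tcp_sendrecv_generic_if(gpg_helper_t)
corenet_raw_sendrecv_generic_if(gpg_helper_t)
corenet_udp_sendrecv_generic_if(gpg_helper_t)
corenet_tcp_sendrecv_generic_node(gpg_helper_t)
corenet_udp_sendrecv_generic_node(gpg_helper_t)
corenet_raw_sendrecv_generic_node(gpg_helper_t)
corenet_tcp_sendrecv_all_ports(gpg_helper_t)
corenet_udp_sendrecv_all_ports(gpg_helper_t)
corenet_tcp_bind_generic_node(gpg_helper_t)
corenet_udp_bind_generic_node(gpg_helper_t)
corenet_tcp_connect_all_ports(gpg_helper_t)

files_read_etc_files(gpg_helper_t)

auth_use_nsswitch(gpg_helper_t)

userdom_use_user_terminals(gpg_helper_t)

tunable_policy(`use_nfs_home_dirs',`
	fs_dontaudit_rw_nfs_files(gpg_helper_t)
')

tunable_policy(`use_samba_home_dirs',`
	fs_dontaudit_rw_cifs_files(gpg_helper_t)
')
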
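########################################
#
# GPG agent local policy
#
# gpg_agent_t holds the user's secret keys (~/.gnupg/private-keys-v1.d)
# and serves gpg_t over a socket in gpg_agent_tmp_t.  It runs pinentry
# (see the pinentry section) to obtain passphrases.
#

# rlimit: gpg-agent wants to prevent coredumps
allow gpg_agent_t self:process setrlimit;

allow gpg_agent_t self:unix_stream_socket create_stream_socket_perms;
allow gpg_agent_t self:fifo_file rw_fifo_file_perms;

# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
manage_dirs_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)

# Allow the gpg-agent to manage its tmp files (socket)
manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })

# allow gpg to connect to the gpg agent
stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)

corecmd_search_bin(gpg_agent_t)
# NOTE(review): the domain holding secret keys may execute a shell; the
# feature that needs this is not recorded here -- confirm it is still required.
corecmd_exec_shell(gpg_agent_t)

domain_use_interactive_fds(gpg_agent_t)

miscfiles_read_localization(gpg_agent_t)

# Write to the user domain tty.
userdom_use_user_terminals(gpg_agent_t)
# search the user's home directory on the way to ~/.gnupg
userdom_search_user_home_dirs(gpg_agent_t)

tunable_policy(`gpg_agent_env_file',`
	# write ~/.gpg-agent-info or a similar to the users home dir
	# or subdir (gpg-agent --write-env-file option)
	userdom_user_home_dir_filetrans_user_home_content(gpg_agent_t, file)
	userdom_manage_user_home_content_dirs(gpg_agent_t)
	userdom_manage_user_home_content_files(gpg_agent_t)
')

tunable_policy(`use_nfs_home_dirs',`
	fs_manage_nfs_dirs(gpg_agent_t)
	fs_manage_nfs_files(gpg_agent_t)
	fs_manage_nfs_symlinks(gpg_agent_t)
')

tunable_policy(`use_samba_home_dirs',`
	fs_manage_cifs_dirs(gpg_agent_t)
	fs_manage_cifs_files(gpg_agent_t)
	fs_manage_cifs_symlinks(gpg_agent_t)
')
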
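########################################
#
# Pinentry local policy
#
# gpg_pinentry_t is the passphrase prompt started by gpg_agent_t.
#

allow gpg_pinentry_t self:process { getcap getsched setsched signal };
allow gpg_pinentry_t self:fifo_file rw_fifo_file_perms;
allow gpg_pinentry_t self:netlink_route_socket create_netlink_socket_perms;
allow gpg_pinentry_t self:shm create_shm_perms;
allow gpg_pinentry_t self:tcp_socket create_stream_socket_perms;
allow gpg_pinentry_t self:unix_dgram_socket sendto;
allow gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write };

# pinentry may re-exec another pinentry flavour without a domain change
can_exec(gpg_pinentry_t, pinentry_exec_t)

# we need to allow gpg-agent to call pinentry so it can get the passphrase
# from the user.
domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t)

manage_sock_files_pattern(gpg_pinentry_t, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
userdom_user_tmp_filetrans(gpg_pinentry_t, gpg_pinentry_tmp_t, sock_file)

manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
manage_files_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir })
fs_getattr_tmpfs(gpg_pinentry_t)

# read /proc/meminfo
kernel_read_system_state(gpg_pinentry_t)

corecmd_exec_bin(gpg_pinentry_t)

# network access is limited to the pulseaudio client side
corenet_all_recvfrom_netlabel(gpg_pinentry_t)
corenet_all_recvfrom_unlabeled(gpg_pinentry_t)
corenet_sendrecv_pulseaudio_client_packets(gpg_pinentry_t)
corenet_tcp_bind_generic_node(gpg_pinentry_t)
corenet_tcp_connect_pulseaudio_port(gpg_pinentry_t)
corenet_tcp_sendrecv_generic_if(gpg_pinentry_t)
corenet_tcp_sendrecv_generic_node(gpg_pinentry_t)
corenet_tcp_sendrecv_generic_port(gpg_pinentry_t)

dev_read_urand(gpg_pinentry_t)
dev_read_rand(gpg_pinentry_t)

files_read_usr_files(gpg_pinentry_t)
# read /etc/X11/qtrc
files_read_etc_files(gpg_pinentry_t)

logging_send_syslog_msg(gpg_pinentry_t)

miscfiles_read_fonts(gpg_pinentry_t)
miscfiles_read_localization(gpg_pinentry_t)

# for .Xauthority
# NOTE(review): this grants read on all user home content files, not only
# .Xauthority; a narrower interface would limit what a compromised pinentry
# can read from the home directory.
userdom_read_user_home_content_files(gpg_pinentry_t)
userdom_read_user_tmpfs_files(gpg_pinentry_t)

tunable_policy(`use_nfs_home_dirs',`
	fs_read_nfs_files(gpg_pinentry_t)
')

tunable_policy(`use_samba_home_dirs',`
	fs_read_cifs_files(gpg_pinentry_t)
')

optional_policy(`
	dbus_session_bus_client(gpg_pinentry_t)
	dbus_system_bus_client(gpg_pinentry_t)
')

optional_policy(`
	pulseaudio_exec(gpg_pinentry_t)
	pulseaudio_setattr_home_dir(gpg_pinentry_t)
	pulseaudio_stream_connect(gpg_pinentry_t)
')

optional_policy(`
	xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t)
')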