policy_module(gpg, 2.4.0)

########################################
#
# Declarations
#

# Attribute carried by the gpg domains; the rules shared by all of them
# are written against it in the "GPG local policy" section.
attribute gpgdomain;

## <desc>
## <p>
## Allow usage of the gpg-agent --write-env-file option.
## This also allows gpg-agent to manage user files.
## </p>
## </desc>
gen_tunable(gpg_agent_env_file, false)

## <desc>
## <p>
## Allow gpg web domain to modify public files
## used for public file transfer services.
## </p>
## </desc>
gen_tunable(gpg_web_anon_write, false)

# gpg itself. The per-role names (user_, staff_, sysadm_, auditadm_,
# secadm_) are aliases of the single type, so policy that still refers
# to them keeps resolving.
type gpg_t, gpgdomain;
type gpg_exec_t;
typealias gpg_t alias { user_gpg_t staff_gpg_t sysadm_gpg_t auditadm_gpg_t secadm_gpg_t };
application_domain(gpg_t, gpg_exec_t)
ubac_constrained(gpg_t)
role system_r types gpg_t;

# gpg-agent and its /tmp content (the agent socket lives there, see the
# agent section).
type gpg_agent_t;
type gpg_agent_exec_t;
typealias gpg_agent_t alias { user_gpg_agent_t staff_gpg_agent_t sysadm_gpg_agent_t auditadm_gpg_agent_t secadm_gpg_agent_t };
application_domain(gpg_agent_t, gpg_agent_exec_t)
ubac_constrained(gpg_agent_t)

type gpg_agent_tmp_t;
typealias gpg_agent_tmp_t alias { user_gpg_agent_tmp_t staff_gpg_agent_tmp_t sysadm_gpg_agent_tmp_t auditadm_gpg_agent_tmp_t secadm_gpg_agent_tmp_t };
files_tmp_file(gpg_agent_tmp_t)
ubac_constrained(gpg_agent_tmp_t)

# ~/.gnupg (keyrings and the agent's private keys), labelled as user
# home content.
type gpg_secret_t;
typealias gpg_secret_t alias { user_gpg_secret_t staff_gpg_secret_t sysadm_gpg_secret_t auditadm_gpg_secret_t secadm_gpg_secret_t };
userdom_user_home_content(gpg_secret_t)

# Helper programs gpg runs to fetch keys (see the helper section).
type gpg_helper_t;
type gpg_helper_exec_t;
typealias gpg_helper_t alias { user_gpg_helper_t staff_gpg_helper_t sysadm_gpg_helper_t auditadm_gpg_helper_t secadm_gpg_helper_t };
application_domain(gpg_helper_t, gpg_helper_exec_t)
ubac_constrained(gpg_helper_t)
role system_r types gpg_helper_t;

# pinentry, started by gpg-agent to ask the user for a passphrase.
# Note the executable type is pinentry_exec_t, not gpg_pinentry_exec_t;
# keep the name, it is part of the module's interface.
type gpg_pinentry_t;
type pinentry_exec_t;
typealias gpg_pinentry_t alias { user_gpg_pinentry_t staff_gpg_pinentry_t sysadm_gpg_pinentry_t auditadm_gpg_pinentry_t secadm_gpg_pinentry_t };
application_domain(gpg_pinentry_t, pinentry_exec_t)
ubac_constrained(gpg_pinentry_t)

type gpg_pinentry_tmp_t;
files_tmp_file(gpg_pinentry_tmp_t)
ubac_constrained(gpg_pinentry_tmp_t)

type gpg_pinentry_tmpfs_t;
files_tmpfs_file(gpg_pinentry_tmpfs_t)
ubac_constrained(gpg_pinentry_tmpfs_t)

# gpg run on behalf of a web application (plain domain, not an
# application domain; entry is provided by gpg_entry_type).
type gpg_web_t;
domain_type(gpg_web_t)
gpg_entry_type(gpg_web_t)
role system_r types gpg_web_t;
78
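########################################
#
# GPG local policy
#

# Rules shared by every domain with the gpgdomain attribute.
# ipc_lock is presumably for locking secret-key memory (mlock) and setuid
# for dropping privileges when installed setuid -- confirm against the
# binary, the policy only shows the grants.
allow gpgdomain self:capability { ipc_lock setuid };
allow gpgdomain self:process { getsched setsched };
# setrlimit is for ulimit -c 0 (disable core dumps)
allow gpgdomain self:process { signal signull setrlimit getcap setcap setpgid };
dontaudit gpgdomain self:netlink_audit_socket r_netlink_socket_perms;

allow gpgdomain self:fifo_file rw_fifo_file_perms;
allow gpgdomain self:tcp_socket create_stream_socket_perms;

# gpg creates the agent's /tmp content (directory and files) with the
# agent tmp label.
manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
files_tmp_filetrans(gpg_t, gpg_agent_tmp_t, { dir file })

# Executing gpg-agent from gpg lands in the agent domain. This is the
# only place the transition is declared.
domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)

# transition from the gpg domain to the helper domain
domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)

# ~/.gnupg: directories created by gpg directly under the home dir get
# the gpg_secret_t label.
allow gpg_t gpg_secret_t:dir create_dir_perms;
manage_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
manage_lnk_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir)

kernel_read_sysctl(gpg_t)

corecmd_exec_shell(gpg_t)
corecmd_exec_bin(gpg_t)

# NOTE(review): gpg_t may connect to any TCP port although network key
# fetches are also delegated to gpg_helper_t; this is wider than the
# helper split suggests -- confirm it is still required before tightening.
corenet_all_recvfrom_unlabeled(gpg_t)
corenet_all_recvfrom_netlabel(gpg_t)
corenet_tcp_sendrecv_generic_if(gpg_t)
corenet_udp_sendrecv_generic_if(gpg_t)
corenet_tcp_sendrecv_generic_node(gpg_t)
corenet_udp_sendrecv_generic_node(gpg_t)
corenet_tcp_sendrecv_all_ports(gpg_t)
corenet_udp_sendrecv_all_ports(gpg_t)
corenet_tcp_connect_all_ports(gpg_t)
corenet_sendrecv_all_client_packets(gpg_t)

dev_read_rand(gpg_t)
dev_read_urand(gpg_t)
# likely for smartcard / token readers -- TODO confirm
dev_read_generic_usb_dev(gpg_t)

fs_getattr_xattr_fs(gpg_t)
fs_list_inotifyfs(gpg_t)

domain_use_interactive_fds(gpg_t)

files_read_etc_files(gpg_t)
files_read_usr_files(gpg_t)
files_dontaudit_search_var(gpg_t)

auth_use_nsswitch(gpg_t)

logging_send_syslog_msg(gpg_t)

miscfiles_read_localization(gpg_t)

userdom_use_inherited_user_terminals(gpg_t)
# sign/encrypt user files: this covers all of the user's tmp and home
# content, not just ~/.gnupg, because gpg operates on arbitrary user files.
userdom_manage_all_user_tmp_content(gpg_t)
#userdom_manage_user_home_content(gpg_t)
userdom_manage_user_home_content_files(gpg_t)
userdom_manage_user_home_content_dirs(gpg_t)
userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)
userdom_stream_connect(gpg_t)

userdom_home_manager(gpg_t)

optional_policy(`
	gnome_read_config(gpg_t)
	gnome_stream_connect_gkeyringd(gpg_t)
')

# Both mta interfaces are optional so this module still loads when the
# mta module is absent; mta_write_config used to be an unconditional call.
optional_policy(`
	mta_read_spool(gpg_t)
	mta_write_config(gpg_t)
')

optional_policy(`
	spamassassin_read_spamd_tmp_files(gpg_t)
')

optional_policy(`
	xserver_use_xdm_fds(gpg_t)
	xserver_rw_xdm_pipes(gpg_t)
')

#optional_policy(`
#	cron_system_entry(gpg_t, gpg_exec_t)
#	cron_read_system_job_tmp_files(gpg_t)
#')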
177
########################################
#
# GPG helper local policy
#

# Helper programs that gpg spawns to fetch keys automatically. Only the
# hkp interface has been exercised; the mail interface will most likely
# need additional permissions.

allow gpg_helper_t self:process { getsched setsched };

allow gpg_helper_t self:unix_stream_socket create_stream_socket_perms;
allow gpg_helper_t self:tcp_socket { connect connected_socket_perms };
allow gpg_helper_t self:udp_socket { connect connected_socket_perms };

# The helper is not granted read access to the secret keyring; this only
# silences the denial, it does not allow the read.
dontaudit gpg_helper_t gpg_secret_t:file read;

# Outbound network access for the key fetch (any TCP port), plus generic
# interface/node traffic and binding to generic nodes.
corenet_all_recvfrom_unlabeled(gpg_helper_t)
corenet_all_recvfrom_netlabel(gpg_helper_t)
corenet_tcp_sendrecv_generic_if(gpg_helper_t)
corenet_udp_sendrecv_generic_if(gpg_helper_t)
corenet_raw_sendrecv_generic_if(gpg_helper_t)
corenet_tcp_sendrecv_generic_node(gpg_helper_t)
corenet_udp_sendrecv_generic_node(gpg_helper_t)
corenet_raw_sendrecv_generic_node(gpg_helper_t)
corenet_tcp_bind_generic_node(gpg_helper_t)
corenet_udp_bind_generic_node(gpg_helper_t)
corenet_tcp_sendrecv_all_ports(gpg_helper_t)
corenet_udp_sendrecv_all_ports(gpg_helper_t)
corenet_tcp_connect_all_ports(gpg_helper_t)

files_read_etc_files(gpg_helper_t)

auth_use_nsswitch(gpg_helper_t)

userdom_use_inherited_user_terminals(gpg_helper_t)

# Home directories on NFS or CIFS: silence the helper's attempts to
# read/write files there.
tunable_policy(`use_nfs_home_dirs',`
	fs_dontaudit_rw_nfs_files(gpg_helper_t)
')

tunable_policy(`use_samba_home_dirs',`
	fs_dontaudit_rw_cifs_files(gpg_helper_t)
')
222
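########################################
#
# GPG agent local policy
#

# The gpg_t -> gpg_agent_t domtrans_pattern is declared in the GPG local
# policy section next to the other gpg_t transitions; do not repeat it here.

# rlimit: gpg-agent wants to prevent coredumps
allow gpg_agent_t self:process setrlimit;

allow gpg_agent_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow gpg_agent_t self:fifo_file rw_fifo_file_perms;

# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
manage_dirs_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)

# Allow the gpg-agent to manage its tmp files (socket)
manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })

# allow gpg to connect to the gpg agent
stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)

corecmd_read_bin_symlinks(gpg_agent_t)
corecmd_search_bin(gpg_agent_t)
corecmd_exec_shell(gpg_agent_t)

dev_read_urand(gpg_agent_t)

domain_use_interactive_fds(gpg_agent_t)

fs_dontaudit_list_inotifyfs(gpg_agent_t)

miscfiles_read_localization(gpg_agent_t)

# Write to the user domain tty.
userdom_use_inherited_user_terminals(gpg_agent_t)
# search the home directory to reach ~/.gnupg; read/write of the contents
# is granted through gpg_secret_t above, not by this call
userdom_search_user_home_dirs(gpg_agent_t)

ifdef(`hide_broken_symptoms',`
	userdom_dontaudit_read_user_tmp_files(gpg_agent_t)
	userdom_dontaudit_write_user_tmp_files(gpg_agent_t)
')

# Only with the gpg_agent_env_file boolean (default false): gpg-agent
# --write-env-file writes ~/.gpg-agent-info or similar into the user's
# home dir or a subdir. This grants management of generic user home
# content, not just gpg_secret_t.
tunable_policy(`gpg_agent_env_file',`
	userdom_user_home_dir_filetrans_user_home_content(gpg_agent_t, { dir file })
	userdom_manage_user_home_content_dirs(gpg_agent_t)
	userdom_manage_user_home_content_files(gpg_agent_t)
')

userdom_home_manager(gpg_agent_t)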
281
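########################################
#
# Pinentry local policy
#

allow gpg_pinentry_t self:process { getcap getsched setsched signal };
allow gpg_pinentry_t self:fifo_file rw_fifo_file_perms;
allow gpg_pinentry_t self:netlink_route_socket create_netlink_socket_perms;
allow gpg_pinentry_t self:shm create_shm_perms;
allow gpg_pinentry_t self:tcp_socket create_stream_socket_perms;
allow gpg_pinentry_t self:unix_dgram_socket sendto;
allow gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write };

# pinentry may execute further pinentry_exec_t binaries in its own domain
# (no transition)
can_exec(gpg_pinentry_t, pinentry_exec_t)

# we need to allow gpg-agent to call pinentry so it can get the passphrase
# from the user.
domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t)

manage_sock_files_pattern(gpg_pinentry_t, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
userdom_user_tmp_filetrans(gpg_pinentry_t, gpg_pinentry_tmp_t, sock_file)

manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
manage_files_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir })

# read /proc/meminfo
kernel_read_system_state(gpg_pinentry_t)

corecmd_exec_bin(gpg_pinentry_t)

# Network access: connect only to the pulseaudio port, plus generic
# interface/node/port send-receive and binding to generic nodes. There is
# deliberately no connect-all-ports here.
corenet_all_recvfrom_netlabel(gpg_pinentry_t)
corenet_all_recvfrom_unlabeled(gpg_pinentry_t)
corenet_sendrecv_pulseaudio_client_packets(gpg_pinentry_t)
corenet_tcp_bind_generic_node(gpg_pinentry_t)
corenet_tcp_connect_pulseaudio_port(gpg_pinentry_t)
corenet_tcp_sendrecv_generic_if(gpg_pinentry_t)
corenet_tcp_sendrecv_generic_node(gpg_pinentry_t)
corenet_tcp_sendrecv_generic_port(gpg_pinentry_t)

dev_read_urand(gpg_pinentry_t)
dev_read_rand(gpg_pinentry_t)

files_read_usr_files(gpg_pinentry_t)
# read /etc/X11/qtrc
files_read_etc_files(gpg_pinentry_t)

fs_dontaudit_list_inotifyfs(gpg_pinentry_t)
fs_getattr_tmpfs(gpg_pinentry_t)

auth_use_nsswitch(gpg_pinentry_t)

logging_send_syslog_msg(gpg_pinentry_t)

miscfiles_read_fonts(gpg_pinentry_t)
miscfiles_read_localization(gpg_pinentry_t)

# for .Xauthority
userdom_read_user_home_content_files(gpg_pinentry_t)
userdom_read_user_tmpfs_files(gpg_pinentry_t)
# Bug: user pulseaudio files need open, read and unlink. The unlink is a
# direct allow on user_tmpfs_t instead of a userdomain interface; it
# presumably only resolves because userdom_read_user_tmpfs_files() above
# already requires user_tmpfs_t in this module. TODO: move this behind a
# userdomain interface so the type is not referenced across modules.
allow gpg_pinentry_t user_tmpfs_t:file unlink;
userdom_signull_unpriv_users(gpg_pinentry_t)
userdom_use_user_terminals(gpg_pinentry_t)

userdom_home_reader(gpg_pinentry_t)

optional_policy(`
	dbus_session_bus_client(gpg_pinentry_t)
	dbus_system_bus_client(gpg_pinentry_t)
')

# one optional block per module: the gnome rules were previously split
# across two blocks
optional_policy(`
	gnome_read_home_config(gpg_pinentry_t)
	gnome_read_gconf_home_files(gpg_pinentry_t)
	gnome_read_generic_cache_files(gpg_pinentry_t)
	gnome_write_generic_cache_files(gpg_pinentry_t)
')

optional_policy(`
	pulseaudio_exec(gpg_pinentry_t)
	pulseaudio_rw_home_files(gpg_pinentry_t)
	pulseaudio_setattr_home_dir(gpg_pinentry_t)
	pulseaudio_stream_connect(gpg_pinentry_t)
	pulseaudio_signull(gpg_pinentry_t)
')

optional_policy(`
	xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t)
')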
376
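########################################
#
# gpg web local policy
#

allow gpg_web_t self:process setrlimit;

dev_read_rand(gpg_web_t)
dev_read_urand(gpg_web_t)

# runs the gpg binary inside gpg_web_t; there is no transition to gpg_t
can_exec(gpg_web_t, gpg_exec_t)

files_read_usr_files(gpg_web_t)

miscfiles_read_localization(gpg_web_t)

# The apache interfaces are wrapped in optional_policy, like the gnome,
# dbus, pulseaudio and xserver blocks above, so this module still loads
# when the apache module is absent.
optional_policy(`
	apache_dontaudit_rw_tmp_files(gpg_web_t)
	apache_manage_sys_content_rw(gpg_web_t)
')

# Off by default: lets gpg_web_t modify the public file transfer content.
tunable_policy(`gpg_web_anon_write',`
	miscfiles_manage_public_files(gpg_web_t)
')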