1 policy_module(gpg, 2.4.0)
# NOTE(review): this excerpt is not the complete file — several `type`
# declarations (gpg_agent_t, gpg_secret_t, gpg_helper_t, gpg_pinentry_t,
# gpg_exec_t, gpg_web_t) and the `')` closers of the tunable_policy / ifdef
# blocks are not visible here. Rule scope (what sits inside a tunable or an
# optional block) must be checked against the full file.
3 ########################################
11 ## Allow usage of the gpg-agent --write-env-file option.
12 ## This also allows gpg-agent to manage user files.
# Gates the tunable_policy(`gpg_agent_env_file') block in the agent section,
# which grants gpg_agent_t manage rights over generic user home content.
# Off by default.
15 gen_tunable(gpg_agent_env_file, false)
19 ## Allow gpg web domain to modify public files
20 ## used for public file transfer services.
# Gates miscfiles_manage_public_files(gpg_web_t) at the end of the file.
# Off by default.
23 gen_tunable(gpg_web_anon_write, false)
# gpgdomain is an attribute: every `allow gpgdomain ...` rule below applies to
# all domains carrying it. Only gpg_t is visibly assigned to it in this
# excerpt; whether the agent/helper/pinentry domains also carry it cannot be
# told from here.
25 type gpg_t, gpgdomain;
# The typealias lines keep the older per-role type names valid.
27 typealias gpg_t alias { user_gpg_t staff_gpg_t sysadm_gpg_t };
28 typealias gpg_t alias { auditadm_gpg_t secadm_gpg_t };
# gpg_t is entered by executing gpg_exec_t (declaration not shown here).
29 application_domain(gpg_t, gpg_exec_t)
30 ubac_constrained(gpg_t)
31 role system_r types gpg_t;
34 type gpg_agent_exec_t;
35 typealias gpg_agent_t alias { user_gpg_agent_t staff_gpg_agent_t sysadm_gpg_agent_t };
36 typealias gpg_agent_t alias { auditadm_gpg_agent_t secadm_gpg_agent_t };
37 application_domain(gpg_agent_t, gpg_agent_exec_t)
38 ubac_constrained(gpg_agent_t)
# Tmp type for gpg-agent; the agent section below puts its socket here.
41 typealias gpg_agent_tmp_t alias { user_gpg_agent_tmp_t staff_gpg_agent_tmp_t sysadm_gpg_agent_tmp_t };
42 typealias gpg_agent_tmp_t alias { auditadm_gpg_agent_tmp_t secadm_gpg_agent_tmp_t };
43 files_tmp_file(gpg_agent_tmp_t)
44 ubac_constrained(gpg_agent_tmp_t)
# gpg_secret_t labels the user's ~/.gnupg content (the secret keyring, see
# the agent section); it is declared as user home content.
47 typealias gpg_secret_t alias { user_gpg_secret_t staff_gpg_secret_t sysadm_gpg_secret_t };
48 typealias gpg_secret_t alias { auditadm_gpg_secret_t secadm_gpg_secret_t };
49 userdom_user_home_content(gpg_secret_t)
# Helper domain (network key fetching, see its section); separate from gpg_t
# so the networked code does not run with gpg_t's keyring access.
52 type gpg_helper_exec_t;
53 typealias gpg_helper_t alias { user_gpg_helper_t staff_gpg_helper_t sysadm_gpg_helper_t };
54 typealias gpg_helper_t alias { auditadm_gpg_helper_t secadm_gpg_helper_t };
55 application_domain(gpg_helper_t, gpg_helper_exec_t)
56 ubac_constrained(gpg_helper_t)
57 role system_r types gpg_helper_t;
# Pinentry domain: passphrase dialog launched by gpg-agent (see pinentry section).
61 typealias gpg_pinentry_t alias { user_gpg_pinentry_t staff_gpg_pinentry_t sysadm_gpg_pinentry_t };
62 typealias gpg_pinentry_t alias { auditadm_gpg_pinentry_t secadm_gpg_pinentry_t };
63 application_domain(gpg_pinentry_t, pinentry_exec_t)
64 ubac_constrained(gpg_pinentry_t)
66 type gpg_pinentry_tmp_t;
67 files_tmp_file(gpg_pinentry_tmp_t)
68 ubac_constrained(gpg_pinentry_tmp_t)
70 type gpg_pinentry_tmpfs_t;
71 files_tmpfs_file(gpg_pinentry_tmpfs_t)
72 ubac_constrained(gpg_pinentry_tmpfs_t)
# gpg_web_t is a plain domain_type (not application_domain) entered through
# gpg_entry_type; its `type` line is not in this excerpt.
75 domain_type(gpg_web_t)
76 gpg_entry_type(gpg_web_t)
77 role system_r types gpg_web_t;
79 ########################################
# Rules on the gpgdomain attribute — granted to every gpgdomain member.
# ipc_lock is presumably for mlock()ing key material so it is not swapped —
# confirm; setuid allows uid changes from these domains.
84 allow gpgdomain self:capability { ipc_lock setuid };
85 allow gpgdomain self:process { getsched setsched };
86 # setrlimit is for ulimit -c 0
87 allow gpgdomain self:process { signal signull setrlimit getcap setcap setpgid };
# dontaudit only silences the denial log; no access is granted.
88 dontaudit gpgdomain self:netlink_audit_socket r_netlink_socket_perms;
90 allow gpgdomain self:fifo_file rw_fifo_file_perms;
# TCP socket creation is granted at attribute level, i.e. to all gpgdomain members.
91 allow gpgdomain self:tcp_socket create_stream_socket_perms;
# gpg_t may create/manage gpg-agent's tmp dirs and files under /tmp.
93 manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
94 manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
95 files_tmp_filetrans(gpg_t, gpg_agent_tmp_t, { dir file })
# gpg -> gpg-agent transition. The same rule is repeated verbatim in the agent
# section; duplicate rules are merged, so this is redundant rather than wrong.
97 domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
99 # transition from the gpg domain to the helper domain
100 domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)
# Full manage access to the secret keyring; directories gpg creates directly
# in the user home dir are labelled gpg_secret_t.
102 allow gpg_t gpg_secret_t:dir create_dir_perms;
103 manage_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
104 manage_lnk_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
105 userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir)
107 kernel_read_sysctl(gpg_t)
109 corecmd_exec_shell(gpg_t)
110 corecmd_exec_bin(gpg_t)
# gpg_t itself gets generic TCP/UDP client access to all ports — network reach
# is not confined to gpg_helper_t (presumably for keyserver access; confirm).
112 corenet_all_recvfrom_unlabeled(gpg_t)
113 corenet_all_recvfrom_netlabel(gpg_t)
114 corenet_tcp_sendrecv_generic_if(gpg_t)
115 corenet_udp_sendrecv_generic_if(gpg_t)
116 corenet_tcp_sendrecv_generic_node(gpg_t)
117 corenet_udp_sendrecv_generic_node(gpg_t)
118 corenet_tcp_sendrecv_all_ports(gpg_t)
119 corenet_udp_sendrecv_all_ports(gpg_t)
120 corenet_tcp_connect_all_ports(gpg_t)
121 corenet_sendrecv_all_client_packets(gpg_t)
# Entropy source and generic USB devices (smartcard readers, presumably — confirm).
124 dev_read_urand(gpg_t)
125 dev_read_generic_usb_dev(gpg_t)
127 fs_getattr_xattr_fs(gpg_t)
128 fs_list_inotifyfs(gpg_t)
130 domain_use_interactive_fds(gpg_t)
132 files_read_etc_files(gpg_t)
133 files_read_usr_files(gpg_t)
134 files_dontaudit_search_var(gpg_t)
136 auth_use_nsswitch(gpg_t)
138 logging_send_syslog_msg(gpg_t)
140 miscfiles_read_localization(gpg_t)
142 userdom_use_inherited_user_terminals(gpg_t)
143 # sign/encrypt user files
# Manage rights over all user tmp content and generic home-content files/dirs;
# files gpg creates directly in the home dir get the generic home-content type.
144 userdom_manage_all_user_tmp_content(gpg_t)
# The all-in-one interface stays commented out in favour of the files/dirs
# variants on the next two lines.
145 #userdom_manage_user_home_content(gpg_t)
146 userdom_manage_user_home_content_files(gpg_t)
147 userdom_manage_user_home_content_dirs(gpg_t)
148 userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)
149 userdom_stream_connect(gpg_t)
# Write access to MTA configuration from gpg_t; the reason is not stated here —
# confirm which caller needs it.
151 mta_write_config(gpg_t)
# Broad home-directory management. Whether this sits inside a tunable or
# optional block is not visible in this excerpt.
153 userdom_home_manager(gpg_t)
# The gnome/mta/spamassassin/xserver calls below are presumably inside
# optional_policy blocks in the full file (wrappers not shown here).
156 gnome_read_config(gpg_t)
157 gnome_stream_connect_gkeyringd(gpg_t)
161 mta_read_spool(gpg_t)
165 spamassassin_read_spamd_tmp_files(gpg_t)
169 xserver_use_xdm_fds(gpg_t)
170 xserver_rw_xdm_pipes(gpg_t)
# cron integration is left disabled.
174 # cron_system_entry(gpg_t, gpg_exec_t)
175 # cron_read_system_job_tmp_files(gpg_t)
178 ########################################
180 # GPG helper local policy
183 allow gpg_helper_t self:process { getsched setsched };
185 # for helper programs (which automatically fetch keys)
186 # Note: this is only tested with the hkp interface. If you use eg the
187 # mail interface you will likely need additional permissions.
189 allow gpg_helper_t self:unix_stream_socket create_stream_socket_perms;
190 allow gpg_helper_t self:tcp_socket { connect connected_socket_perms };
191 allow gpg_helper_t self:udp_socket { connect connected_socket_perms };
# No rule in this excerpt grants the helper read on gpg_secret_t; this line
# only suppresses the audit message for that denied access, so the network-
# facing helper stays without keyring access.
193 dontaudit gpg_helper_t gpg_secret_t:file read;
# Helper network: generic TCP/UDP on all ports, raw-socket send/receive, and
# bind on generic nodes. Raw sockets are broader than the hkp use case in the
# comment above needs — confirm they are still required.
195 corenet_all_recvfrom_unlabeled(gpg_helper_t)
196 corenet_all_recvfrom_netlabel(gpg_helper_t)
197 corenet_tcp_sendrecv_generic_if(gpg_helper_t)
198 corenet_raw_sendrecv_generic_if(gpg_helper_t)
199 corenet_udp_sendrecv_generic_if(gpg_helper_t)
200 corenet_tcp_sendrecv_generic_node(gpg_helper_t)
201 corenet_udp_sendrecv_generic_node(gpg_helper_t)
202 corenet_raw_sendrecv_generic_node(gpg_helper_t)
203 corenet_tcp_sendrecv_all_ports(gpg_helper_t)
204 corenet_udp_sendrecv_all_ports(gpg_helper_t)
205 corenet_tcp_bind_generic_node(gpg_helper_t)
206 corenet_udp_bind_generic_node(gpg_helper_t)
207 corenet_tcp_connect_all_ports(gpg_helper_t)
209 files_read_etc_files(gpg_helper_t)
211 auth_use_nsswitch(gpg_helper_t)
213 userdom_use_inherited_user_terminals(gpg_helper_t)
# Both tunable blocks below only suppress denials on NFS/CIFS home dirs;
# their closing `')` lines are not shown in this excerpt.
215 tunable_policy(`use_nfs_home_dirs',`
216 fs_dontaudit_rw_nfs_files(gpg_helper_t)
219 tunable_policy(`use_samba_home_dirs',`
220 fs_dontaudit_rw_cifs_files(gpg_helper_t)
223 ########################################
225 # GPG agent local policy
# Duplicate of the gpg -> gpg-agent domtrans rule in the gpg_t section.
227 domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
229 # rlimit: gpg-agent wants to prevent coredumps
230 allow gpg_agent_t self:process setrlimit;
# connectto lets the agent connect to its own unix stream sockets.
232 allow gpg_agent_t self:unix_stream_socket { create_stream_socket_perms connectto } ;
233 allow gpg_agent_t self:fifo_file rw_fifo_file_perms;
235 # read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
236 manage_dirs_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
237 manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
238 manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
240 # Allow the gpg-agent to manage its tmp files (socket)
241 manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
242 manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
243 manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
244 files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })
246 # allow gpg to connect to the gpg agent
# gpg_t reaches the agent only through the gpg_agent_tmp_t socket.
247 stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)
249 corecmd_read_bin_symlinks(gpg_agent_t)
250 corecmd_search_bin(gpg_agent_t)
251 corecmd_exec_shell(gpg_agent_t)
253 dev_read_urand(gpg_agent_t)
255 domain_use_interactive_fds(gpg_agent_t)
257 fs_dontaudit_list_inotifyfs(gpg_agent_t)
259 miscfiles_read_localization(gpg_agent_t)
261 # Write to the user domain tty.
262 userdom_use_inherited_user_terminals(gpg_agent_t)
263 # read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
264 userdom_search_user_home_dirs(gpg_agent_t)
# Build-time conditional; closer not shown in this excerpt.
266 ifdef(`hide_broken_symptoms',`
267 userdom_dontaudit_read_user_tmp_files(gpg_agent_t)
268 userdom_dontaudit_write_user_tmp_files(gpg_agent_t)
# Only active when the gpg_agent_env_file boolean is on: the agent may then
# create and manage generic home-content dirs/files. Closer not shown here.
271 tunable_policy(`gpg_agent_env_file',`
272 # write ~/.gpg-agent-info or a similar to the users home dir
273 # or subdir (gpg-agent --write-env-file option)
275 userdom_user_home_dir_filetrans_user_home_content(gpg_agent_t, { dir file })
276 userdom_manage_user_home_content_dirs(gpg_agent_t)
277 userdom_manage_user_home_content_files(gpg_agent_t)
# Broad home management for the agent; whether this is inside the tunable
# above cannot be told from this excerpt — confirm against the full file.
280 userdom_home_manager(gpg_agent_t)
282 ##############################
284 # Pinentry local policy
287 allow gpg_pinentry_t self:process { getcap getsched setsched signal };
288 allow gpg_pinentry_t self:fifo_file rw_fifo_file_perms;
289 allow gpg_pinentry_t self:netlink_route_socket create_netlink_socket_perms;
290 allow gpg_pinentry_t self:shm create_shm_perms;
291 allow gpg_pinentry_t self:tcp_socket create_stream_socket_perms;
292 allow gpg_pinentry_t self:unix_dgram_socket sendto;
293 allow gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write };
# Execute pinentry binaries without a domain transition (stays in gpg_pinentry_t).
295 can_exec(gpg_pinentry_t, pinentry_exec_t)
297 # we need to allow gpg-agent to call pinentry so it can get the passphrase
299 domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t)
301 manage_sock_files_pattern(gpg_pinentry_t, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
302 userdom_user_tmp_filetrans(gpg_pinentry_t, gpg_pinentry_tmp_t, sock_file)
304 manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
305 manage_files_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
306 fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir })
309 kernel_read_system_state(gpg_pinentry_t)
311 corecmd_exec_bin(gpg_pinentry_t)
# Network access for pinentry: generic TCP plus the pulseaudio port.
313 corenet_all_recvfrom_netlabel(gpg_pinentry_t)
314 corenet_all_recvfrom_unlabeled(gpg_pinentry_t)
315 corenet_sendrecv_pulseaudio_client_packets(gpg_pinentry_t)
316 corenet_tcp_bind_generic_node(gpg_pinentry_t)
317 corenet_tcp_connect_pulseaudio_port(gpg_pinentry_t)
318 corenet_tcp_sendrecv_generic_if(gpg_pinentry_t)
319 corenet_tcp_sendrecv_generic_node(gpg_pinentry_t)
320 corenet_tcp_sendrecv_generic_port(gpg_pinentry_t)
322 dev_read_urand(gpg_pinentry_t)
323 dev_read_rand(gpg_pinentry_t)
325 files_read_usr_files(gpg_pinentry_t)
327 files_read_etc_files(gpg_pinentry_t)
329 fs_dontaudit_list_inotifyfs(gpg_pinentry_t)
330 fs_getattr_tmpfs(gpg_pinentry_t)
332 auth_use_nsswitch(gpg_pinentry_t)
334 logging_send_syslog_msg(gpg_pinentry_t)
336 miscfiles_read_fonts(gpg_pinentry_t)
337 miscfiles_read_localization(gpg_pinentry_t)
340 userdom_read_user_home_content_files(gpg_pinentry_t)
341 userdom_read_user_tmpfs_files(gpg_pinentry_t)
342 # Bug: user pulseaudio files need open,read and unlink:
# Raw allow on user_tmpfs_t rather than a userdom interface; flagged as a
# workaround by the comment above and worth revisiting once a proper
# interface exists.
343 allow gpg_pinentry_t user_tmpfs_t:file unlink;
344 userdom_signull_unpriv_users(gpg_pinentry_t)
345 userdom_use_user_terminals(gpg_pinentry_t)
347 userdom_home_reader(gpg_pinentry_t)
# gnome/dbus/pulseaudio/xserver calls below are presumably inside
# optional_policy blocks in the full file (wrappers not shown here).
350 gnome_read_home_config(gpg_pinentry_t)
354 dbus_session_bus_client(gpg_pinentry_t)
355 dbus_system_bus_client(gpg_pinentry_t)
359 gnome_write_generic_cache_files(gpg_pinentry_t)
360 gnome_read_generic_cache_files(gpg_pinentry_t)
361 gnome_read_gconf_home_files(gpg_pinentry_t)
365 pulseaudio_exec(gpg_pinentry_t)
366 pulseaudio_rw_home_files(gpg_pinentry_t)
367 pulseaudio_setattr_home_dir(gpg_pinentry_t)
368 pulseaudio_stream_connect(gpg_pinentry_t)
369 pulseaudio_signull(gpg_pinentry_t)
# Gives pinentry an X client domain (its dialog) with gpg_pinentry_tmpfs_t as the tmpfs type.
373 xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t)
377 #############################
379 # gpg web local policy
382 allow gpg_web_t self:process setrlimit;
384 dev_read_rand(gpg_web_t)
385 dev_read_urand(gpg_web_t)
# can_exec, not domtrans: gpg started by gpg_web_t keeps running as gpg_web_t
# and therefore gets only this section's rules, not gpg_t's keyring/network access.
387 can_exec(gpg_web_t, gpg_exec_t)
389 files_read_usr_files(gpg_web_t)
391 miscfiles_read_localization(gpg_web_t)
# apache interfaces (presumably inside an optional_policy block, not shown).
393 apache_dontaudit_rw_tmp_files(gpg_web_t)
394 apache_manage_sys_content_rw(gpg_web_t)
# Write access to public files only when the gpg_web_anon_write boolean is on;
# closer not shown in this excerpt.
396 tunable_policy(`gpg_web_anon_write',`
397 miscfiles_manage_public_files(gpg_web_t)