commit: c9989029f0a837b7512f7b076fc5e5db711e1b38 Author: Jason Zaman <jason <AT> perfinion <DOT> com> AuthorDate: Thu Mar 30 04:58:28 2017 +0000 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> CommitDate: Thu Mar 30 16:50:40 2017 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c9989029
dirmngr: add to roles and allow gpg to domtrans policy/modules/contrib/dirmngr.if | 69 +++++++++++++++++++++++++++++++++++++++ policy/modules/contrib/gpg.te | 4 +++ 2 files changed, 73 insertions(+) diff --git a/policy/modules/contrib/dirmngr.if b/policy/modules/contrib/dirmngr.if index 4cd2810e..2f6875a6 100644 --- a/policy/modules/contrib/dirmngr.if +++ b/policy/modules/contrib/dirmngr.if @@ -1,5 +1,74 @@ ## <summary>Server for managing and downloading certificate revocation lists.</summary> +############################################################ +## <summary> +## Role access for dirmngr. +## </summary> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <param name="domain"> +## <summary> +## User domain for the role. +## </summary> +## </param> +# +interface(`dirmngr_role',` + gen_require(` + type dirmngr_t, dirmngr_exec_t; + ') + + role $1 types dirmngr_t; + + domtrans_pattern($2, dirmngr_exec_t, dirmngr_t) + + allow $2 dirmngr_t:process { ptrace signal_perms }; + ps_process_pattern($2, dirmngr_t) + + allow dirmngr_t $2:fd use; + allow dirmngr_t $2:fifo_file { read write }; +') + +######################################## +## <summary> +## Execute dirmngr in the dirmngr domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`dirmngr_domtrans',` + gen_require(` + type dirmngr_t, dirmngr_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, dirmngr_exec_t, dirmngr_t) +') + +######################################## +## <summary> +## Execute the dirmngr in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dirmngr_exec',` + gen_require(` + type dirmngr_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, dirmngr_exec_t) +') + ######################################## ## <summary> ## All of the rules required to diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te index 4345bd08..160c5f85 100644 --- a/policy/modules/contrib/gpg.te +++ b/policy/modules/contrib/gpg.te @@ -138,6 +138,10 @@ tunable_policy(`use_samba_home_dirs',` ') optional_policy(` + dirmngr_domtrans(gpg_t) +') + +optional_policy(` evolution_read_orbit_tmp_files(gpg_t) ')