Blob Blame History Raw

#######################################
#
# Per user domain template for this module
#
# gpg_per_userdomain_template(userdomain_prefix)
#
define(`gpg_per_userdomain_template',`
requires_block_template(`$0'_depend)

########################################
#
# Declarations
#

type $1_gpg_t;
domain_make_domain($1_gpg_t)
domain_make_entrypoint_file($1_gpg_t,gpg_exec_t)
role $1_r types $1_gpg_t;

type $1_gpg_agent_t;
domain_make_domain($1_gpg_agent_t)
domain_make_entrypoint_file($1_gpg_agent_t,gpg_agent_exec_t)
role $1_r types $1_gpg_agent_t;

type $1_gpg_agent_tmp_t;
files_make_temporary_file($1_gpg_agent_tmp_t)

type $1_gpg_secret_t; #, $1_file_type;
files_make_file($1_gpg_secret_t)

type $1_gpg_helper_t;
domain_make_domain($1_gpg_helper_t)
role $1_r types $1_gpg_helper_t;

type $1_gpg_pinentry_t;
domain_make_domain($1_gpg_pinentry_t)
role $1_r types $1_gpg_pinentry_t;

########################################
#
# GPG local policy
#

# transition from the userdomain to the derived domain
allow $1_t $1_gpg_t:process transition;
allow $1_t gpg_exec_t:file { getattr read execute };
type_transition $1_t gpg_exec_t:process $1_gpg_t;
allow $1_t $1_gpg_t:fd use;
allow $1_gpg_t $1_t:fd use;
allow $1_gpg_t $1_t:fifo_file rw_file_perms;

allow $1_gpg_t self:capability { ipc_lock setuid };
allow { $1_t $1_gpg_t } $1_gpg_t:process signal;
# setrlimit is for ulimit -c 0
allow $1_gpg_t self:process { setrlimit setcap };

allow $1_gpg_t self:fifo_file { getattr read write };
allow $1_gpg_t self:tcp_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };

allow $1_gpg_t $1_gpg_secret_t:dir { read getattr lock search ioctl add_name remove_name write };
allow $1_gpg_t $1_gpg_secret_t:file { create ioctl read getattr lock write setattr append link unlink rename };
allow $1_gpg_t $1_gpg_secret_t:lnk_file { create read getattr setattr link unlink rename };

corenetwork_network_tcp_on_all_interfaces($1_gpg_t)
corenetwork_network_raw_on_all_interfaces($1_gpg_t)
corenetwork_network_udp_on_all_interfaces($1_gpg_t)
corenetwork_network_tcp_on_all_nodes($1_gpg_t)
corenetwork_network_raw_on_all_nodes($1_gpg_t)
corenetwork_network_udp_on_all_nodes($1_gpg_t)
corenetwork_network_tcp_on_all_ports($1_gpg_t)
corenetwork_network_udp_on_all_ports($1_gpg_t)
corenetwork_bind_tcp_on_all_nodes($1_gpg_t)
corenetwork_bind_udp_on_all_nodes($1_gpg_t)

devices_get_random_data($1_gpg_t)
devices_get_pseudorandom_data($1_gpg_t)

filesystem_get_persistent_filesystem_attributes($1_gpg_t)

files_read_general_system_config($1_gpg_t)
files_read_general_application_resources($1_gpg_t)

libraries_use_shared_libraries($1_gpg_t)
libraries_use_dynamic_loader($1_gpg_t)

miscfiles_read_localization($1_gpg_t)

logging_send_system_log_message($1_gpg_t)

sysnetwork_read_network_config($1_gpg_t)

# Legacy
if (allow_gpg_execstack) {
allow $1_gpg_t self:process execmem;
libraries_legacy_use_shared_libraries($1_gpg_t)
libraries_legacy_use_dynamic_loader($1_gpg_t)
miscfiles_legacy_read_localization($1_gpg_t)
# Not quite sure why this is needed... 
allow $1_gpg_t gpg_exec_t:file execmod;
}

ifdef(`TODO',`

can_ypbind($1_gpg_t)

allow $1_t $1_gpg_secret_t:file getattr;

access_terminal($1_gpg_t, $1)
ifdef(`gnome-pty-helper.te', `allow $1_gpg_t $1_gph_t:fd use;')

# Inherit and use descriptors
allow $1_gpg_t { privfd $1_t }:fd use;

# allow ps to show gpg
can_ps($1_t, $1_gpg_t)

# should not need read access...
allow $1_gpg_t home_root_t:dir { read search };

# use $1_gpg_secret_t for files it creates
# NB we are doing the type transition for directory creation only!
# so ~/.gnupg will be of $1_gpg_secret_t, then files created under it such as
# secring.gpg will be of $1_gpg_secret_t too.  But when you use gpg to decrypt
# a file and write output to your home directory it will use user_home_t.
file_type_auto_trans($1_gpg_t, $1_home_dir_t, $1_gpg_secret_t, dir)

file_type_auto_trans($1_gpg_t, $1_home_dir_t, $1_home_t, file)
create_dir_file($1_gpg_t, $1_home_t)

# allow the usual access to /tmp
file_type_auto_trans($1_gpg_t, tmp_t, $1_tmp_t)

if (use_nfs_home_dirs) {
create_dir_file($1_gpg_t, nfs_t)
}
if (use_samba_home_dirs) {
create_dir_file($1_gpg_t, cifs_t)
}

rw_dir_create_file($1_gpg_t, $1_file_type)

allow $1_t $1_gpg_secret_t:dir rw_dir_perms;

dontaudit $1_gpg_t var_t:dir search;
') dnl end TODO

########################################
#
# GPG helper local policy
#

# for helper programs (which automatically fetch keys)
# Note: this is only tested with the hkp interface. If you use eg the 
# mail interface you will likely need additional permissions.

# transition from the gpg domain to the helper domain
allow $1_gpg_t $1_gpg_helper_t:process transition;
allow $1_gpg_t gpg_helper_exec_t:file { getattr read execute };
type_transition $1_gpg_t gpg_helper_exec_t:process $1_gpg_helper_t;
allow $1_gpg_t $1_gpg_helper_t:fd use;
allow $1_gpg_helper_t $1_t:fd use;
allow $1_gpg_helper_t $1_t:fifo_file rw_file_perms;

allow $1_gpg_helper_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };

allow $1_gpg_helper_t self:tcp_socket { create connect ioctl read getattr write setattr append bind getopt setopt shutdown };
allow $1_gpg_helper_t self:udp_socket { create connect ioctl read getattr write setattr append bind getopt setopt shutdown };

dontaudit $1_gpg_helper_t $1_gpg_secret_t:file read;

corenetwork_network_tcp_on_all_interfaces($1_gpg_helper_t)
corenetwork_network_raw_on_all_interfaces($1_gpg_helper_t)
corenetwork_network_udp_on_all_interfaces($1_gpg_helper_t)
corenetwork_network_tcp_on_all_nodes($1_gpg_helper_t)
corenetwork_network_udp_on_all_nodes($1_gpg_helper_t)
corenetwork_network_raw_on_all_nodes($1_gpg_helper_t)
corenetwork_network_tcp_on_all_ports($1_gpg_helper_t)
corenetwork_network_udp_on_all_ports($1_gpg_helper_t)
corenetwork_bind_tcp_on_all_nodes($1_gpg_helper_t)
corenetwork_bind_udp_on_all_nodes($1_gpg_helper_t)

devices_get_pseudorandom_data($1_gpg_helper_t)

files_read_general_system_config($1_gpg_helper_t)
# for nscd
files_ignore_search_system_state_data_directory($1_gpg_helper_t)

libraries_use_dynamic_loader($1_gpg_helper_t)
libraries_use_shared_libraries($1_gpg_helper_t)

sysnetwork_read_network_config($1_gpg_helper_t)

ifdef(`TODO',`

if (use_nfs_home_dirs) {
dontaudit $1_gpg_helper_t nfs_t:file { read write };
}
if (use_samba_home_dirs) {
dontaudit $1_gpg_helper_t cifs_t:file { read write };
}

# communicate with the user 
allow $1_gpg_helper_t $1_t:fd use;
allow $1_gpg_helper_t $1_t:fifo_file write;

ifdef(`xdm.te', `
dontaudit $1_gpg_t xdm_t:fd use;
dontaudit $1_gpg_t xdm_t:fifo_file read;
')
') dnl end TODO

########################################
#
# GPG agent local policy
#

# rlimit: gpg-agent wants to prevent coredumps
allow $1_gpg_agent_t self:process setrlimit;

allow $1_gpg_agent_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
allow $1_gpg_agent_t self:fifo_file { getattr read write };

allow $1_t $1_gpg_agent_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
allow $1_t $1_gpg_agent_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
allow $1_t $1_gpg_agent_tmp_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
files_create_private_tmp_data($1_gpg_agent_t, $1_gpg_agent_tmp_t, { file sock_file dir })

domain_use_widely_inheritable_file_descriptors($1_gpg_agent_t)

libraries_use_dynamic_loader($1_gpg_agent_t)
libraries_use_shared_libraries($1_gpg_agent_t)

miscfiles_read_localization($1_gpg_agent_t)

ifdef(`TODO',`
# Transition from the user domain to the derived domain.
domain_auto_trans($1_t, gpg_agent_exec_t, $1_gpg_agent_t)

allow $1_gpg_agent_t xdm_t:fd use;

# Write to the user domain tty.
access_terminal($1_gpg_agent_t, $1)

# Allow the user shell to signal the gpg-agent program.
allow $1_t $1_gpg_agent_t:process { signal sigkill };
# allow ps to show gpg-agent
can_ps($1_t, $1_gpg_agent_t)

allow $1_gpg_agent_t proc_t:dir search;
allow $1_gpg_agent_t proc_t:lnk_file read;

allow $1_gpg_agent_t device_t:dir { getattr read };

# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
allow $1_gpg_agent_t { home_root_t $1_home_dir_t }:dir search;
create_dir_file($1_gpg_agent_t, $1_gpg_secret_t)
if (use_nfs_home_dirs) {
create_dir_file($1_gpg_agent_t, nfs_t)
}
if (use_samba_home_dirs) {
create_dir_file($1_gpg_agent_t, cifs_t)
}

# gpg connect
allow $1_gpg_t $1_gpg_agent_tmp_t:dir search;
allow $1_gpg_t $1_gpg_agent_tmp_t:sock_file write;
can_unix_connect($1_gpg_t, $1_gpg_agent_t)
') dnl endif TODO

##############################
#
# Pinentry local policy
#

# we need to allow gpg-agent to call pinentry so it can get the passphrase 
# from the user.
allow $1_gpg_agent_t $1_gpg_pinentry_t:process transition;
allow $1_gpg_agent_t pinentry_exec_t:file { getattr read execute };
type_transition $1_gpg_agent_t pinentry_exec_t:process $1_gpg_pinentry_t;
allow $1_gpg_pinentry_t $1_gpg_agent_t:fd use;
allow $1_gpg_agent_t $1_gpg_pinentry_t:fd use;
allow $1_gpg_agent_t $1_gpg_pinentry_t:fifo_file rw_file_perms;

allow $1_gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write };
allow $1_gpg_pinentry_t self:fifo_file { getattr read write };

# read /proc/meminfo
kernel_read_system_state($1_gpg_pinentry_t)

files_read_general_application_resources($1_gpg_pinentry_t)
# read /etc/X11/qtrc
files_read_general_system_config($1_gpg_pinentry_t)

libraries_use_dynamic_loader($1_gpg_pinentry_t)
libraries_use_shared_libraries($1_gpg_pinentry_t)

miscfiles_read_fonts($1_gpg_pinentry_t)
miscfiles_read_localization($1_gpg_pinentry_t)

ifdef(`TODO',`

allow $1_gpg_agent_t bin_t:dir search;

ifdef(`xdm.te', `
allow $1_gpg_pinentry_t xdm_xserver_tmp_t:dir search;
allow $1_gpg_pinentry_t xdm_xserver_tmp_t:sock_file { read write };
can_unix_connect($1_gpg_pinentry_t, xdm_xserver_t)
allow $1_gpg_pinentry_t xdm_t:fd use;
')dnl end ig xdm.te

allow $1_gpg_pinentry_t { tmp_t home_root_t }:dir { getattr search };

# for .Xauthority
allow $1_gpg_pinentry_t $1_home_dir_t:dir { getattr search };
allow $1_gpg_pinentry_t $1_home_t:file { getattr read };
# wants to put some lock files into the user home dir, seems to work fine without
dontaudit $1_gpg_pinentry_t $1_home_t:dir { read write };
dontaudit $1_gpg_pinentry_t $1_home_t:file write;

if (use_nfs_home_dirs) {
allow $1_gpg_pinentry_t nfs_t:dir { getattr search };
allow $1_gpg_pinentry_t nfs_t:file { getattr read };
dontaudit $1_gpg_pinentry_t nfs_t:dir { read write };
dontaudit $1_gpg_pinentry_t nfs_t:file write;
}

if (use_samba_home_dirs) {
allow $1_gpg_pinentry_t cifs_t:dir { getattr search };
allow $1_gpg_pinentry_t cifs_t:file { getattr read };
dontaudit $1_gpg_pinentry_t cifs_t:dir { read write };
dontaudit $1_gpg_pinentry_t cifs_t:file write;
}

dontaudit $1_gpg_pinentry_t { sysctl_t sysctl_kernel_t }:dir { getattr search };
') dnl end TODO
') dnl end gpg_per_userdomain_template