Blob Blame History Raw

policy_module(gpg, 2.0.0)

########################################
#
# Declarations
#

## <desc>
## <p>
## Allow usage of the gpg-agent --write-env-file option.
## This also allows gpg-agent to manage user files.
## </p>
## </desc>
gen_tunable(gpg_agent_env_file, false)

type gpg_t;
type gpg_exec_t;
typealias gpg_t alias { user_gpg_t staff_gpg_t sysadm_gpg_t };
typealias gpg_t alias { auditadm_gpg_t secadm_gpg_t };
application_domain(gpg_t, gpg_exec_t)
ubac_constrained(gpg_t)

type gpg_agent_t;
type gpg_agent_exec_t;
typealias gpg_agent_t alias { user_gpg_agent_t staff_gpg_agent_t sysadm_gpg_agent_t };
typealias gpg_agent_t alias { auditadm_gpg_agent_t secadm_gpg_agent_t };
application_domain(gpg_agent_t, gpg_agent_exec_t)
ubac_constrained(gpg_agent_t)

type gpg_agent_tmp_t;
typealias gpg_agent_tmp_t alias { user_gpg_agent_tmp_t staff_gpg_agent_tmp_t sysadm_gpg_agent_tmp_t };
typealias gpg_agent_tmp_t alias { auditadm_gpg_agent_tmp_t secadm_gpg_agent_tmp_t };
files_tmp_file(gpg_agent_tmp_t)
ubac_constrained(gpg_agent_tmp_t)

type gpg_secret_t;
typealias gpg_secret_t alias { user_gpg_secret_t staff_gpg_secret_t sysadm_gpg_secret_t };
typealias gpg_secret_t alias { auditadm_gpg_secret_t secadm_gpg_secret_t };
userdom_user_home_content(gpg_secret_t)

type gpg_helper_t;
type gpg_helper_exec_t;
typealias gpg_helper_t alias { user_gpg_helper_t staff_gpg_helper_t sysadm_gpg_helper_t };
typealias gpg_helper_t alias { auditadm_gpg_helper_t secadm_gpg_helper_t };
application_domain(gpg_helper_t, gpg_helper_exec_t)
ubac_constrained(gpg_helper_t)

type gpg_pinentry_t;
type pinentry_exec_t;
typealias gpg_pinentry_t alias { user_gpg_pinentry_t staff_gpg_pinentry_t sysadm_gpg_pinentry_t };
typealias gpg_pinentry_t alias { auditadm_gpg_pinentry_t secadm_gpg_pinentry_t };
application_domain(gpg_pinentry_t, pinentry_exec_t)
ubac_constrained(gpg_pinentry_t)

########################################
#
# GPG local policy
#

allow gpg_t self:capability { ipc_lock setuid };
# setrlimit is for ulimit -c 0
allow gpg_t self:process { signal setrlimit setcap setpgid };

allow gpg_t self:fifo_file rw_fifo_file_perms;
allow gpg_t self:tcp_socket create_stream_socket_perms;

# transition from the gpg domain to the helper domain
domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)

allow gpg_t gpg_secret_t:dir create_dir_perms;
manage_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
manage_lnk_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir)

corenet_all_recvfrom_unlabeled(gpg_t)
corenet_all_recvfrom_netlabel(gpg_t)
corenet_tcp_sendrecv_all_if(gpg_t)
corenet_udp_sendrecv_all_if(gpg_t)
corenet_tcp_sendrecv_all_nodes(gpg_t)
corenet_udp_sendrecv_all_nodes(gpg_t)
corenet_tcp_sendrecv_all_ports(gpg_t)
corenet_udp_sendrecv_all_ports(gpg_t)
corenet_tcp_connect_all_ports(gpg_t)
corenet_sendrecv_all_client_packets(gpg_t)

dev_read_rand(gpg_t)
dev_read_urand(gpg_t)

fs_getattr_xattr_fs(gpg_t)

domain_use_interactive_fds(gpg_t)

files_read_etc_files(gpg_t)
files_read_usr_files(gpg_t)
files_dontaudit_search_var(gpg_t)

miscfiles_read_localization(gpg_t)

logging_send_syslog_msg(gpg_t)

sysnet_read_config(gpg_t)

userdom_use_user_terminals(gpg_t)

optional_policy(`
	nis_use_ypbind(gpg_t)
')

########################################
#
# GPG helper local policy
#

# for helper programs (which automatically fetch keys)
# Note: this is only tested with the hkp interface. If you use eg the 
# mail interface you will likely need additional permissions.

allow gpg_helper_t self:unix_stream_socket create_stream_socket_perms;
allow gpg_helper_t self:tcp_socket { connect connected_socket_perms };
allow gpg_helper_t self:udp_socket { connect connected_socket_perms };

dontaudit gpg_helper_t gpg_secret_t:file read;

corenet_all_recvfrom_unlabeled(gpg_helper_t)
corenet_all_recvfrom_netlabel(gpg_helper_t)
corenet_tcp_sendrecv_all_if(gpg_helper_t)
corenet_raw_sendrecv_all_if(gpg_helper_t)
corenet_udp_sendrecv_all_if(gpg_helper_t)
corenet_tcp_sendrecv_all_nodes(gpg_helper_t)
corenet_udp_sendrecv_all_nodes(gpg_helper_t)
corenet_raw_sendrecv_all_nodes(gpg_helper_t)
corenet_tcp_sendrecv_all_ports(gpg_helper_t)
corenet_udp_sendrecv_all_ports(gpg_helper_t)
corenet_tcp_bind_all_nodes(gpg_helper_t)
corenet_udp_bind_all_nodes(gpg_helper_t)
corenet_tcp_connect_all_ports(gpg_helper_t)

dev_read_urand(gpg_helper_t)

files_read_etc_files(gpg_helper_t)
# for nscd
files_dontaudit_search_var(gpg_helper_t)

sysnet_read_config(gpg_helper_t)

tunable_policy(`use_nfs_home_dirs',`
	fs_dontaudit_rw_nfs_files(gpg_helper_t)
')

tunable_policy(`use_samba_home_dirs',`
	fs_dontaudit_rw_cifs_files(gpg_helper_t)
')

optional_policy(`
	xserver_use_xdm_fds(gpg_t)
	xserver_rw_xdm_pipes(gpg_t)
')

########################################
#
# GPG agent local policy
#

# rlimit: gpg-agent wants to prevent coredumps
allow gpg_agent_t self:process setrlimit;

allow gpg_agent_t self:unix_stream_socket create_stream_socket_perms ;
allow gpg_agent_t self:fifo_file rw_fifo_file_perms;

# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
manage_dirs_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)

# Allow the gpg-agent to manage its tmp files (socket)
manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })

# allow gpg to connect to the gpg agent
stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)

corecmd_search_bin(gpg_agent_t)

domain_use_interactive_fds(gpg_agent_t)

miscfiles_read_localization(gpg_agent_t)

# Write to the user domain tty.
userdom_use_user_terminals(gpg_agent_t)
# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
userdom_search_user_home_dirs(gpg_agent_t)

tunable_policy(`gpg_agent_env_file',`
	# write ~/.gpg-agent-info or a similar to the users home dir
	# or subdir (gpg-agent --write-env-file option)
	#
	userdom_user_home_dir_filetrans_user_home_content(gpg_agent_t, file)
	userdom_manage_user_home_content_dirs(gpg_agent_t)
	userdom_manage_user_home_content_files(gpg_agent_t)
')

tunable_policy(`use_nfs_home_dirs',`
	fs_manage_nfs_dirs(gpg_agent_t)
	fs_manage_nfs_files(gpg_agent_t)
	fs_manage_nfs_symlinks(gpg_agent_t)
')

tunable_policy(`use_samba_home_dirs',`
	fs_manage_cifs_dirs(gpg_agent_t)
	fs_manage_cifs_files(gpg_agent_t)
	fs_manage_cifs_symlinks(gpg_agent_t)
')

##############################
#
# Pinentry local policy
#

allow gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write };
allow gpg_pinentry_t self:fifo_file rw_fifo_file_perms;

# we need to allow gpg-agent to call pinentry so it can get the passphrase 
# from the user.
domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t)

# read /proc/meminfo
kernel_read_system_state(gpg_pinentry_t)

files_read_usr_files(gpg_pinentry_t)
# read /etc/X11/qtrc
files_read_etc_files(gpg_pinentry_t)

miscfiles_read_fonts(gpg_pinentry_t)
miscfiles_read_localization(gpg_pinentry_t)

# for .Xauthority
userdom_read_user_home_content_files(gpg_pinentry_t)

tunable_policy(`use_nfs_home_dirs',`
	fs_read_nfs_files(gpg_pinentry_t)
')

tunable_policy(`use_samba_home_dirs',`
	fs_read_cifs_files(gpg_pinentry_t)
')

optional_policy(`
	xserver_stream_connect(gpg_pinentry_t)
')