Blob Blame History Raw
#
# Macros for gpg and pgp
#
# Author:  Russell Coker <russell@coker.com.au>
#
# based on the work of:
# Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
#

#
# gpg_domain(domain_prefix)
#
# Define a derived domain for the gpg/pgp program when executed by
# a user domain.
#
# The type declaration for the executable type for this program is
# provided separately in domains/program/gpg.te.
#
define(`gpg_domain', `
# Derived domain based on the calling user domain and the program.
type $1_gpg_t, domain, privlog;
type $1_gpg_secret_t, file_type, $1_file_type, sysadmfile;

# Transition from the user domain to the derived domain.
domain_auto_trans($1_t, gpg_exec_t, $1_gpg_t)
role $1_r types $1_gpg_t;

can_network($1_gpg_t)
allow $1_gpg_t port_type:tcp_socket name_connect;
can_ypbind($1_gpg_t)

# for a bug in kmail
dontaudit $1_gpg_t $1_t:unix_stream_socket { getattr read write };

allow $1_gpg_t device_t:dir r_dir_perms;
allow $1_gpg_t { random_device_t urandom_device_t }:chr_file r_file_perms;

allow $1_gpg_t etc_t:file r_file_perms;

allow $1_gpg_t self:unix_stream_socket create_stream_socket_perms;
allow $1_gpg_t self:tcp_socket create_stream_socket_perms;

access_terminal($1_gpg_t, $1)
ifdef(`gnome-pty-helper.te', `allow $1_gpg_t $1_gph_t:fd use;')

# Inherit and use descriptors
allow $1_gpg_t { privfd $1_t }:fd use;
allow { $1_t $1_gpg_t } $1_gpg_t:process signal;

# setrlimit is for ulimit -c 0
allow $1_gpg_t self:process { setrlimit setcap setpgid };

# allow ps to show gpg
can_ps($1_t, $1_gpg_t)

uses_shlib($1_gpg_t)

# Access .gnupg
rw_dir_create_file($1_gpg_t, $1_gpg_secret_t)

# Read content to encrypt/decrypt/sign
read_content($1_gpg_t, $1)

# Write content to encrypt/decrypt/sign
write_trusted($1_gpg_t, $1)

allow $1_gpg_t self:capability { ipc_lock setuid };

allow $1_gpg_t { etc_t usr_t }:dir r_dir_perms;
allow $1_gpg_t fs_t:filesystem getattr;
allow $1_gpg_t usr_t:file r_file_perms;
read_locale($1_gpg_t)

dontaudit $1_gpg_t var_t:dir search;

ifdef(`gpg-agent.te', `gpg_agent_domain($1)')

# for helper programs (which automatically fetch keys)
# Note: this is only tested with the hkp interface. If you use eg the 
# mail interface you will likely need additional permissions.
type $1_gpg_helper_t, domain;
role $1_r types $1_gpg_helper_t;

domain_auto_trans($1_gpg_t, gpg_helper_exec_t, $1_gpg_helper_t)
uses_shlib($1_gpg_helper_t)

# allow gpg to fork so it can call the helpers
allow $1_gpg_t self:process { fork sigchld };
allow $1_gpg_t self:fifo_file { getattr read write };

dontaudit $1_gpg_helper_t $1_gpg_secret_t:file read;
if (use_nfs_home_dirs) {
dontaudit $1_gpg_helper_t nfs_t:file { read write };
}
if (use_samba_home_dirs) {
dontaudit $1_gpg_helper_t cifs_t:file { read write };
}

# communicate with the user 
allow $1_gpg_helper_t $1_t:fd use;
allow $1_gpg_helper_t $1_t:fifo_file write;
# get keys from the network
can_network_client($1_gpg_helper_t)
allow $1_gpg_helper_t port_type:tcp_socket name_connect;
allow $1_gpg_helper_t etc_t:file { getattr read };
allow $1_gpg_helper_t urandom_device_t:chr_file read;
allow $1_gpg_helper_t self:unix_stream_socket create_stream_socket_perms;
# for nscd
dontaudit $1_gpg_helper_t var_t:dir search;

ifdef(`xdm.te', `
can_pipe_xdm($1_gpg_t)
')

')dnl end gpg_domain definition