diff --git a/refpolicy/policy/modules/apps/games.te b/refpolicy/policy/modules/apps/games.te
index 786c5d1..e0b6974 100644
--- a/refpolicy/policy/modules/apps/games.te
+++ b/refpolicy/policy/modules/apps/games.te
@@ -75,10 +75,3 @@ optional_policy(`
 optional_policy(`
 	udev_read_db(games_t)
 ')
-
-ifdef(`TODO',`
-	#WHY!!!
-	#allow initrc_t games_data_t:dir r_dir_perms;
-	#allow initrc_t games_data_t:file r_file_perms;
-	#allow initrc_t games_data_t:lnk_file { getattr read };
-')
diff --git a/refpolicy/policy/modules/apps/gpg.if b/refpolicy/policy/modules/apps/gpg.if
index d0a3bed..9d49603 100644
--- a/refpolicy/policy/modules/apps/gpg.if
+++ b/refpolicy/policy/modules/apps/gpg.if
@@ -76,14 +76,6 @@ template(`gpg_per_userdomain_template',`
 	# GPG local policy
 	#
 
-	# transition from the userdomain to the derived domain
-	domain_auto_trans($2,gpg_exec_t,$1_gpg_t)
-
-	allow $2 $1_gpg_t:fd use;
-	allow $1_gpg_t $2:fd use;
-	allow $1_gpg_t $2:fifo_file rw_file_perms;
-	allow $1_gpg_t $2:process sigchld;
-
 	allow $1_gpg_t self:capability { ipc_lock setuid };
 	allow { $2 $1_gpg_t } $1_gpg_t:process signal;
 	# setrlimit is for ulimit -c 0
@@ -96,6 +88,17 @@ template(`gpg_per_userdomain_template',`
 	allow $1_gpg_t $1_gpg_secret_t:file create_file_perms;
 	allow $1_gpg_t $1_gpg_secret_t:lnk_file create_lnk_perms;
 
+	# transition from the userdomain to the derived domain
+	domain_auto_trans($2,gpg_exec_t,$1_gpg_t)
+	allow $1_gpg_t $2:fd use;
+	allow $1_gpg_t $2:fifo_file rw_file_perms;
+	allow $1_gpg_t $2:process sigchld;
+
+	# allow ps to show gpg
+	allow $2 $1_gpg_t:dir { search getattr read };
+	allow $2 $1_gpg_t:{ file lnk_file } { read getattr };
+	allow $2 $1_gpg_t:process getattr;
+
 	corenet_non_ipsec_sendrecv($1_gpg_t)
 	corenet_tcp_sendrecv_all_if($1_gpg_t)
 	corenet_udp_sendrecv_all_if($1_gpg_t)
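Review bot: The three "allow ps to show gpg" rules in the `@@ -96,6 +88,17 @@` hunk grant `$2` `{ file lnk_file } { read getattr }` on `$1_gpg_t`, which is the permission for every file under the gpg process's /proc/<pid> directory (subject to the kernel's extra ptrace-style checks on the most sensitive ones), not only the entries ps reads; the comment should say so, e.g. `# allow ps to show gpg (file read covers all of /proc/<pid>, not just status/cmdline)`. The same three lines are repeated verbatim for `$1_gpg_agent_t` in `@@ -234,6 +227,11 @@`; defining them once as a local macro in this file would keep the two copies in sync. Of the fd rules moved down from the first hunk, `allow $2 $1_gpg_t:fd use;` is the only one not re-added; if dropping it is intended, a short comment on the `domain_auto_trans` line would stop the next reader from restoring it. The `gpg_per_userdomain_template` body continues outside the hunk.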
@@ -138,12 +141,6 @@ template(`gpg_per_userdomain_template',`
 
 	# Write content to encrypt/decrypt/sign
 	write_trusted($1_gpg_t, $1)
-
-	ifdef(`gnome-pty-helper.te', `allow $1_gpg_t $1_gph_t:fd use;')
-
-	# allow ps to show gpg
-	can_ps($1_t, $1_gpg_t)
-	') dnl end TODO
 
 	########################################
@@ -161,8 +158,6 @@ template(`gpg_per_userdomain_template',`
 
 	# transition from the gpg domain to the helper domain
 	domain_auto_trans($1_gpg_t,gpg_helper_exec_t,$1_gpg_helper_t)
-
-	allow $1_gpg_t $1_gpg_helper_t:fd use;
 	allow $1_gpg_helper_t $1_gpg_t:fd use;
 	allow $1_gpg_helper_t $1_gpg_t:fifo_file rw_file_perms;
 	allow $1_gpg_helper_t $1_gpg_t:process sigchld;
@@ -206,12 +201,10 @@ template(`gpg_per_userdomain_template',`
 		fs_dontaudit_rw_cifs_files($1_gpg_helper_t)
 	')
 
-	ifdef(`TODO',`
-
-	ifdef(`xdm.te',`
-		can_pipe_xdm($1_gpg_t)
+	optional_policy(`
+		xserver_use_xdm_fds($1_gpg_t)
+		xserver_rw_xdm_pipes($1_gpg_t)
 	')
-	') dnl end TODO
 
 	########################################
 	#
@@ -234,6 +227,11 @@ template(`gpg_per_userdomain_template',`
 	allow $1_gpg_t $1_gpg_agent_tmp_t:sock_file write;
 	allow $1_gpg_t $1_gpg_agent_t:unix_stream_socket connectto;
 
+	# allow ps to show gpg-agent
+	allow $2 $1_gpg_agent_t:dir { search getattr read };
+	allow $2 $1_gpg_agent_t:{ file lnk_file } { read getattr };
+	allow $2 $1_gpg_agent_t:process getattr;
+
 	# Allow the user shell to signal the gpg-agent program.
 	allow $2 $1_gpg_agent_t:process { signal sigkill };
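Review bot: The `optional_policy` block added in `@@ -206,12 +201,10 @@` grants `xserver_use_xdm_fds`/`xserver_rw_xdm_pipes` to `$1_gpg_t`, yet it sits at the end of the helper section, between `fs_dontaudit_rw_cifs_files($1_gpg_helper_t)` and the next section banner, so a reader scanning the helper rules will take it for helper policy. Moving the block up to the "GPG local policy" section next to the other `$1_gpg_t` rules, or at least adding `# gpg itself, not the helper: presumably inherits xdm's fds/pipes when started from an X session` above it, would avoid that. The same pair of interfaces is switched on for `utempter_t` in authlogin.te in this commit, and neither site records why the domain ends up holding xdm's descriptors. The template body continues outside the hunk.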
@@ -242,10 +240,13 @@ template(`gpg_per_userdomain_template',`
 	allow $2 $1_gpg_agent_tmp_t:sock_file create_file_perms;
 	files_tmp_filetrans($1_gpg_agent_t, $1_gpg_agent_tmp_t, { file sock_file dir })
 
-	corecmd_search_bin($1_gpg_agent_t)
-
 	# Transition from the user domain to the derived domain.
 	domain_auto_trans($2, gpg_agent_exec_t, $1_gpg_agent_t)
+	allow $1_gpg_agent_t $2:fd use;
+	allow $1_gpg_agent_t $2:fifo_file rw_file_perms;
+	allow $1_gpg_agent_t $2:process sigchld;
+
+	corecmd_search_bin($1_gpg_agent_t)
 
 	domain_use_interactive_fds($1_gpg_agent_t)
@@ -256,6 +257,8 @@ template(`gpg_per_userdomain_template',`
 
 	# Write to the user domain tty.
 	userdom_use_user_terminals($1,$1_gpg_agent_t)
+	# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
+	userdom_search_user_home_dirs($1,$1_gpg_agent_t)
 
 	tunable_policy(`use_nfs_home_dirs',`
 		fs_manage_nfs_dirs($1_gpg_agent_t)
@@ -269,19 +272,6 @@ template(`gpg_per_userdomain_template',`
 		fs_manage_cifs_symlinks($1_gpg_agent_t)
 	')
 
-	ifdef(`TODO',`
-
-	# allow ps to show gpg-agent
-	can_ps($1_t, $1_gpg_agent_t)
-
-	allow $1_gpg_agent_t proc_t:dir search;
-	allow $1_gpg_agent_t proc_t:lnk_file read;
-
-	# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
-	allow $1_gpg_agent_t { home_root_t $1_home_dir_t }:dir search;
-
-	') dnl endif TODO
-
 	##############################
 	#
 	# Pinentry local policy
@@ -290,8 +280,6 @@ template(`gpg_per_userdomain_template',`
 	# we need to allow gpg-agent to call pinentry so it can get the passphrase
 	# from the user.
 	domain_auto_trans($1_gpg_agent_t,pinentry_exec_t,$1_gpg_pinentry_t)
-
-	allow $1_gpg_pinentry_t $1_gpg_agent_t:fd use;
 	allow $1_gpg_agent_t $1_gpg_pinentry_t:fd use;
 	allow $1_gpg_agent_t $1_gpg_pinentry_t:fifo_file rw_file_perms;
 	allow $1_gpg_agent_t $1_gpg_pinentry_t:process sigchld;
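Review bot: The `allow $1_gpg_agent_t $2:fd use;` added after `domain_auto_trans` in `@@ -242,10 +240,13 @@` is the child-uses-parent-fds direction, the same one the helper section keeps (`allow $1_gpg_helper_t $1_gpg_t:fd use;` in `@@ -161,8 +158,6 @@`), but the pinentry hunk `@@ -290,8 +280,6 @@` deletes exactly that direction for pinentry — `allow $1_gpg_pinentry_t $1_gpg_agent_t:fd use;` — and keeps only the parent-uses-child rule `allow $1_gpg_agent_t $1_gpg_pinentry_t:fd use;`. Since pinentry is exec'd by the agent and, as far as the hunk shows, talks over descriptors the agent already holds, that deletion looks inverted relative to the rest of the commit and would leave pinentry unable to use the agent's fds unless it only ever uses descriptors it opens itself; please confirm which of the two lines was meant to go. The template body continues outside the hunk.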
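Review bot: The comment `# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )` in `@@ -256,6 +257,8 @@` promises more than the line under it grants: `userdom_search_user_home_dirs($1,$1_gpg_agent_t)` only lets the agent search the home directory, which is also all the old TODO rule (`... }:dir search;`) did. Reword it to `# search the home dir so gpg-agent can reach ~/.gnupg/private-keys-v1.d` and, if the agent really needs read/write on the secret-key directory, add that explicitly (presumably against `$1_gpg_secret_t`, which this hunk does not show). The template body continues outside the hunk.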
@@ -312,6 +300,9 @@ template(`gpg_per_userdomain_template',`
 	miscfiles_read_fonts($1_gpg_pinentry_t)
 	miscfiles_read_localization($1_gpg_pinentry_t)
 
+	# for .Xauthority
+	userdom_read_user_home_content_files($1,$1_gpg_pinentry_t)
+
 	tunable_policy(`use_nfs_home_dirs',`
 		fs_read_nfs_files($1_gpg_pinentry_t)
 	')
@@ -320,19 +311,13 @@ template(`gpg_per_userdomain_template',`
 		fs_read_cifs_files($1_gpg_pinentry_t)
 	')
 
-	ifdef(`TODO',`
-
-	ifdef(`xdm.te', `
-	allow $1_gpg_pinentry_t xdm_xserver_tmp_t:dir search;
-	allow $1_gpg_pinentry_t xdm_xserver_tmp_t:sock_file { read write };
-	allow $1_gpg_pinentry_t xdm_xserver_t:unix_stream_socket connectto;
+	optional_policy(`
+		xserver_stream_connect_xdm_xserver($1_gpg_pinentry_t)
 	')
 
-	allow $1_gpg_pinentry_t { tmp_t home_root_t }:dir { getattr search };
+	ifdef(`TODO',`
+	allow $1_gpg_pinentry_t tmp_t:dir { getattr search };
 
-	# for .Xauthority
-	allow $1_gpg_pinentry_t $1_home_dir_t:dir { getattr search };
-	allow $1_gpg_pinentry_t $1_home_t:file r_file_perms;
 	# wants to put some lock files into the user home dir, seems to work fine without
 	dontaudit $1_gpg_pinentry_t $1_home_t:dir { read write };
 	dontaudit $1_gpg_pinentry_t $1_home_t:file write;
diff --git a/refpolicy/policy/modules/apps/gpg.te b/refpolicy/policy/modules/apps/gpg.te
index 830326e..07760d0 100644
--- a/refpolicy/policy/modules/apps/gpg.te
+++ b/refpolicy/policy/modules/apps/gpg.te
@@ -1,5 +1,5 @@
-policy_module(gpg, 1.0.3)
+policy_module(gpg, 1.0.4)
 
 ########################################
 #
diff --git a/refpolicy/policy/modules/kernel/domain.te b/refpolicy/policy/modules/kernel/domain.te
index c58cb7b..f0e07f2 100644
--- a/refpolicy/policy/modules/kernel/domain.te
+++ b/refpolicy/policy/modules/kernel/domain.te
@@ -1,5 +1,5 @@
-policy_module(domain,1.1.2)
+policy_module(domain,1.1.3)
 
 ########################################
 #
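Review bot: `userdom_read_user_home_content_files($1,$1_gpg_pinentry_t)` in `@@ -312,6 +300,9 @@` gives the passphrase dialog read access to all of the user's home content, while the comment `# for .Xauthority` names a single file; whoever audits this later cannot tell whether the breadth was deliberate. Either document it — `# for .Xauthority (grants read on all user home content; no narrower type exists for that file)` — or, if this tree has a narrower interface for the X authority file, prefer that. The template body continues outside the hunk.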
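Review bot: The re-opened `ifdef(`TODO',` block in `@@ -320,19 +311,13 @@` keeps `allow $1_gpg_pinentry_t tmp_t:dir { getattr search };`, a direct reference to a type owned by the files module; when this is promoted out of TODO it should go through `files_search_tmp($1_gpg_pinentry_t)` rather than naming `tmp_t`, just as the xdm rules above it now go through `xserver_stream_connect_xdm_xserver`. A one-line comment on the `ifdef` saying these rules are still disabled and why (`# still under TODO: needs the files/userdom interfaces, not raw types`) would help, since the block's closing `')` lies outside this hunk and is easy to lose track of. The template body continues outside the hunk.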
@@ -71,10 +71,11 @@ neverallow ~{ domain unlabeled_t } *:process *;
 # Rules applied to all domains
 #
 
-# read /proc/pid entries
+# read /proc/(pid|self) entries
 allow domain self:dir r_dir_perms;
 allow domain self:lnk_file r_file_perms;
 allow domain self:file rw_file_perms;
+kernel_read_proc_symlinks(domain)
 
 # create child processes in the domain
 allow domain self:process { fork sigchld };
diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te
index 6a21bb7..209101a 100644
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@@ -1,5 +1,5 @@
-policy_module(authlogin,1.3.6)
+policy_module(authlogin,1.3.7)
 
 ########################################
 #
@@ -311,8 +311,7 @@ optional_policy(`
 	nscd_socket_use(utempter_t)
 ')
 
-ifdef(`TODO',`
 optional_policy(`
-	can_pipe_xdm(utempter_t)
-')
+	xserver_use_xdm_fds(utempter_t)
+	xserver_rw_xdm_pipes(utempter_t)
 ')
diff --git a/refpolicy/policy/modules/system/raid.te b/refpolicy/policy/modules/system/raid.te
index 44db206..8e18595 100644
--- a/refpolicy/policy/modules/system/raid.te
+++ b/refpolicy/policy/modules/system/raid.te
@@ -82,8 +82,3 @@ optional_policy(`
 optional_policy(`
 	udev_read_db(mdadm_t)
 ')
-
-ifdef(`TODO',`
-# Ignore attempts to read every device file
-dontaudit mdadm_t device_t:{ fifo_file file chr_file blk_file } { read getattr };
-') dnl TODO
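Review bot: `kernel_read_proc_symlinks(domain)` in `@@ -71,10 +71,11 @@` gives every domain read on proc_t symlinks, and the updated comment `# read /proc/(pid|self) entries` does not say why the `self:lnk_file` rule directly above it is not enough — presumably because `/proc/self` carries the proc_t label rather than the process's own domain, but that is the fact worth writing down next to a policy-wide grant. Suggest `# read /proc/<pid> entries; /proc/self is a proc_t symlink, so self:lnk_file alone does not cover it`, so a later cleanup does not "tighten" the rule away. The surrounding rule block continues outside the hunk.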
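Review bot: Dropping the `ifdef(`TODO',` wrapper in `@@ -311,8 +311,7 @@` turns `xserver_use_xdm_fds(utempter_t)` and `xserver_rw_xdm_pipes(utempter_t)` from never-compiled text into live policy, and nothing in the hunk records why a tty accounting helper should hold xdm's descriptors and pipes. A short comment inside the `optional_policy` — e.g. `# presumably exec'd by terminal emulators started under xdm with its fds still open` — would let the next reviewer judge whether fd use plus pipe read/write is the minimum needed, which the old `can_pipe_xdm` line never had to justify because it was disabled.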