commit: df8fecccf2694a0351ce8bdb03e1a0abc7845984
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Mar 30 04:58:28 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 30 09:31:51 2017 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=df8feccc
dirmngr: add to roles and allow gpg to domtrans
policy/modules/contrib/dirmngr.if | 69 +++++++++++++++++++++++++++++++++++++++
policy/modules/contrib/gpg.te | 4 +++
2 files changed, 73 insertions(+)
diff --git a/policy/modules/contrib/dirmngr.if
b/policy/modules/contrib/dirmngr.if
index 4cd2810e..2f6875a6 100644
--- a/policy/modules/contrib/dirmngr.if
+++ b/policy/modules/contrib/dirmngr.if
@@ -1,5 +1,74 @@
## <summary>Server for managing and downloading certificate revocation
lists.</summary>
+############################################################
+## <summary>
+## Role access for dirmngr.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`dirmngr_role',`
+ gen_require(`
+ type dirmngr_t, dirmngr_exec_t;
+ ')
+
+ role $1 types dirmngr_t;
+
+ domtrans_pattern($2, dirmngr_exec_t, dirmngr_t)
+
+ allow $2 dirmngr_t:process { ptrace signal_perms };
+ ps_process_pattern($2, dirmngr_t)
+
+ allow dirmngr_t $2:fd use;
+ allow dirmngr_t $2:fifo_file { read write };
+')
+
+########################################
+## <summary>
+## Execute dirmngr in the dirmngr domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`dirmngr_domtrans',`
+ gen_require(`
+ type dirmngr_t, dirmngr_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, dirmngr_exec_t, dirmngr_t)
+')
+
+########################################
+## <summary>
+## Execute the dirmngr in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirmngr_exec',`
+ gen_require(`
+ type dirmngr_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, dirmngr_exec_t)
+')
+
########################################
## <summary>
## All of the rules required to
diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
index c145fb4c..1b8448c7 100644
--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -139,6 +139,10 @@ tunable_policy(`use_samba_home_dirs',`
')
optional_policy(`
+ dirmngr_domtrans(gpg_t)
+')
+
+optional_policy(`
evolution_read_orbit_tmp_files(gpg_t)
')
