[DSE-Dev] refpolicy: patch for gpg-agent
Václav Ovsík
vaclav.ovsik at i.cz
Mon May 12 13:32:56 UTC 2008
Hi,
On Thu, Apr 24, 2008 at 02:25:48PM -0400, Daniel J Walsh wrote:
...
> Current Fedora allows gpg_t to manage files in the homedirs, since it
> needs to be able to read/write files in the homedir. No reason to
> isolate it.
>
> The reason for this patch being large is that Fedora no longer separates
> homedir labeling via Prefix, since this concept will not work in a
> distributed homedir environment.
...
My patch was about gpg-agent (gpg_agent_t) and not gpg itself (gpg_t).
Thanks for the Fedora gpg patch. It is quite big. I must keep the change
small to be acceptable to Christopher :).
On Tue, May 06, 2008 at 01:33:35PM -0400, Christopher J. PeBenito wrote:
...
> I've been kicking this one around in my head for a while since this
> doesn't seem clear cut. I think adding another type is too much for
> such a file, so I still think the best choice is to have a tunable that
> allows writing to $1_home_t files, as I suggested before.
OK. This time I attached a patch with a tunable (shared by all roles).
The tunable (gpg_agent_manage_user_files) defaults to false.
Maybe names should be corrected.
> Another suggestion that was made to me would be to use the same type
> used by the socket ($1_gpg_agent_tmp_t). I'm not convinced there is
> actually a security equivalence, but if you can come up with a good
> argument, then I'm open to it. If that happens the type will have to be
> renamed since creating a *_tmp_t file in a user home directory is
> confusing.
I hope the above will be sufficient. My original meaning was the fewer
tunables the better (less possibility to misconfigure something...)
and therefore I wrote the patch without a tunable first.
Best Regards
--
Zito
-------------- next part --------------
Index: policy/modules/apps/gpg.if
===================================================================
--- policy/modules/apps/gpg.if.orig 2008-05-12 09:14:15.000000000 +0200
+++ policy/modules/apps/gpg.if 2008-05-12 14:51:23.000000000 +0200
@@ -212,6 +212,15 @@
manage_files_pattern($1_gpg_agent_t,$1_gpg_secret_t,$1_gpg_secret_t)
manage_lnk_files_pattern($1_gpg_agent_t,$1_gpg_secret_t,$1_gpg_secret_t)
+ tunable_policy(`gpg_agent_manage_user_files',`
+ # write ~/.gpg-agent-info or a similar to the users home dir
+ # or subdir (gpg-agent --write-env-file option)
+ #
+ userdom_user_home_dir_filetrans_user_home_content($1,$1_gpg_agent_t,file)
+ userdom_manage_user_home_content_dirs($1,$1_gpg_agent_t)
+ userdom_manage_user_home_content_files($1,$1_gpg_agent_t)
+ ')
+
# allow gpg to connect to the gpg agent
stream_connect_pattern($1_gpg_t,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t,$1_gpg_agent_t)
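Review bot: the tunable grants considerably more than its comment describes: userdom_manage_user_home_content_dirs and userdom_manage_user_home_content_files let $1_gpg_agent_t create, rename and delete any user home content directory or file, while --write-env-file only needs to create and write one info file (~/.gpg-agent-info or a path the user chooses). Consider dropping the dirs interface in favour of search/list access to home directories and keeping only the files interface plus the filetrans, or else state in the comment why full manage of home directories is required. Minor: the comment "or a similar to the users home dir" reads better as "or similar to the user's home dir".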
@@ -219,11 +228,18 @@
ps_process_pattern($2,$1_gpg_agent_t)
# Allow the user shell to signal the gpg-agent program.
- allow $2 $1_gpg_agent_t:process { signal sigkill };
+ allow $2 $1_gpg_agent_t:process { signal sigkill signull };
+ # Allow the user to manage gpg-agent tmp files (socket)
manage_dirs_pattern($2,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
manage_files_pattern($2,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
manage_sock_files_pattern($2,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
+
+ # Allow the gpg-agent to manage its tmp files (socket)
+ manage_dirs_pattern($1_gpg_agent_t,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
+ manage_files_pattern($1_gpg_agent_t,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
+ manage_sock_files_pattern($1_gpg_agent_t,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
+
files_tmp_filetrans($1_gpg_agent_t, $1_gpg_agent_tmp_t, { file sock_file dir })
# Transition from the user domain to the derived domain.
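Review bot: the three new manage_*_pattern rules for $1_gpg_agent_t on $1_gpg_agent_tmp_t are the agent's own permissions but are placed in the middle of the user-shell ($2) rules; move them up beside the other $1_gpg_agent_t file rules (next to the manage_files_pattern on $1_gpg_secret_t) so each domain's rules stay together and the files_tmp_filetrans line follows them directly. The added signull permission also deserves a word in the comment above it: it only lets the user shell check whether the agent is still alive with a null signal, which is a different purpose from the existing "signal sigkill".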
Index: policy/modules/apps/gpg.te
===================================================================
--- policy/modules/apps/gpg.te.orig 2008-05-12 09:14:15.000000000 +0200
+++ policy/modules/apps/gpg.te 2008-05-12 09:14:28.000000000 +0200
@@ -6,6 +6,13 @@
# Declarations
#
+## <desc>
+## <p>
+## Allow gpg-agent to manage user files.
+## </p>
+## </desc>
+gen_tunable(gpg_agent_manage_user_files,false)
+
# Type for gpg or pgp executables.
type gpg_exec_t;
type gpg_helper_exec_t;
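Review bot: the <desc> text "Allow gpg-agent to manage user files." understates what the boolean enables; the tunable_policy block it gates grants $1_gpg_agent_t create, write, rename and delete access to user home directory content for every role, so say that here (for example: allow gpg-agent to create and manage files and directories in user home directories, as needed for --write-env-file). This description is what ends up in the generated tunable documentation, so it should tell an administrator what they are turning on.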
-------------- next part --------------
Index: refpolicy-svn/policy/modules/apps/gpg.if
===================================================================
--- refpolicy-svn.orig/policy/modules/apps/gpg.if 2008-05-12 14:51:48.000000000 +0200
+++ refpolicy-svn/policy/modules/apps/gpg.if 2008-05-12 14:51:48.000000000 +0200
@@ -230,11 +230,6 @@
# Allow the user shell to signal the gpg-agent program.
allow $2 $1_gpg_agent_t:process { signal sigkill signull };
- # Allow the user to manage gpg-agent tmp files (socket)
- manage_dirs_pattern($2,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
- manage_files_pattern($2,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
- manage_sock_files_pattern($2,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
-
# Allow the gpg-agent to manage its tmp files (socket)
manage_dirs_pattern($1_gpg_agent_t,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
manage_files_pattern($1_gpg_agent_t,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
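Review bot: this removes the user shell's manage_dirs/manage_files/manage_sock_files access to $1_gpg_agent_tmp_t, which was pre-existing policy (those lines appear as unchanged context in the first gpg.if hunk, not as additions), so it is a tightening that goes beyond the gpg-agent change the mail describes and should be called out explicitly. Check that nothing breaks: with only the agent allowed to manage its socket directory, a user whose agent died uncleanly can no longer remove the stale socket directory under /tmp from the shell; if that is intended, say so, otherwise keep a delete-only rule for $2 in place of full manage. Also, this second diff applies on top of the first one (its context line already contains signull), so the two should be folded into a single patch before it is committed.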