[selinux-policy: 2159/3172] gpg patch from dan
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 22:11:51 UTC 2010
commit e4f73afb8ee1bd324b82470bbf4c5882fec86cb2
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Tue Jul 21 10:07:38 2009 -0400
gpg patch from dan
policy/modules/apps/gpg.fc | 4 ++--
policy/modules/apps/gpg.if | 11 ++++++++++-
policy/modules/apps/gpg.te | 28 +++++++++++++++-------------
3 files changed, 27 insertions(+), 16 deletions(-)
---
diff --git a/policy/modules/apps/gpg.fc b/policy/modules/apps/gpg.fc
index 3a42f2a..e9853d4 100644
--- a/policy/modules/apps/gpg.fc
+++ b/policy/modules/apps/gpg.fc
@@ -5,5 +5,5 @@ HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0)
/usr/bin/kgpg -- gen_context(system_u:object_r:gpg_exec_t,s0)
/usr/bin/pinentry.* -- gen_context(system_u:object_r:pinentry_exec_t,s0)
-/usr/lib/gnupg/.* -- gen_context(system_u:object_r:gpg_exec_t,s0)
-/usr/lib/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0)
+/usr/lib(64)?/gnupg/.* -- gen_context(system_u:object_r:gpg_exec_t,s0)
+/usr/lib(64)?/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0)
diff --git a/policy/modules/apps/gpg.if b/policy/modules/apps/gpg.if
index f6a5c8e..f264608 100644
--- a/policy/modules/apps/gpg.if
+++ b/policy/modules/apps/gpg.if
@@ -30,7 +30,7 @@ interface(`gpg_role',`
# allow ps to show gpg
ps_process_pattern($2, gpg_t)
- allow $2 gpg_t:process signal;
+ allow $2 gpg_t:process { signal sigkill };
# communicate with the user
allow gpg_helper_t $2:fd use;
@@ -49,6 +49,15 @@ interface(`gpg_role',`
# Transition from the user domain to the agent domain.
domtrans_pattern($2, gpg_agent_exec_t, gpg_agent_t)
+
+ ifdef(`hide_broken_symptoms',`
+ #Leaked File Descriptors
+ dontaudit gpg_t $2:fifo_file rw_fifo_file_perms;
+ dontaudit gpg_t $2:tcp_socket rw_socket_perms;
+ dontaudit gpg_t $2:udp_socket rw_socket_perms;
+ dontaudit gpg_t $2:unix_stream_socket rw_socket_perms;
+ dontaudit gpg_t $2:unix_dgram_socket rw_socket_perms;
+ ')
')
########################################
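Review bot: The `dontaudit` rules added under `hide_broken_symptoms` silence denials on the caller's `tcp_socket` and `udp_socket` as well as on fifos and unix sockets, and the only comment, `#Leaked File Descriptors`, does not say which caller leaks them. The access stays denied, but once this option is defined a descriptor that gpg_t inherits from the user domain no longer produces an AVC record, so the leak cannot be seen in the audit log. I would extend the comment to something like `# Descriptors leaked by the calling user domain; still denied, just not logged. Rebuild with semodule -DB to see these denials when investigating.` The body of `gpg_role` starts outside this hunk.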
diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te
index 1c19eb6..71bf261 100644
--- a/policy/modules/apps/gpg.te
+++ b/policy/modules/apps/gpg.te
@@ -1,5 +1,5 @@
-policy_module(gpg, 2.0.2)
+policy_module(gpg, 2.0.3)
########################################
#
@@ -60,11 +60,15 @@ ubac_constrained(gpg_pinentry_t)
allow gpg_t self:capability { ipc_lock setuid };
# setrlimit is for ulimit -c 0
-allow gpg_t self:process { signal setrlimit setcap setpgid };
+allow gpg_t self:process { signal setrlimit getcap setcap setpgid };
allow gpg_t self:fifo_file rw_fifo_file_perms;
allow gpg_t self:tcp_socket create_stream_socket_perms;
+manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
+manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
+files_tmp_filetrans(gpg_t, gpg_agent_tmp_t, { dir file })
+
# transition from the gpg domain to the helper domain
domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)
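Review bot: `files_tmp_filetrans(gpg_t, gpg_agent_tmp_t, { dir file })` makes every file or directory gpg_t creates in the tmp directory take the agent's type, and the two `manage_*_pattern` lines give gpg_t full manage access to whatever the agent keeps under that type. This merges the temporary data of two domains that the policy otherwise keeps apart, and the hunk has no comment saying why gpg_t needs it. If only gpg's own scratch files are at stake, a separate tmp type would keep the agent's files out of reach. If sharing is intended, a comment such as `# gpg and gpg-agent share temporary files under gpg_agent_tmp_t` above the three lines would record that. What gpg_agent_tmp_t actually holds is not visible here.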
@@ -73,6 +77,8 @@ manage_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
manage_lnk_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir)
+kernel_read_sysctl(gpg_t)
+
corenet_all_recvfrom_unlabeled(gpg_t)
corenet_all_recvfrom_netlabel(gpg_t)
corenet_tcp_sendrecv_generic_if(gpg_t)
@@ -95,23 +101,21 @@ files_read_etc_files(gpg_t)
files_read_usr_files(gpg_t)
files_dontaudit_search_var(gpg_t)
+auth_use_nsswitch(gpg_t)
+
miscfiles_read_localization(gpg_t)
logging_send_syslog_msg(gpg_t)
-sysnet_read_config(gpg_t)
-
userdom_use_user_terminals(gpg_t)
-optional_policy(`
- nis_use_ypbind(gpg_t)
-')
-
########################################
#
# GPG helper local policy
#
+allow gpg_helper_t self:process { getsched setsched };
+
# for helper programs (which automatically fetch keys)
# Note: this is only tested with the hkp interface. If you use eg the
# mail interface you will likely need additional permissions.
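Review bot: `auth_use_nsswitch(gpg_t)` replaces the narrower `sysnet_read_config(gpg_t)` and the optional `nis_use_ypbind(gpg_t)`. As far as I know that interface covers every name-service backend rather than just resolver configuration, so the domain that manages gpg_secret_t probably gains more than the two removed rules gave it. The interface definition is not part of this diff, so the exact delta should be checked against it and recorded in a comment, for example `# name service lookups (passwd, hosts) via nsswitch`. The new `allow gpg_helper_t self:process { getsched setsched };` also lacks a comment saying which helper needs to change its scheduling.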
@@ -136,13 +140,11 @@ corenet_tcp_bind_generic_node(gpg_helper_t)
corenet_udp_bind_generic_node(gpg_helper_t)
corenet_tcp_connect_all_ports(gpg_helper_t)
-dev_read_urand(gpg_helper_t)
-
files_read_etc_files(gpg_helper_t)
-# for nscd
-files_dontaudit_search_var(gpg_helper_t)
-sysnet_read_config(gpg_helper_t)
+auth_use_nsswitch(gpg_helper_t)
+
+userdom_use_user_terminals(gpg_helper_t)
tunable_policy(`use_nfs_home_dirs',`
fs_dontaudit_rw_nfs_files(gpg_helper_t)
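Review bot: `userdom_use_user_terminals(gpg_helper_t)` gives terminal access to the domain that the context line `corenet_tcp_connect_all_ports(gpg_helper_t)` shows talking to arbitrary remote ports, and no comment explains what the helper prints or reads there. A line such as `# helpers report key fetch errors on the user's terminal` would record the reason, if that is the reason. The hunk also drops `dev_read_urand(gpg_helper_t)` with no replacement in view; unless a rule outside this hunk grants it, a helper that needs random data would start to be denied. The `tunable_policy` block at the end continues outside the hunk.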