Hi, I'm running HEAD refpolicy on Debian Sid, but this patch is not Debian-specific this time. I have a copy of my standard bash profile on the testing machine with this snippet (from the gpg-agent man page):

if test -f $HOME/.gpg-agent-info \
   && kill -0 `cut -d: -f 2 $HOME/.gpg-agent-info` 2>/dev/null
then
  . $HOME/.gpg-agent-info
  export GPG_AGENT_INFO
  export SSH_AUTH_SOCK
  export SSH_AGENT_PID
else
  eval `gpg-agent --daemon --write-env-file`
fi

I got a number of denials for this snippet of commands. 1. Found a typo in the permissions for creating the socket in /tmp. 2. Added permission for the user to send signal 0 (see above). 3. Added permissions for writing the agent info file into the user's home directory. Regards -- Zito
Index: policy/modules/apps/gpg.if
===================================================================
--- policy/modules/apps/gpg.if	(revision 2617)
+++ policy/modules/apps/gpg.if	(working copy)
@@ -212,6 +212,12 @@
 	manage_files_pattern($1_gpg_agent_t,$1_gpg_secret_t,$1_gpg_secret_t)
 	manage_lnk_files_pattern($1_gpg_agent_t,$1_gpg_secret_t,$1_gpg_secret_t)
 
+	# write ~/.gpg-agent-info (gpg-agent --write-env-file option)
+	allow $1_gpg_agent_t { $1_home_dir_t $1_home_t }:dir add_entry_dir_perms;
+	type_transition $1_gpg_agent_t $1_home_dir_t:file $1_home_t;
+	allow $1_gpg_agent_t $1_home_t:file create_file_perms;
+	allow $1_gpg_agent_t $1_home_t:file write_file_perms;
+
 	# allow gpg to connect to the gpg agent
 	stream_connect_pattern($1_gpg_t,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t,$1_gpg_agent_t)
 
@@ -219,11 +225,11 @@
 	ps_process_pattern($2,$1_gpg_agent_t)
 
 	# Allow the user shell to signal the gpg-agent program.
-	allow $2 $1_gpg_agent_t:process { signal sigkill };
+	allow $2 $1_gpg_agent_t:process { signal sigkill signull };
 
-	manage_dirs_pattern($2,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
-	manage_files_pattern($2,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
-	manage_sock_files_pattern($2,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
+	manage_dirs_pattern($1_gpg_agent_t,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
+	manage_files_pattern($1_gpg_agent_t,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
+	manage_sock_files_pattern($1_gpg_agent_t,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
 	files_tmp_filetrans($1_gpg_agent_t, $1_gpg_agent_tmp_t, { file sock_file dir })
 
 	# Transition from the user domain to the derived domain.
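Review bot: The added `allow $1_gpg_agent_t $1_home_t:file create_file_perms;` and `write_file_perms;` rules, together with `add_entry_dir_perms` on `{ $1_home_dir_t $1_home_t }:dir`, let the agent create and overwrite any generic-typed file anywhere in the user's home, while the comment on the first added line names only `~/.gpg-agent-info`. If that breadth is accepted, the comment should state it so the grant is not mistaken for a single-file exception, e.g. `# write ~/.gpg-agent-info via --write-env-file; this grants create/write on all generic user home content ($1_home_t)`; otherwise a dedicated file type for the agent's home content, with the transition pointed at it instead of `$1_home_t`, would confine the write to that type. As a point of style, refpolicy .if files usually reach the user home types through the userdom_* interfaces rather than raw `allow` rules on `$1_home_t` and `$1_home_dir_t`, so the module keeps building if those types change. The enclosing template starts and ends outside the hunk.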
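Review bot: The three `manage_*_pattern` lines swap the subject from `$2` to `$1_gpg_agent_t` instead of adding the agent's rules beside the user domain's, so in the same change the user domain loses the ability to manage `$1_gpg_agent_tmp_t` dirs, files and sock_files. The `kill -0` test in the quoted profile is exactly the case where the agent has died and its socket directory is left behind in /tmp, and if the user shell is expected to remove that leftover the removal now denies; whether that was ever relied on cannot be told from the hunk, so confirm against the audit log before dropping the `$2` rules, or keep both sets. The `signull` addition on the `allow $2 $1_gpg_agent_t:process` line is what `kill -0` needs and looks correct. The enclosing template starts and ends outside the hunk.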