psss / rpms / selinux-policy

Forked from rpms/selinux-policy 5 years ago
Clone
Source Code
GIT

Files

  1.   e38bdeffa070b45bbdee9f0fe6fa5cf336f8d606
  2.   gpg.if
Blob Blame History Raw 
## <summary>Policy for GNU Privacy Guard and related programs.</summary>

############################################################
## <summary>
##	Role access for gpg.
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role.
##	</summary>
## </param>
#
interface(`gpg_role',`
	gen_require(`
		attribute_role gpg_roles, gpg_agent_roles, gpg_helper_roles, gpg_pinentry_roles;
		type gpg_t, gpg_exec_t, gpg_agent_t;
		type gpg_agent_exec_t, gpg_agent_tmp_t, gpg_helper_t;
		type gpg_pinentry_t, gpg_pinentry_tmp_t, gpg_secret_t;
	')

	roleattribute $1 gpg_roles;
	roleattribute $1 gpg_agent_roles;
	roleattribute $1 gpg_helper_roles;
	roleattribute $1 gpg_pinentry_roles;

	domtrans_pattern($2, gpg_exec_t, gpg_t)
	domtrans_pattern($2, gpg_agent_exec_t, gpg_agent_t)

	allow $2 { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t }:process { ptrace signal_perms };
	ps_process_pattern($2, { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t })

	allow gpg_pinentry_t $2:process signull;
	allow gpg_helper_t $2:fd use;
	allow { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t } $2:fifo_file { read write };

	allow $2 { gpg_agent_tmp_t gpg_secret_t }:dir { manage_dir_perms relabel_dir_perms };
	allow $2 { gpg_agent_tmp_t gpg_secret_t }:file { manage_file_perms relabel_file_perms };
	allow $2 gpg_secret_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
	allow $2 { gpg_agent_tmp_t gpg_pinentry_tmp_t gpg_secret_t }:sock_file { manage_sock_file_perms relabel_sock_file_perms };
	filetrans_pattern($2, gpg_secret_t, gpg_agent_tmp_t, sock_file, "log-socket")
	userdom_user_home_dir_filetrans($2, gpg_secret_t, dir, ".gnupg")

	optional_policy(`
		gpg_pinentry_dbus_chat($2)
	')
')

########################################
## <summary>
##	Execute the gpg in the gpg domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`gpg_domtrans',`
	gen_require(`
		type gpg_t, gpg_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, gpg_exec_t, gpg_t)
')

########################################
## <summary>
##	Execute the gpg in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gpg_exec',`
	gen_require(`
		type gpg_exec_t;
	')

	corecmd_search_bin($1)
	can_exec($1, gpg_exec_t)
')

########################################
## <summary>
##	Execute gpg in a specified domain.
## </summary>
## <desc>
##	<p>
##	Execute gpg in a specified domain.
##	</p>
##	<p>
##	No interprocess communication (signals, pipes,
##	etc.) is provided by this interface since
##	the domains are not owned by this module.
##	</p>
## </desc>
## <param name="source_domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="target_domain">
##	<summary>
##	Domain to transition to.
##	</summary>
## </param>
#
interface(`gpg_spec_domtrans',`
	gen_require(`
		type gpg_exec_t;
	')

	corecmd_search_bin($1)
	domain_auto_trans($1, gpg_exec_t, $2)
')

######################################
## <summary>
##	Execute gpg in the gpg web domain.  (Deprecated)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`gpg_domtrans_web',`
	refpolicywarn(`$0($*) has been deprecated.')
')

######################################
## <summary>
##	Make gpg executable files an
##	entrypoint for the specified domain.
## </summary>
## <param name="domain">
##	<summary>
##	The domain for which gpg_exec_t is an entrypoint.
##	</summary>
## </param>
#
interface(`gpg_entry_type',`
	gen_require(`
		type gpg_exec_t;
	')

	domain_entry_file($1, gpg_exec_t)
')

########################################
## <summary>
##	Send generic signals to gpg.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gpg_signal',`
	gen_require(`
		type gpg_t;
	')

	allow $1 gpg_t:process signal;
')

########################################
## <summary>
##	Read and write gpg agent pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gpg_rw_agent_pipes',`
	gen_require(`
		type gpg_agent_t;
	')

	allow $1 gpg_agent_t:fifo_file rw_fifo_file_perms;
')

########################################
## <summary>
##	Send messages to and from gpg
##	pinentry over DBUS.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gpg_pinentry_dbus_chat',`
	gen_require(`
		type gpg_pinentry_t;
		class dbus send_msg;
	')

	allow $1 gpg_pinentry_t:dbus send_msg;
	allow gpg_pinentry_t $1:dbus send_msg;
')

########################################
## <summary>
##	List gpg user secrets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gpg_list_user_secrets',`
	gen_require(`
		type gpg_secret_t;
	')

	list_dirs_pattern($1, gpg_secret_t, gpg_secret_t)
	userdom_search_user_home_dirs($1)
')
Powered by Pagure 5.14.1
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.