policy_module(gpg, 2.7.3)

########################################
#
# Declarations
#
attribute gpgdomain;

## <desc>
##	<p>
##	Determine whether GPG agent can manage
##	generic user home content files. This is
##	required by the --write-env-file option.
##	</p>
## </desc>
gen_tunable(gpg_agent_env_file, false)

<<<<<<< HEAD
## <desc>
## <p>
## Allow gpg web domain to modify public files
## used for public file transfer services.
## </p>
## </desc>
gen_tunable(gpg_web_anon_write, false)

type gpg_t, gpgdomain;
type gpg_exec_t;
typealias gpg_t alias { user_gpg_t staff_gpg_t sysadm_gpg_t };
typealias gpg_t alias { auditadm_gpg_t secadm_gpg_t };
application_domain(gpg_t, gpg_exec_t)
ubac_constrained(gpg_t)
role system_r types gpg_t;
=======
attribute_role gpg_roles;
roleattribute system_r gpg_roles;

attribute_role gpg_agent_roles;

attribute_role gpg_helper_roles;
roleattribute system_r gpg_helper_roles;

attribute_role gpg_pinentry_roles;

type gpg_t;
type gpg_exec_t;
typealias gpg_t alias { user_gpg_t staff_gpg_t sysadm_gpg_t };
typealias gpg_t alias { auditadm_gpg_t secadm_gpg_t };
userdom_user_application_domain(gpg_t, gpg_exec_t)
role gpg_roles types gpg_t;
>>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a

type gpg_agent_t;
type gpg_agent_exec_t;
typealias gpg_agent_t alias { user_gpg_agent_t staff_gpg_agent_t sysadm_gpg_agent_t };
typealias gpg_agent_t alias { auditadm_gpg_agent_t secadm_gpg_agent_t };
<<<<<<< HEAD
application_domain(gpg_agent_t, gpg_agent_exec_t)
ubac_constrained(gpg_agent_t)
=======
userdom_user_application_domain(gpg_agent_t, gpg_agent_exec_t)
role gpg_agent_roles types gpg_agent_t;
>>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a

type gpg_agent_tmp_t;
typealias gpg_agent_tmp_t alias { user_gpg_agent_tmp_t staff_gpg_agent_tmp_t sysadm_gpg_agent_tmp_t };
typealias gpg_agent_tmp_t alias { auditadm_gpg_agent_tmp_t secadm_gpg_agent_tmp_t };
files_tmp_file(gpg_agent_tmp_t)
ubac_constrained(gpg_agent_tmp_t)

type gpg_secret_t;
typealias gpg_secret_t alias { user_gpg_secret_t staff_gpg_secret_t sysadm_gpg_secret_t };
typealias gpg_secret_t alias { auditadm_gpg_secret_t secadm_gpg_secret_t };
userdom_user_home_content(gpg_secret_t)

type gpg_helper_t;
type gpg_helper_exec_t;
typealias gpg_helper_t alias { user_gpg_helper_t staff_gpg_helper_t sysadm_gpg_helper_t };
typealias gpg_helper_t alias { auditadm_gpg_helper_t secadm_gpg_helper_t };
<<<<<<< HEAD
application_domain(gpg_helper_t, gpg_helper_exec_t)
ubac_constrained(gpg_helper_t)
role system_r types gpg_helper_t;
=======
userdom_user_application_domain(gpg_helper_t, gpg_helper_exec_t)
role gpg_helper_roles types gpg_helper_t;
>>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a

type gpg_pinentry_t;
type pinentry_exec_t;
typealias gpg_pinentry_t alias { user_gpg_pinentry_t staff_gpg_pinentry_t sysadm_gpg_pinentry_t };
typealias gpg_pinentry_t alias { auditadm_gpg_pinentry_t secadm_gpg_pinentry_t };
<<<<<<< HEAD
application_domain(gpg_pinentry_t, pinentry_exec_t)
ubac_constrained(gpg_pinentry_t)
=======
userdom_user_application_domain(gpg_pinentry_t, pinentry_exec_t)
role gpg_pinentry_roles types gpg_pinentry_t;
>>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a

type gpg_pinentry_tmp_t;
files_tmp_file(gpg_pinentry_tmp_t)
ubac_constrained(gpg_pinentry_tmp_t)

type gpg_pinentry_tmpfs_t;
files_tmpfs_file(gpg_pinentry_tmpfs_t)
ubac_constrained(gpg_pinentry_tmpfs_t)

type gpg_web_t;
domain_type(gpg_web_t)
gpg_entry_type(gpg_web_t)
role system_r types gpg_web_t;

optional_policy(`
	pulseaudio_tmpfs_content(gpg_pinentry_tmpfs_t)
')

########################################
#
# Local policy
#

<<<<<<< HEAD
allow gpgdomain self:capability { ipc_lock setuid };
allow gpgdomain self:process { getsched setsched };
#at setrlimit is for ulimit -c 0
allow gpgdomain self:process { signal signull setrlimit getcap setcap setpgid };
dontaudit gpgdomain self:netlink_audit_socket r_netlink_socket_perms;

allow gpgdomain self:fifo_file rw_fifo_file_perms;
allow gpgdomain self:tcp_socket create_stream_socket_perms;
=======
allow gpg_t self:capability { ipc_lock setuid };
allow gpg_t self:process { signal signull setrlimit getcap setcap getsched setsched setpgid };
dontaudit gpg_t self:netlink_audit_socket r_netlink_socket_perms;
allow gpg_t self:fifo_file rw_fifo_file_perms;
allow gpg_t self:tcp_socket { accept listen };
>>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a

manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
files_tmp_filetrans(gpg_t, gpg_agent_tmp_t, { dir file })

<<<<<<< HEAD
domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)

# transition from the gpg domain to the helper domain
domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)

allow gpg_t gpg_secret_t:dir create_dir_perms;
=======
manage_dirs_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
>>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
manage_sock_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
manage_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
manage_lnk_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir, ".gnupg")

stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)

domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)

kernel_read_sysctl(gpg_t)

corecmd_exec_shell(gpg_t)
corecmd_exec_bin(gpg_t)

corenet_all_recvfrom_netlabel(gpg_t)
corenet_tcp_sendrecv_generic_if(gpg_t)
corenet_tcp_sendrecv_generic_node(gpg_t)

corenet_sendrecv_all_client_packets(gpg_t)
corenet_tcp_connect_all_ports(gpg_t)
corenet_tcp_sendrecv_all_ports(gpg_t)

dev_read_generic_usb_dev(gpg_t)
dev_read_rand(gpg_t)
dev_read_urand(gpg_t)

files_read_usr_files(gpg_t)
files_dontaudit_search_var(gpg_t)

fs_getattr_xattr_fs(gpg_t)
fs_list_inotifyfs(gpg_t)

domain_use_interactive_fds(gpg_t)

<<<<<<< HEAD
files_read_usr_files(gpg_t)
files_dontaudit_search_var(gpg_t)

=======
>>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
auth_use_nsswitch(gpg_t)

logging_send_syslog_msg(gpg_t)

<<<<<<< HEAD
userdom_use_inherited_user_terminals(gpg_t)
# sign/encrypt user files
userdom_manage_all_user_tmp_content(gpg_t)
#userdom_manage_user_home_content(gpg_t)
=======
miscfiles_read_localization(gpg_t)

userdom_use_user_terminals(gpg_t)

userdom_manage_user_tmp_files(gpg_t)
>>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
userdom_manage_user_home_content_files(gpg_t)
userdom_manage_user_home_content_dirs(gpg_t)
userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)
userdom_stream_connect(gpg_t)

<<<<<<< HEAD
mta_manage_config(gpg_t)
mta_read_spool(gpg_t)

userdom_home_manager(gpg_t)
=======
tunable_policy(`use_nfs_home_dirs',`
	fs_manage_nfs_dirs(gpg_t)
	fs_manage_nfs_files(gpg_t)
')
>>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a

optional_policy(`
	gnome_read_config(gpg_t)
	gnome_stream_connect_gkeyringd(gpg_t)
')

optional_policy(`
	gnome_read_generic_home_content(gpg_t)
	gnome_stream_connect_all_gkeyringd(gpg_t)
')

optional_policy(`
<<<<<<< HEAD
=======
	mozilla_dontaudit_rw_user_home_files(gpg_t)
')

optional_policy(`
	mta_read_spool_files(gpg_t)
	mta_write_config(gpg_t)
')

optional_policy(`
>>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
	spamassassin_read_spamd_tmp_files(gpg_t)
')

optional_policy(`
	xserver_use_xdm_fds(gpg_t)
	xserver_rw_xdm_pipes(gpg_t)
')

<<<<<<< HEAD
#optional_policy(`
#	cron_system_entry(gpg_t, gpg_exec_t)
#	cron_read_system_job_tmp_files(gpg_t)
#')
=======
optional_policy(`
	xserver_use_xdm_fds(gpg_t)
	xserver_rw_xdm_pipes(gpg_t)
')
>>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a

########################################
#
# Helper local policy
#

allow gpg_helper_t self:process { getsched setsched };
allow gpg_helper_t self:unix_stream_socket create_stream_socket_perms;

dontaudit gpg_helper_t gpg_secret_t:file read_file_perms;

corenet_all_recvfrom_netlabel(gpg_helper_t)
corenet_tcp_sendrecv_generic_if(gpg_helper_t)
corenet_tcp_sendrecv_generic_node(gpg_helper_t)
corenet_tcp_sendrecv_all_ports(gpg_helper_t)

<<<<<<< HEAD
=======
corenet_sendrecv_all_client_packets(gpg_helper_t)
corenet_tcp_connect_all_ports(gpg_helper_t)
>>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a

auth_use_nsswitch(gpg_helper_t)

userdom_use_inherited_user_terminals(gpg_helper_t)

tunable_policy(`use_nfs_home_dirs',`
	fs_dontaudit_rw_nfs_files(gpg_helper_t)
')

tunable_policy(`use_samba_home_dirs',`
	fs_dontaudit_rw_cifs_files(gpg_helper_t)
')

########################################
#
# Agent local policy
#
domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)

allow gpg_agent_t self:process setrlimit;
<<<<<<< HEAD

allow gpg_agent_t self:unix_stream_socket { create_stream_socket_perms connectto } ;
=======
allow gpg_agent_t self:unix_stream_socket { create_stream_socket_perms connectto };
>>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
allow gpg_agent_t self:fifo_file rw_fifo_file_perms;

manage_dirs_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
manage_sock_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)

manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })

filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "log-socket")

domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t)

kernel_dontaudit_search_sysctl(gpg_agent_t)

corecmd_exec_shell(gpg_agent_t)

dev_read_rand(gpg_agent_t)
dev_read_urand(gpg_agent_t)

domain_use_interactive_fds(gpg_agent_t)

fs_dontaudit_list_inotifyfs(gpg_agent_t)


<<<<<<< HEAD
# Write to the user domain tty.
userdom_use_inherited_user_terminals(gpg_agent_t)
# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
=======
userdom_use_user_terminals(gpg_agent_t)
>>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
userdom_search_user_home_dirs(gpg_agent_t)

ifdef(`hide_broken_symptoms',`
	userdom_dontaudit_read_user_tmp_files(gpg_agent_t)
	userdom_dontaudit_write_user_tmp_files(gpg_agent_t)
')

tunable_policy(`gpg_agent_env_file',`
<<<<<<< HEAD
	# write ~/.gpg-agent-info or a similar to the users home dir
	# or subdir (gpg-agent --write-env-file option)
	#
	userdom_user_home_dir_filetrans_user_home_content(gpg_agent_t, { dir file })
=======
>>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
	userdom_manage_user_home_content_dirs(gpg_agent_t)
	userdom_manage_user_home_content_files(gpg_agent_t)
	userdom_user_home_dir_filetrans_user_home_content(gpg_agent_t, file)
')

userdom_home_manager(gpg_agent_t)

optional_policy(`
	mozilla_dontaudit_rw_user_home_files(gpg_agent_t)
')

##############################
#
# Pinentry local policy
#

allow gpg_pinentry_t self:process { getcap getsched setsched signal };
allow gpg_pinentry_t self:fifo_file rw_fifo_file_perms;
allow gpg_pinentry_t self:shm create_shm_perms;
allow gpg_pinentry_t self:tcp_socket { accept listen };

manage_sock_files_pattern(gpg_pinentry_t, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
userdom_user_tmp_filetrans(gpg_pinentry_t, gpg_pinentry_tmp_t, sock_file)

manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
manage_files_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir })

can_exec(gpg_pinentry_t, pinentry_exec_t)

kernel_read_system_state(gpg_pinentry_t)

corecmd_exec_shell(gpg_pinentry_t)
corecmd_exec_bin(gpg_pinentry_t)

corenet_all_recvfrom_netlabel(gpg_pinentry_t)
<<<<<<< HEAD
corenet_sendrecv_pulseaudio_client_packets(gpg_pinentry_t)
corenet_tcp_bind_generic_node(gpg_pinentry_t)
corenet_tcp_connect_pulseaudio_port(gpg_pinentry_t)
=======
corenet_all_recvfrom_unlabeled(gpg_pinentry_t)
>>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
corenet_tcp_sendrecv_generic_if(gpg_pinentry_t)
corenet_tcp_sendrecv_generic_node(gpg_pinentry_t)

dev_read_urand(gpg_pinentry_t)
dev_read_rand(gpg_pinentry_t)

domain_use_interactive_fds(gpg_pinentry_t)

files_read_usr_files(gpg_pinentry_t)
<<<<<<< HEAD
# read /etc/X11/qtrc
=======
>>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a

fs_dontaudit_list_inotifyfs(gpg_pinentry_t)

auth_use_nsswitch(gpg_pinentry_t)

logging_send_syslog_msg(gpg_pinentry_t)

miscfiles_read_fonts(gpg_pinentry_t)

<<<<<<< HEAD
# for .Xauthority
userdom_read_user_home_content_files(gpg_pinentry_t)
userdom_read_user_tmpfs_files(gpg_pinentry_t)
# Bug: user pulseaudio files need open,read and unlink:
allow gpg_pinentry_t user_tmpfs_t:file unlink;
userdom_signull_unpriv_users(gpg_pinentry_t)
=======
>>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
userdom_use_user_terminals(gpg_pinentry_t)

userdom_home_reader(gpg_pinentry_t)

optional_policy(`
	gnome_read_home_config(gpg_pinentry_t)
')

optional_policy(`
	dbus_all_session_bus_client(gpg_pinentry_t)
	dbus_system_bus_client(gpg_pinentry_t)
')

optional_policy(`
<<<<<<< HEAD
	gnome_write_generic_cache_files(gpg_pinentry_t)
	gnome_read_generic_cache_files(gpg_pinentry_t)
	gnome_read_gconf_home_files(gpg_pinentry_t)
')

optional_policy(`
	pulseaudio_exec(gpg_pinentry_t)
	pulseaudio_rw_home_files(gpg_pinentry_t)
	pulseaudio_setattr_home_dir(gpg_pinentry_t)
	pulseaudio_stream_connect(gpg_pinentry_t)
	pulseaudio_signull(gpg_pinentry_t)
=======
	pulseaudio_run(gpg_pinentry_t, gpg_pinentry_roles)
>>>>>>> 662a00bca8f52af8056f41abd0fdec77ea835b2a
')

optional_policy(`
	xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t)

')

#############################
#
# gpg web local policy
#

allow gpg_web_t self:process setrlimit;

dev_read_rand(gpg_web_t)
dev_read_urand(gpg_web_t)

can_exec(gpg_web_t, gpg_exec_t)

files_read_usr_files(gpg_web_t)


apache_dontaudit_rw_tmp_files(gpg_web_t)
apache_manage_sys_content_rw(gpg_web_t)

tunable_policy(`gpg_web_anon_write',`
    miscfiles_manage_public_files(gpg_web_t)
')