From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 59016139085 for ; Fri, 13 Jan 2017 18:43:46 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 783A1234142; Fri, 13 Jan 2017 18:43:23 +0000 (UTC) Received: from smtp.gentoo.org (mail.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 49D35234142 for ; Fri, 13 Jan 2017 18:43:18 +0000 (UTC) Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 64BC1341808 for ; Fri, 13 Jan 2017 18:43:15 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id 19A372642 for ; Fri, 13 Jan 2017 18:43:11 +0000 (UTC) 
From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: <1484332924.d49992a94bdadb621c569535a9c2b20fdd273cd7.swift@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/contrib/gpg.fc policy/modules/contrib/gpg.te X-VCS-Directories: policy/modules/contrib/ X-VCS-Committer: swift X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: d49992a94bdadb621c569535a9c2b20fdd273cd7 X-VCS-Branch: master Date: Fri, 13 Jan 2017 18:43:11 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 89bdbadb-9da0-423c-8798-e12da986eae7 X-Archives-Hash: 3c33593cebbcb516ffeccb7e1aae72a9 commit: d49992a94bdadb621c569535a9c2b20fdd273cd7 Author: cgzones googlemail com> AuthorDate: Sun Jan 8 14:10:29 2017 +0000 Commit: Sven Vermeulen gentoo org> CommitDate: Fri Jan 13 18:42:04 2017 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d49992a9 update gpg module * remove dead type aliases * prefix pinentry_exec_t with gpg module name policy/modules/contrib/gpg.fc | 22 +++++++++++----------- policy/modules/contrib/gpg.te | 23 +++++++---------------- 2 files changed, 18 insertions(+), 27 deletions(-)
diff --git a/policy/modules/contrib/gpg.fc b/policy/modules/contrib/gpg.fc
index da72db0..c428eb5 100644
--- a/policy/modules/contrib/gpg.fc
+++ b/policy/modules/contrib/gpg.fc
@@ -1,14 +1,14 @@
-HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0)
-HOME_DIR/\.gnupg/log-socket -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
-HOME_DIR/\.gnupg/S\.gpg-agent.* -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
-HOME_DIR/\.gnupg/S\.scdaemon -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
+HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0)
+HOME_DIR/\.gnupg/log-socket -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
+HOME_DIR/\.gnupg/S\.gpg-agent.* -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
+HOME_DIR/\.gnupg/S\.scdaemon -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
 
-/usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0)
-/usr/bin/gpgsm -- gen_context(system_u:object_r:gpg_exec_t,s0)
-/usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0)
-/usr/bin/pinentry.* -- gen_context(system_u:object_r:pinentry_exec_t,s0)
+/usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0)
+/usr/bin/gpgsm -- gen_context(system_u:object_r:gpg_exec_t,s0)
+/usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0)
+/usr/bin/pinentry.* -- gen_context(system_u:object_r:gpg_pinentry_exec_t,s0)
 
-/usr/lib/gnupg/.* -- gen_context(system_u:object_r:gpg_exec_t,s0)
-/usr/lib/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0)
+/usr/lib/gnupg/.* -- gen_context(system_u:object_r:gpg_exec_t,s0)
+/usr/lib/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0)
 
-/run/user/%{USERID}/gnupg(/.*)? gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
+/run/user/%{USERID}/gnupg(/.*)? gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
index 62f5827..dca3a22 100644
--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -26,40 +26,29 @@ attribute_role gpg_pinentry_roles;
 
 type gpg_t;
 type gpg_exec_t;
-typealias gpg_t alias { user_gpg_t staff_gpg_t sysadm_gpg_t };
-typealias gpg_t alias { auditadm_gpg_t secadm_gpg_t };
 userdom_user_application_domain(gpg_t, gpg_exec_t)
 role gpg_roles types gpg_t;
 
 type gpg_agent_t;
 type gpg_agent_exec_t;
-typealias gpg_agent_t alias { user_gpg_agent_t staff_gpg_agent_t sysadm_gpg_agent_t };
-typealias gpg_agent_t alias { auditadm_gpg_agent_t secadm_gpg_agent_t };
 userdom_user_application_domain(gpg_agent_t, gpg_agent_exec_t)
 role gpg_agent_roles types gpg_agent_t;
 
 type gpg_agent_tmp_t;
-typealias gpg_agent_tmp_t alias { user_gpg_agent_tmp_t staff_gpg_agent_tmp_t sysadm_gpg_agent_tmp_t };
-typealias gpg_agent_tmp_t alias { auditadm_gpg_agent_tmp_t secadm_gpg_agent_tmp_t };
 userdom_user_tmp_file(gpg_agent_tmp_t)
 
 type gpg_secret_t;
-typealias gpg_secret_t alias { user_gpg_secret_t staff_gpg_secret_t sysadm_gpg_secret_t };
-typealias gpg_secret_t alias { auditadm_gpg_secret_t secadm_gpg_secret_t };
 userdom_user_home_content(gpg_secret_t)
 
 type gpg_helper_t;
 type gpg_helper_exec_t;
-typealias gpg_helper_t alias { user_gpg_helper_t staff_gpg_helper_t sysadm_gpg_helper_t };
-typealias gpg_helper_t alias { auditadm_gpg_helper_t secadm_gpg_helper_t };
 userdom_user_application_domain(gpg_helper_t, gpg_helper_exec_t)
 role gpg_helper_roles types gpg_helper_t;
 
 type gpg_pinentry_t;
-type pinentry_exec_t;
-typealias gpg_pinentry_t alias { user_gpg_pinentry_t staff_gpg_pinentry_t sysadm_gpg_pinentry_t };
-typealias gpg_pinentry_t alias { auditadm_gpg_pinentry_t secadm_gpg_pinentry_t };
-userdom_user_application_domain(gpg_pinentry_t, pinentry_exec_t)
+type gpg_pinentry_exec_t;
+typealias gpg_pinentry_exec_t alias pinentry_exec_t; # 20170105
+userdom_user_application_domain(gpg_pinentry_t, gpg_pinentry_exec_t)
 role gpg_pinentry_roles types gpg_pinentry_t;
 
 type gpg_pinentry_tmp_t;
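Review bot: The compatibility alias `typealias gpg_pinentry_exec_t alias pinentry_exec_t; # 20170105` carries only a date, so a later reader cannot tell whether the alias is meant to stay or to be dropped once the file contexts and callers in other modules use the new name. A comment such as `# 20170105: deprecated alias, keeps files still labelled pinentry_exec_t and external callers working until they move to gpg_pinentry_exec_t` would record both the intent and the removal condition. The same hunk drops the user_/staff_/sysadm_/auditadm_/secadm_ aliases on every gpg type without a replacement; the commit message calls them dead, which was presumably checked against this tree but would break any local or out-of-tree policy that still references those names, so the commit message or a comment could say where that was verified.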
@@ -99,6 +88,8 @@ domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
 domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)
 
 kernel_read_sysctl(gpg_t)
+# read /proc/cpuinfo
+kernel_read_system_state(gpg_t)
 
 corecmd_exec_shell(gpg_t)
 corecmd_exec_bin(gpg_t)
@@ -235,7 +226,7 @@ filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-
 filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.gpg-agent.ssh")
 filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "S.scdaemon")
 
-domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t)
+domtrans_pattern(gpg_agent_t, gpg_pinentry_exec_t, gpg_pinentry_t)
 
 kernel_dontaudit_search_sysctl(gpg_agent_t)
 kernel_read_core_if(gpg_agent_t)
@@ -305,7 +296,7 @@ manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
 manage_files_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
 fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir })
 
-can_exec(gpg_pinentry_t, pinentry_exec_t)
+can_exec(gpg_pinentry_t, gpg_pinentry_exec_t)
 
 kernel_read_system_state(gpg_pinentry_t)
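Review bot: The comment `# read /proc/cpuinfo` above the new `kernel_read_system_state(gpg_t)` understates the grant: that interface gives gpg_t read access to generic proc_t content, not just cpuinfo, so anyone auditing what gpg_t can reach would be misled by the comment. Suggest `# read /proc/cpuinfo (presumably CPU feature detection); kernel_read_system_state() grants read on proc_t generally`. Whether a narrower interface covering cpuinfo alone exists is not visible here; if none does, the wider comment at least records the scope that was accepted. The gpg_t rule block this hunk sits in starts and ends outside the hunk.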