[refpolicy] [PATCH 9/9] Add dirmngr support

From: bigon@debian.org (Laurent Bigonville)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH 9/9] Add dirmngr support
Date: Tue,  4 Sep 2012 23:37:28 +0200	[thread overview]
Message-ID: <1346794648-27101-9-git-send-email-bigon@debian.org> (raw)
In-Reply-To: <1346794648-27101-1-git-send-email-bigon@debian.org>

From: Russell Coker <russell@coker.com.au>

---
 dirmngr.fc |    9 +++++++++
 dirmngr.if |    1 +
 dirmngr.te |   57 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 67 insertions(+)
 create mode 100644 dirmngr.fc
 create mode 100644 dirmngr.if
 create mode 100644 dirmngr.te

diff --git a/dirmngr.fc b/dirmngr.fc
new file mode 100644
index 0000000..f4a88e0
--- /dev/null
+++ b/dirmngr.fc
@@ -0,0 +1,9 @@
+/etc/dirmngr(/.*)?		gen_context(system_u:object_r:dirmngr_conf_t,s0)
+
+/usr/bin/dirmngr		--	gen_context(system_u:object_r:dirmngr_exec_t,s0)
+
+# labelling for PID file that is created by init script
+/var/run/dirmngr\.pid	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
+/var/run/dirmngr(/.*)?		gen_context(system_u:object_r:dirmngr_var_run_t,s0)
+/var/log/dirmngr(/.*)?		gen_context(system_u:object_r:dirmngr_log_t,s0)
+/var/lib/dirmngr(/.*)?		gen_context(system_u:object_r:dirmngr_data_t,s0)
diff --git a/dirmngr.if b/dirmngr.if
new file mode 100644
index 0000000..3eb6a30
--- /dev/null
+++ b/dirmngr.if
@@ -0,0 +1 @@
+## <summary></summary>
diff --git a/dirmngr.te b/dirmngr.te
new file mode 100644
index 0000000..f7f7df3
--- /dev/null
+++ b/dirmngr.te
@@ -0,0 +1,57 @@
+policy_module(dirmngr, 1.10.0)
+
+########################################
+#
+# Declarations
+#
+
+type dirmngr_t;
+type dirmngr_exec_t;
+init_daemon_domain(dirmngr_t, dirmngr_exec_t)
+
+# type for /var/cache/dirmngr
+type dirmngr_data_t;
+files_type(dirmngr_data_t)
+
+type dirmngr_conf_t;
+files_type(dirmngr_conf_t)
+
+type dirmngr_initrc_exec_t;
+init_script_file(dirmngr_initrc_exec_t)
+
+type dirmngr_log_t;
+logging_log_file(dirmngr_log_t)
+
+type dirmngr_var_run_t;
+files_pid_file(dirmngr_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow dirmngr_t dirmngr_var_run_t:sock_file manage_file_perms;
+allow dirmngr_t self:fifo_file rw_file_perms;
+files_list_var_lib(dirmngr_t)
+files_read_etc_files(dirmngr_t)
+files_read_var_files(dirmngr_t)
+kernel_read_crypto_sysctls(dirmngr_t)
+logging_read_generic_logs(dirmngr_t)
+miscfiles_read_localization(dirmngr_t)
+
+
+# Grant permissions to create, access, and delete cache files.
+manage_dirs_pattern(dirmngr_t, dirmngr_data_t, dirmngr_data_t)
+manage_files_pattern(dirmngr_t, dirmngr_data_t, dirmngr_data_t)
+manage_lnk_files_pattern(dirmngr_t, dirmngr_data_t, dirmngr_data_t)
+
+allow dirmngr_t dirmngr_conf_t:dir list_dir_perms;
+read_files_pattern(dirmngr_t, dirmngr_conf_t, dirmngr_conf_t)
+read_lnk_files_pattern(dirmngr_t, dirmngr_conf_t, dirmngr_conf_t)
+
+manage_dirs_pattern(dirmngr_t, dirmngr_log_t, dirmngr_log_t)
+manage_files_pattern(dirmngr_t, dirmngr_log_t, dirmngr_log_t)
+logging_log_filetrans(dirmngr_t, dirmngr_log_t, { file dir })
+
+manage_files_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t)
+files_pid_filetrans(dirmngr_t, dirmngr_var_run_t, { file sock_file })
-- 
1.7.10.4
