selinux-refpolicy.vger.kernel.org archive mirror
* [refpolicy] [PATCH 1/5] gssproxy: allow kerberos nfs filetrans
@ 2017-12-13 18:17 Jason Zaman
  2017-12-13 18:17 ` [refpolicy] [PATCH 2/5] dirmngr: allow filetrans in gpg_runtime_t Jason Zaman
                   ` (4 more replies)
  0 siblings, 5 replies; 11+ messages in thread
From: Jason Zaman @ 2017-12-13 18:17 UTC (permalink / raw)
  To: refpolicy

---
 gssproxy.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gssproxy.te b/gssproxy.te
index c1dcc55..dc7f0e6 100644
--- a/gssproxy.te
+++ b/gssproxy.te
@@ -63,4 +63,5 @@ optional_policy(`
 	kerberos_manage_host_rcache(gssproxy_t)
 	kerberos_read_keytab(gssproxy_t)
 	kerberos_use(gssproxy_t)
+	kerberos_tmp_filetrans_host_rcache(gssproxy_t, file, "nfs_0")
 ')
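Review bot: the added `kerberos_tmp_filetrans_host_rcache(gssproxy_t, file, "nfs_0")` line applies the transition only to a file named exactly "nfs_0", so a file that gssproxy creates under any other name is not covered by it. Unless a type transition conflict forces the name, drop the third argument; if the restriction is intended, say why in the commit message, which is currently empty.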
-- 
2.13.6


* [refpolicy] [PATCH 2/5] dirmngr: allow filetrans in gpg_runtime_t
  2017-12-13 18:17 [refpolicy] [PATCH 1/5] gssproxy: allow kerberos nfs filetrans Jason Zaman
@ 2017-12-13 18:17 ` Jason Zaman
  2017-12-13 23:21   ` Chris PeBenito
  2017-12-13 18:17 ` [refpolicy] [PATCH 3/5] gpg: Add gpg_agent_use_card boolean for OpenPGP cards Jason Zaman
                   ` (3 subsequent siblings)
  4 siblings, 1 reply; 11+ messages in thread
From: Jason Zaman @ 2017-12-13 18:17 UTC (permalink / raw)
  To: refpolicy

commit 1b9cd3bd9c44732bdf756301408582bcfe9073c9
("gpg: manage user runtime socket files and directories")
changed /run/user/%{USERID}/gnupg/ to gpg_runtime_t, so the filetrans
for gpg_agent_tmp_t needs updating.
---
 dirmngr.te |  3 +++
 gpg.if     | 19 +++++++++++++++++++
 2 files changed, 22 insertions(+)

diff --git a/dirmngr.te b/dirmngr.te
index 8f4cb99..75833a4 100644
--- a/dirmngr.te
+++ b/dirmngr.te
@@ -69,6 +69,7 @@ dev_read_rand(dirmngr_t)
 sysnet_dns_name_resolve(dirmngr_t)
 
 corenet_tcp_connect_pgpkeyserver_port(dirmngr_t)
+corenet_udp_bind_generic_node(dirmngr_t)
 
 files_read_etc_files(dirmngr_t)
 
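Review bot: `corenet_udp_bind_generic_node(dirmngr_t)` in the first dirmngr.te hunk is not covered by the commit message, which only talks about the filetrans for the gnupg runtime directory. Either explain in the message why dirmngr needs to bind UDP sockets, or move this line to its own patch so the network permission can be reviewed separately.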
@@ -81,5 +82,7 @@ userdom_user_runtime_filetrans(dirmngr_t, dirmngr_tmp_t, dir)
 
 optional_policy(`
 	gpg_agent_tmp_filetrans(dirmngr_t, dirmngr_tmp_t, sock_file)
+	gpg_runtime_filetrans(dirmngr_t, dirmngr_tmp_t, sock_file)
 	gpg_secret_filetrans(dirmngr_t, dirmngr_home_t, dir)
+	gpg_stream_connect_agent(dirmngr_t)
 ')
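Review bot: the old `gpg_agent_tmp_filetrans(dirmngr_t, dirmngr_tmp_t, sock_file)` line stays in the optional_policy block next to the new `gpg_runtime_filetrans` call, although the commit message says the directory is now gpg_runtime_t. State whether the gpg_agent_tmp_t transition is still needed and remove it if not. `gpg_stream_connect_agent(dirmngr_t)` is also added here without a mention in the message.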
diff --git a/gpg.if b/gpg.if
index 6266019..359560f 100644
--- a/gpg.if
+++ b/gpg.if
@@ -239,6 +239,25 @@ interface(`gpg_agent_tmp_filetrans',`
 
 ########################################
 ## <summary>
+##	filetrans in gpg_runtime_t dirs
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gpg_runtime_filetrans',`
+	gen_require(`
+		type gpg_runtime_t;
+	')
+
+	filetrans_pattern($1, gpg_runtime_t, $2, $3, $4)
+	userdom_search_user_runtime($1)
+')
+
+########################################
+## <summary>
 ##	filetrans in gpg_secret_t dirs
 ## </summary>
 ## <param name="domain">
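Review bot: the new `gpg_runtime_filetrans` interface passes `$2`, `$3` and `$4` to `filetrans_pattern`, but its header documents only the `domain` parameter. Add `<param>` entries for the private type, the object class and the name (optional, since the dirmngr.te caller passes three arguments), and expand the summary beyond "filetrans in gpg_runtime_t dirs" so it says what the interface creates and where.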
-- 
2.13.6


* [refpolicy] [PATCH 3/5] gpg: Add gpg_agent_use_card boolean for OpenPGP cards
  2017-12-13 18:17 [refpolicy] [PATCH 1/5] gssproxy: allow kerberos nfs filetrans Jason Zaman
  2017-12-13 18:17 ` [refpolicy] [PATCH 2/5] dirmngr: allow filetrans in gpg_runtime_t Jason Zaman
@ 2017-12-13 18:17 ` Jason Zaman
  2017-12-13 23:21   ` Chris PeBenito
  2017-12-13 18:17 ` [refpolicy] [PATCH 4/5] cachefilesd: make cachefilesd_cache_t a mountpoint Jason Zaman
                   ` (2 subsequent siblings)
  4 siblings, 1 reply; 11+ messages in thread
From: Jason Zaman @ 2017-12-13 18:17 UTC (permalink / raw)
  To: refpolicy

---
 gpg.te | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/gpg.te b/gpg.te
index 619fdb4..0ad774e 100644
--- a/gpg.te
+++ b/gpg.te
@@ -14,6 +14,14 @@ policy_module(gpg, 2.12.3)
 ## </desc>
 gen_tunable(gpg_agent_env_file, false)
 
+## <desc>
+##	<p>
+##	Determine whether GPG agent can use OpenPGP
+##	cards or Yubikeys over USB
+##	</p>
+## </desc>
+gen_tunable(gpg_agent_use_card, false)
+
 attribute_role gpg_roles;
 roleattribute system_r gpg_roles;
 
@@ -274,6 +282,11 @@ tunable_policy(`gpg_agent_env_file',`
 	userdom_user_home_dir_filetrans_user_home_content(gpg_agent_t, file)
 ')
 
+tunable_policy(`gpg_agent_use_card',`
+	dev_read_sysfs(gpg_agent_t)
+	dev_rw_generic_usb_dev(gpg_agent_t)
+')
+
 tunable_policy(`use_nfs_home_dirs',`
 	fs_manage_nfs_dirs(gpg_agent_t)
 	fs_manage_nfs_files(gpg_agent_t)
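Review bot: `dev_rw_generic_usb_dev(gpg_agent_t)` in the new `tunable_policy` block gives gpg_agent_t read and write access to generic USB devices, which is wider than the "OpenPGP cards or Yubikeys over USB" wording in the tunable description suggests. Keeping it behind a default-off boolean is right; make the `<desc>` text say that enabling it grants access to generic USB devices, and add a commit message explaining why `dev_read_sysfs` is needed.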
-- 
2.13.6


* [refpolicy] [PATCH 4/5] cachefilesd: make cachefilesd_cache_t a mountpoint
  2017-12-13 18:17 [refpolicy] [PATCH 1/5] gssproxy: allow kerberos nfs filetrans Jason Zaman
  2017-12-13 18:17 ` [refpolicy] [PATCH 2/5] dirmngr: allow filetrans in gpg_runtime_t Jason Zaman
  2017-12-13 18:17 ` [refpolicy] [PATCH 3/5] gpg: Add gpg_agent_use_card boolean for OpenPGP cards Jason Zaman
@ 2017-12-13 18:17 ` Jason Zaman
  2017-12-13 23:21   ` Chris PeBenito
  2017-12-13 18:17 ` [refpolicy] [PATCH 5/5] Set user_runtime_content_type for all remaining types in /run/user/%{UID}/ Jason Zaman
  2017-12-13 23:18 ` [refpolicy] [PATCH 1/5] gssproxy: allow kerberos nfs filetrans Chris PeBenito
  4 siblings, 1 reply; 11+ messages in thread
From: Jason Zaman @ 2017-12-13 18:17 UTC (permalink / raw)
  To: refpolicy

---
 cachefilesd.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cachefilesd.te b/cachefilesd.te
index d225d74..d09ac56 100644
--- a/cachefilesd.te
+++ b/cachefilesd.te
@@ -13,7 +13,7 @@ type cachefilesd_initrc_exec_t;
 init_script_file(cachefilesd_initrc_exec_t)
 
 type cachefilesd_cache_t;
-files_type(cachefilesd_cache_t)
+files_mountpoint(cachefilesd_cache_t)
 
 type cachefilesd_var_run_t;
 files_pid_file(cachefilesd_var_run_t)
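Review bot: the switch from `files_type(cachefilesd_cache_t)` to `files_mountpoint(cachefilesd_cache_t)` comes with an empty commit message. Say what gets mounted on the cache directory and which denial this fixes, so the reason for the change is recorded with it.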
-- 
2.13.6


* [refpolicy] [PATCH 5/5] Set user_runtime_content_type for all remaining types in /run/user/%{UID}/
  2017-12-13 18:17 [refpolicy] [PATCH 1/5] gssproxy: allow kerberos nfs filetrans Jason Zaman
                   ` (2 preceding siblings ...)
  2017-12-13 18:17 ` [refpolicy] [PATCH 4/5] cachefilesd: make cachefilesd_cache_t a mountpoint Jason Zaman
@ 2017-12-13 18:17 ` Jason Zaman
  2017-12-13 23:22   ` Chris PeBenito
  2017-12-13 23:18 ` [refpolicy] [PATCH 1/5] gssproxy: allow kerberos nfs filetrans Chris PeBenito
  4 siblings, 1 reply; 11+ messages in thread
From: Jason Zaman @ 2017-12-13 18:17 UTC (permalink / raw)
  To: refpolicy

---
 dbus.te       | 1 +
 dirmngr.te    | 1 +
 gnome.te      | 2 ++
 gpg.te        | 2 ++
 pulseaudio.te | 1 +
 5 files changed, 7 insertions(+)

diff --git a/dbus.te b/dbus.te
index 05c4652..8c9288b 100644
--- a/dbus.te
+++ b/dbus.te
@@ -49,6 +49,7 @@ init_daemon_pid_file(system_dbusd_var_run_t, dir, "dbus")
 
 type session_dbusd_runtime_t;
 files_pid_file(session_dbusd_runtime_t)
+userdom_user_runtime_content(session_dbusd_runtime_t)
 
 ifdef(`enable_mcs',`
 	init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh)
diff --git a/dirmngr.te b/dirmngr.te
index 75833a4..fa5898e 100644
--- a/dirmngr.te
+++ b/dirmngr.te
@@ -20,6 +20,7 @@ logging_log_file(dirmngr_log_t)
 
 type dirmngr_tmp_t;
 userdom_user_tmp_file(dirmngr_tmp_t)
+userdom_user_runtime_content(dirmngr_tmp_t)
 
 type dirmngr_var_lib_t;
 files_type(dirmngr_var_lib_t)
diff --git a/gnome.te b/gnome.te
index d87daab..b816175 100644
--- a/gnome.te
+++ b/gnome.te
@@ -45,9 +45,11 @@ userdom_user_home_content(gnome_keyring_home_t)
 
 type gnome_keyring_tmp_t;
 userdom_user_tmp_file(gnome_keyring_tmp_t)
+userdom_user_runtime_content(gnome_keyring_tmp_t)
 
 type gstreamer_orcexec_t;
 application_executable_file(gstreamer_orcexec_t)
+userdom_user_runtime_content(gstreamer_orcexec_t)
 
 ##############################
 #
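Review bot: `userdom_user_runtime_content(gstreamer_orcexec_t)` in the gnome.te hunk marks a type declared with `application_executable_file` as user runtime content, which stands out from the other types touched by this patch (all `_tmp_t` or `_runtime_t` file types). The commit has no body; note there why an executable type lives under /run/user/%{UID}/, so that pairing an executable type with runtime content is a documented choice rather than a side effect of the sweep.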
diff --git a/gpg.te b/gpg.te
index 0ad774e..6fc19ca 100644
--- a/gpg.te
+++ b/gpg.te
@@ -39,6 +39,7 @@ role gpg_roles types gpg_t;
 
 type gpg_runtime_t;
 files_pid_file(gpg_runtime_t)
+userdom_user_runtime_content(gpg_runtime_t)
 
 type gpg_agent_t;
 type gpg_agent_exec_t;
@@ -47,6 +48,7 @@ role gpg_agent_roles types gpg_agent_t;
 
 type gpg_agent_tmp_t;
 userdom_user_tmp_file(gpg_agent_tmp_t)
+userdom_user_runtime_content(gpg_agent_tmp_t)
 
 type gpg_secret_t;
 userdom_user_home_content(gpg_secret_t)
diff --git a/pulseaudio.te b/pulseaudio.te
index 441d058..8c8e21e 100644
--- a/pulseaudio.te
+++ b/pulseaudio.te
@@ -29,6 +29,7 @@ userdom_user_home_content(pulseaudio_home_t)
 
 type pulseaudio_tmp_t;
 userdom_user_tmp_file(pulseaudio_tmp_t)
+userdom_user_runtime_content(pulseaudio_tmp_t)
 
 type pulseaudio_tmpfs_t;
 userdom_user_tmpfs_file(pulseaudio_tmpfs_t)
-- 
2.13.6


* [refpolicy] [PATCH 1/5] gssproxy: allow kerberos nfs filetrans
  2017-12-13 18:17 [refpolicy] [PATCH 1/5] gssproxy: allow kerberos nfs filetrans Jason Zaman
                   ` (3 preceding siblings ...)
  2017-12-13 18:17 ` [refpolicy] [PATCH 5/5] Set user_runtime_content_type for all remaining types in /run/user/%{UID}/ Jason Zaman
@ 2017-12-13 23:18 ` Chris PeBenito
  2017-12-20 16:53   ` Jason Zaman
  4 siblings, 1 reply; 11+ messages in thread
From: Chris PeBenito @ 2017-12-13 23:18 UTC (permalink / raw)
  To: refpolicy

On 12/13/2017 01:17 PM, Jason Zaman wrote:
> ---
>   gssproxy.te | 1 +
>   1 file changed, 1 insertion(+)
> 
> diff --git a/gssproxy.te b/gssproxy.te
> index c1dcc55..dc7f0e6 100644
> --- a/gssproxy.te
> +++ b/gssproxy.te
> @@ -63,4 +63,5 @@ optional_policy(`
>   	kerberos_manage_host_rcache(gssproxy_t)
>   	kerberos_read_keytab(gssproxy_t)
>   	kerberos_use(gssproxy_t)
> +	kerberos_tmp_filetrans_host_rcache(gssproxy_t, file, "nfs_0")
>   ')

Is there a reason it has to be limited to only nfs_0? I didn't notice 
any type transition conflicts.

-- 
Chris PeBenito


* [refpolicy] [PATCH 2/5] dirmngr: allow filetrans in gpg_runtime_t
  2017-12-13 18:17 ` [refpolicy] [PATCH 2/5] dirmngr: allow filetrans in gpg_runtime_t Jason Zaman
@ 2017-12-13 23:21   ` Chris PeBenito
  0 siblings, 0 replies; 11+ messages in thread
From: Chris PeBenito @ 2017-12-13 23:21 UTC (permalink / raw)
  To: refpolicy

On 12/13/2017 01:17 PM, Jason Zaman wrote:
> commit 1b9cd3bd9c44732bdf756301408582bcfe9073c9
> ("gpg: manage user runtime socket files and directories")
> changed /run/user/%{USERID}/gnupg/ to gpg_runtime_t, so the filetrans
> for gpg_agent_tmp_t needs updating.
> ---
>   dirmngr.te |  3 +++
>   gpg.if     | 19 +++++++++++++++++++
>   2 files changed, 22 insertions(+)
> 
> diff --git a/dirmngr.te b/dirmngr.te
> index 8f4cb99..75833a4 100644
> --- a/dirmngr.te
> +++ b/dirmngr.te
> @@ -69,6 +69,7 @@ dev_read_rand(dirmngr_t)
>   sysnet_dns_name_resolve(dirmngr_t)
>   
>   corenet_tcp_connect_pgpkeyserver_port(dirmngr_t)
> +corenet_udp_bind_generic_node(dirmngr_t)
>   
>   files_read_etc_files(dirmngr_t)
>   
> @@ -81,5 +82,7 @@ userdom_user_runtime_filetrans(dirmngr_t, dirmngr_tmp_t, dir)
>   
>   optional_policy(`
>   	gpg_agent_tmp_filetrans(dirmngr_t, dirmngr_tmp_t, sock_file)
> +	gpg_runtime_filetrans(dirmngr_t, dirmngr_tmp_t, sock_file)
>   	gpg_secret_filetrans(dirmngr_t, dirmngr_home_t, dir)
> +	gpg_stream_connect_agent(dirmngr_t)
>   ')
> diff --git a/gpg.if b/gpg.if
> index 6266019..359560f 100644
> --- a/gpg.if
> +++ b/gpg.if
> @@ -239,6 +239,25 @@ interface(`gpg_agent_tmp_filetrans',`
>   
>   ########################################
>   ## <summary>
> +##	filetrans in gpg_runtime_t dirs
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`gpg_runtime_filetrans',`
> +	gen_require(`
> +		type gpg_runtime_t;
> +	')
> +
> +	filetrans_pattern($1, gpg_runtime_t, $2, $3, $4)
> +	userdom_search_user_runtime($1)
> +')
> +
> +########################################
> +## <summary>
>   ##	filetrans in gpg_secret_t dirs
>   ## </summary>
>   ## <param name="domain">

Merged.

-- 
Chris PeBenito


* [refpolicy] [PATCH 3/5] gpg: Add gpg_agent_use_card boolean for OpenPGP cards
  2017-12-13 18:17 ` [refpolicy] [PATCH 3/5] gpg: Add gpg_agent_use_card boolean for OpenPGP cards Jason Zaman
@ 2017-12-13 23:21   ` Chris PeBenito
  0 siblings, 0 replies; 11+ messages in thread
From: Chris PeBenito @ 2017-12-13 23:21 UTC (permalink / raw)
  To: refpolicy

On 12/13/2017 01:17 PM, Jason Zaman wrote:
> ---
>   gpg.te | 13 +++++++++++++
>   1 file changed, 13 insertions(+)
> 
> diff --git a/gpg.te b/gpg.te
> index 619fdb4..0ad774e 100644
> --- a/gpg.te
> +++ b/gpg.te
> @@ -14,6 +14,14 @@ policy_module(gpg, 2.12.3)
>   ## </desc>
>   gen_tunable(gpg_agent_env_file, false)
>   
> +## <desc>
> +##	<p>
> +##	Determine whether GPG agent can use OpenPGP
> +##	cards or Yubikeys over USB
> +##	</p>
> +## </desc>
> +gen_tunable(gpg_agent_use_card, false)
> +
>   attribute_role gpg_roles;
>   roleattribute system_r gpg_roles;
>   
> @@ -274,6 +282,11 @@ tunable_policy(`gpg_agent_env_file',`
>   	userdom_user_home_dir_filetrans_user_home_content(gpg_agent_t, file)
>   ')
>   
> +tunable_policy(`gpg_agent_use_card',`
> +	dev_read_sysfs(gpg_agent_t)
> +	dev_rw_generic_usb_dev(gpg_agent_t)
> +')
> +
>   tunable_policy(`use_nfs_home_dirs',`
>   	fs_manage_nfs_dirs(gpg_agent_t)
>   	fs_manage_nfs_files(gpg_agent_t)

Merged.

-- 
Chris PeBenito


* [refpolicy] [PATCH 4/5] cachefilesd: make cachefilesd_cache_t a mountpoint
  2017-12-13 18:17 ` [refpolicy] [PATCH 4/5] cachefilesd: make cachefilesd_cache_t a mountpoint Jason Zaman
@ 2017-12-13 23:21   ` Chris PeBenito
  0 siblings, 0 replies; 11+ messages in thread
From: Chris PeBenito @ 2017-12-13 23:21 UTC (permalink / raw)
  To: refpolicy

On 12/13/2017 01:17 PM, Jason Zaman wrote:
> ---
>   cachefilesd.te | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/cachefilesd.te b/cachefilesd.te
> index d225d74..d09ac56 100644
> --- a/cachefilesd.te
> +++ b/cachefilesd.te
> @@ -13,7 +13,7 @@ type cachefilesd_initrc_exec_t;
>   init_script_file(cachefilesd_initrc_exec_t)
>   
>   type cachefilesd_cache_t;
> -files_type(cachefilesd_cache_t)
> +files_mountpoint(cachefilesd_cache_t)
>   
>   type cachefilesd_var_run_t;
>   files_pid_file(cachefilesd_var_run_t)

Merged.

-- 
Chris PeBenito


* [refpolicy] [PATCH 5/5] Set user_runtime_content_type for all remaining types in /run/user/%{UID}/
  2017-12-13 18:17 ` [refpolicy] [PATCH 5/5] Set user_runtime_content_type for all remaining types in /run/user/%{UID}/ Jason Zaman
@ 2017-12-13 23:22   ` Chris PeBenito
  0 siblings, 0 replies; 11+ messages in thread
From: Chris PeBenito @ 2017-12-13 23:22 UTC (permalink / raw)
  To: refpolicy

On 12/13/2017 01:17 PM, Jason Zaman wrote:
> ---
>   dbus.te       | 1 +
>   dirmngr.te    | 1 +
>   gnome.te      | 2 ++
>   gpg.te        | 2 ++
>   pulseaudio.te | 1 +
>   5 files changed, 7 insertions(+)
> 
> diff --git a/dbus.te b/dbus.te
> index 05c4652..8c9288b 100644
> --- a/dbus.te
> +++ b/dbus.te
> @@ -49,6 +49,7 @@ init_daemon_pid_file(system_dbusd_var_run_t, dir, "dbus")
>   
>   type session_dbusd_runtime_t;
>   files_pid_file(session_dbusd_runtime_t)
> +userdom_user_runtime_content(session_dbusd_runtime_t)
>   
>   ifdef(`enable_mcs',`
>   	init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh)
> diff --git a/dirmngr.te b/dirmngr.te
> index 75833a4..fa5898e 100644
> --- a/dirmngr.te
> +++ b/dirmngr.te
> @@ -20,6 +20,7 @@ logging_log_file(dirmngr_log_t)
>   
>   type dirmngr_tmp_t;
>   userdom_user_tmp_file(dirmngr_tmp_t)
> +userdom_user_runtime_content(dirmngr_tmp_t)
>   
>   type dirmngr_var_lib_t;
>   files_type(dirmngr_var_lib_t)
> diff --git a/gnome.te b/gnome.te
> index d87daab..b816175 100644
> --- a/gnome.te
> +++ b/gnome.te
> @@ -45,9 +45,11 @@ userdom_user_home_content(gnome_keyring_home_t)
>   
>   type gnome_keyring_tmp_t;
>   userdom_user_tmp_file(gnome_keyring_tmp_t)
> +userdom_user_runtime_content(gnome_keyring_tmp_t)
>   
>   type gstreamer_orcexec_t;
>   application_executable_file(gstreamer_orcexec_t)
> +userdom_user_runtime_content(gstreamer_orcexec_t)
>   
>   ##############################
>   #
> diff --git a/gpg.te b/gpg.te
> index 0ad774e..6fc19ca 100644
> --- a/gpg.te
> +++ b/gpg.te
> @@ -39,6 +39,7 @@ role gpg_roles types gpg_t;
>   
>   type gpg_runtime_t;
>   files_pid_file(gpg_runtime_t)
> +userdom_user_runtime_content(gpg_runtime_t)
>   
>   type gpg_agent_t;
>   type gpg_agent_exec_t;
> @@ -47,6 +48,7 @@ role gpg_agent_roles types gpg_agent_t;
>   
>   type gpg_agent_tmp_t;
>   userdom_user_tmp_file(gpg_agent_tmp_t)
> +userdom_user_runtime_content(gpg_agent_tmp_t)
>   
>   type gpg_secret_t;
>   userdom_user_home_content(gpg_secret_t)
> diff --git a/pulseaudio.te b/pulseaudio.te
> index 441d058..8c8e21e 100644
> --- a/pulseaudio.te
> +++ b/pulseaudio.te
> @@ -29,6 +29,7 @@ userdom_user_home_content(pulseaudio_home_t)
>   
>   type pulseaudio_tmp_t;
>   userdom_user_tmp_file(pulseaudio_tmp_t)
> +userdom_user_runtime_content(pulseaudio_tmp_t)
>   
>   type pulseaudio_tmpfs_t;
>   userdom_user_tmpfs_file(pulseaudio_tmpfs_t)

Merged.

-- 
Chris PeBenito


* [refpolicy] [PATCH 1/5] gssproxy: allow kerberos nfs filetrans
  2017-12-13 23:18 ` [refpolicy] [PATCH 1/5] gssproxy: allow kerberos nfs filetrans Chris PeBenito
@ 2017-12-20 16:53   ` Jason Zaman
  0 siblings, 0 replies; 11+ messages in thread
From: Jason Zaman @ 2017-12-20 16:53 UTC (permalink / raw)
  To: refpolicy

On Wed, Dec 13, 2017 at 06:18:59PM -0500, Chris PeBenito wrote:
> On 12/13/2017 01:17 PM, Jason Zaman wrote:
> > ---
> >   gssproxy.te | 1 +
> >   1 file changed, 1 insertion(+)
> > 
> > diff --git a/gssproxy.te b/gssproxy.te
> > index c1dcc55..dc7f0e6 100644
> > --- a/gssproxy.te
> > +++ b/gssproxy.te
> > @@ -63,4 +63,5 @@ optional_policy(`
> >   	kerberos_manage_host_rcache(gssproxy_t)
> >   	kerberos_read_keytab(gssproxy_t)
> >   	kerberos_use(gssproxy_t)
> > +	kerberos_tmp_filetrans_host_rcache(gssproxy_t, file, "nfs_0")
> >   ')
> 
> Is there a reason it has to be limited to only nfs_0? I didn't notice 
> any type transition conflicts.

No reason other than bad copy paste, I've sent a new version.

-- Jason
> 
> -- 
> Chris PeBenito

