selinux-policy-ubuntu-dev 0.2.20091117-0ubuntu2 / usr / share / selinux / ubuntu / include / apps / gpg.if

This file is indexed.

/usr/share/selinux/ubuntu/include/apps/gpg.if is in selinux-policy-ubuntu-dev 0.2.20091117-0ubuntu2.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below. 

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
## <summary>Policy for GNU Privacy Guard and related programs.</summary>

############################################################
## <summary>
##	Role access for gpg
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role
##	</summary>
## </param>
#
interface(`gpg_role',`
	gen_require(`
		type gpg_t, gpg_exec_t;
		type gpg_agent_t, gpg_agent_exec_t;
		type gpg_agent_tmp_t;
		type gpg_helper_t, gpg_pinentry_t;
	')

	role $1 types { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t };

	# transition from the userdomain to the derived domain
	domtrans_pattern($2, gpg_exec_t, gpg_t)

	# allow ps to show gpg
	ps_process_pattern($2, gpg_t)
	allow $2 gpg_t:process { signull sigstop signal sigkill };

	# communicate with the user 
	allow gpg_helper_t $2:fd use;
	allow gpg_helper_t $2:fifo_file write;

	# allow ps to show gpg-agent
	ps_process_pattern($2, gpg_agent_t)

	# Allow the user shell to signal the gpg-agent program.
	allow $2 gpg_agent_t:process { signal sigkill };

	manage_dirs_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t)
	manage_files_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t)
	manage_sock_files_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t)
	files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })

	# Transition from the user domain to the agent domain.
	domtrans_pattern($2, gpg_agent_exec_t, gpg_agent_t)

	ifdef(`hide_broken_symptoms',`
		#Leaked File Descriptors
		dontaudit gpg_t $2:fifo_file rw_fifo_file_perms;
		dontaudit gpg_t $2:tcp_socket rw_socket_perms;
		dontaudit gpg_t $2:udp_socket rw_socket_perms;
		dontaudit gpg_t $2:unix_stream_socket rw_socket_perms;
		dontaudit gpg_t $2:unix_dgram_socket rw_socket_perms;
	')
')

########################################
## <summary>
##	Transition to a user gpg domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gpg_domtrans',`
	gen_require(`
		type gpg_t, gpg_exec_t;
	')

	domtrans_pattern($1, gpg_exec_t, gpg_t)
')

########################################
## <summary>
##	Send generic signals to user gpg processes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`gpg_signal',`
	gen_require(`
		type gpg_t;
	')

	allow $1 gpg_t:process signal;
')

APT Browse - Built by Thomas Orozco.