## Server for managing and downloading certificate revocation lists. ############################################################ ## ## Role access for dirmngr. ## ## ## ## The prefix of the user role (e.g., user ## is the prefix for user_r). ## ## ## ## ## User domain for the role. ## ## ## ## ## User exec domain for execute and transition access. ## ## ## ## ## Role allowed access ## ## # template(`dirmngr_role',` gen_require(` type dirmngr_t, dirmngr_exec_t; type dirmngr_tmp_t; ') role $4 types dirmngr_t; domtrans_pattern($3, dirmngr_exec_t, dirmngr_t) allow $3 dirmngr_t:process { ptrace signal_perms }; ps_process_pattern($3, dirmngr_t) allow dirmngr_t $3:fd use; allow dirmngr_t $3:fifo_file rw_inherited_fifo_file_perms; allow $2 dirmngr_tmp_t:sock_file { manage_sock_file_perms relabel_sock_file_perms }; optional_policy(` systemd_user_app_status($1, dirmngr_t) ') ') ######################################## ## ## Execute dirmngr in the dirmngr domain. ## ## ## ## Domain allowed to transition. ## ## # interface(`dirmngr_domtrans',` gen_require(` type dirmngr_t, dirmngr_exec_t; ') corecmd_search_bin($1) domtrans_pattern($1, dirmngr_exec_t, dirmngr_t) ') ######################################## ## ## Execute the dirmngr in the caller domain. ## ## ## ## Domain allowed access. ## ## # interface(`dirmngr_exec',` gen_require(` type dirmngr_exec_t; ') corecmd_search_bin($1) can_exec($1, dirmngr_exec_t) ') ######################################## ## ## Connect to dirmngr socket ## ## ## ## Domain allowed access. ## ## # interface(`dirmngr_stream_connect',` gen_require(` type dirmngr_t, dirmngr_tmp_t; ') gpg_search_agent_tmp_dirs($1) allow $1 dirmngr_tmp_t:sock_file rw_sock_file_perms; allow $1 dirmngr_t:unix_stream_socket connectto; userdom_search_user_runtime($1) userdom_search_user_home_dirs($1) ') ######################################## ## ## All of the rules required to ## administrate an dirmngr environment. ## ## ## ## Domain allowed access. ## ## ## ## ## Role allowed access. ## ## ## # interface(`dirmngr_admin',` gen_require(` type dirmngr_t, dirmngr_initrc_exec_t, dirmngr_runtime_t; type dirmngr_conf_t, dirmngr_var_lib_t, dirmngr_log_t; ') allow $1 dirmngr_t:process { ptrace signal_perms }; ps_process_pattern($1, dirmngr_t) init_startstop_service($1, $2, dirmngr_t, dirmngr_initrc_exec_t) files_search_etc($1) admin_pattern($1, dirmngr_conf_t) logging_search_logs($1) admin_pattern($1, dirmngr_log_t) files_search_runtime($1) admin_pattern($1, dirmngr_runtime_t) files_search_var_lib($1) admin_pattern($1, dirmngr_var_lib_t) ')