## Server for managing and downloading certificate revocation lists.
############################################################
##
## Role access for dirmngr.
##
##
##
## The prefix of the user role (e.g., user
## is the prefix for user_r).
##
##
##
##
## User domain for the role.
##
##
##
##
## User exec domain for execute and transition access.
##
##
##
##
## Role allowed access
##
##
#
template(`dirmngr_role',`
gen_require(`
type dirmngr_t, dirmngr_exec_t;
type dirmngr_tmp_t;
')
role $4 types dirmngr_t;
domtrans_pattern($3, dirmngr_exec_t, dirmngr_t)
allow $3 dirmngr_t:process { ptrace signal_perms };
ps_process_pattern($3, dirmngr_t)
allow dirmngr_t $3:fd use;
allow dirmngr_t $3:fifo_file rw_inherited_fifo_file_perms;
allow $2 dirmngr_tmp_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
optional_policy(`
systemd_user_app_status($1, dirmngr_t)
')
')
########################################
##
## Execute dirmngr in the dirmngr domain.
##
##
##
## Domain allowed to transition.
##
##
#
interface(`dirmngr_domtrans',`
gen_require(`
type dirmngr_t, dirmngr_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, dirmngr_exec_t, dirmngr_t)
')
########################################
##
## Execute the dirmngr in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
interface(`dirmngr_exec',`
gen_require(`
type dirmngr_exec_t;
')
corecmd_search_bin($1)
can_exec($1, dirmngr_exec_t)
')
########################################
##
## Connect to dirmngr socket
##
##
##
## Domain allowed access.
##
##
#
interface(`dirmngr_stream_connect',`
gen_require(`
type dirmngr_t, dirmngr_tmp_t;
')
gpg_search_agent_tmp_dirs($1)
allow $1 dirmngr_tmp_t:sock_file rw_sock_file_perms;
allow $1 dirmngr_t:unix_stream_socket connectto;
userdom_search_user_runtime($1)
userdom_search_user_home_dirs($1)
')
########################################
##
## All of the rules required to
## administrate an dirmngr environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
interface(`dirmngr_admin',`
gen_require(`
type dirmngr_t, dirmngr_initrc_exec_t, dirmngr_runtime_t;
type dirmngr_conf_t, dirmngr_var_lib_t, dirmngr_log_t;
')
allow $1 dirmngr_t:process { ptrace signal_perms };
ps_process_pattern($1, dirmngr_t)
init_startstop_service($1, $2, dirmngr_t, dirmngr_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, dirmngr_conf_t)
logging_search_logs($1)
admin_pattern($1, dirmngr_log_t)
files_search_runtime($1)
admin_pattern($1, dirmngr_runtime_t)
files_search_var_lib($1)
admin_pattern($1, dirmngr_var_lib_t)
')