Signed-off-by: Dave Sugar <dsugar@xxxxxxxxxx>
---
policy/modules/services/tpm2_abrmd.fc | 3 ++
policy/modules/services/tpm2_abrmd.if | 58 +++++++++++++++++++++++++++
policy/modules/services/tpm2_abrmd.te | 29 ++++++++++++++
3 files changed, 90 insertions(+)
create mode 100644 policy/modules/services/tpm2_abrmd.fc
create mode 100644 policy/modules/services/tpm2_abrmd.if
create mode 100644 policy/modules/services/tpm2_abrmd.te
diff --git a/policy/modules/services/tpm2_abrmd.fc b/policy/modules/services/tpm2_abrmd.fc
new file mode 100644
index 00000000..4ccf2f25
--- /dev/null
+++ b/policy/modules/services/tpm2_abrmd.fc
@@ -0,0 +1,3 @@
+/usr/sbin/tpm2-abrmd -- gen_context(system_u:object_r:tpm2_abrmd_exec_t,s0)
+
+/usr/lib/systemd/system/[^/]*tpm2-abrmd\.service -- gen_context(system_u:object_r:tpm2_abrmd_unit_t,s0)
diff --git a/policy/modules/services/tpm2_abrmd.if b/policy/modules/services/tpm2_abrmd.if
new file mode 100644
index 00000000..dabb4a65
--- /dev/null
+++ b/policy/modules/services/tpm2_abrmd.if
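Review bot: In tpm2_abrmd.fc only `/usr/sbin/tpm2-abrmd` is labelled tpm2_abrmd_exec_t, so on a system that installs the daemon under /usr/bin the binary would keep its default label. In that case init would presumably not transition it into tpm2_abrmd_t, and the process that holds the TPM device would run outside the confinement this module defines. Consider adding a second entry next to the existing one: `/usr/bin/tpm2-abrmd -- gen_context(system_u:object_r:tpm2_abrmd_exec_t,s0)`.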
@@ -0,0 +1,58 @@
+## <summary>TPM2 Access Broker and Resource Management daemon.</summary>
+
+########################################
+## <summary>
+## Allow specified domain to enable/disable tpm2-abrmd unit
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tpm2_abrmd_enabledisable',`
+ gen_require(`
+ type tpm2_abrmd_unit_t;
+ class service { enable disable };
+ ')
+
+ allow $1 tpm2_abrmd_unit_t:service { enable disable };
+')
+
+########################################
+## <summary>
+## Allow specified domain to start/stop tpm2-abrmd unit
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tpm2_abrmd_startstop',`
+ gen_require(`
+ type tpm2_abrmd_unit_t;
+ class service { start stop };
+ ')
+
+ allow $1 tpm2_abrmd_unit_t:service { start stop };
+')
+
+########################################
+## <summary>
+## Allow specified domain to get status of tpm2-abrmd unit
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tpm2_abrmd_status',`
+ gen_require(`
+ type tpm2_abrmd_unit_t;
+ class service status;
+ ')
+
+ allow $1 tpm2_abrmd_unit_t:service status;
+')
diff --git a/policy/modules/services/tpm2_abrmd.te b/policy/modules/services/tpm2_abrmd.te
new file mode 100644
index 00000000..8a8ba5f0
--- /dev/null
+++ b/policy/modules/services/tpm2_abrmd.te
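Review bot: tpm2_abrmd.if exposes only systemd unit management (enable/disable, start/stop, status), so nothing lets a confined client domain exchange D-Bus messages with tpm2_abrmd_t, although the .te places the daemon on the system bus. Without such an interface each client module would have to name tpm2_abrmd_t directly or stay unconfined; an interface like the one below keeps that access explicit and reviewable. The interface name is only a suggestion, and clients may need further access that this patch does not show, for example to descriptors the broker hands over.

```selinux
# … unchanged: tpm2_abrmd_enabledisable, tpm2_abrmd_startstop, tpm2_abrmd_status …

########################################
## <summary>
##	Send and receive messages from
##	tpm2-abrmd over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`tpm2_abrmd_dbus_chat',`
	gen_require(`
		type tpm2_abrmd_t;
		class dbus send_msg;
	')

	allow $1 tpm2_abrmd_t:dbus send_msg;
	allow tpm2_abrmd_t $1:dbus send_msg;
')
```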
@@ -0,0 +1,29 @@
+policy_module(tpm2_abrmd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type tpm2_abrmd_t;
+type tpm2_abrmd_exec_t;
+init_daemon_domain(tpm2_abrmd_t, tpm2_abrmd_exec_t)
+
+type tpm2_abrmd_unit_t;
+init_unit_file(tpm2_abrmd_unit_t)
+
+########################################
+#
+# Local policy
+#
+
+allow tpm2_abrmd_t self:process signal;
+allow tpm2_abrmd_t self:unix_stream_socket create_socket_perms;
+
+dev_rw_tpm(tpm2_abrmd_t)
+
+kernel_read_crypto_sysctls(tpm2_abrmd_t)
+kernel_read_system_state(tpm2_abrmd_t)
+
+dbus_system_bus_client(tpm2_abrmd_t)
+dbus_connect_system_bus(tpm2_abrmd_t)
--
2.21.0
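Review bot: The two dbus_ calls that close the local policy in tpm2_abrmd.te are made unconditionally, while dbus is a separate services module rather than part of the base policy. The usual refpolicy convention is to wrap such calls in an `optional_policy` block, so that tpm2_abrmd still builds and loads when the dbus module is not installed. The wrapper adds two lines around `dbus_system_bus_client(tpm2_abrmd_t)` and `dbus_connect_system_bus(tpm2_abrmd_t)` and leaves the grants themselves unchanged.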