diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index eb38aca05..bd424b608 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -201,6 +201,10 @@ optional_policy(`
seutil_sigchld_newrole(system_dbusd_t)
')
+optional_policy(`
+ tpm2_rw_abrmd_pipes(system_dbusd_t)
+')
+
optional_policy(`
udev_read_db(system_dbusd_t)
')
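Review bot: The new call lets the system bus daemon use tpm2_abrmd_t's descriptors and read/write its fifos, which is the reverse of what bus activation normally needs (the activated service inherits the daemon's descriptors, not the other way round), and the block carries no comment on which denial it resolves. A one-line comment above the call, e.g. `# tpm2-abrmd hands its own pipe ends to the bus daemon`, naming the observed case would let a later reader confirm the grant is still required instead of keeping it by habit. The rest of the system_dbusd_t policy is outside this hunk.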
diff --git a/policy/modules/services/tpm2.fc b/policy/modules/services/tpm2.fc
index 64937df4f..ab1c0dc19 100644
--- a/policy/modules/services/tpm2.fc
+++ b/policy/modules/services/tpm2.fc
@@ -1,4 +1,5 @@
/usr/bin/tpm2-abrmd -- gen_context(system_u:object_r:tpm2_abrmd_exec_t,s0)
+/usr/bin/tpm2_[^/]+ -- gen_context(system_u:object_r:tpm2_exec_t,s0)
/usr/sbin/tpm2-abrmd -- gen_context(system_u:object_r:tpm2_abrmd_exec_t,s0)
diff --git a/policy/modules/services/tpm2.if b/policy/modules/services/tpm2.if
index 55133e4a5..0945b494d 100644
--- a/policy/modules/services/tpm2.if
+++ b/policy/modules/services/tpm2.if
@@ -1,5 +1,94 @@
## Trusted Platform Module 2.0
+########################################
+##
+## Execute tpm2_* processes
+## in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`tpm2_exec',`
+ gen_require(`
+ type tpm2_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, tpm2_exec_t)
+')
+
+########################################
+##
+## Execute tpm2_* processes in the tpm2 domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`tpm2_domtrans',`
+ gen_require(`
+ type tpm2_t, tpm2_exec_t;
+ ')
+
+ allow tpm2_t $1:fd use;
+ allow tpm2_t $1:fifo_file rw_file_perms;
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, tpm2_exec_t, tpm2_t)
+')
+
+########################################
+##
+## Execute tpm2_* processes in the tpm2
+## domain and allow the specified role
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+#
+interface(`tpm2_run',`
+ gen_require(`
+ type tpm2_t;
+ ')
+
+ role $2 types tpm2_t;
+
+ tpm2_domtrans($1)
+')
+
+########################################
+##
+## Send and receive messages from
+## tpm2-abrmd over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`tpm2_dbus_chat_abrmd',`
+ gen_require(`
+ type tpm2_abrmd_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 tpm2_abrmd_t:dbus send_msg;
+ allow tpm2_abrmd_t $1:dbus send_msg;
+')
+
########################################
##
## Allow specified domain to enable/disable tpm2-abrmd unit
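Review bot: In tpm2_domtrans the two explicit rules `allow tpm2_t $1:fd use;` and `allow tpm2_t $1:fifo_file rw_file_perms;` duplicate what domtrans_pattern already grants the target domain if this tree uses the refpolicy definition (fd use, rw_inherited_fifo_file_perms and process sigchld), and the fifo rule is wider than the pattern's because rw_file_perms adds open and lock, so the caller's pipes become openable rather than only usable when inherited. Dropping both lines, or replacing the second with `allow tpm2_t $1:fifo_file rw_inherited_fifo_file_perms;` if the extra is deliberate, keeps the interface to the standard shape; the same wide set appears in tpm2_rw_abrmd_pipes in the next hunk. tpm2_run's gen_require listing only tpm2_t is fine, since the role statement is its only direct use and tpm2_domtrans requires the remaining types itself.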
@@ -56,3 +145,23 @@ interface(`tpm2_status_abrmd',`
allow $1 tpm2_abrmd_unit_t:service status;
')
+
+########################################
+##
+## access tpm2-abrmd fifos
+##
+##
+##
+## Domain allowed access
+##
+##
+#
+interface(`tpm2_rw_abrmd_pipes',`
+ gen_require(`
+ type tpm2_abrmd_t;
+ ')
+
+ allow $1 tpm2_abrmd_t:fd use;
+ allow $1 tpm2_abrmd_t:fifo_file rw_file_perms;
+')
+
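Review bot: tpm2_rw_abrmd_pipes grants `rw_file_perms` on tpm2_abrmd_t fifo_file, which includes open; for pipe ends the caller only receives as inherited descriptors, which is what the paired `fd use` rule suggests, `allow $1 tpm2_abrmd_t:fifo_file rw_inherited_fifo_file_perms;` is the narrower conventional set unless opening named fifos is actually needed. The summary `access tpm2-abrmd fifos` and the parameter text `Domain allowed access` lack the capitalised sentence form and trailing period used by the other interfaces in this file, e.g. `Read and write tpm2-abrmd pipes.`. The hunk also leaves a trailing blank line at end of file.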
diff --git a/policy/modules/services/tpm2.te b/policy/modules/services/tpm2.te
index b18680997..15e3f51e0 100644
--- a/policy/modules/services/tpm2.te
+++ b/policy/modules/services/tpm2.te
@@ -12,13 +12,18 @@ init_daemon_domain(tpm2_abrmd_t, tpm2_abrmd_exec_t)
type tpm2_abrmd_unit_t;
init_unit_file(tpm2_abrmd_unit_t)
+type tpm2_t;
+type tpm2_exec_t;
+application_domain(tpm2_t, tpm2_exec_t)
+
########################################
#
-# Local policy
+# tpm2-abrmd local policy
#
allow tpm2_abrmd_t self:process signal;
allow tpm2_abrmd_t self:unix_stream_socket create_socket_perms;
+allow tpm2_abrmd_t self:fifo_file { read write };
dev_rw_tpm(tpm2_abrmd_t)
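Review bot: `allow tpm2_abrmd_t self:fifo_file { read write };` spells out a raw permission list where the surrounding lines use named sets (`create_socket_perms` directly above); `rw_inherited_fifo_file_perms` (or `rw_fifo_file_perms` if the daemon opens its own named pipes) is the policy's own vocabulary for the same intent and additionally covers getattr/append/ioctl/lock, which are the usual companions on a domain's own pipes — worth confirming that widening is acceptable before switching. The new `type tpm2_t;` declaration follows `init_unit_file(tpm2_abrmd_unit_t)` with no separating blank line, unlike the other declaration groups. The enclosing declarations section starts before this hunk.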
@@ -28,3 +33,30 @@ kernel_read_system_state(tpm2_abrmd_t)
optional_policy(`
dbus_system_domain(tpm2_abrmd_t, tpm2_abrmd_exec_t)
')
+
+
+###########################################
+# tpm2_* local policy
+#
+
+allow tpm2_t self:unix_stream_socket create_socket_perms;
+allow tpm2_t self:capability dac_override;
+
+dev_rw_tpm(tpm2_t)
+
+files_read_etc_files(tpm2_t)
+
+kernel_read_crypto_sysctls(tpm2_t)
+kernel_read_system_state(tpm2_t)
+
+miscfiles_read_generic_certs(tpm2_t)
+
+selinux_getattr_fs(tpm2_t)
+selinux_search_fs(tpm2_t)
+
+tpm2_dbus_chat_abrmd(tpm2_t)
+tpm2_rw_abrmd_pipes(tpm2_t)
+
+optional_policy(`
+ dbus_system_bus_client(tpm2_t)
+')