selinux-refpolicy/policy/modules/services/tpm2.if
Christian Göttsche 72b2c66256 whitespace cleanup
Remove trailing white spaces and mixed up indents

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-08-13 14:34:57 +02:00

227 lines
4.2 KiB
Plaintext

## <summary>Trusted Platform Module 2.0</summary>
########################################
## <summary>
## Execute tpm2_* processes
## in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`tpm2_exec',`
gen_require(`
type tpm2_exec_t;
')
corecmd_search_bin($1)
can_exec($1, tpm2_exec_t)
')
########################################
## <summary>
## Execute tpm2_* processes in the tpm2 domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`tpm2_domtrans',`
gen_require(`
type tpm2_t, tpm2_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, tpm2_exec_t, tpm2_t)
')
########################################
## <summary>
## Execute tpm2_* processes in the tpm2
## domain and allow the specified role
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
#
interface(`tpm2_run',`
gen_require(`
type tpm2_t;
')
role $2 types tpm2_t;
tpm2_domtrans($1)
')
########################################
## <summary>
## Use tpm2 file descriptors.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`tpm2_use_fds',`
gen_require(`
type tpm2_t;
')
allow $1 tpm2_t:fd use;
')
########################################
## <summary>
## Do not audit attempts to inherit file
## descriptors from tpm2.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`tpm2_dontaudit_use_fds',`
gen_require(`
type tpm2_t;
')
dontaudit $1 tpm2_t:fd use;
')
########################################
## <summary>
## Send and receive messages from
## tpm2-abrmd over dbus.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`tpm2_dbus_chat_abrmd',`
gen_require(`
type tpm2_abrmd_t;
class dbus send_msg;
')
allow $1 tpm2_abrmd_t:dbus send_msg;
allow tpm2_abrmd_t $1:dbus send_msg;
')
########################################
## <summary>
## Allow tpm2 to read unnamed pipes from other process.
## </summary>
## <desc>
## <p>
## Allow the tpm to open and read pipes from other
## domain. This is seen when piping input to one
## of the tpm2_* processes. For example:
## sha512sum my_file | tpm2_hmac -k 0x81001000 -g sha256 /dev/stdin
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain of pipe to be read by tpm2_t.
## </summary>
## </param>
#
interface(`tpm2_read_pipes',`
gen_require(`
type tpm2_t;
')
allow tpm2_t $1:fifo_file read_fifo_file_perms;
')
########################################
## <summary>
## Allow specified domain to enable/disable tpm2-abrmd unit
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`tpm2_enabledisable_abrmd',`
gen_require(`
type tpm2_abrmd_unit_t;
class service { enable disable };
')
allow $1 tpm2_abrmd_unit_t:service { enable disable };
')
########################################
## <summary>
## Allow specified domain to start/stop tpm2-abrmd unit
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`tpm2_startstop_abrmd',`
gen_require(`
type tpm2_abrmd_unit_t;
class service { start stop };
')
allow $1 tpm2_abrmd_unit_t:service { start stop };
')
########################################
## <summary>
## Allow specified domain to get status of tpm2-abrmd unit
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`tpm2_status_abrmd',`
gen_require(`
type tpm2_abrmd_unit_t;
class service status;
')
allow $1 tpm2_abrmd_unit_t:service status;
')
########################################
## <summary>
## access tpm2-abrmd fifos
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access
## </summary>
## </param>
#
interface(`tpm2_rw_abrmd_pipes',`
gen_require(`
type tpm2_abrmd_t;
')
allow $1 tpm2_abrmd_t:fd use;
allow $1 tpm2_abrmd_t:fifo_file rw_fifo_file_perms;
')