Module for tpm2
Module for tpm2 v2 - updated to rename module and interface names, different dbus interface

Signed-off-by: Dave Sugar <dsugar@tresys.com>
This commit is contained in:
parent
fb04518b9d
commit
566fd554a6
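--- a/policy/modules/services/tpm2.fc
+++ b/policy/modules/services/tpm2.fc
@@ -0,0 +1,3 @@
+/usr/sbin/tpm2-abrmd -- gen_context(system_u:object_r:tpm2_abrmd_exec_t,s0)
+
+/usr/lib/systemd/system/[^/]*tpm2-abrmd\.service -- gen_context(system_u:object_r:tpm2_abrmd_unit_t,s0)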
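--- a/policy/modules/services/tpm2.if
+++ b/policy/modules/services/tpm2.if
@@ -0,0 +1,58 @@
+## <summary>Trusted Platform Module 2.0</summary>
+
+########################################
+## <summary>
+## Allow specified domain to enable/disable tpm2-abrmd unit
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tpm2_enabledisable_abrmd',`
+gen_require(`
+type tpm2_abrmd_unit_t;
+class service { enable disable };
+')
+
+allow $1 tpm2_abrmd_unit_t:service { enable disable };
+')
+
+########################################
+## <summary>
+## Allow specified domain to start/stop tpm2-abrmd unit
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tpm2_startstop_abrmd',`
+gen_require(`
+type tpm2_abrmd_unit_t;
+class service { start stop };
+')
+
+allow $1 tpm2_abrmd_unit_t:service { start stop };
+')
+
+########################################
+## <summary>
+## Allow specified domain to get status of tpm2-abrmd unit
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tpm2_status_abrmd',`
+gen_require(`
+type tpm2_abrmd_unit_t;
+class service status;
+')
+
+allow $1 tpm2_abrmd_unit_t:service status;
+')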
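Review bot: The interface file only exposes the unit-file permissions (enable/disable, start/stop, status on tpm2_abrmd_unit_t) and gives client domains no way to reach the daemon itself, even though tpm2.te in this commit makes tpm2_abrmd_t a dbus_system_domain and the commit message says the daemon is accessed over a D-Bus interface. Without a `tpm2_dbus_chat(domain)` interface, any confined domain that needs the resource manager will have to be patched locally or run unconfined, which works against the least-privilege goal of adding this module; I would add the interface below after the status interface. The three unit-file interfaces also grant only the `service` class checks that systemd performs; a caller presumably still needs its usual access to talk to init over the bus, which these interfaces do not provide — worth a sentence in each `<summary>` so policy authors do not expect them to be sufficient on their own. I cannot confirm from the page whether the indentation inside the interface bodies was lost in rendering or is absent in the file; refpolicy style expects tab-indented bodies.
```m4
########################################
## <summary>
##	Send and receive messages from
##	tpm2-abrmd over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`tpm2_dbus_chat',`
	gen_require(`
		type tpm2_abrmd_t;
		class dbus send_msg;
	')

	allow $1 tpm2_abrmd_t:dbus send_msg;
	allow tpm2_abrmd_t $1:dbus send_msg;
')
```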
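--- a/policy/modules/services/tpm2.te
+++ b/policy/modules/services/tpm2.te
@@ -0,0 +1,30 @@
+policy_module(tpm2, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type tpm2_abrmd_t;
+type tpm2_abrmd_exec_t;
+init_daemon_domain(tpm2_abrmd_t, tpm2_abrmd_exec_t)
+
+type tpm2_abrmd_unit_t;
+init_unit_file(tpm2_abrmd_unit_t)
+
+########################################
+#
+# Local policy
+#
+
+allow tpm2_abrmd_t self:process signal;
+allow tpm2_abrmd_t self:unix_stream_socket create_socket_perms;
+
+dev_rw_tpm(tpm2_abrmd_t)
+
+kernel_read_crypto_sysctls(tpm2_abrmd_t)
+kernel_read_system_state(tpm2_abrmd_t)
+
+optional_policy(`
+dbus_system_domain(tpm2_abrmd_t, tpm2_abrmd_exec_t)
+')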
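Review bot: The local policy block grants the daemon only TPM device access, two kernel read interfaces and the self socket/signal rules; it contains none of the baseline a long-running refpolicy daemon usually needs, such as `logging_send_syslog_msg(tpm2_abrmd_t)`, `miscfiles_read_localization(tpm2_abrmd_t)` and `files_read_etc_files(tpm2_abrmd_t)`, unless `init_daemon_domain` already supplies them in this tree — I could not confirm that from the page, so this should be checked against the denials the daemon actually produces under enforcing mode rather than guessed. The comment header above the `Local policy` marker would also benefit from one line naming the role of tpm2_abrmd_t, e.g. `# TPM2 access broker / resource manager daemon; owns /dev/tpm* and serves clients over the system bus`, since nothing in the file says what the daemon is. The `dbus_system_domain` call sits in an `optional_policy` block, so on a build without the dbus module the domain is still created through `init_daemon_domain` but is unreachable by clients; if that is intended it deserves a short comment on the `optional_policy` line.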