8f5cbc7779
The various /bin/tpm2_* binaries use dbus to communicate with tpm2-abrmd and also can directly access /dev/tpmrm0. This seems like a way to help limit access to the TPM by running the tpm_* binaries in their own domain. I setup this domain because I have a process that needs to use tpm2_hmac to encode something, but didn't want that domain to have direct access to the TPM. I did some basic testing to verify that the other tpm2_* binaries have basically the same access needs. But it wasn't through testing of all the tpm2_* binaries. Signed-off-by: Dave Sugar <dsugar@tresys.com>
7 lines
348 B
Plaintext
7 lines
348 B
Plaintext
/usr/bin/tpm2-abrmd -- gen_context(system_u:object_r:tpm2_abrmd_exec_t,s0)
|
|
/usr/bin/tpm2_[^/]+ -- gen_context(system_u:object_r:tpm2_exec_t,s0)
|
|
|
|
/usr/sbin/tpm2-abrmd -- gen_context(system_u:object_r:tpm2_abrmd_exec_t,s0)
|
|
|
|
/usr/lib/systemd/system/[^/]*tpm2-abrmd\.service -- gen_context(system_u:object_r:tpm2_abrmd_unit_t,s0)
|