From: "Sugar, David"
To: "selinux-refpolicy@vger.kernel.org"
Subject: [PATCH] Module for tpm2-abrmd
Date: Thu, 25 Jul 2019 14:43:48 +0000
Message-ID: <20190725144316.10409-1-dsugar@tresys.com>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

Signed-off-by: Dave Sugar
---
 policy/modules/services/tpm2_abrmd.fc |  3 ++
 policy/modules/services/tpm2_abrmd.if | 58 +++++++++++++++++++++++++++
 policy/modules/services/tpm2_abrmd.te | 29 ++++++++++++++
 3 files changed, 90 insertions(+)
 create mode 100644 policy/modules/services/tpm2_abrmd.fc
 create mode 100644 policy/modules/services/tpm2_abrmd.if
 create mode 100644 policy/modules/services/tpm2_abrmd.te

diff --git a/policy/modules/services/tpm2_abrmd.fc b/policy/modules/service= s/tpm2_abrmd.fc
new file mode 100644
index 00000000..4ccf2f25
--- /dev/null
+++ b/policy/modules/services/tpm2_abrmd.fc
@@ -0,0 +1,3 @@ +/usr/sbin/tpm2-abrmd -- gen_context(system_u:object_r:tpm2_abrmd_ex= ec_t,s0) + +/usr/lib/systemd/system/[^/]*tpm2-abrmd\.service -- gen_context(system_u:o= bject_r:tpm2_abrmd_unit_t,s0) diff --git a/policy/modules/services/tpm2_abrmd.if b/policy/modules/service= s/tpm2_abrmd.if new file mode 100644 index 00000000..dabb4a65 --- /dev/null +++ b/policy/modules/services/tpm2_abrmd.if @@ -0,0 +1,58 @@ +## TPM2 Access Broker and Resource Management daemon. + +######################################## +## +## Allow specified domain to enable/disable tpm2-abrmd unit +## +## +## +## Domain allowed access. +## +## +# +interface(`tpm2_abrmd_enabledisable',` + gen_require(` + type tpm2_abrmd_unit_t; + class service { enable disable }; + ') + + allow $1 tpm2_abrmd_unit_t:service { enable disable }; +') + +######################################## +## +## Allow specified domain to start/stop tpm2-abrmd unit +## +## +## +## Domain allowed access. +## +## +# +interface(`tpm2_abrmd_startstop',` + gen_require(` + type tpm2_abrmd_unit_t; + class service { start stop }; + ') + + allow $1 tpm2_abrmd_unit_t:service { start stop }; +') + +######################################## +## +## Allow specified domain to get status of tpm2-abrmd unit +## +## +## +## Domain allowed access. +## +## +# +interface(`tpm2_abrmd_status',` + gen_require(` + type tpm2_abrmd_unit_t; + class service status; + ') + + allow $1 tpm2_abrmd_unit_t:service status; +') diff --git a/policy/modules/services/tpm2_abrmd.te b/policy/modules/service= s/tpm2_abrmd.te new file mode 100644 index 00000000..8a8ba5f0 --- /dev/null +++ b/policy/modules/services/tpm2_abrmd.te 
@@ -0,0 +1,29 @@ +policy_module(tpm2_abrmd, 1.0.0) + +######################################## +# +# Declarations +# + +type tpm2_abrmd_t; +type tpm2_abrmd_exec_t; +init_daemon_domain(tpm2_abrmd_t, tpm2_abrmd_exec_t) + +type tpm2_abrmd_unit_t; +init_unit_file(tpm2_abrmd_unit_t) + +######################################## +# +# Local policy +# + +allow tpm2_abrmd_t self:process signal; +allow tpm2_abrmd_t self:unix_stream_socket create_socket_perms; + +dev_rw_tpm(tpm2_abrmd_t) + +kernel_read_crypto_sysctls(tpm2_abrmd_t) +kernel_read_system_state(tpm2_abrmd_t) + +dbus_system_bus_client(tpm2_abrmd_t) +dbus_connect_system_bus(tpm2_abrmd_t) --=20 2.21.0
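Review bot: in the tpm2_abrmd.fc hunk, the unit-file pattern `/usr/lib/systemd/system/[^/]*tpm2-abrmd\.service` matches any unit whose name merely ends in `tpm2-abrmd.service`; if only the daemon's own unit is meant, the literal `/usr/lib/systemd/system/tpm2-abrmd\.service` is tighter, and if the prefix wildcard is deliberate (a distribution shipping a renamed unit) a one-line comment in the .fc saying so would help future readers. The executable entry covers only `/usr/sbin/tpm2-abrmd`; please check whether a matching `/usr/bin/tpm2-abrmd` entry is needed for distributions that install it there, since an unlabelled binary would start without the transition into tpm2_abrmd_t and the local policy below would never apply.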
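Review bot: the tpm2_abrmd.if hunk provides no interface for domains that need to talk to the daemon over D-Bus, yet the .te declares tpm2_abrmd_t as a system bus client that acquires a bus name; client domains (TSS applications using the abrmd TCTI, for instance) will need a `tpm2_abrmd_dbus_chat()` interface granting `dbus send_msg` in both directions, following the `*_dbus_chat` pattern used by other refpolicy service modules. It would also be worth adding a `tpm2_abrmd_admin()` interface built on `init_startstop_service()` so that administrative roles receive the start/stop/status permissions in one place, as is the usual refpolicy convention alongside the individual unit interfaces. The three `gen_require` blocks and the `service` class permissions themselves look correct as written.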
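Review bot: the tpm2_abrmd.te local policy grants no logging or localization access: a daemon that logs to syslog/journal normally needs `logging_send_syslog_msg(tpm2_abrmd_t)` and glibc locale loading needs `miscfiles_read_localization(tpm2_abrmd_t)`; if these were omitted because no denials were observed, say so in the commit message, otherwise add them. `dev_rw_tpm(tpm2_abrmd_t)` is the right scope here, since the purpose of the access broker is that it alone opens the TPM character device while other domains reach the TPM only through its D-Bus interface, so no other module should receive `dev_rw_tpm` as part of this series. The `dbus_system_bus_client` plus `dbus_connect_system_bus` pair is correct because the daemon acquires a well-known bus name rather than only sending messages. Separately, the commit message has no body; a sentence describing what tpm2-abrmd is and on which distribution the policy was tested would help reviewers.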