Received: by 2002:a25:ad19:0:0:0:0:0 with SMTP id y25csp4172204ybi;
        Mon, 29 Jul 2019 20:51:04 -0700 (PDT)
X-Google-Smtp-Source: APXvYqxmSvz5iU9oNHvX31FfSPM+NpbDZ5pUQYWd7r89fsZElMW1lXnyBdh1LwpGJgMkEfi+jlm7
X-Received: by 2002:a17:90a:9f0b:: with SMTP id n11mr75981282pjp.98.1564458664381;
        Mon, 29 Jul 2019 20:51:04 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1564458664; cv=none;
        d=google.com; s=arc-20160816;
        b=kVCheL7fxSKYjyzd09j7kukhDCTxI78D/NXBoSc/k/flZkCBxa/uI5kp1jTB6zprny
         6zngaXW1kY+mYzLm6myIesafDPURxuk6FMlTTP859jL9k0y6wcOX9tn2b1kfsunXxwV9
         y0IZyLYy2DAi30MvMGeza+L2wD2EPjNN9yhORx59M/cv+Sp5KGR11n5HpfDrWR/hZ1XR
         Xa5LCVAtu8YaFPZBqGw/tgpVzO472cnkDj8EnIRcUFbM66o6dcw6dqyAwVCoYlgF2yAC
         5sIq8RDRtuJtiLqI31I9kgTupcRqO9j2++G393mAektTRls53vOAB0PaB7L4y1L9RWfT
         f5+g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding
         :content-language:in-reply-to:mime-version:user-agent:date
         :message-id:from:references:to:subject:dkim-signature;
        bh=s2ZW1Ihjb8oaUqrartiFLQok0C0ri5nhEYSd6PGpjXM=;
        b=wJjv5PJo9Yu7vnf7+8lN3HYH0ew1ho2K/775jihI5V5QsaF6oskPocFhUThItC55JC
         caFHi/StaqyqTLOg7f7JT/5Aoq4IvYomyUJGnuO14SfPwvnsx3piP8zcTOF3I2MgJYbE
         EelgvtJa64B3vtM1sAeKOH+34h2HgsoXQBEqb3Fb1qKf7XlXI7aYsaEslrt5y12Hta9K
         MSpiBQihrylkWbZpH5iDCxqVfIhI03w5x+qZz9xGcBvcIAUfbbcn+tW51vRO4fmSvvsz
         lTI+kWisx0g3t5bz9Wyzxr/dEHhsQPcgeKf4ZRION3ajFfZbN35QTl5qbv7LJ8Vo1I3P
         Qlqg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@ieee.org header.s=google header.b=FoZfk2Je;
       spf=pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=ieee.org
Return-Path: <selinux-refpolicy-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id 22si27887422pgu.226.2019.07.29.20.51.00;
        Mon, 29 Jul 2019 20:51:04 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@ieee.org header.s=google header.b=FoZfk2Je;
       spf=pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=ieee.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1730317AbfG3AtY (ORCPT <rfc822;linux.lists.archive@gmail.com>
        + 11 others); Mon, 29 Jul 2019 20:49:24 -0400
Received: from mail-qt1-f195.google.com ([209.85.160.195]:36631 "EHLO
        mail-qt1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1729305AbfG3AtX (ORCPT
        <rfc822;selinux-refpolicy@vger.kernel.org>);
        Mon, 29 Jul 2019 20:49:23 -0400
Received: by mail-qt1-f195.google.com with SMTP id z4so61438202qtc.3
        for <selinux-refpolicy@vger.kernel.org>; Mon, 29 Jul 2019 17:49:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=ieee.org; s=google;
        h=subject:to:references:from:message-id:date:user-agent:mime-version
         :in-reply-to:content-language:content-transfer-encoding;
        bh=s2ZW1Ihjb8oaUqrartiFLQok0C0ri5nhEYSd6PGpjXM=;
        b=FoZfk2JeRBV6HPpI53kbfYg2vzzSmlQJQx5+IhZF5xR85gNeuhpX+8BYkdV6uU2/FC
         bNXQKTi1Q0BLxXc5sk2knXlKDkWHRCbVdijggfRKR86kssjNHUcbybKXtjFpbtcfbgr3
         2NMRwhCMYmUlNosej/HhMpYCBjr2IRfPek6AU=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:subject:to:references:from:message-id:date
         :user-agent:mime-version:in-reply-to:content-language
         :content-transfer-encoding;
        bh=s2ZW1Ihjb8oaUqrartiFLQok0C0ri5nhEYSd6PGpjXM=;
        b=LyrPWpwW99rclYiJOYRUeon1WnRKagTsiG8Jw/bA7a4PlgR3DZV+y9F72+TrYwhxWU
         QZy0nzUqABLMgQcnbVRbn/iuOy651yWVOBbDOgU/IM/rfkVE9sfsFfIipf7A8zRA5DZ3
         HMuUIpoRBcnBV/JI9muCMVAM3NUIibhD6GYJE4JDzbrxclzd4AJ5MoGumrRMu1Va9nOL
         aOP02mUIhcJ+VFIx+Gd++kxXXR06qlTnaK4SMxF5Gbu0Z+YUaOgkiraCWgBYnajTUUix
         7HN6mOapc2JH3cRdbBxNti+JPu741FJQH4hcB5WHyVPxabtB/VckBqpDpfCBnG2i0aBR
         a2jw==
X-Gm-Message-State: APjAAAVy4J8z2neIIU5x/1hzXFdI8LHZBmsumY6yjT3jPMaqZDzZhFD3
        mcZ8CEqdFsZL/ZRaH0n84M3DzUNeBVw=
X-Received: by 2002:aed:3b02:: with SMTP id p2mr80488034qte.62.1564447762378;
        Mon, 29 Jul 2019 17:49:22 -0700 (PDT)
Received: from [192.168.1.190] (pool-108-15-23-247.bltmmd.fios.verizon.net. [108.15.23.247])
        by smtp.gmail.com with ESMTPSA id r189sm27936030qkc.60.2019.07.29.17.49.21
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Mon, 29 Jul 2019 17:49:21 -0700 (PDT)
Subject: Re: [PATCH] Module for tpm2-abrmd
To:     "Sugar, David" <dsugar@tresys.com>,
        "selinux-refpolicy@vger.kernel.org" 
        <selinux-refpolicy@vger.kernel.org>
References: <20190725144316.10409-1-dsugar@tresys.com>
From:   Chris PeBenito <pebenito@ieee.org>
Message-ID: <4438bc8f-0322-bd10-eab7-5556ecf49278@ieee.org>
Date:   Mon, 29 Jul 2019 20:49:20 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101
 Thunderbird/60.6.1
MIME-Version: 1.0
In-Reply-To: <20190725144316.10409-1-dsugar@tresys.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Sender: selinux-refpolicy-owner@vger.kernel.org
Precedence: bulk
List-ID: <selinux-refpolicy.vger.kernel.org>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On 7/25/19 10:43 AM, Sugar, David wrote:
> Signed-off-by: Dave Sugar <dsugar@tresys.com>
> ---
>   policy/modules/services/tpm2_abrmd.fc |  3 ++
>   policy/modules/services/tpm2_abrmd.if | 58 +++++++++++++++++++++++++++
>   policy/modules/services/tpm2_abrmd.te | 29 ++++++++++++++
>   3 files changed, 90 insertions(+)
>   create mode 100644 policy/modules/services/tpm2_abrmd.fc
>   create mode 100644 policy/modules/services/tpm2_abrmd.if
>   create mode 100644 policy/modules/services/tpm2_abrmd.te

I think my only question is about the module name.  Why not tpm2?  I'm 
not well versed on the Linux TPM stack, but isn't there other components 
that potentially could need policy, like tss or totp?



> diff --git a/policy/modules/services/tpm2_abrmd.fc b/policy/modules/services/tpm2_abrmd.fc
> new file mode 100644
> index 00000000..4ccf2f25
> --- /dev/null
> +++ b/policy/modules/services/tpm2_abrmd.fc
> @@ -0,0 +1,3 @@
> +/usr/sbin/tpm2-abrmd								--	gen_context(system_u:object_r:tpm2_abrmd_exec_t,s0)
> +
> +/usr/lib/systemd/system/[^/]*tpm2-abrmd\.service	--	gen_context(system_u:object_r:tpm2_abrmd_unit_t,s0)
> diff --git a/policy/modules/services/tpm2_abrmd.if b/policy/modules/services/tpm2_abrmd.if
> new file mode 100644
> index 00000000..dabb4a65
> --- /dev/null
> +++ b/policy/modules/services/tpm2_abrmd.if
> @@ -0,0 +1,58 @@
> +## <summary>TPM2 Access Broker and Resource Management daemon.</summary>
> +
> +########################################
> +## <summary>
> +##	Allow specified domain to enable/disable tpm2-abrmd unit
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`tpm2_abrmd_enabledisable',`
> +	gen_require(`
> +		type tpm2_abrmd_unit_t;
> +		class service { enable disable };
> +	')
> +
> +	allow $1 tpm2_abrmd_unit_t:service { enable disable };
> +')
> +
> +########################################
> +## <summary>
> +##	Allow specified domain to start/stop tpm2-abrmd unit
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`tpm2_abrmd_startstop',`
> +	gen_require(`
> +		type tpm2_abrmd_unit_t;
> +		class service { start stop };
> +	')
> +
> +	allow $1 tpm2_abrmd_unit_t:service { start stop };
> +')
> +
> +########################################
> +## <summary>
> +##	Allow specified domain to get status of tpm2-abrmd unit
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`tpm2_abrmd_status',`
> +	gen_require(`
> +		type tpm2_abrmd_unit_t;
> +		class service status;
> +	')
> +
> +	allow $1 tpm2_abrmd_unit_t:service status;
> +')
> diff --git a/policy/modules/services/tpm2_abrmd.te b/policy/modules/services/tpm2_abrmd.te
> new file mode 100644
> index 00000000..8a8ba5f0
> --- /dev/null
> +++ b/policy/modules/services/tpm2_abrmd.te
> @@ -0,0 +1,29 @@
> +policy_module(tpm2_abrmd, 1.0.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +type tpm2_abrmd_t;
> +type tpm2_abrmd_exec_t;
> +init_daemon_domain(tpm2_abrmd_t, tpm2_abrmd_exec_t)
> +
> +type tpm2_abrmd_unit_t;
> +init_unit_file(tpm2_abrmd_unit_t)
> +
> +########################################
> +#
> +# Local policy
> +#
> +
> +allow tpm2_abrmd_t self:process signal;
> +allow tpm2_abrmd_t self:unix_stream_socket create_socket_perms;
> +
> +dev_rw_tpm(tpm2_abrmd_t)
> +
> +kernel_read_crypto_sysctls(tpm2_abrmd_t)
> +kernel_read_system_state(tpm2_abrmd_t)
> +
> +dbus_system_bus_client(tpm2_abrmd_t)
> +dbus_connect_system_bus(tpm2_abrmd_t)
> 


-- 
Chris PeBenito