2011-01-31 19:17:00

by Stephen Smalley

Subject: [refpolicy] [PATCH] Add TSS Core Services (TCS) daemon (tcsd) policy


Signed-off-by: Stephen Smalley <[email protected]>
---
policy/modules/kernel/corenetwork.te.in | 1 +
policy/modules/kernel/devices.if | 18 +++++++++++
policy/modules/services/tcsd.fc | 3 ++
policy/modules/services/tcsd.if | 1 +
policy/modules/services/tcsd.te | 51 +++++++++++++++++++++++++++++++
5 files changed, 74 insertions(+), 0 deletions(-)
create mode 100644 policy/modules/services/tcsd.fc
create mode 100644 policy/modules/services/tcsd.if
create mode 100644 policy/modules/services/tcsd.te

diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index f12e087..0757523 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -196,6 +196,7 @@ network_port(ssh, tcp,22,s0)
type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict
network_port(swat, tcp,901,s0)
network_port(syslogd, udp,514,s0)
+network_port(tcs, tcp, 30003, s0)
network_port(telnetd, tcp,23,s0)
network_port(tftp, udp,69,s0)
network_port(tor, tcp, 6969, s0, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0, tcp,9051,s0)
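Review bot: The added `network_port(tcs, tcp, 30003, s0)` line puts spaces after the commas, while the ssh, swat, syslogd, telnetd and tftp entries around it are written in the `tcp,22,s0` form; writing it as `network_port(tcs, tcp,30003,s0)` keeps the block uniform. Nothing in this file ties the name `tcs` to the daemon, so a short trailing `#` comment saying that 30003 is the tcsd port would help the next reader.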
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 15a7bef..efaf808 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -3773,6 +3773,24 @@ interface(`dev_rw_sysfs',`

########################################
## <summary>
+## Read and write the TPM device.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rw_tpm',`
+ gen_require(`
+ type device_t, tpm_device_t;
+ ')
+
+ rw_chr_files_pattern($1, device_t, tpm_device_t)
+')
+
+########################################
+## <summary>
## Read from pseudo random number generator devices (e.g., /dev/urandom).
## </summary>
## <desc>
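Review bot: `dev_rw_tpm` pulls in `tpm_device_t` through `gen_require`, but the diffstat touches only devices.if in the devices module, so nothing in this patch declares that type or labels the TPM device node with it. Please confirm that devices.te and devices.fc already carry both; if they do not, the declaration and file context belong in this patch. The summary could also name the node (/dev/tpm0, as the comment in tcsd.te does) in the way the neighbouring interface names /dev/urandom.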
diff --git a/policy/modules/services/tcsd.fc b/policy/modules/services/tcsd.fc
new file mode 100644
index 0000000..8a473e7
--- /dev/null
+++ b/policy/modules/services/tcsd.fc
@@ -0,0 +1,3 @@
+/usr/sbin/tcsd -- gen_context(system_u:object_r:tcsd_exec_t,s0)
+/var/lib/tpm(/.*)? gen_context(system_u:object_r:tcsd_var_lib_t,s0)
+
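Review bot: Line 3 of the new tcsd.fc is an empty `+` line, so the file ends with a blank line; drop it. Only the executable and /var/lib/tpm receive contexts here, so any other file the daemon owns would keep its default label; if that is intentional, a sentence in the commit message would record it.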
diff --git a/policy/modules/services/tcsd.if b/policy/modules/services/tcsd.if
new file mode 100644
index 0000000..e814f69
--- /dev/null
+++ b/policy/modules/services/tcsd.if
@@ -0,0 +1 @@
+## <summary>TSS Core Services (TCS) daemon (tcsd) policy</summary>
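Review bot: tcsd.if carries only the module summary and defines no interfaces, so no other module can be granted access to `tcsd_t` or `tcsd_var_lib_t` through this module. If confined clients are expected to talk to the daemon or read its state, the interfaces for that belong here; if the omission is deliberate for a first version, say so in the commit message, which currently has no body.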
diff --git a/policy/modules/services/tcsd.te b/policy/modules/services/tcsd.te
new file mode 100644
index 0000000..e87e2ae
--- /dev/null
+++ b/policy/modules/services/tcsd.te
@@ -0,0 +1,51 @@
+policy_module(tcsd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type tcsd_t;
+type tcsd_exec_t;
+domain_type(tcsd_t)
+init_daemon_domain(tcsd_t, tcsd_exec_t)
+
+# /var/lib/tpm
+type tcsd_var_lib_t;
+files_type(tcsd_var_lib_t)
+
+########################################
+#
+# tcsd local policy
+#
+
+allow tcsd_t self:capability { dac_override setuid };
+allow tcsd_t self:process { signal sigkill };
+allow tcsd_t self:tcp_socket create_stream_socket_perms;
+
+# Access /dev/tpm0.
+dev_rw_tpm(tcsd_t)
+
+# var/lib files for tcsd
+manage_dirs_pattern(tcsd_t,tcsd_var_lib_t,tcsd_var_lib_t)
+manage_files_pattern(tcsd_t,tcsd_var_lib_t,tcsd_var_lib_t)
+files_var_lib_filetrans(tcsd_t,tcsd_var_lib_t,{ file dir })
+
+# Accept connections on the TCS port over loopback.
+sysnet_read_config(tcsd_t)
+corenet_all_recvfrom_unlabeled(tcsd_t)
+corenet_tcp_bind_generic_node(tcsd_t)
+corenet_tcp_bind_tcs_port(tcsd_t)
+
+# Read /dev/urandom, /etc, /usr, and locale files.
+dev_read_urand(tcsd_t)
+files_read_etc_files(tcsd_t)
+files_read_usr_files(tcsd_t)
+miscfiles_read_localization(tcsd_t)
+
+# tcsd is dynamically linked and thus uses ld.so and shared libs.
+libs_use_ld_so(tcsd_t)
+libs_use_shared_libs(tcsd_t)
+
+# Log messages via syslog.
+logging_send_syslog_msg(tcsd_t)
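Review bot: The comment "Accept connections on the TCS port over loopback" does not match the rules under it: `corenet_tcp_bind_generic_node(tcsd_t)` and `corenet_all_recvfrom_unlabeled(tcsd_t)` are not limited to loopback, so the policy as written lets tcsd bind the port on any address. Either reword the comment to make clear that the loopback restriction is expected to come from the daemon rather than the policy, or tighten the node rule. Separately, `domain_type(tcsd_t)` looks redundant next to `init_daemon_domain(tcsd_t, tcsd_exec_t)` and can probably be dropped.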
--
1.7.3.5


--
Stephen Smalley
National Security Agency


2011-02-01 21:05:59

by Daniel Walsh

Subject: [refpolicy] [PATCH] Add TSS Core Services (TCS) daemon (tcsd) policy

Our version of tcsd policy

Steve I suppose we are going to need this in RHEL6.
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: tcsd.patch
Url: http://oss.tresys.com/pipermail/refpolicy/attachments/20110201/34d32f08/attachment-0001.pl

2011-02-02 15:18:06

by Stephen Smalley

Subject: [refpolicy] [PATCH] Add TSS Core Services (TCS) daemon (tcsd) policy

On Tue, 2011-02-01 at 16:05 -0500, Daniel J Walsh wrote:
> Our version of tcsd policy
>
> Steve I suppose we are going to need this in RHEL6.

Ok, didn't know you had a tcsd policy. Mine was originally developed on
RHEL5.5 and then tweaked to build with latest refpolicy, so yours is
likely more accurate for RHEL6.

--
Stephen Smalley
National Security Agency

2011-02-02 16:05:34

by Daniel Walsh

Subject: [refpolicy] [PATCH] Add TSS Core Services (TCS) daemon (tcsd) policy

On 02/02/2011 10:18 AM, Stephen Smalley wrote:
> On Tue, 2011-02-01 at 16:05 -0500, Daniel J Walsh wrote:
>> Our version of tcsd policy
>>
>> Steve I suppose we are going to need this in RHEL6.
>
> Ok, didn't know you had a tcsd policy. Mine was originally developed on
> RHEL5.5 and then tweaked to build with latest refpolicy, so yours is
> likely more accurate for RHEL6.
>
I had one on my laptop that Eric asked me to write, but I never shipped
it. I added some missing access from yours and it is now in Rawhide. I
will have Miroslav back port it to RHEL5 and 6.

2011-02-07 14:02:29

by cpebenito

Subject: [refpolicy] [PATCH] Add TSS Core Services (TCS) daemon (tcsd) policy

On 1/31/2011 2:17 PM, Stephen Smalley wrote:
>
> Signed-off-by: Stephen Smalley<[email protected]>
> ---
> policy/modules/kernel/corenetwork.te.in | 1 +
> policy/modules/kernel/devices.if | 18 +++++++++++
> policy/modules/services/tcsd.fc | 3 ++
> policy/modules/services/tcsd.if | 1 +
> policy/modules/services/tcsd.te | 51 +++++++++++++++++++++++++++++++
> 5 files changed, 74 insertions(+), 0 deletions(-)
> create mode 100644 policy/modules/services/tcsd.fc
> create mode 100644 policy/modules/services/tcsd.if
> create mode 100644 policy/modules/services/tcsd.te

Merged.


> diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
> index f12e087..0757523 100644
> --- a/policy/modules/kernel/corenetwork.te.in
> +++ b/policy/modules/kernel/corenetwork.te.in
> @@ -196,6 +196,7 @@ network_port(ssh, tcp,22,s0)
> type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict
> network_port(swat, tcp,901,s0)
> network_port(syslogd, udp,514,s0)
> +network_port(tcs, tcp, 30003, s0)
> network_port(telnetd, tcp,23,s0)
> network_port(tftp, udp,69,s0)
> network_port(tor, tcp, 6969, s0, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0, tcp,9051,s0)
> diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
> index 15a7bef..efaf808 100644
> --- a/policy/modules/kernel/devices.if
> +++ b/policy/modules/kernel/devices.if
> @@ -3773,6 +3773,24 @@ interface(`dev_rw_sysfs',`
>
> ########################################
> ##<summary>
> +## Read and write the TPM device.
> +##</summary>
> +##<param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +##</param>
> +#
> +interface(`dev_rw_tpm',`
> + gen_require(`
> + type device_t, tpm_device_t;
> + ')
> +
> + rw_chr_files_pattern($1, device_t, tpm_device_t)
> +')
> +
> +########################################
> +##<summary>
> ## Read from pseudo random number generator devices (e.g., /dev/urandom).
> ##</summary>
> ##<desc>
> diff --git a/policy/modules/services/tcsd.fc b/policy/modules/services/tcsd.fc
> new file mode 100644
> index 0000000..8a473e7
> --- /dev/null
> +++ b/policy/modules/services/tcsd.fc
> @@ -0,0 +1,3 @@
> +/usr/sbin/tcsd -- gen_context(system_u:object_r:tcsd_exec_t,s0)
> +/var/lib/tpm(/.*)? gen_context(system_u:object_r:tcsd_var_lib_t,s0)
> +
> diff --git a/policy/modules/services/tcsd.if b/policy/modules/services/tcsd.if
> new file mode 100644
> index 0000000..e814f69
> --- /dev/null
> +++ b/policy/modules/services/tcsd.if
> @@ -0,0 +1 @@
> +##<summary>TSS Core Services (TCS) daemon (tcsd) policy</summary>
> diff --git a/policy/modules/services/tcsd.te b/policy/modules/services/tcsd.te
> new file mode 100644
> index 0000000..e87e2ae
> --- /dev/null
> +++ b/policy/modules/services/tcsd.te
> @@ -0,0 +1,51 @@
> +policy_module(tcsd, 1.0.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +type tcsd_t;
> +type tcsd_exec_t;
> +domain_type(tcsd_t)
> +init_daemon_domain(tcsd_t, tcsd_exec_t)
> +
> +# /var/lib/tpm
> +type tcsd_var_lib_t;
> +files_type(tcsd_var_lib_t)
> +
> +########################################
> +#
> +# tcsd local policy
> +#
> +
> +allow tcsd_t self:capability { dac_override setuid };
> +allow tcsd_t self:process { signal sigkill };
> +allow tcsd_t self:tcp_socket create_stream_socket_perms;
> +
> +# Access /dev/tpm0.
> +dev_rw_tpm(tcsd_t)
> +
> +# var/lib files for tcsd
> +manage_dirs_pattern(tcsd_t,tcsd_var_lib_t,tcsd_var_lib_t)
> +manage_files_pattern(tcsd_t,tcsd_var_lib_t,tcsd_var_lib_t)
> +files_var_lib_filetrans(tcsd_t,tcsd_var_lib_t,{ file dir })
> +
> +# Accept connections on the TCS port over loopback.
> +sysnet_read_config(tcsd_t)
> +corenet_all_recvfrom_unlabeled(tcsd_t)
> +corenet_tcp_bind_generic_node(tcsd_t)
> +corenet_tcp_bind_tcs_port(tcsd_t)
> +
> +# Read /dev/urandom, /etc, /usr, and locale files.
> +dev_read_urand(tcsd_t)
> +files_read_etc_files(tcsd_t)
> +files_read_usr_files(tcsd_t)
> +miscfiles_read_localization(tcsd_t)
> +
> +# tcsd is dynamically linked and thus uses ld.so and shared libs.
> +libs_use_ld_so(tcsd_t)
> +libs_use_shared_libs(tcsd_t)
> +
> +# Log messages via syslog.
> +logging_send_syslog_msg(tcsd_t)
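Review bot: `allow tcsd_t self:capability { dac_override setuid };` grants two capabilities with no comment, unlike the rule groups further down in the file, which each state what they are for. `dac_override` in particular lets the daemon bypass file permission checks, so a line naming the access that needs it (or dropping it, if fixing ownership of /var/lib/tpm makes it unnecessary) would make the rule reviewable. The same applies to `self:process { signal sigkill }`.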


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com