From: sds@tycho.nsa.gov (Stephen Smalley) Date: Mon, 31 Jan 2011 14:17:00 -0500 Subject: [refpolicy] [PATCH] Add TSS Core Services (TCS) daemon (tcsd) policy Message-ID: <1296501420.26427.46.camel@moss-pluto> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Signed-off-by: Stephen Smalley --- policy/modules/kernel/corenetwork.te.in | 1 + policy/modules/kernel/devices.if | 18 +++++++++++ policy/modules/services/tcsd.fc | 3 ++ policy/modules/services/tcsd.if | 1 + policy/modules/services/tcsd.te | 51 +++++++++++++++++++++++++++++++ 5 files changed, 74 insertions(+), 0 deletions(-) create mode 100644 policy/modules/services/tcsd.fc create mode 100644 policy/modules/services/tcsd.if create mode 100644 policy/modules/services/tcsd.te
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index f12e087..0757523 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -196,6 +196,7 @@ network_port(ssh, tcp,22,s0)
 type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict
 network_port(swat, tcp,901,s0)
 network_port(syslogd, udp,514,s0)
+network_port(tcs, tcp, 30003, s0)
 network_port(telnetd, tcp,23,s0)
 network_port(tftp, udp,69,s0)
 network_port(tor, tcp, 6969, s0, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0, tcp,9051,s0)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 15a7bef..efaf808 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -3773,6 +3773,24 @@ interface(`dev_rw_sysfs',`
 ########################################
 ##
+## Read and write the TPM device.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_rw_tpm',`
+ gen_require(`
+ type device_t, tpm_device_t;
+ ')
+
+ rw_chr_files_pattern($1, device_t, tpm_device_t)
+')
+
+########################################
+##
 ## Read from pseudo random number generator devices (e.g., /dev/urandom).
 ##
 ##
diff --git a/policy/modules/services/tcsd.fc b/policy/modules/services/tcsd.fc
new file mode 100644
index 0000000..8a473e7
--- /dev/null
+++ b/policy/modules/services/tcsd.fc
@@ -0,0 +1,3 @@
+/usr/sbin/tcsd -- gen_context(system_u:object_r:tcsd_exec_t,s0)
+/var/lib/tpm(/.*)? gen_context(system_u:object_r:tcsd_var_lib_t,s0)
+
diff --git a/policy/modules/services/tcsd.if b/policy/modules/services/tcsd.if
new file mode 100644
index 0000000..e814f69
--- /dev/null
+++ b/policy/modules/services/tcsd.if
@@ -0,0 +1 @@
+## TSS Core Services (TCS) daemon (tcsd) policy
diff --git a/policy/modules/services/tcsd.te b/policy/modules/services/tcsd.te
new file mode 100644
index 0000000..e87e2ae
--- /dev/null
+++ b/policy/modules/services/tcsd.te
@@ -0,0 +1,51 @@
+policy_module(tcsd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type tcsd_t;
+type tcsd_exec_t;
+domain_type(tcsd_t)
+init_daemon_domain(tcsd_t, tcsd_exec_t)
+
+# /var/lib/tpm
+type tcsd_var_lib_t;
+files_type(tcsd_var_lib_t)
+
+########################################
+#
+# tcsd local policy
+#
+
+allow tcsd_t self:capability { dac_override setuid };
+allow tcsd_t self:process { signal sigkill };
+allow tcsd_t self:tcp_socket create_stream_socket_perms;
+
+# Access /dev/tpm0.
+dev_rw_tpm(tcsd_t)
+
+# var/lib files for tcsd
+manage_dirs_pattern(tcsd_t,tcsd_var_lib_t,tcsd_var_lib_t)
+manage_files_pattern(tcsd_t,tcsd_var_lib_t,tcsd_var_lib_t)
+files_var_lib_filetrans(tcsd_t,tcsd_var_lib_t,{ file dir })
+
+# Accept connections on the TCS port over loopback.
+sysnet_read_config(tcsd_t)
+corenet_all_recvfrom_unlabeled(tcsd_t)
+corenet_tcp_bind_generic_node(tcsd_t)
+corenet_tcp_bind_tcs_port(tcsd_t)
+
+# Read /dev/urandom, /etc, /usr, and locale files.
+dev_read_urand(tcsd_t)
+files_read_etc_files(tcsd_t)
+files_read_usr_files(tcsd_t)
+miscfiles_read_localization(tcsd_t)
+
+# tcsd is dynamically linked and thus uses ld.so and shared libs.
+libs_use_ld_so(tcsd_t)
+libs_use_shared_libs(tcsd_t)
+
+# Log messages via syslog.
+logging_send_syslog_msg(tcsd_t)
-- 1.7.3.5 -- Stephen Smalley National Security Agency
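Review bot: The comment `# Accept connections on the TCS port over loopback.` promises more than the rules beneath it enforce: `corenet_tcp_bind_generic_node(tcsd_t)` lets tcsd bind the port on any node and `corenet_all_recvfrom_unlabeled(tcsd_t)` accepts traffic from any peer, so whether the daemon really listens only on the loopback address is decided by tcsd's own configuration, not by this policy. Reword it to `# Bind and accept connections on the TCS port; loopback-only listening is left to tcsd's configuration and is not enforced here.` or, if this tree has a loopback-node bind interface, prefer it over the generic-node one. The line `allow tcsd_t self:capability { dac_override setuid };` would also benefit from a comment stating which operation requires each capability, since dac_override bypasses all file permission checks and is the kind of grant a later reader will want justified. Both points concern documentation and scoping rather than a functional defect in what the hunk declares.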