From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Mon, 07 Feb 2011 09:02:29 -0500
Subject: [refpolicy] [PATCH] Add TSS Core Services (TCS) daemon (tcsd) policy
In-Reply-To: <1296501420.26427.46.camel@moss-pluto>
References: <1296501420.26427.46.camel@moss-pluto>
Message-ID: <4D4FFB75.1050301@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 1/31/2011 2:17 PM, Stephen Smalley wrote:
>
> Signed-off-by: Stephen Smalley
> ---
> policy/modules/kernel/corenetwork.te.in | 1 +
> policy/modules/kernel/devices.if | 18 +++++++++++
> policy/modules/services/tcsd.fc | 3 ++
> policy/modules/services/tcsd.if | 1 +
> policy/modules/services/tcsd.te | 51 +++++++++++++++++++++++++++++++
> 5 files changed, 74 insertions(+), 0 deletions(-)
> create mode 100644 policy/modules/services/tcsd.fc
> create mode 100644 policy/modules/services/tcsd.if
> create mode 100644 policy/modules/services/tcsd.te

Merged.

> diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
> index f12e087..0757523 100644
> --- a/policy/modules/kernel/corenetwork.te.in
> +++ b/policy/modules/kernel/corenetwork.te.in
> @@ -196,6 +196,7 @@ network_port(ssh, tcp,22,s0)
> type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict
> network_port(swat, tcp,901,s0)
> network_port(syslogd, udp,514,s0)
> +network_port(tcs, tcp, 30003, s0)
> network_port(telnetd, tcp,23,s0)
> network_port(tftp, udp,69,s0)
> network_port(tor, tcp, 6969, s0, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0, tcp,9051,s0)
> diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
> index 15a7bef..efaf808 100644
> --- a/policy/modules/kernel/devices.if
> +++ b/policy/modules/kernel/devices.if
> @@ -3773,6 +3773,24 @@ interface(`dev_rw_sysfs',`
>
> ########################################
> ##
> +## Read and write the TPM device.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`dev_rw_tpm',`
> + gen_require(`
> + type device_t, tpm_device_t;
> + ')
> +
> + rw_chr_files_pattern($1, device_t, tpm_device_t)
> +')
> +
> +########################################
> +##
> ## Read from pseudo random number generator devices (e.g., /dev/urandom).
> ##
> ##
> diff --git a/policy/modules/services/tcsd.fc b/policy/modules/services/tcsd.fc
> new file mode 100644
> index 0000000..8a473e7
> --- /dev/null
> +++ b/policy/modules/services/tcsd.fc
> @@ -0,0 +1,3 @@
> +/usr/sbin/tcsd -- gen_context(system_u:object_r:tcsd_exec_t,s0)
> +/var/lib/tpm(/.*)? gen_context(system_u:object_r:tcsd_var_lib_t,s0)
> +
> diff --git a/policy/modules/services/tcsd.if b/policy/modules/services/tcsd.if
> new file mode 100644
> index 0000000..e814f69
> --- /dev/null
> +++ b/policy/modules/services/tcsd.if
> @@ -0,0 +1 @@
> +##TSS Core Services (TCS) daemon (tcsd) policy
> diff --git a/policy/modules/services/tcsd.te b/policy/modules/services/tcsd.te
> new file mode 100644
> index 0000000..e87e2ae
> --- /dev/null
> +++ b/policy/modules/services/tcsd.te
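Review bot: The new tcsd.if consists of the single summary line `##TSS Core Services (TCS) daemon (tcsd) policy`, so no other module has a way to be granted access to tcsd; a TPM client domain (tpm_tools, the trousers user library) would have to call into corenetwork directly to reach port 30003. Since `network_port(tcs, tcp, 30003, s0)` in this series produces the generated port interfaces — the same family as the `corenet_tcp_bind_tcs_port` that tcsd.te already uses — wrapping the connect side in a `tcsd_tcp_connect` interface keeps the port knowledge inside this module and gives callers the conventional module_verb entry point. The summary line also appears to be missing the `<summary>` element used by the other .if files, although that may simply have been stripped by this rendering of the mail.

```m4
## <summary>TSS Core Services (TCS) daemon (tcsd) policy</summary>

########################################
## <summary>
##	Connect to tcsd over its TCP port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`tcsd_tcp_connect',`
	corenet_tcp_connect_tcs_port($1)
')
```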
> @@ -0,0 +1,51 @@
> +policy_module(tcsd, 1.0.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +type tcsd_t;
> +type tcsd_exec_t;
> +domain_type(tcsd_t)
> +init_daemon_domain(tcsd_t, tcsd_exec_t)
> +
> +# /var/lib/tpm
> +type tcsd_var_lib_t;
> +files_type(tcsd_var_lib_t)
> +
> +########################################
> +#
> +# tcsd local policy
> +#
> +
> +allow tcsd_t self:capability { dac_override setuid };
> +allow tcsd_t self:process { signal sigkill };
> +allow tcsd_t self:tcp_socket create_stream_socket_perms;
> +
> +# Access /dev/tpm0.
> +dev_rw_tpm(tcsd_t)
> +
> +# var/lib files for tcsd
> +manage_dirs_pattern(tcsd_t,tcsd_var_lib_t,tcsd_var_lib_t)
> +manage_files_pattern(tcsd_t,tcsd_var_lib_t,tcsd_var_lib_t)
> +files_var_lib_filetrans(tcsd_t,tcsd_var_lib_t,{ file dir })
> +
> +# Accept connections on the TCS port over loopback.
> +sysnet_read_config(tcsd_t)
> +corenet_all_recvfrom_unlabeled(tcsd_t)
> +corenet_tcp_bind_generic_node(tcsd_t)
> +corenet_tcp_bind_tcs_port(tcsd_t)
> +
> +# Read /dev/urandom, /etc, /usr, and locale files.
> +dev_read_urand(tcsd_t)
> +files_read_etc_files(tcsd_t)
> +files_read_usr_files(tcsd_t)
> +miscfiles_read_localization(tcsd_t)
> +
> +# tcsd is dynamically linked and thus uses ld.so and shared libs.
> +libs_use_ld_so(tcsd_t)
> +libs_use_shared_libs(tcsd_t)
> +
> +# Log messages via syslog.
> +logging_send_syslog_msg(tcsd_t)

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
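Review bot: The comment `# Accept connections on the TCS port over loopback.` promises more than the rules beneath it enforce: `corenet_tcp_bind_generic_node(tcsd_t)` lets tcsd_t bind on any node, so confinement to 127.0.0.1 comes only from tcsd's own configuration, not from this policy. If a loopback-specific node type is available in this tree, binding to it instead of the generic node would make the comment accurate; otherwise I would reword it to `# Listen on the TCS port (binding to loopback only is left to tcsd.conf, not enforced here).` so readers do not take it for an enforced property. The `dac_override` in `allow tcsd_t self:capability { dac_override setuid };` bypasses every DAC file check and deserves a comment naming the access that needs it — presumably something around the drop to an unprivileged user implied by `setuid` — or a run without it to confirm it is not startup noise that could be dontaudited instead. Lastly, `corenet_all_recvfrom_unlabeled(tcsd_t)` normally appears alongside `corenet_all_recvfrom_netlabel(tcsd_t)` in this tree so clients on a labeled-network host can still reach the daemon; worth confirming the omission is deliberate.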