From: aranea@aixah.de (Luis Ressel)
Date: Sat, 5 Mar 2016 21:08:42 +0100
Subject: [refpolicy] [PATCH] New policy for tboot utilities
Message-ID: <1457208522-8926-1-git-send-email-aranea@aixah.de>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

tboot is an OSS project for using the features of Intel TXT. Some of its
included utilities (might) need special permissions. For now, there's
only a policy for txt-stat (it needs access to /dev/mem).
---
tboot.fc | 1 +
tboot.if | 46 ++++++++++++++++++++++++++++++++++++++++++++++
tboot.te | 20 ++++++++++++++++++++
3 files changed, 67 insertions(+)
create mode 100644 tboot.fc
create mode 100644 tboot.if
create mode 100644 tboot.te
diff --git a/tboot.fc b/tboot.fc
new file mode 100644
index 0000000..5fdd3ad
--- /dev/null
+++ b/tboot.fc
@@ -0,0 +1 @@
+/usr/sbin/txt-stat -- gen_context(system_u:object_r:txtstat_exec_t,s0)
diff --git a/tboot.if b/tboot.if
new file mode 100644
index 0000000..8fce0f2
--- /dev/null
+++ b/tboot.if
@@ -0,0 +1,46 @@
+## Policy for tboot utilities.
+
+########################################
+##
+## Execute txt-stat in the txtstat domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`tboot_domtrans_txtstat',`
+ gen_require(`
+ type txtstat_t, txtstat_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, txtstat_exec_t, txtstat_t)
+')
+
+########################################
+##
+## Execute txt-stat in the txtstat domain, and
+## allow the specified role the txtstat domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`tboot_run_txtstat',`
+ gen_require(`
+ type txtstat_t;
+ ')
+
+ tboot_domtrans_txtstat($1)
+ role $2 types txtstat_t;
+')
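Review bot: tboot_run_txtstat at the end of this file has no caller anywhere in the patch (the diffstat lists only tboot.fc, tboot.if and tboot.te), so no role is granted txtstat_t and no domain gets the transition; txt-stat will keep running in the caller's domain. Consider adding the call for whichever admin role is meant to run it, wrapped in optional_policy in that role's module, or state in the commit message that wiring it up is left to a follow-up. Separately, the ## blocks above both interfaces appear here without summary or param tags; if the file itself reads that way, they need the usual XML markup so the interface documentation builds.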
diff --git a/tboot.te b/tboot.te
new file mode 100644
index 0000000..96ed061
--- /dev/null
+++ b/tboot.te
@@ -0,0 +1,20 @@
+policy_module(tboot, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type txtstat_t;
+type txtstat_exec_t;
+application_domain(txtstat_t, txtstat_exec_t)
+
+########################################
+#
+# Local policy
+#
+
+dev_read_raw_memory(txtstat_t)
+
+domain_use_interactive_fds(txtstat_t)
+userdom_use_user_terminals(txtstat_t)
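Review bot: dev_read_raw_memory(txtstat_t) under Local policy carries no comment explaining the need, and read access to /dev/mem is a very sensitive grant. A one-line comment above it saying what txt-stat reads there (the commit message only says it needs /dev/mem) would help later reviewers. Since txtstat_t is declared with application_domain, it is also worth stating which roles are expected to enter the domain, so that this access is not handed out more widely than intended through tboot_run_txtstat.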
--
2.7.2