From: aranea@aixah.de (Luis Ressel)
Date: Sat, 5 Mar 2016 22:24:31 +0100
Subject: [refpolicy] [PATCH] New policy for tboot utilities
In-Reply-To: <56DB4B0F.5090501@gmail.com>
References: <1457208522-8926-1-git-send-email-aranea@aixah.de> <56DB4B0F.5090501@gmail.com>
Message-ID: <20160305222431.5ab3070c@gentp.lnet>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Sat, 5 Mar 2016 22:09:35 +0100
Dominick Grift wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> On 03/05/2016 09:08 PM, Luis Ressel wrote:
> > tboot is an OSS project for using the features of Intel TXT. Some
> > of its included utilities (might) need special permissions. For
> > now, there's only a policy for txt-stat (it needs access to
> > /dev/mem).
>
> Did you use sepolgen for this? Some comments inline
>

No, I didn't. It's been quite a while since I've last written a policy,
apologies if something's weird.

> > --- tboot.fc | 1 + tboot.if | 46
> > ++++++++++++++++++++++++++++++++++++++++++++++ tboot.te | 20
> > ++++++++++++++++++++ 3 files changed, 67 insertions(+) create mode
> > 100644 tboot.fc create mode 100644 tboot.if create mode 100644
> > tboot.te
> >
> > diff --git a/tboot.fc b/tboot.fc new file mode 100644 index
> > 0000000..5fdd3ad --- /dev/null +++ b/tboot.fc @@ -0,0 +1 @@
> > +/usr/sbin/txt-stat --
> > gen_context(system_u:object_r:txtstat_exec_t,s0) diff --git
> > a/tboot.if b/tboot.if new file mode 100644 index 0000000..8fce0f2
> > --- /dev/null +++ b/tboot.if @@ -0,0 +1,46 @@ +## Policy
> > for tboot utilities.
>
> Please provide a summary. We already know it's policy for tboot
> utilities.
>
> Example:
>
> "Performs a verified launch using Intel TXT"
>

Yeah, I've proven countless times that I'm not good at descriptions.
Your proposal isn't optimal, though; SELinux isn't involved with the
measured launch itself, after all -- this policy is really just for
some of the utilities that happen to be included in the tboot package.

-- 
Regards,
Luis Ressel
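
Review bot: in the tboot.fc hunk, the type name txtstat_exec_t does not carry the module name tboot, so nothing in the label ties /usr/sbin/txt-stat back to the module that declares it. Consider a name with the module prefix (for example tboot_txtstat_exec_t, a hypothetical name) so the file context, the interfaces in tboot.if and the rules in tboot.te are easy to match up. The commit message also says txt-stat needs access to /dev/mem; a short comment next to the corresponding rule in tboot.te stating why that access is required would help later reviewers judge whether the grant is still justified.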