From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Mon, 7 Mar 2016 10:13:29 -0500
Subject: [refpolicy] [PATCH v2] New policy for tboot utilities
In-Reply-To: <1457218424-15243-1-git-send-email-aranea@aixah.de>
References: <1457218424-15243-1-git-send-email-aranea@aixah.de>
Message-ID: <56DD9A99.1080709@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 3/5/2016 5:53 PM, Luis Ressel wrote:
> tboot is an OSS project for using the features of Intel TXT. Some of its
> included utilities (might) need special permissions. For now, there's
> only a policy for txt-stat (it needs access to /dev/mem).

> +######################################## > +## > +## Role access for txt-stat > +## > +## > +## > +## Role allowed access > +## > +## > +## > +## > +## User domain for the role > +## > +## > +# > +interface(`tboot_txtstat_role',` > + gen_require(` > + type txtstat_t; > + ') > + > + tboot_run_txtstat($2, $1) > + > + ps_process_pattern($2, txtstat_t) > + allow $2 txtstat_t:process { signull signal sigkill }; > +')

Are all of the utilities simple command line tools (the ones that may need domains in the future)? If so, this interface doesn't seem necessary. The role interfaces are usually for complicated apps that have their own derived types e.g. for home directory content.

--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
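
Review bot: The `ps_process_pattern($2, txtstat_t)` and `allow $2 txtstat_t:process { signull signal sigkill };` lines at the end of `tboot_txtstat_role` are the only thing this interface adds over calling `tboot_run_txtstat($2, $1)` directly, and they matter only if the user domain has to inspect or signal a running txt-stat process. If that is not a requirement, drop the role interface and let callers use `tboot_run_txtstat` directly, which also removes the `gen_require` on `txtstat_t`. If the interface stays, mention in its comment block that the arguments are handed to `tboot_run_txtstat` in swapped order (domain first, then role), since the documented order here is role, then user domain.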