tboot is an OSS project for using the features of Intel TXT. Some of its
included utilities (might) need special permissions. For now, there's
only a policy for txt-stat (it needs access to /dev/mem).
---
tboot.fc | 1 +
tboot.if | 46 ++++++++++++++++++++++++++++++++++++++++++++++
tboot.te | 20 ++++++++++++++++++++
3 files changed, 67 insertions(+)
create mode 100644 tboot.fc
create mode 100644 tboot.if
create mode 100644 tboot.te
diff --git a/tboot.fc b/tboot.fc
new file mode 100644
index 0000000..5fdd3ad
--- /dev/null
+++ b/tboot.fc
@@ -0,0 +1 @@
+/usr/sbin/txt-stat -- gen_context(system_u:object_r:txtstat_exec_t,s0)
diff --git a/tboot.if b/tboot.if
new file mode 100644
index 0000000..8fce0f2
--- /dev/null
+++ b/tboot.if
@@ -0,0 +1,46 @@
+## <summary>Policy for tboot utilities.</summary>
+
+########################################
+## <summary>
+## Execute txt-stat in the txtstat domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`tboot_domtrans_txtstat',`
+ gen_require(`
+ type txtstat_t, txtstat_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, txtstat_exec_t, txtstat_t)
+')
+
+########################################
+## <summary>
+## Execute txt-stat in the txtstat domain, and
+## allow the specified role the txtstat domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`tboot_run_txtstat',`
+ gen_require(`
+ type txtstat_t;
+ ')
+
+ tboot_domtrans_txtstat($1)
+ role $2 types txtstat_t;
+')
diff --git a/tboot.te b/tboot.te
new file mode 100644
index 0000000..96ed061
--- /dev/null
+++ b/tboot.te
@@ -0,0 +1,20 @@
+policy_module(tboot, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type txtstat_t;
+type txtstat_exec_t;
+application_domain(txtstat_t, txtstat_exec_t)
+
+########################################
+#
+# Local policy
+#
+
+dev_read_raw_memory(txtstat_t)
+
+domain_use_interactive_fds(txtstat_t)
+userdom_use_user_terminals(txtstat_t)
--
2.7.2
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On 03/05/2016 09:08 PM, Luis Ressel wrote:
> tboot is an OSS project for using the features of Intel TXT. Some
> of its included utilities (might) need special permissions. For
> now, there's only a policy for txt-stat (it needs access to
> /dev/mem).
Did you use sepolgen for this? Some comments inline
> --- tboot.fc | 1 + tboot.if | 46
> ++++++++++++++++++++++++++++++++++++++++++++++ tboot.te | 20
> ++++++++++++++++++++ 3 files changed, 67 insertions(+) create mode
> 100644 tboot.fc create mode 100644 tboot.if create mode 100644
> tboot.te
>
> diff --git a/tboot.fc b/tboot.fc new file mode 100644 index
> 0000000..5fdd3ad --- /dev/null +++ b/tboot.fc @@ -0,0 +1 @@
> +/usr/sbin/txt-stat --
> gen_context(system_u:object_r:txtstat_exec_t,s0) diff --git
> a/tboot.if b/tboot.if new file mode 100644 index 0000000..8fce0f2
> --- /dev/null +++ b/tboot.if @@ -0,0 +1,46 @@ +## <summary>Policy
> for tboot utilities.</summary>
Please provide a summary. We already know its policy for tboot utilities
.
Example:
"Performs a verified launch using Intel TXT"
> + +######################################## +## <summary> +##
> Execute txt-stat in the txtstat domain. +## </summary> +## <param
> name="domain"> +## <summary> +## Domain allowed to transition. +##
> </summary> +## </param> +# +interface(`tboot_domtrans_txtstat',` +
> gen_require(` + type txtstat_t, txtstat_exec_t; + ') + +
> corecmd_search_bin($1) + domtrans_pattern($1, txtstat_exec_t,
> txtstat_t) +') + +######################################## +##
> <summary> +## Execute txt-stat in the txtstat domain, and +## allow
> the specified role the txtstat domain. +## </summary> +## <param
> name="domain"> +## <summary> +## Domain allowed to transition. +##
> </summary> +## </param> +## <param name="role"> +## <summary> +##
> Role allowed access. +## </summary> +## </param> +## <rolecap/> +#
> +interface(`tboot_run_txtstat',` + gen_require(` + type
> txtstat_t; + ') + + tboot_domtrans_txtstat($1) + role $2 types
> txtstat_t; +')
Let's instead use role attributes
> diff --git a/tboot.te b/tboot.te new file mode 100644 index
> 0000000..96ed061 --- /dev/null +++ b/tboot.te @@ -0,0 +1,20 @@
> +policy_module(tboot, 1.0.0) +
> +######################################## +# +# Declarations +# +
> +type txtstat_t; +type txtstat_exec_t;
> +application_domain(txtstat_t, txtstat_exec_t) +
> +######################################## +# +# Local policy +# +
> +dev_read_raw_memory(txtstat_t) +
> +domain_use_interactive_fds(txtstat_t)
> +userdom_use_user_terminals(txtstat_t)
>
- --
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQGcBAEBCAAGBQJW20sKAAoJECV0jlU3+Udp8NkMAIkk+SNdgBuSoB3WjwKzoTr4
DKDe+Gs33otLU9xC1e6Rf/Ve9k/UeAdtMdBAJpuqjeMP+hgDo7tIowGLWsjumke+
U+tetKP9D10U0w1ZaPcbI/ed4inIZyGDiLG67ESFW2w8HTs9YUFMU1WDdAxSnp6T
mOMF+KnmyHLP/bSM433nxBEH/XE7b/cR0zT6P9iIq/W4bV/US4oMlb6CfbgccY5l
a17ya3Kj+HCR+ogNBuAqfsZ1sbGsg9S44n20/JdG6t0O1z3HPJ0Dq+n0IIir6AyI
pZweJvkeYhXVK/24RSDtJWLWqz3Le7DHniqlvV56gJIsAFr7XaHxIG+VHVSidKIv
ECri+b5kT5iqVQPg6HX5NrbPRb+RLR/E2TutjeFeVBA0x/gjMi3YYj2kE13L4gSJ
hZ92vLmIIJu1eLwDD6j9utSWoWahotHtTRwqI4dDmaYl7SrGb4bEuEalZ4jlW/hx
IyN5hNvToGJo4Jpgl0U4+TSgAH6r9mY7ESqJrxCE7A==
=CXBf
-----END PGP SIGNATURE-----
On Sat, 5 Mar 2016 22:09:35 +0100
Dominick Grift <[email protected]> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> On 03/05/2016 09:08 PM, Luis Ressel wrote:
> > tboot is an OSS project for using the features of Intel TXT. Some
> > of its included utilities (might) need special permissions. For
> > now, there's only a policy for txt-stat (it needs access to
> > /dev/mem).
>
> Did you use sepolgen for this? Some comments inline
>
No, I didn't. It's been quite a while since I've last written a policy,
apologies if something's weird.
> > --- tboot.fc | 1 + tboot.if | 46
> > ++++++++++++++++++++++++++++++++++++++++++++++ tboot.te | 20
> > ++++++++++++++++++++ 3 files changed, 67 insertions(+) create mode
> > 100644 tboot.fc create mode 100644 tboot.if create mode 100644
> > tboot.te
> >
> > diff --git a/tboot.fc b/tboot.fc new file mode 100644 index
> > 0000000..5fdd3ad --- /dev/null +++ b/tboot.fc @@ -0,0 +1 @@
> > +/usr/sbin/txt-stat --
> > gen_context(system_u:object_r:txtstat_exec_t,s0) diff --git
> > a/tboot.if b/tboot.if new file mode 100644 index 0000000..8fce0f2
> > --- /dev/null +++ b/tboot.if @@ -0,0 +1,46 @@ +## <summary>Policy
> > for tboot utilities.</summary>
>
> Please provide a summary. We already know its policy for tboot
> utilities .
>
> Example:
>
> "Performs a verified launch using Intel TXT"
>
Yeah, I've proven countless times that I'm not good at descriptions.
Your proposal isn't optimal, though; SELinux isn't involved with the
measured launch itself, after all -- this policy is really just for
some of the utilities that happen to be included in the tboot package.
--
Regards,
Luis Ressel
On Sat, 5 Mar 2016 22:09:35 +0100
Dominick Grift <[email protected]> wrote:
> Let's instead use role attributes
Yes, I've done that now.
--
Regards,
Luis Ressel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 949 bytes
Desc: OpenPGP digital signature
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20160305/3ae08b2a/attachment.bin