From mboxrd@z Thu Jan 1 00:00:00 1970
From: dominick.grift@gmail.com (Dominick Grift)
Date: Thu, 16 Aug 2012 12:14:35 +0200
Subject: [refpolicy] [PATCH] Platform Management
Message-ID: <1345112075-12019-1-git-send-email-dominick.grift@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

I have this AMT functionality on my workstation and I noticed this /dev/mei interface without a valid device node type. So I decided to look into this a bit.

With regard to Intel AMT, I ended up at:
http://software.intel.com/en-us/articles/download-the-latest-intel-amt-open-source-drivers/

I understand that there is a daemon and a suite of applications that operate on this interface to allow for enterprise platform management functionality. Seems though that these programs currently have some licensing issues.

There seem to also be similar technologies by other vendors.

Declare a device node for platform management interfaces and label Intel Management Engine Interface character device nodes with type mgmt_device_t.

https://en.wikipedia.org/wiki/Desktop_and_mobile_Architecture_for_System_Hardware
https://en.wikipedia.org/wiki/Intelligent_Platform_Management_Interface
https://en.wikipedia.org/wiki/Intel_Active_Management_Technology
https://en.wikipedia.org/wiki/OPMA

Signed-off-by: Dominick Grift

diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc index 02b7ac1..56f2520 100644 --- a/policy/modules/kernel/devices.fc +++ b/policy/modules/kernel/devices.fc 
@@ -59,6 +59,7 @@ /dev/logibm -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0) /dev/mcelog -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh) +/dev/mei -c gen_context(system_u:object_r:mgmt_device_t,s0) /dev/mem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) /dev/mergemem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) /dev/mga_vid.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te index 06eda45..563da93 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te @@ -121,6 +121,9 @@ type lvm_control_t; dev_node(lvm_control_t) +type mgmt_device_t; +dev_node(mgmt_device_t) + # # memory_device_t is the type of /dev/kmem, # /dev/mem and /dev/port.
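
Review bot: in the devices.fc hunk the new /dev/mei entry is labeled at s0, while the /dev/mcelog and /dev/mem entries on either side of it use mls_systemhigh. The commit message describes this node as the interface to enterprise platform management functionality, so please either raise the level to mls_systemhigh or say in the commit message why s0 is adequate on MLS systems. The path is also an exact match, unlike the /dev/lp.* and /dev/mga_vid.* entries in the same hunk; if the driver can expose more than one node, a pattern would keep the extra nodes from being left without the mgmt_device_t type.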
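
Review bot: in the devices.te hunk, mgmt_device_t is declared with no comment, whereas the memory_device_t declaration right after it opens with a comment block naming the nodes it covers. Please add a short comment saying that the type is for platform management interfaces such as /dev/mei. The patch touches only devices.fc and devices.te, so there is no interface in devices.if through which a domain could be granted access to the new type; either add one here or state that access is intentionally left for a follow-up. Minor: the declaration sits before memory_device_t, and if the surrounding declarations are kept alphabetical it belongs after it.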