[refpolicy] [PATCH] Add TSS Core Services (TCS) daemon (tcsd) policy

All of lore.kernel.org
 help / color / mirror / Atom feed

* [refpolicy] [PATCH] Add TSS Core Services (TCS) daemon (tcsd) policy
@ 2011-01-31 19:17 Stephen Smalley
  2011-02-01 21:05 ` Daniel J Walsh
  2011-02-07 14:02 ` Christopher J. PeBenito
  0 siblings, 2 replies; 5+ messages in thread
From: Stephen Smalley @ 2011-01-31 19:17 UTC (permalink / raw)
  To: refpolicy


Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 policy/modules/kernel/corenetwork.te.in |    1 +
 policy/modules/kernel/devices.if        |   18 +++++++++++
 policy/modules/services/tcsd.fc         |    3 ++
 policy/modules/services/tcsd.if         |    1 +
 policy/modules/services/tcsd.te         |   51 +++++++++++++++++++++++++++++++
 5 files changed, 74 insertions(+), 0 deletions(-)
 create mode 100644 policy/modules/services/tcsd.fc
 create mode 100644 policy/modules/services/tcsd.if
 create mode 100644 policy/modules/services/tcsd.te

diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index f12e087..0757523 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -196,6 +196,7 @@ network_port(ssh, tcp,22,s0)
 type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict
 network_port(swat, tcp,901,s0)
 network_port(syslogd, udp,514,s0)
+network_port(tcs, tcp, 30003, s0)
 network_port(telnetd, tcp,23,s0)
 network_port(tftp, udp,69,s0)
 network_port(tor, tcp, 6969, s0, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0, tcp,9051,s0)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 15a7bef..efaf808 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -3773,6 +3773,24 @@ interface(`dev_rw_sysfs',`
 
 ########################################
 ## <summary>
+##	Read and write the TPM device.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_tpm',`
+	gen_require(`
+		type device_t, tpm_device_t;
+	')
+
+	rw_chr_files_pattern($1, device_t, tpm_device_t)
+')
+
+########################################
+## <summary>
 ##	Read from pseudo random number generator devices (e.g., /dev/urandom).
 ## </summary>
 ## <desc>
diff --git a/policy/modules/services/tcsd.fc b/policy/modules/services/tcsd.fc
new file mode 100644
index 0000000..8a473e7
--- /dev/null
+++ b/policy/modules/services/tcsd.fc
@@ -0,0 +1,3 @@
+/usr/sbin/tcsd		--	gen_context(system_u:object_r:tcsd_exec_t,s0)
+/var/lib/tpm(/.*)?		gen_context(system_u:object_r:tcsd_var_lib_t,s0)
+
diff --git a/policy/modules/services/tcsd.if b/policy/modules/services/tcsd.if
new file mode 100644
index 0000000..e814f69
--- /dev/null
+++ b/policy/modules/services/tcsd.if
@@ -0,0 +1 @@
+## <summary>TSS Core Services (TCS) daemon (tcsd) policy</summary>
diff --git a/policy/modules/services/tcsd.te b/policy/modules/services/tcsd.te
new file mode 100644
index 0000000..e87e2ae
--- /dev/null
+++ b/policy/modules/services/tcsd.te
@@ -0,0 +1,51 @@
+policy_module(tcsd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type tcsd_t;
+type tcsd_exec_t;
+domain_type(tcsd_t)
+init_daemon_domain(tcsd_t, tcsd_exec_t)
+
+# /var/lib/tpm
+type tcsd_var_lib_t;
+files_type(tcsd_var_lib_t)
+
+########################################
+#
+# tcsd local policy
+#
+
+allow tcsd_t self:capability { dac_override setuid };
+allow tcsd_t self:process { signal sigkill };
+allow tcsd_t self:tcp_socket create_stream_socket_perms;
+
+# Access /dev/tpm0.
+dev_rw_tpm(tcsd_t)
+
+# var/lib files for tcsd
+manage_dirs_pattern(tcsd_t,tcsd_var_lib_t,tcsd_var_lib_t)
+manage_files_pattern(tcsd_t,tcsd_var_lib_t,tcsd_var_lib_t)
+files_var_lib_filetrans(tcsd_t,tcsd_var_lib_t,{ file dir })
+
+# Accept connections on the TCS port over loopback.
+sysnet_read_config(tcsd_t)
+corenet_all_recvfrom_unlabeled(tcsd_t)
+corenet_tcp_bind_generic_node(tcsd_t)
+corenet_tcp_bind_tcs_port(tcsd_t)
+
+# Read /dev/urandom, /etc, /usr, and locale files.
+dev_read_urand(tcsd_t)
+files_read_etc_files(tcsd_t)
+files_read_usr_files(tcsd_t)
+miscfiles_read_localization(tcsd_t)
+
+# tcsd is dynamically linked and thus uses ld.so and shared libs.
+libs_use_ld_so(tcsd_t)
+libs_use_shared_libs(tcsd_t)
+
+# Log messages via syslog.
+logging_send_syslog_msg(tcsd_t)
-- 
1.7.3.5


-- 
Stephen Smalley
National Security Agency

^ permalink raw reply related	[flat|nested] 5+ messages in thread

* [refpolicy] [PATCH] Add TSS Core Services (TCS) daemon (tcsd) policy
  2011-01-31 19:17 [refpolicy] [PATCH] Add TSS Core Services (TCS) daemon (tcsd) policy Stephen Smalley
@ 2011-02-01 21:05 ` Daniel J Walsh
  2011-02-02 15:18   ` Stephen Smalley
  2011-02-07 14:02 ` Christopher J. PeBenito
  1 sibling, 1 reply; 5+ messages in thread
From: Daniel J Walsh @ 2011-02-01 21:05 UTC (permalink / raw)
  To: refpolicy

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Our version of tcsd policy

Steve I suppose we are going to need this in RHEL6.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk1IdbcACgkQrlYvE4MpobMaCwCgxr5qZHG1GzFOWwRXvWcex4jW
wdMAn2zU5VwffzfXlkzYM07bOliEw/xS
=4oVi
-----END PGP SIGNATURE-----
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: tcsd.patch
Url: http://oss.tresys.com/pipermail/refpolicy/attachments/20110201/34d32f08/attachment-0001.pl 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: tcsd.patch.sig
Type: application/pgp-signature
Size: 72 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20110201/34d32f08/attachment-0001.bin 

^ permalink raw reply	[flat|nested] 5+ messages in thread

* [refpolicy] [PATCH] Add TSS Core Services (TCS) daemon (tcsd) policy
  2011-02-01 21:05 ` Daniel J Walsh
@ 2011-02-02 15:18   ` Stephen Smalley
  2011-02-02 16:05     ` Daniel J Walsh
  0 siblings, 1 reply; 5+ messages in thread
From: Stephen Smalley @ 2011-02-02 15:18 UTC (permalink / raw)
  To: refpolicy

On Tue, 2011-02-01 at 16:05 -0500, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Our version of tcsd policy
> 
> Steve I suppose we are going to need this in RHEL6.

Ok, didn't know you had a tcsd policy.  Mine was originally developed on
RHEL5.5 and then tweaked to build with latest refpolicy, so yours is
likely more accurate for RHEL6.  

-- 
Stephen Smalley
National Security Agency

^ permalink raw reply	[flat|nested] 5+ messages in thread

* [refpolicy] [PATCH] Add TSS Core Services (TCS) daemon (tcsd) policy
  2011-02-02 15:18   ` Stephen Smalley
@ 2011-02-02 16:05     ` Daniel J Walsh
  0 siblings, 0 replies; 5+ messages in thread
From: Daniel J Walsh @ 2011-02-02 16:05 UTC (permalink / raw)
  To: refpolicy

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/02/2011 10:18 AM, Stephen Smalley wrote:
> On Tue, 2011-02-01 at 16:05 -0500, Daniel J Walsh wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Our version of tcsd policy
>>
>> Steve I suppose we are going to need this in RHEL6.
> 
> Ok, didn't know you had a tcsd policy.  Mine was originally developed on
> RHEL5.5 and then tweaked to build with latest refpolicy, so yours is
> likely more accurate for RHEL6.  
> 
I had one on my laptop that Eric asked me to write, but I never shipped
it.  I added some missing access from yours and it is now in Rawhide.  I
will have Miroslav back port it to RHEL5 and 6.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk1JgM4ACgkQrlYvE4MpobMTtQCgoKBY0TilJesgb8uefpXjsoZo
aoEAn2tTWRr9rIaC9f5ENbPlfhcI791s
=hUxO
-----END PGP SIGNATURE-----

^ permalink raw reply	[flat|nested] 5+ messages in thread

* [refpolicy] [PATCH] Add TSS Core Services (TCS) daemon (tcsd) policy
  2011-01-31 19:17 [refpolicy] [PATCH] Add TSS Core Services (TCS) daemon (tcsd) policy Stephen Smalley
  2011-02-01 21:05 ` Daniel J Walsh
@ 2011-02-07 14:02 ` Christopher J. PeBenito
  1 sibling, 0 replies; 5+ messages in thread
From: Christopher J. PeBenito @ 2011-02-07 14:02 UTC (permalink / raw)
  To: refpolicy

On 1/31/2011 2:17 PM, Stephen Smalley wrote:
>
> Signed-off-by: Stephen Smalley<sds@tycho.nsa.gov>
> ---
>   policy/modules/kernel/corenetwork.te.in |    1 +
>   policy/modules/kernel/devices.if        |   18 +++++++++++
>   policy/modules/services/tcsd.fc         |    3 ++
>   policy/modules/services/tcsd.if         |    1 +
>   policy/modules/services/tcsd.te         |   51 +++++++++++++++++++++++++++++++
>   5 files changed, 74 insertions(+), 0 deletions(-)
>   create mode 100644 policy/modules/services/tcsd.fc
>   create mode 100644 policy/modules/services/tcsd.if
>   create mode 100644 policy/modules/services/tcsd.te

Merged.


> diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
> index f12e087..0757523 100644
> --- a/policy/modules/kernel/corenetwork.te.in
> +++ b/policy/modules/kernel/corenetwork.te.in
> @@ -196,6 +196,7 @@ network_port(ssh, tcp,22,s0)
>   type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict
>   network_port(swat, tcp,901,s0)
>   network_port(syslogd, udp,514,s0)
> +network_port(tcs, tcp, 30003, s0)
>   network_port(telnetd, tcp,23,s0)
>   network_port(tftp, udp,69,s0)
>   network_port(tor, tcp, 6969, s0, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0, tcp,9051,s0)
> diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
> index 15a7bef..efaf808 100644
> --- a/policy/modules/kernel/devices.if
> +++ b/policy/modules/kernel/devices.if
> @@ -3773,6 +3773,24 @@ interface(`dev_rw_sysfs',`
>
>   ########################################
>   ##<summary>
> +##	Read and write the TPM device.
> +##</summary>
> +##<param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +##</param>
> +#
> +interface(`dev_rw_tpm',`
> +	gen_require(`
> +		type device_t, tpm_device_t;
> +	')
> +
> +	rw_chr_files_pattern($1, device_t, tpm_device_t)
> +')
> +
> +########################################
> +##<summary>
>   ##	Read from pseudo random number generator devices (e.g., /dev/urandom).
>   ##</summary>
>   ##<desc>
> diff --git a/policy/modules/services/tcsd.fc b/policy/modules/services/tcsd.fc
> new file mode 100644
> index 0000000..8a473e7
> --- /dev/null
> +++ b/policy/modules/services/tcsd.fc
> @@ -0,0 +1,3 @@
> +/usr/sbin/tcsd		--	gen_context(system_u:object_r:tcsd_exec_t,s0)
> +/var/lib/tpm(/.*)?		gen_context(system_u:object_r:tcsd_var_lib_t,s0)
> +
> diff --git a/policy/modules/services/tcsd.if b/policy/modules/services/tcsd.if
> new file mode 100644
> index 0000000..e814f69
> --- /dev/null
> +++ b/policy/modules/services/tcsd.if
> @@ -0,0 +1 @@
> +##<summary>TSS Core Services (TCS) daemon (tcsd) policy</summary>
> diff --git a/policy/modules/services/tcsd.te b/policy/modules/services/tcsd.te
> new file mode 100644
> index 0000000..e87e2ae
> --- /dev/null
> +++ b/policy/modules/services/tcsd.te
> @@ -0,0 +1,51 @@
> +policy_module(tcsd, 1.0.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +type tcsd_t;
> +type tcsd_exec_t;
> +domain_type(tcsd_t)
> +init_daemon_domain(tcsd_t, tcsd_exec_t)
> +
> +# /var/lib/tpm
> +type tcsd_var_lib_t;
> +files_type(tcsd_var_lib_t)
> +
> +########################################
> +#
> +# tcsd local policy
> +#
> +
> +allow tcsd_t self:capability { dac_override setuid };
> +allow tcsd_t self:process { signal sigkill };
> +allow tcsd_t self:tcp_socket create_stream_socket_perms;
> +
> +# Access /dev/tpm0.
> +dev_rw_tpm(tcsd_t)
> +
> +# var/lib files for tcsd
> +manage_dirs_pattern(tcsd_t,tcsd_var_lib_t,tcsd_var_lib_t)
> +manage_files_pattern(tcsd_t,tcsd_var_lib_t,tcsd_var_lib_t)
> +files_var_lib_filetrans(tcsd_t,tcsd_var_lib_t,{ file dir })
> +
> +# Accept connections on the TCS port over loopback.
> +sysnet_read_config(tcsd_t)
> +corenet_all_recvfrom_unlabeled(tcsd_t)
> +corenet_tcp_bind_generic_node(tcsd_t)
> +corenet_tcp_bind_tcs_port(tcsd_t)
> +
> +# Read /dev/urandom, /etc, /usr, and locale files.
> +dev_read_urand(tcsd_t)
> +files_read_etc_files(tcsd_t)
> +files_read_usr_files(tcsd_t)
> +miscfiles_read_localization(tcsd_t)
> +
> +# tcsd is dynamically linked and thus uses ld.so and shared libs.
> +libs_use_ld_so(tcsd_t)
> +libs_use_shared_libs(tcsd_t)
> +
> +# Log messages via syslog.
> +logging_send_syslog_msg(tcsd_t)


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2011-02-07 14:02 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2011-01-31 19:17 [refpolicy] [PATCH] Add TSS Core Services (TCS) daemon (tcsd) policy Stephen Smalley
2011-02-01 21:05 ` Daniel J Walsh
2011-02-02 15:18   ` Stephen Smalley
2011-02-02 16:05     ` Daniel J Walsh
2011-02-07 14:02 ` Christopher J. PeBenito

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.