From mboxrd@z Thu Jan 1 00:00:00 1970 
From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 21 Aug 2012 15:51:37 -0400
Subject: [refpolicy] [PATCH] Platform Management
In-Reply-To: <1345112075-12019-1-git-send-email-dominick.grift@gmail.com>
References: <1345112075-12019-1-git-send-email-dominick.grift@gmail.com>
Message-ID: <5033E6C9.8050903@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 08/16/12 06:14, Dominick Grift wrote:
> I have this AMT functionality on my workstation and I noticed this
> /dev/mei interface without a valid device node type.
>
> So I decided to look into this a bit.
>
> With regard to Intel AMT, I ended up at:
>
> http://software.intel.com/en-us/articles/download-the-latest-intel-amt-open-source-drivers/
>
> I understand that there is a daemon and a suite of applications that
> operate on this interface to allow for enterprise platform management
> functionality.
>
> Seems though that these programs currently have some licensing issues.
>
> There seem to also be similar technologies by other vendors.
>
> Declare a device node for platform management interfaces and label Intel
> Management Engine Interface character device nodes with type
> mgmt_device_t.

I don't have a problem adding a type to label this, but I'm not sure about the type name itself. I see that you made it a generic name because there could be other platform management interfaces. But since these tend to be vendor-specific, I don't know if a platform management interface from somewhere other than Intel would actually have the same security attributes. So I'm leaning towards the type being specific, like mei_device_t. If, in the future, a generic type makes more sense to encompass other management interfaces, we can always merge them into a single type with aliasing.
> https://en.wikipedia.org/wiki/Desktop_and_mobile_Architecture_for_System_Hardware > https://en.wikipedia.org/wiki/Intelligent_Platform_Management_Interface > https://en.wikipedia.org/wiki/Intel_Active_Management_Technology > https://en.wikipedia.org/wiki/OPMA > > Signed-off-by: Dominick Grift > diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc > index 02b7ac1..56f2520 100644 > --- a/policy/modules/kernel/devices.fc > +++ b/policy/modules/kernel/devices.fc > @@ -59,6 +59,7 @@ > /dev/logibm -c gen_context(system_u:object_r:mouse_device_t,s0) > /dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0) > /dev/mcelog -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh) > +/dev/mei -c gen_context(system_u:object_r:mgmt_device_t,s0) > /dev/mem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) > /dev/mergemem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) > /dev/mga_vid.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) > diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te > index 06eda45..563da93 100644 > --- a/policy/modules/kernel/devices.te > +++ b/policy/modules/kernel/devices.te > @@ -121,6 +121,9 @@ > type lvm_control_t; > dev_node(lvm_control_t) > > +type mgmt_device_t; > +dev_node(mgmt_device_t) > + > # > # memory_device_t is the type of /dev/kmem, > # /dev/mem and /dev/port. > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy > -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
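Review bot: in the devices.fc hunk, the new `/dev/mei` entry is labeled `s0` while the neighbouring `/dev/mcelog`, `/dev/mem` and `/dev/mergemem` entries in the same hunk carry `mls_systemhigh`; the commit message should say why a platform management interface does not warrant the same MLS sensitivity as those nodes, or the entry should follow its neighbours. If the type is renamed to `mei_device_t` as the reply suggests, this line and the `type` declaration in devices.te have to change together, since a file context entry that names an undeclared type is rejected when the policy and file contexts are built.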
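Review bot: in the devices.te hunk, the new `type mgmt_device_t;` / `dev_node(mgmt_device_t)` lines carry no descriptive comment, unlike the `memory_device_t` block directly below that lists which nodes it covers; add a comment naming `/dev/mei` and the Intel Management Engine Interface. Also, the patch touches only devices.fc and devices.te, so no interface in devices.if exists for the new type; without a `dev_rw_*` or `dev_read_*` style interface, the label isolates the node but the daemon and tools mentioned in the description cannot be granted access to it through the usual refpolicy interface mechanism.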
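As an added example (not part of the patch or of the list reply), here is what the device-specific naming suggested above and the later merge-by-aliasing would look like in refpolicy's policy language. The interface name `dev_rw_mei` and the comments are assumptions following refpolicy's naming conventions; `dev_node`, `interface`, `gen_require`, `rw_chr_files_pattern` and `typealias` are existing refpolicy support macros and policy statements.

```m4
# policy/modules/kernel/devices.te (added example, not from the patch)
#
# mei_device_t is the type of /dev/mei, the Intel Management Engine
# Interface character device used by the AMT platform management tools.
#
type mei_device_t;
dev_node(mei_device_t)

# policy/modules/kernel/devices.if (added example; dev_rw_mei is an
# assumed interface name following the existing dev_rw_* convention)
########################################
## <summary>
##	Read and write the Intel Management Engine Interface
##	character device (/dev/mei).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rw_mei',`
	gen_require(`
		type device_t, mei_device_t;
	')

	rw_chr_files_pattern($1, device_t, mei_device_t)
')

# Later merge into a generic type (the aliasing the reply describes):
# these lines would REPLACE the mei_device_t declaration above. The old
# name stays valid as an alias, so existing file contexts and callers of
# dev_rw_mei keep compiling while the generic name becomes canonical.
type mgmt_device_t;
dev_node(mgmt_device_t)
typealias mgmt_device_t alias mei_device_t;
```

After the module is rebuilt and loaded, `matchpathcon /dev/mei` shows the context the file contexts map the node to, and `restorecon -v /dev/mei` applies it to the existing node so the change can be checked with `ls -Z /dev/mei`.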