From: "Jason Zaman"
To: gentoo-commits@lists.gentoo.org
Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman"
Message-ID: <1741474868.a4525d611f5e4d7dc9d53af40f800e678805b8c1.perfinion@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/services/tpm2.te
X-VCS-Directories: policy/modules/services/
X-VCS-Committer: perfinion
X-VCS-Committer-Name: Jason Zaman
X-VCS-Revision: a4525d611f5e4d7dc9d53af40f800e678805b8c1
X-VCS-Branch: master
Date: Sat, 08 Mar 2025 23:55:04 +0000 (UTC)
List-Id: Gentoo Linux mail

commit:     a4525d611f5e4d7dc9d53af40f800e678805b8c1
Author:     Tianjia Zhang linux alibaba com>
AuthorDate: Thu Dec 19 06:46:00 2024 +0000
Commit:     Jason Zaman gentoo org>
CommitDate: Sat Mar 8 23:01:08 2025 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a4525d61

tpm2: Add the necessary policy to run tpm2 tools

The following is the audit log to run tpm2_pcrread:

[ 942.958920] audit: type=1400 audit(1737012994.270:1242): avc: denied { read write } for pid=13621 comm="tpm2_pcrread" path="/dev/pts/2" dev="devpts" ino=5 scontext=secadm_u:secadm_r:tpm2_t:s0-s15:c0.c1023 tcontext=secadm_u:object_r:user_devpts_t:s0 tclass=chr_file permissive=1
[ 942.962483] audit: type=1400 audit(1737012994.270:1243): avc: denied { use } for pid=13621 comm="tpm2_pcrread" path="/dev/pts/2" dev="devpts" ino=5 scontext=secadm_u:secadm_r:tpm2_t:s0-s15:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tclass=fd permissive=1
[ 942.973926] audit: type=1400 audit(1737012994.290:1246): avc: denied { getattr } for pid=13621 comm="tpm2_pcrread" name="/" dev="efivarfs" ino=3381 scontext=secadm_u:secadm_r:tpm2_t:s0-s15:c0.c1023 tcontext=system_u:object_r:efivarfs_t:s0 tclass=filesystem permissive=1
[ 942.981343] audit: type=1400 audit(1737012994.298:1248): avc: denied { ioctl } for pid=13621 comm="tpm2_pcrread" path="/dev/pts/2" dev="devpts" ino=5 ioctlcmd=0x5401 scontext=secadm_u:secadm_r:tpm2_t:s0-s15:c0.c1023 tcontext=secadm_u:object_r:user_devpts_t:s0 tclass=chr_file permissive=1
[ 942.983486] audit: type=1400 audit(1737012994.298:1249): avc: denied { search } for pid=13621 comm="tpm2_pcrread" name="zoneinfo" dev="vda2" ino=134930888 scontext=secadm_u:secadm_r:tpm2_t:s0-s15:c0.c1023 tcontext=system_u:object_r:locale_t:s0 tclass=dir permissive=1
[ 942.985608] audit: type=1400 audit(1737012994.298:1250): avc: denied { read } for pid=13621 comm="tpm2_pcrread" name="Shanghai" dev="vda2" ino=134930926 scontext=secadm_u:secadm_r:tpm2_t:s0-s15:c0.c1023 tcontext=system_u:object_r:locale_t:s0 tclass=file permissive=1

Signed-off-by: Tianjia Zhang linux.alibaba.com>
Signed-off-by: Jason Zaman gentoo.org>

 policy/modules/services/tpm2.te | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/policy/modules/services/tpm2.te b/policy/modules/services/tpm2.te index 74fa42c69..b908e6632 100644 --- a/policy/modules/services/tpm2.te +++ b/policy/modules/services/tpm2.te @@ -52,13 +52,23 @@ files_read_etc_files(tpm2_t) kernel_read_system_state(tpm2_t) miscfiles_read_generic_certs(tpm2_t) +miscfiles_read_localization(tpm2_t) +miscfiles_getattr_localization(tpm2_t) selinux_getattr_fs(tpm2_t) selinux_search_fs(tpm2_t) +fs_getattr_efivarfs(tpm2_t) + +userdom_use_user_ptys(tpm2_t) + tpm2_dbus_chat_abrmd(tpm2_t) tpm2_rw_abrmd_pipes(tpm2_t) optional_policy(` dbus_system_bus_client(tpm2_t) ') + +optional_policy(` + ssh_use_sshd_pidfds(tpm2_t) +')
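Review bot: userdom_use_user_ptys(tpm2_t) together with the new ssh_use_sshd_pidfds block only covers the scenario in the quoted log, a tpm2 tool run on a pty inside an ssh session; the same tool started from a local console would be denied on the user tty instead, which this hunk does not address, so userdom_use_user_terminals(tpm2_t) (ptys and ttys) is the usual rule here. The denied fd is also not a pidfd but the inherited terminal (tclass=fd, path="/dev/pts/2", tcontext sshd_t); that still works if ssh_use_sshd_pidfds grants plain sshd_t:fd use, but a short comment next to the call saying it is there for descriptors inherited from sshd would save the next reader a trip to ssh.if. Finally, no getattr denial on locale_t appears in the log and miscfiles_read_localization already grants getattr on locale files through read_files_pattern, so miscfiles_getattr_localization(tpm2_t) looks redundant and could be dropped.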
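As an added example (not code from this message or from the hardened-refpolicy project), the grouping step that turns AVC records like the ones quoted in the commit message into candidate allow rules, the way audit2allow does, so the mapping from the six denials to the rules in the patch is visible. The sample records are the ones from the message, embedded as a constructed literal; the function names and the regular expression are this example's own, and the code is written against the kernel's AVC record field names (scontext, tcontext, tclass, permissive).

```python
"""Turn SELinux AVC denial records into candidate allow rules.

Added example, not part of the hardened-refpolicy commit: a minimal
audit2allow-style grouping pass over the denials quoted above.
"""
import re
from collections import defaultdict

# Constructed sample input: the six AVC records from the commit message,
# embedded as a literal so the script runs offline.
SAMPLE_AVC = r"""
[ 942.958920] audit: type=1400 audit(1737012994.270:1242): avc: denied { read write } for pid=13621 comm="tpm2_pcrread" path="/dev/pts/2" dev="devpts" ino=5 scontext=secadm_u:secadm_r:tpm2_t:s0-s15:c0.c1023 tcontext=secadm_u:object_r:user_devpts_t:s0 tclass=chr_file permissive=1
[ 942.962483] audit: type=1400 audit(1737012994.270:1243): avc: denied { use } for pid=13621 comm="tpm2_pcrread" path="/dev/pts/2" dev="devpts" ino=5 scontext=secadm_u:secadm_r:tpm2_t:s0-s15:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tclass=fd permissive=1
[ 942.973926] audit: type=1400 audit(1737012994.290:1246): avc: denied { getattr } for pid=13621 comm="tpm2_pcrread" name="/" dev="efivarfs" ino=3381 scontext=secadm_u:secadm_r:tpm2_t:s0-s15:c0.c1023 tcontext=system_u:object_r:efivarfs_t:s0 tclass=filesystem permissive=1
[ 942.981343] audit: type=1400 audit(1737012994.298:1248): avc: denied { ioctl } for pid=13621 comm="tpm2_pcrread" path="/dev/pts/2" dev="devpts" ino=5 ioctlcmd=0x5401 scontext=secadm_u:secadm_r:tpm2_t:s0-s15:c0.c1023 tcontext=secadm_u:object_r:user_devpts_t:s0 tclass=chr_file permissive=1
[ 942.983486] audit: type=1400 audit(1737012994.298:1249): avc: denied { search } for pid=13621 comm="tpm2_pcrread" name="zoneinfo" dev="vda2" ino=134930888 scontext=secadm_u:secadm_r:tpm2_t:s0-s15:c0.c1023 tcontext=system_u:object_r:locale_t:s0 tclass=dir permissive=1
[ 942.985608] audit: type=1400 audit(1737012994.298:1250): avc: denied { read } for pid=13621 comm="tpm2_pcrread" name="Shanghai" dev="vda2" ino=134930926 scontext=secadm_u:secadm_r:tpm2_t:s0-s15:c0.c1023 tcontext=system_u:object_r:locale_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"  # permission set
    r".*?\bscontext=(?P<scontext>\S+)"              # source security context
    r"\s+tcontext=(?P<tcontext>\S+)"                # target security context
    r"\s+tclass=(?P<tclass>\S+)"                    # object class
    r"(?:\s+permissive=(?P<permissive>[01]))?"      # present on current kernels
)


def type_of(context):
    """Extract the type field from user:role:type[:range]."""
    return context.split(":")[2]


def parse_avc(text):
    """Yield one record per AVC line: (stype, ttype, tclass, perms, permissive)."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial (or a truncated one); skip it
        yield (
            type_of(m.group("scontext")),
            type_of(m.group("tcontext")),
            m.group("tclass"),
            frozenset(m.group("perms").split()),
            m.group("permissive") == "1",
        )


def summarize(text):
    """Merge permissions per (stype, ttype, tclass), as audit2allow does."""
    merged = defaultdict(set)
    for stype, ttype, tclass, perms, _ in parse_avc(text):
        merged[(stype, ttype, tclass)] |= perms
    return dict(merged)


def allow_rules(text):
    """Render the merged denials as raw allow rules, sorted for stable output."""
    return [
        f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"
        for (stype, ttype, tclass), perms in sorted(summarize(text).items())
    ]


def permissive_domains(text):
    """Source types whose denials carried permissive=1.

    A permissive domain records every access the run needed; in enforcing
    mode the tool usually aborts at the first denial, so the log is partial.
    """
    return {stype for stype, _, _, _, perm in parse_avc(text) if perm}


if __name__ == "__main__":
    print("\n".join(allow_rules(SAMPLE_AVC)))
    print("permissive domains:", ", ".join(sorted(permissive_domains(SAMPLE_AVC))))
```

Run stand-alone it prints five raw allow rules for tpm2_t (efivarfs_t:filesystem getattr, locale_t:dir search, locale_t:file read, sshd_t:fd use, user_devpts_t:chr_file ioctl/read/write). In refpolicy those raw rules are expressed through interface calls rather than written into the .te file directly, which is what the patch does (the locale_t dir search and file read become miscfiles_read_localization, for instance). The permissive=1 field is worth checking before trusting such a log: here the domain was permissive, so the six records are the complete set of accesses the run needed, whereas an enforcing run would typically have stopped at the first denial.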