policy_module(keylime, 1.0.0)
########################################
#
# Declarations
#
# Attribute used as the source of the shared "keylime domain policy" rules below.
# NOTE(review): membership is presumably assigned by keylime_use_keylime_domain(),
# which is defined outside this file — confirm which types carry it.
attribute keylime_domain;
type keylime_agent_t;
keylime_use_keylime_domain(keylime_agent_t)
type keylime_agent_exec_t;
init_daemon_domain(keylime_agent_t, keylime_agent_exec_t)
type keylime_server_t;
keylime_use_keylime_domain(keylime_server_t)
type keylime_server_exec_t;
init_daemon_domain(keylime_server_t, keylime_server_exec_t)
type keylime_log_t;
logging_log_file(keylime_log_t)
type keylime_var_lib_t;
files_type(keylime_var_lib_t)
type keylime_tmp_t;
files_tmp_file(keylime_tmp_t)
########################################
#
# keylime domain policy
#
allow keylime_domain self:tcp_socket create_stream_socket_perms;
manage_dirs_pattern(keylime_domain, keylime_tmp_t, keylime_tmp_t)
manage_files_pattern(keylime_domain, keylime_tmp_t, keylime_tmp_t)
files_tmp_filetrans(keylime_domain, keylime_tmp_t, { dir file })
manage_dirs_pattern(keylime_domain, keylime_var_lib_t, keylime_var_lib_t)
manage_files_pattern(keylime_domain, keylime_var_lib_t, keylime_var_lib_t)
files_var_lib_filetrans(keylime_domain, keylime_var_lib_t, { dir file lnk_file })
# NOTE(review): corecmd_exec_bin presumably lets keylime domains run generic
# system binaries without a domain transition, so those programs run with the
# keylime domain's own permissions — confirm against the interface definition.
corecmd_exec_bin(keylime_domain)
corenet_tcp_bind_generic_node(keylime_domain)
# NOTE(review): by its name this lets every keylime_domain type bind TCP
# sockets on any port type, not only the ports keylime listens on. Confirm
# whether a dedicated port type (or a narrower corenet_tcp_bind_* interface)
# would cover the deployment.
corenet_tcp_bind_all_ports(keylime_domain)
# NOTE(review): by its name this permits outbound TCP connections to any
# unreserved port, so SELinux does not restrict which services a keylime
# domain can reach — confirm whether the peers can be named more narrowly.
corenet_tcp_connect_all_unreserved_ports(keylime_domain)
dev_read_sysfs(keylime_domain)
fs_tmpfs_filetrans(keylime_domain, keylime_var_lib_t, { dir file })
init_named_socket_activation(keylime_domain, keylime_var_lib_t, "keylime")
miscfiles_read_generic_certs(keylime_domain)
sysnet_read_config(keylime_domain)
# NOTE(review): together with the two userdom_manage_user_tmp_* calls that
# follow, this appears to let keylime domains both create and execute files
# in user temporary directories. Write-plus-execute on a location that other
# users can also write to should be justified or narrowed — confirm the need.
userdom_exec_user_tmp_files(keylime_domain)
userdom_manage_user_tmp_dirs(keylime_domain)
userdom_manage_user_tmp_files(keylime_domain)
########################################
#
# keylime server policy
#
allow keylime_server_t self:netlink_route_socket { create_stream_socket_perms nlmsg_read };
# Lets the server create and use its own UDP sockets.
# NOTE(review): create_stream_socket_perms normally adds listen/accept, which
# do not apply to datagram sockets; create_socket_perms is the usual set for
# udp_socket — confirm and narrow if so.
allow keylime_server_t self:udp_socket create_stream_socket_perms;
manage_dirs_pattern(keylime_server_t, keylime_log_t, keylime_log_t)
manage_files_pattern(keylime_server_t, keylime_log_t, keylime_log_t)
fs_rw_inherited_tmpfs_files(keylime_server_t)
optional_policy(`
# NOTE(review): gpg_exec presumably runs gpg inside keylime_server_t rather
# than transitioning to a gpg domain, so gpg executes with the server's
# permissions — confirm against the gpg policy interface.
gpg_exec(keylime_server_t)
')
optional_policy(`
kerberos_read_config(keylime_server_t)
# NOTE(review): keytabs hold long-term Kerberos keys, so read access is a
# sensitive grant. Confirm that the server needs it and that the interface
# is limited to the keytab the server actually uses.
kerberos_read_keytab(keylime_server_t)
')
optional_policy(`
sssd_run_stream_connect(keylime_server_t)
')
########################################
#
# keylime agent policy
#
#work with /var/lib/keylime/secure
# Linux capabilities the agent may exercise. dac_override and dac_read_search
# bypass file permission checks, setuid/setgid allow changing identity, and
# sys_ptrace covers tracing other processes, so this is a high-impact set.
# NOTE(review): the only stated reason is the /var/lib/keylime/secure comment
# above — confirm each capability is still required and drop the rest.
allow keylime_agent_t self:capability { chown dac_override dac_read_search setgid setuid sys_nice sys_ptrace };
allow keylime_agent_t self:chr_file getattr;
# FIXME: add an interface for this to the tabrmd policy
# Grants the rw_stream_socket_perms set on unix stream sockets of every type
# in the `domain` attribute (in reference policy, all process types). That is
# much wider than the single tabrmd daemon named in the FIXME above.
# The trailing directive disables selint check W-001 for this line.
# NOTE(review): replace with an interface scoped to the tabrmd domain once
# that policy exports one.
allow keylime_agent_t domain:unix_stream_socket rw_stream_socket_perms; #selint-disable:W-001
dev_rw_tpm(keylime_agent_t)
# Execute access to files labelled keylime_var_lib_t. keylime_domain is also
# granted manage access to that type earlier in this file
# (manage_files_pattern), so a domain holding both can write a file and then
# execute it.
# NOTE(review): presumably keylime_agent_t carries keylime_domain — confirm,
# and confirm that the write-plus-execute combination is intended.
exec_files_pattern(keylime_agent_t, keylime_var_lib_t, keylime_var_lib_t)
files_read_var_lib_files(keylime_agent_t)
fs_dontaudit_search_cgroup_dirs(keylime_agent_t)
fs_getattr_cgroup(keylime_agent_t)
fs_mount_tmpfs(keylime_agent_t)
fs_setattr_tmpfs_dirs(keylime_agent_t)
init_dontaudit_stream_connect(keylime_agent_t)
# NOTE(review): by its name this grants read access across /proc rather than
# to specific entries. Confirm what the agent reads there and whether a
# narrower kernel_read_* interface would be enough.
kernel_read_all_proc(keylime_agent_t)
userdom_dontaudit_search_user_home_dirs(keylime_agent_t)
auth_read_passwd(keylime_agent_t)
keylime_mounton_var_lib(keylime_agent_t)
# NOTE(review): presumably lets the agent execute mount with a transition into
# the mount domain. The agent is also granted fs_mount_tmpfs and
# keylime_mounton_var_lib above, which suggests it mounts a tmpfs under its
# var_lib directory (see the /var/lib/keylime/secure comment) — confirm that
# both the direct mount permission and this transition are needed.
mount_domtrans(keylime_agent_t)
# NOTE(review): presumably lets the agent read the loaded SELinux policy from
# selinuxfs; the file gives no reason for it — confirm why the agent needs it.
selinux_read_policy(keylime_agent_t)
optional_policy(`
# FIXME: add an interface for this to the tabrmd policy
#https://github.com/tpm2-software/tpm2-abrmd/blob/master/selinux
dbus_chat_system_bus(keylime_agent_t)
')
optional_policy(`
dbus_stream_connect_system_dbusd(keylime_agent_t)
dbus_system_bus_client(keylime_agent_t)
')
optional_policy(`
systemd_userdbd_stream_connect(keylime_agent_t)
systemd_machined_stream_connect(keylime_agent_t)
')