commit: a4525d611f5e4d7dc9d53af40f800e678805b8c1
Author: Tianjia Zhang <tianjia.zhang <AT> linux <DOT> alibaba <DOT> com>
AuthorDate: Thu Dec 19 06:46:00 2024 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Mar 8 23:01:08 2025 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a4525d61
tpm2: Add the necessary policy to run tpm2 tools
The following is the audit log captured while running tpm2_pcrread (in permissive mode, from an ssh session as secadm_r):
[ 942.958920] audit: type=1400 audit(1737012994.270:1242): avc: denied {
read write } for pid=13621 comm="tpm2_pcrread" path="/dev/pts/2" dev="devpts"
ino=5 scontext=secadm_u:secadm_r:tpm2_t:s0-s15:c0.c1023
tcontext=secadm_u:object_r:user_devpts_t:s0 tclass=chr_file permissive=1
[ 942.962483] audit: type=1400 audit(1737012994.270:1243): avc: denied {
use } for pid=13621 comm="tpm2_pcrread" path="/dev/pts/2" dev="devpts" ino=5
scontext=secadm_u:secadm_r:tpm2_t:s0-s15:c0.c1023
tcontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tclass=fd permissive=1
[ 942.973926] audit: type=1400 audit(1737012994.290:1246): avc: denied {
getattr } for pid=13621 comm="tpm2_pcrread" name="/" dev="efivarfs" ino=3381
scontext=secadm_u:secadm_r:tpm2_t:s0-s15:c0.c1023
tcontext=system_u:object_r:efivarfs_t:s0 tclass=filesystem permissive=1
[ 942.981343] audit: type=1400 audit(1737012994.298:1248): avc: denied {
ioctl } for pid=13621 comm="tpm2_pcrread" path="/dev/pts/2" dev="devpts" ino=5
ioctlcmd=0x5401 scontext=secadm_u:secadm_r:tpm2_t:s0-s15:c0.c1023
tcontext=secadm_u:object_r:user_devpts_t:s0 tclass=chr_file permissive=1
[ 942.983486] audit: type=1400 audit(1737012994.298:1249): avc: denied {
search } for pid=13621 comm="tpm2_pcrread" name="zoneinfo" dev="vda2"
ino=134930888 scontext=secadm_u:secadm_r:tpm2_t:s0-s15:c0.c1023
tcontext=system_u:object_r:locale_t:s0 tclass=dir permissive=1
[ 942.985608] audit: type=1400 audit(1737012994.298:1250): avc: denied {
read } for pid=13621 comm="tpm2_pcrread" name="Shanghai" dev="vda2"
ino=134930926 scontext=secadm_u:secadm_r:tpm2_t:s0-s15:c0.c1023
tcontext=system_u:object_r:locale_t:s0 tclass=file permissive=1
Signed-off-by: Tianjia Zhang <tianjia.zhang <AT> linux.alibaba.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/services/tpm2.te | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/policy/modules/services/tpm2.te b/policy/modules/services/tpm2.te
index 74fa42c69..b908e6632 100644
--- a/policy/modules/services/tpm2.te
+++ b/policy/modules/services/tpm2.te
@@ -52,13 +52,23 @@ files_read_etc_files(tpm2_t)
kernel_read_system_state(tpm2_t)
miscfiles_read_generic_certs(tpm2_t)
+miscfiles_read_localization(tpm2_t)
+miscfiles_getattr_localization(tpm2_t)
selinux_getattr_fs(tpm2_t)
selinux_search_fs(tpm2_t)
+fs_getattr_efivarfs(tpm2_t)
+
+userdom_use_user_ptys(tpm2_t)
+
tpm2_dbus_chat_abrmd(tpm2_t)
tpm2_rw_abrmd_pipes(tpm2_t)
optional_policy(`
dbus_system_bus_client(tpm2_t)
')
+
+optional_policy(`
+ ssh_use_sshd_pidfds(tpm2_t)
+')