selinux: Allow name resolve and optional unreserved port name_connect.

To use the mssim TCTI the daemon must be able to do two things: First it must be able to resolve DNS names. Second it must be able to connect to unreserved ports (the simulator binds to ports 2321 and 2322 by default). This commit grants the tabrmd the ability to resolve names over DNS through the 'sysnet_dns_name_resolve' interface. Permision to connect to all unreserved ports is granted through 'corenet_tcp_connect_all_unreserved_ports'. Access to unreserved ports is controlled by a new boolean: 'tabrmd_connect_all_unreserved' which is disabled by default. Signed-off-by: Philip Tricca <[email protected]>
tpm2-software · Dec 28, 2019 · 4c07690 · 4c07690
1 parent 0f00432
commit 4c07690
Showing 1 changed file with 7 additions and 1 deletion.
diff --git a/selinux/tabrmd.te b/selinux/tabrmd.te
@@ -1,10 +1,12 @@
-policy_module(tabrmd, 0.0.1)
+policy_module(tabrmd, 0.0.2)
 
 ########################################
 #
 # Declarations
 #
 
+gen_tunable(`tabrmd_connect_all_unreserved', false)
+
 type tabrmd_t;
 type tabrmd_exec_t;
 init_daemon_domain(tabrmd_t, tabrmd_exec_t)
@@ -13,10 +15,14 @@ allow tabrmd_t self:unix_dgram_socket { create_socket_perms };
 
 dev_rw_tpm(tabrmd_t)
 logging_send_syslog_msg(tabrmd_t)
+sysnet_dns_name_resolve(tabrmd_t)
 
 optional_policy(`
     dbus_stub()
     dbus_system_domain(tabrmd_t, tabrmd_exec_t)
     allow system_dbusd_t tabrmd_t:unix_stream_socket rw_stream_socket_perms;
 ')
 
+tunable_policy(`tabrmd_connect_all_unreserved',`
+    corenet_tcp_connect_all_unreserved_ports(tabrmd_t)
+')