commit: ae33618746dea07d4a275b09c0980e387a9d1cb5
Author: Tianjia Zhang <tianjia.zhang <AT> linux <DOT> alibaba <DOT> com>
AuthorDate: Thu Dec 26 12:03:50 2024 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Mar 8 23:01:08 2025 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ae336187
tpm2: allow tpm-abrmd to access urandom
The read permission to /dev/urandom is needed:
[ 5445.537739] audit: type=1400 audit(1737007412.134:1085): avc: denied { read } for pid=8499 comm="tpm2-abrmd" name="urandom" dev="devtmpfs" ino=10 scontext=system_u:system_r:tpm2_abrmd_t:s0-s15:c0.c1023 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file permissive=1
[ 5445.540088] audit: type=1400 audit(1737007412.134:1086): avc: denied { open } for pid=8499 comm="tpm2-abrmd" path="/dev/urandom" dev="devtmpfs" ino=10 scontext=system_u:system_r:tpm2_abrmd_t:s0-s15:c0.c1023 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file permissive=1
Signed-off-by: Tianjia Zhang <tianjia.zhang <AT> linux.alibaba.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/services/tpm2.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/services/tpm2.te b/policy/modules/services/tpm2.te
index 48173de1b..74fa42c69 100644
--- a/policy/modules/services/tpm2.te
+++ b/policy/modules/services/tpm2.te
@@ -31,6 +31,8 @@ kernel_read_system_state(tpm2_abrmd_t)
logging_send_syslog_msg(tpm2_abrmd_t)
+dev_read_urand(tpm2_abrmd_t)
+
optional_policy(`
dbus_system_domain(tpm2_abrmd_t, tpm2_abrmd_exec_t)
')
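Review bot: the new `dev_read_urand(tpm2_abrmd_t)` line is inserted after `logging_send_syslog_msg(tpm2_abrmd_t)`, which breaks the refpolicy convention of listing interface calls alphabetically by module prefix; `dev_*` calls belong before the `kernel_*` block, so move it up above `kernel_read_system_state(tpm2_abrmd_t)` in the surrounding context. On substance the change matches the denials quoted in the commit message: both AVC records show `tpm2-abrmd` in the `tpm2_abrmd_t` domain being denied `read` and `open` on `urandom_device_t` (logged with `permissive=1`, so both denials were recorded in one run), and `dev_read_urand` grants read access to the urandom character device including `open`, so no additional `dev_*` interface is needed. Worth confirming the minimal scope was intended: the interface grants read only, which is the right least-privilege choice for a daemon that needs entropy but has no reason to write to the device.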