Confine the ktls service

The ktls-utils package provides a TLS handshake user agent that listens for kernel requests and then materializes a user space socket endpoint on which to perform these handshakes. The resulting negotiated session parameters are passed back to the kernel via standard kTLS socket options.
fedora-selinux · Oct 23, 2024 · 3b83877 · 3b83877
1 parent 785a086
commit 3b83877
Show file tree

Hide file tree

Showing 4 changed files with 23 additions and 0 deletions.
diff --git a/dist/targeted/modules.conf b/dist/targeted/modules.conf
@@ -3036,3 +3036,11 @@ powerprofiles = module
 #
 #
 pcm = module
+
+# Layer: contrib
+# Module: ktls
+#
+# Policy for ktls - TLS handshake agent for kernel sockets
+#
+#
+ktls = module
diff --git a/policy/modules/contrib/ktls.fc b/policy/modules/contrib/ktls.fc
@@ -0,0 +1 @@
+/usr/sbin/tlshd		--	gen_context(system_u:object_r:ktlshd_exec_t,s0)
diff --git a/policy/modules/contrib/ktls.if b/policy/modules/contrib/ktls.if
@@ -0,0 +1 @@
+## <summary>ktls - TLS handshake agent for kernel sockets</summary>
diff --git a/policy/modules/contrib/ktls.te b/policy/modules/contrib/ktls.te
@@ -0,0 +1,13 @@
+policy_module(ktls, 1.0)
+
+########################################
+#
+# Declarations
+#
+
+type ktlshd_t;
+type ktlshd_exec_t;
+init_daemon_domain(ktlshd_t, ktlshd_exec_t)
+
+permissive ktlshd_t;
+