tee_supplicant: Add necessary SELinux policy for tee_supplicant domain by wenjz-qualcomm · Pull Request #1105 · SELinuxProject/refpolicy

wenjz-qualcomm · 2026-04-16T03:42:54Z

Define some new interfaces to access /var/lib/tee, /var/lib/qtee_supplicant
and /var/lib/tee/qtee_supplicant.

Grant the nescessary permission to tee_supplicant for resolving
AVC denials in enforcing mode.

Upstream-Status: Inappropriate [embedded specific]

In the commit write the Upstream-status just because yocto project request it, the status isn't the truly status, just to maintain a uniform format.

harshaldev27 · 2026-04-17T11:09:54Z

Hi @wenjz-qualcomm , Can you please update the Commit message to explicitly state that we are adding these new interface for qtee-supplicant which requires more permissions than OPTEE's tee-supplicant. Also, please describe what all permissions (high level) we are adding and why. Please also fix the indentation on your commit message body.

Finally, drop this "Upstream-Status: Inappropriate [embedded specific]" from the commit message.

wenjz-qualcomm · 2026-04-20T07:24:48Z

Hi @harshaldev27 and @dburgener, I already modified all mentioned comments, pls help me review the latest version. Thanks.

harshaldev27 · 2026-04-20T07:30:53Z

@@ -1,5 +1,5 @@
 ## <summary>tee_supplicant</summary>
-#
+##


Please don't add unnecessary #s here. This file should be un-touched.

This change still remains.

pebenito · 2026-05-04T15:32:59Z

Hi @pebenito, does that mean that we should label /usr/bin/qtee_supplicant as tee_supplicant_qtee, and then for all the permissions that it needs common with tee_supplicant_t call the same interfaces? Or is there a better way to do this?

No, /usr/bin/qtee_supplicant would remain tee_supplicant_exec_t. The entire .te file should use tee_supplicant_t. Any permissions known to be specific to qtee_supplicant should be in the tunable. Then on your system, you would enable the tee_supplicant_qtee Boolean to enable the rules.

harshaldev27 · 2026-05-05T09:28:38Z

Hi @pebenito, does that mean that we should label /usr/bin/qtee_supplicant as tee_supplicant_qtee, and then for all the permissions that it needs common with tee_supplicant_t call the same interfaces? Or is there a better way to do this?

No, /usr/bin/qtee_supplicant would remain tee_supplicant_exec_t. The entire .te file should use tee_supplicant_t. Any permissions known to be specific to qtee_supplicant should be in the tunable. Then on your system, you would enable the tee_supplicant_qtee Boolean to enable the rules.

Understood. I believe @wenjz-qualcomm has already accomodated this direction in the lastest pushed changes.

pebenito · 2026-05-06T14:21:34Z

+        # Access tee_supplicant to read /var
+        files_list_var(tee_supplicant_t)
+
+        # Access qtee_supplicant to visit /var/lib
+        files_list_var_lib(tee_supplicant_t)
+
+        # Access qtee_supplicant to access compatible of device tree
+        dev_read_sysfs(tee_supplicant_t)
+
+        # Access qtee_supplicant to send logs to systemd journal
+        logging_send_syslog_msg(tee_supplicant_t)
+
+        # Access qtee_supplicant to access /proc/cmdline
+        kernel_read_system_state(tee_supplicant_t)
+
+        # Access qtee_supplicant to request sys_rawio capability
+        allow tee_supplicant_t self:capability sys_rawio;
+
+        # Access qtee_supplicant to write wake_lock
+        dev_write_sysfs(tee_supplicant_t)
+
+        # Allow qtee_supplicant to block system suspend (wake_lock)
+        allow tee_supplicant_t self:capability2 block_suspend;


Please order the lines in the tunable block according to the StyleGuide.

pebenito · 2026-05-06T14:23:17Z

+        files_list_var_lib(tee_supplicant_t)
+
+        # Access qtee_supplicant to access compatible of device tree
+        dev_read_sysfs(tee_supplicant_t)


Which files/directories in sysfs does this read? We are slowly adding more labeling in sysfs. Please put comments that summarize what is accessed in sysfs.

This change is adding some interfaces for qtee_supplicant which requires more permissions than OPTEE’s tee‑supplicant. Overall, some necessary permissions for qtee_supplicant to accessing system resources have been added. Signed-off-by: Wenjia Zhang <wenjia.zhang@oss.qualcomm.com>

wenjz-qualcomm · 2026-05-08T01:58:51Z

Hi @pebenito , could you please help me to do the further review?

harshaldev27

This is looking good from my side.

Signed-off-by: Chris PeBenito <pebenito@ieee.org>

pebenito · 2026-05-12T14:00:19Z

 ')

+optional_policy(`
+	tee_supplicant_var_lib_filetrans(initrc_t)


This is too broad. This will make any file or directory it creates in /var/lib as tee_supplicant_var_lib_t. The interface should be revised like

refpolicy/policy/modules/kernel/files.if

Line 2192 in 436d78b

filetrans_pattern($1, root_t, $2, $3, $4)

so the object class and dir name can be specified at the call site.

pebenito · 2026-05-12T14:00:47Z

@@ -1,5 +1,5 @@
 ## <summary>tee_supplicant</summary>
-#
+##


This change still remains.

dburgener reviewed Apr 16, 2026

View reviewed changes

wenjz-qualcomm force-pushed the main branch 2 times, most recently from c7d9e2a to fc2e74a Compare April 17, 2026 09:23

harshaldev27 suggested changes Apr 17, 2026

View reviewed changes

wenjz-qualcomm force-pushed the main branch from fc2e74a to a46699f Compare April 20, 2026 07:22

harshaldev27 reviewed Apr 20, 2026

View reviewed changes

wenjz-qualcomm force-pushed the main branch 2 times, most recently from e1b57ab to 61d20af Compare April 21, 2026 06:31

harshaldev27 suggested changes Apr 21, 2026

View reviewed changes

Comment thread policy/modules/services/tee_supplicant.fc Outdated

Comment thread policy/modules/services/tee_supplicant.te Outdated

wenjz-qualcomm force-pushed the main branch 3 times, most recently from e8ffeaf to 31ceb11 Compare April 28, 2026 06:56

harshaldev27 suggested changes May 4, 2026

View reviewed changes

Comment thread policy/modules/services/tee_supplicant.te Outdated

pebenito reviewed May 5, 2026

View reviewed changes

Comment thread policy/modules/services/tee_supplicant.te Outdated

wenjz-qualcomm force-pushed the main branch from 31ceb11 to 465038e Compare May 6, 2026 06:28

pebenito requested changes May 6, 2026

View reviewed changes

wenjz-qualcomm force-pushed the main branch from 465038e to b61d9f3 Compare May 7, 2026 02:49

wenjz-qualcomm requested review from harshaldev27 and pebenito May 12, 2026 01:58

harshaldev27 approved these changes May 12, 2026

View reviewed changes

tee_supplicant.te: Whitespace fixes.

2fd473b

Signed-off-by: Chris PeBenito <pebenito@ieee.org>

pebenito requested changes May 12, 2026

View reviewed changes

Conversation

wenjz-qualcomm commented Apr 16, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

harshaldev27 commented Apr 17, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

wenjz-qualcomm commented Apr 20, 2026

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

pebenito commented May 4, 2026

Uh oh!

harshaldev27 commented May 5, 2026

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

wenjz-qualcomm commented May 8, 2026

Uh oh!

harshaldev27 left a comment

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

wenjz-qualcomm commented Apr 16, 2026 •

edited

Loading

harshaldev27 commented Apr 17, 2026 •

edited

Loading