Ana Guerrero
1d968c6357
Update SELinux modules dir as macro to allow root path move As discussed before we are going to move SELinux modules from /var/lib/selinux to /etc/selinux (bsc#1221342). This small change allows you to build your packages dynamically (not depending on selinux-package version) and us to change module directory macro in upcoming versions of selinux-policy package without interfering with other packages using custom SELinux modules. (forwarded request 1318594 from djz88) OBS-URL: https://build.opensuse.org/request/show/1318602 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/tpm2.0-abrmd?expand=0&rev=31
The tpm2-abrmd by upstream default allows every local users in the system to access the TPM chip and modify its settings (bsc#1197532). Upstream suggests to use the TPM's internal security features (e.g. password protection) to prevent local users from manipulating the chip without authorization. Still the default behaviour that every user in the system can access TPM features without any authentication could come as a surprise to end users and system integrators alike. For this reason on SUSE only members of the 'tss' group are allowed to access the tpm2-abrmd D-Bus interface, thereby mirroring the access permissions of the /dev/tpm0 and /dev/tpmrm0 character devices.