* [refpolicy] [PATCH 3/3] Add file context rules for haveged
2011-07-20 17:33 [refpolicy] [PATCH/RFC v2] Haveged support in (audio)entropyd Sven Vermeulen
@ 2011-07-20 17:43 ` Sven Vermeulen
From: Sven Vermeulen @ 2011-07-20 17:43 UTC
To: refpolicy
Add file context rules for haveged within the audioentropyd module.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
policy/modules/services/audioentropy.fc | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/policy/modules/services/audioentropy.fc b/policy/modules/services/audioentropy.fc
index 001235e..d2d8ce3 100644
--- a/policy/modules/services/audioentropy.fc
+++ b/policy/modules/services/audioentropy.fc
@@ -2,5 +2,7 @@
# /usr
#
/usr/sbin/audio-entropyd -- gen_context(system_u:object_r:entropyd_exec_t,s0)
+/usr/sbin/haveged -- gen_context(system_u:object_r:entropyd_exec_t,s0)
/var/run/audio-entropyd\.pid -- gen_context(system_u:object_r:entropyd_var_run_t,s0)
+/var/run/haveged\.pid -- gen_context(system_u:object_r:entropyd_var_run_t,s0)
--
1.7.3.4
* [refpolicy] [PATCH/RFC v3] Haveged support in (audio)entropyd
@ 2011-07-20 18:50 Sven Vermeulen
2011-07-20 18:51 ` [refpolicy] [PATCH 1/3] Separate sound specific items from general entropyd_t definition Sven Vermeulen
From: Sven Vermeulen @ 2011-07-20 18:50 UTC
To: refpolicy
This patch set segregates the obvious audio-related privileges within
entropyd_t (in the audioentropyd module) through the use of a SELinux
boolean "entropyd_use_audio", enhances the entropyd_t with the privileges
needed by haveged, and adds the proper file contexts for haveged support.
Comments always appreciated. This obsoletes the previous patch set titled
"[PATCH/RFC v2] Haveged support in (audio)entropyd".
Changes since v2:
- Use the optional_policy ( tunable_policy ( ... ) ) format. The other way around isn't supported.
* [refpolicy] [PATCH 1/3] Separate sound specific items from general entropyd_t definition
2011-07-20 18:50 [refpolicy] [PATCH/RFC v3] Haveged support in (audio)entropyd Sven Vermeulen
@ 2011-07-20 18:51 ` Sven Vermeulen
2011-07-20 18:52 ` [refpolicy] [PATCH 2/3] Update entropyd_t with privileges needed for haveged Sven Vermeulen
2011-07-20 18:52 ` [refpolicy] [PATCH 3/3] Add file context rules for haveged Sven Vermeulen
From: Sven Vermeulen @ 2011-07-20 18:51 UTC
To: refpolicy
Introduce a tunable called "entropyd_use_audio". This boolean triggers the
privileges that are specific for audio support (both device access as well
as the alsa-specific ones).
The idea to use a boolean is to support other entropy management
applications/daemons which use different sources (like haveged using the
HAVEGE algorithm).
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
policy/modules/services/audioentropy.te | 27 ++++++++++++++++++++-------
1 files changed, 20 insertions(+), 7 deletions(-)
diff --git a/policy/modules/services/audioentropy.te b/policy/modules/services/audioentropy.te
index 2b348c7..763bd44 100644
--- a/policy/modules/services/audioentropy.te
+++ b/policy/modules/services/audioentropy.te
@@ -5,6 +5,13 @@ policy_module(audioentropy, 1.6.0)
# Declarations
#
+## <desc>
+## <p>
+## Allow the use of the audio devices as the source for the entropy feeds
+## </p>
+## </desc>
+gen_tunable(entropyd_use_audio, false)
+
type entropyd_t;
type entropyd_exec_t;
init_daemon_domain(entropyd_t, entropyd_exec_t)
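Review bot: the new tunable defaults to false, and the following hunk removes dev_read_sound/dev_write_sound unconditionally, so an existing audio-entropyd installation loses its sound device access until an administrator enables entropyd_use_audio; that is a behaviour change for current users and should be called out in the commit message (or the default reconsidered). The <desc> text could also mention that the boolean gates the alsa_* accesses as well as the sound devices, so the tunable documentation describes everything it controls.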
@@ -33,11 +40,6 @@ dev_read_urand(entropyd_t)
dev_write_urand(entropyd_t)
dev_read_rand(entropyd_t)
dev_write_rand(entropyd_t)
-dev_read_sound(entropyd_t)
-# set sound card parameters such as
-# sample format, number of channels
-# and sample rate.
-dev_write_sound(entropyd_t)
files_read_etc_files(entropyd_t)
files_read_usr_files(entropyd_t)
@@ -55,8 +57,19 @@ userdom_dontaudit_use_unpriv_user_fds(entropyd_t)
userdom_dontaudit_search_user_home_dirs(entropyd_t)
optional_policy(`
- alsa_read_lib(entropyd_t)
- alsa_read_rw_config(entropyd_t)
+ tunable_policy(`entropyd_use_audio',`
+ dev_read_sound(entropyd_t)
+ # set sound card parameters such as sample format, number of channels
+ # and sample rate.
+ dev_write_sound(entropyd_t)
+ ')
+')
+
+optional_policy(`
+ tunable_policy(`entropyd_use_audio',`
+ alsa_read_lib(entropyd_t)
+ alsa_read_rw_config(entropyd_t)
+ ')
')
optional_policy(`
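Review bot: the first optional_policy block wraps only dev_read_sound/dev_write_sound, which come from the devices module that is always present in the base policy, so that optional_policy wrapper is unnecessary; a bare `tunable_policy(`entropyd_use_audio',` ... ')` block at the top level is the usual form for interfaces from base modules. optional_policy is only needed around alsa_read_lib/alsa_read_rw_config, since alsa is a loadable module, so keeping the second block as written and dropping the outer wrapper of the first would be the cleaner shape.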
--
1.7.3.4
* [refpolicy] [PATCH 2/3] Update entropyd_t with privileges needed for haveged
2011-07-20 18:50 [refpolicy] [PATCH/RFC v3] Haveged support in (audio)entropyd Sven Vermeulen
2011-07-20 18:51 ` [refpolicy] [PATCH 1/3] Separate sound specific items from general entropyd_t definition Sven Vermeulen
@ 2011-07-20 18:52 ` Sven Vermeulen
2011-07-20 18:52 ` [refpolicy] [PATCH 3/3] Add file context rules for haveged Sven Vermeulen
From: Sven Vermeulen @ 2011-07-20 18:52 UTC
To: refpolicy
Haveged by itself requires a few additional privileges (create a unix socket
and write access to some proc/sys/kernel files, like
/proc/sys/kernel/random/write_wakeup_threshold).
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
policy/modules/services/audioentropy.te | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/policy/modules/services/audioentropy.te b/policy/modules/services/audioentropy.te
index 763bd44..a2f17fd 100644
--- a/policy/modules/services/audioentropy.te
+++ b/policy/modules/services/audioentropy.te
@@ -27,11 +27,12 @@ files_pid_file(entropyd_var_run_t)
allow entropyd_t self:capability { dac_override ipc_lock sys_admin };
dontaudit entropyd_t self:capability sys_tty_config;
allow entropyd_t self:process signal_perms;
+allow entropyd_t self:unix_dgram_socket create_socket_perms;
manage_files_pattern(entropyd_t, entropyd_var_run_t, entropyd_var_run_t)
files_pid_filetrans(entropyd_t, entropyd_var_run_t, file)
-kernel_read_kernel_sysctls(entropyd_t)
+kernel_rw_kernel_sysctl(entropyd_t)
kernel_list_proc(entropyd_t)
kernel_read_proc_symlinks(entropyd_t)
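Review bot: kernel_rw_kernel_sysctl grants write access to everything under /proc/sys/kernel, not only the random/write_wakeup_threshold file named in the commit message; if that single file is all haveged writes, the message should say that no finer-grained type exists for it so the broader interface is deliberate, and note that audio-entropyd inherits the same write access because both binaries run in entropyd_t. For the `+allow entropyd_t self:unix_dgram_socket create_socket_perms;` rule, if the socket is used for syslog(), logging_send_syslog_msg(entropyd_t) is the idiomatic interface and also covers reaching the syslog socket, which this self-only rule does not.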
--
1.7.3.4
* [refpolicy] [PATCH 3/3] Add file context rules for haveged
2011-07-20 18:50 [refpolicy] [PATCH/RFC v3] Haveged support in (audio)entropyd Sven Vermeulen
2011-07-20 18:51 ` [refpolicy] [PATCH 1/3] Separate sound specific items from general entropyd_t definition Sven Vermeulen
2011-07-20 18:52 ` [refpolicy] [PATCH 2/3] Update entropyd_t with privileges needed for haveged Sven Vermeulen
@ 2011-07-20 18:52 ` Sven Vermeulen
From: Sven Vermeulen @ 2011-07-20 18:52 UTC
To: refpolicy
Add file context rules for haveged within the audioentropyd module.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
policy/modules/services/audioentropy.fc | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/policy/modules/services/audioentropy.fc b/policy/modules/services/audioentropy.fc
index 001235e..d2d8ce3 100644
--- a/policy/modules/services/audioentropy.fc
+++ b/policy/modules/services/audioentropy.fc
@@ -2,5 +2,7 @@
# /usr
#
/usr/sbin/audio-entropyd -- gen_context(system_u:object_r:entropyd_exec_t,s0)
+/usr/sbin/haveged -- gen_context(system_u:object_r:entropyd_exec_t,s0)
/var/run/audio-entropyd\.pid -- gen_context(system_u:object_r:entropyd_var_run_t,s0)
+/var/run/haveged\.pid -- gen_context(system_u:object_r:entropyd_var_run_t,s0)
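Review bot: the existing and new /var/run pid file entries sit under the `# /usr` section comment; refpolicy .fc files group paths by top-level directory, so a `# /var` section header before the /var/run lines would keep the file consistent. Labelling /usr/sbin/haveged as entropyd_exec_t puts both daemons in the single entropyd_t domain, so each one receives the privileges the other needs (the sysctl write access and unix socket from patch 2/3, and the audio access when the boolean is on); the commit message should state that sharing one domain is intended.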
--
1.7.3.4
* [refpolicy] [PATCH 3/3] Add file context rules for haveged
2011-07-20 18:58 [refpolicy] [PATCH/RFC v4] Haveged support in (audio)entropyd Sven Vermeulen
@ 2011-07-20 19:00 ` Sven Vermeulen
From: Sven Vermeulen @ 2011-07-20 19:00 UTC
To: refpolicy
Add file context rules for haveged within the audioentropyd module.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
policy/modules/services/audioentropy.fc | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/policy/modules/services/audioentropy.fc b/policy/modules/services/audioentropy.fc
index 001235e..d2d8ce3 100644
--- a/policy/modules/services/audioentropy.fc
+++ b/policy/modules/services/audioentropy.fc
@@ -2,5 +2,7 @@
# /usr
#
/usr/sbin/audio-entropyd -- gen_context(system_u:object_r:entropyd_exec_t,s0)
+/usr/sbin/haveged -- gen_context(system_u:object_r:entropyd_exec_t,s0)
/var/run/audio-entropyd\.pid -- gen_context(system_u:object_r:entropyd_var_run_t,s0)
+/var/run/haveged\.pid -- gen_context(system_u:object_r:entropyd_var_run_t,s0)
--
1.7.3.4