* [refpolicy] [PATCH/RFC v4] Haveget support in (audio)entropyd
@ 2011-07-20 18:58 Sven Vermeulen
2011-07-20 18:59 ` [refpolicy] [PATCH 1/3] Separate sound specific items frmo general entropyd Sven Vermeulen
` (3 more replies)
0 siblings, 4 replies; 7+ messages in thread
From: Sven Vermeulen @ 2011-07-20 18:58 UTC (permalink / raw)
To: refpolicy
This patch set segregates the obvious audio-related privileges within
entropyd_t (in the audioentropyd module) through the use of a SELinux
boolean "entropyd_use_audio", enhances the entropyd_t with the privileges
needed by haveged, and adds the proper file contexts for haveged support.
Comments always appreciated. This obsoletes the previous patch set titled
"[PATCH/RFC v3] Haveget support in (audio)entropyd".
Changes since v2:
- Use optional_policy ( tunable_policy ( ... ) ) format. The other way
around isn't supported
Changes since v3:
- dev_* calls do not need to be made optional, they are part of base modules
^ permalink raw reply [flat|nested] 7+ messages in thread
* [refpolicy] [PATCH 1/3] Separate sound specific items frmo general entropyd
2011-07-20 18:58 [refpolicy] [PATCH/RFC v4] Haveget support in (audio)entropyd Sven Vermeulen
@ 2011-07-20 18:59 ` Sven Vermeulen
2011-07-20 19:00 ` [refpolicy] [PATCH 2/3] Update entropyd_t with privileges needed for haveged Sven Vermeulen
` (2 subsequent siblings)
3 siblings, 0 replies; 7+ messages in thread
From: Sven Vermeulen @ 2011-07-20 18:59 UTC (permalink / raw)
To: refpolicy
Introduce a tunable called "entropyd_use_audio". This boolean triggers the
privileges that are specific for audio support (both device access as well
as the alsa-specific ones).
The idea to use a boolean is to support other entropy management
applications/daemons which use different sources (like haveged using the
HAVEGE algorithm).
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
policy/modules/services/audioentropy.te | 25 ++++++++++++++++++-------
1 files changed, 18 insertions(+), 7 deletions(-)
diff --git a/policy/modules/services/audioentropy.te b/policy/modules/services/audioentropy.te
index 2b348c7..7ece78d 100644
--- a/policy/modules/services/audioentropy.te
+++ b/policy/modules/services/audioentropy.te
@@ -5,6 +5,13 @@ policy_module(audioentropy, 1.6.0)
# Declarations
#
+## <desc>
+## <p>
+## Allow the use of the audio devices as the source for the entropy feeds
+## </p>
+## </desc>
+gen_tunable(entropyd_use_audio, false)
+
type entropyd_t;
type entropyd_exec_t;
init_daemon_domain(entropyd_t, entropyd_exec_t)
@@ -33,11 +40,6 @@ dev_read_urand(entropyd_t)
dev_write_urand(entropyd_t)
dev_read_rand(entropyd_t)
dev_write_rand(entropyd_t)
-dev_read_sound(entropyd_t)
-# set sound card parameters such as
-# sample format, number of channels
-# and sample rate.
-dev_write_sound(entropyd_t)
files_read_etc_files(entropyd_t)
files_read_usr_files(entropyd_t)
@@ -54,9 +56,18 @@ miscfiles_read_localization(entropyd_t)
userdom_dontaudit_use_unpriv_user_fds(entropyd_t)
userdom_dontaudit_search_user_home_dirs(entropyd_t)
+tunable_policy(`entropyd_use_audio',`
+ dev_read_sound(entropyd_t)
+ # set sound card parameters such as sample format, number of channels
+ # and sample rate.
+ dev_write_sound(entropyd_t)
+')
+
optional_policy(`
- alsa_read_lib(entropyd_t)
- alsa_read_rw_config(entropyd_t)
+ tunable_policy(`entropyd_use_audio',`
+ alsa_read_lib(entropyd_t)
+ alsa_read_rw_config(entropyd_t)
+ ')
')
optional_policy(`
--
1.7.3.4
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [refpolicy] [PATCH 2/3] Update entropyd_t with privileges needed for haveged
2011-07-20 18:58 [refpolicy] [PATCH/RFC v4] Haveget support in (audio)entropyd Sven Vermeulen
2011-07-20 18:59 ` [refpolicy] [PATCH 1/3] Separate sound specific items frmo general entropyd Sven Vermeulen
@ 2011-07-20 19:00 ` Sven Vermeulen
2011-07-20 19:00 ` [refpolicy] [PATCH 3/3] Add file context rules " Sven Vermeulen
2011-07-22 12:43 ` [refpolicy] [PATCH/RFC v4] Haveget support in (audio)entropyd Christopher J. PeBenito
3 siblings, 0 replies; 7+ messages in thread
From: Sven Vermeulen @ 2011-07-20 19:00 UTC (permalink / raw)
To: refpolicy
Haveged by itself requires a few additional privileges (create a unix socket
and write access to some proc/sys/kernel files (like
/proc/sys/kernel/random/write_wakeup_threshold).
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
policy/modules/services/audioentropy.te | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/policy/modules/services/audioentropy.te b/policy/modules/services/audioentropy.te
index 7ece78d..67f546d 100644
--- a/policy/modules/services/audioentropy.te
+++ b/policy/modules/services/audioentropy.te
@@ -27,11 +27,12 @@ files_pid_file(entropyd_var_run_t)
allow entropyd_t self:capability { dac_override ipc_lock sys_admin };
dontaudit entropyd_t self:capability sys_tty_config;
allow entropyd_t self:process signal_perms;
+allow entropyd_t self:unix_dgram_socket create_socket_perms;
manage_files_pattern(entropyd_t, entropyd_var_run_t, entropyd_var_run_t)
files_pid_filetrans(entropyd_t, entropyd_var_run_t, file)
-kernel_read_kernel_sysctls(entropyd_t)
+kernel_rw_kernel_sysctl(entropyd_t)
kernel_list_proc(entropyd_t)
kernel_read_proc_symlinks(entropyd_t)
--
1.7.3.4
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [refpolicy] [PATCH 3/3] Add file context rules for haveged
2011-07-20 18:58 [refpolicy] [PATCH/RFC v4] Haveget support in (audio)entropyd Sven Vermeulen
2011-07-20 18:59 ` [refpolicy] [PATCH 1/3] Separate sound specific items frmo general entropyd Sven Vermeulen
2011-07-20 19:00 ` [refpolicy] [PATCH 2/3] Update entropyd_t with privileges needed for haveged Sven Vermeulen
@ 2011-07-20 19:00 ` Sven Vermeulen
2011-07-22 12:43 ` [refpolicy] [PATCH/RFC v4] Haveget support in (audio)entropyd Christopher J. PeBenito
3 siblings, 0 replies; 7+ messages in thread
From: Sven Vermeulen @ 2011-07-20 19:00 UTC (permalink / raw)
To: refpolicy
Add file context rules for haveged within the audioentropyd module.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
policy/modules/services/audioentropy.fc | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/policy/modules/services/audioentropy.fc b/policy/modules/services/audioentropy.fc
index 001235e..d2d8ce3 100644
--- a/policy/modules/services/audioentropy.fc
+++ b/policy/modules/services/audioentropy.fc
@@ -2,5 +2,7 @@
# /usr
#
/usr/sbin/audio-entropyd -- gen_context(system_u:object_r:entropyd_exec_t,s0)
+/usr/sbin/haveged -- gen_context(system_u:object_r:entropyd_exec_t,s0)
/var/run/audio-entropyd\.pid -- gen_context(system_u:object_r:entropyd_var_run_t,s0)
+/var/run/haveged\.pid -- gen_context(system_u:object_r:entropyd_var_run_t,s0)
--
1.7.3.4
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [refpolicy] [PATCH/RFC v4] Haveget support in (audio)entropyd
2011-07-20 18:58 [refpolicy] [PATCH/RFC v4] Haveget support in (audio)entropyd Sven Vermeulen
` (2 preceding siblings ...)
2011-07-20 19:00 ` [refpolicy] [PATCH 3/3] Add file context rules " Sven Vermeulen
@ 2011-07-22 12:43 ` Christopher J. PeBenito
2011-07-22 13:52 ` Daniel J Walsh
2011-07-22 15:04 ` Sven Vermeulen
3 siblings, 2 replies; 7+ messages in thread
From: Christopher J. PeBenito @ 2011-07-22 12:43 UTC (permalink / raw)
To: refpolicy
On 07/20/11 14:58, Sven Vermeulen wrote:
> This patch set segregates the obvious audio-related privileges within
> entropyd_t (in the audioentropyd module) through the use of a SELinux
> boolean "entropyd_use_audio", enhances the entropyd_t with the privileges
> needed by haveged, and adds the proper file contexts for haveged support.
>
> Comments always appreciated. This obsoletes the previous patch set titled
> "[PATCH/RFC v3] Haveget support in (audio)entropyd".
>
> Changes since v2:
> - Use optional_policy ( tunable_policy ( ... ) ) format. The other way
> around isn't supported
>
> Changes since v3:
> - dev_* calls do not need to be made optional, they are part of base modules
Merged. I need to do one of these to things:
1. rename the module to entropyd. Causes an annoying upgrade problem
for distros. Otherwise this is trivial since it has no interface
compatibility to worry about.
2. set the default of entropyd_use_audio to true since this is the
audioentropy module.
How do you feel about #1? Dan, you too.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
^ permalink raw reply [flat|nested] 7+ messages in thread
* [refpolicy] [PATCH/RFC v4] Haveget support in (audio)entropyd
2011-07-22 12:43 ` [refpolicy] [PATCH/RFC v4] Haveget support in (audio)entropyd Christopher J. PeBenito
@ 2011-07-22 13:52 ` Daniel J Walsh
2011-07-22 15:04 ` Sven Vermeulen
1 sibling, 0 replies; 7+ messages in thread
From: Daniel J Walsh @ 2011-07-22 13:52 UTC (permalink / raw)
To: refpolicy
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 07/22/2011 08:43 AM, Christopher J. PeBenito wrote:
> On 07/20/11 14:58, Sven Vermeulen wrote:
>> This patch set segregates the obvious audio-related privileges
>> within entropyd_t (in the audioentropyd module) through the use of
>> a SELinux boolean "entropyd_use_audio", enhances the entropyd_t
>> with the privileges needed by haveged, and adds the proper file
>> contexts for haveged support.
>>
>> Comments always appreciated. This obsoletes the previous patch set
>> titled "[PATCH/RFC v3] Haveget support in (audio)entropyd".
>>
>> Changes since v2: - Use optional_policy ( tunable_policy ( ... ) )
>> format. The other way around isn't supported
>>
>> Changes since v3: - dev_* calls do not need to be made optional,
>> they are part of base modules
>
> Merged. I need to do one of these to things:
>
> 1. rename the module to entropyd. Causes an annoying upgrade
> problem for distros. Otherwise this is trivial since it has no
> interface compatibility to worry about.
>
> 2. set the default of entropyd_use_audio to true since this is the
> audioentropy module.
>
> How do you feel about #1? Dan, you too.
>
Fine with me. We can remove the old and add the new to the dist for the
name.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk4pgKYACgkQrlYvE4MpobNktgCgkR9v+t4nyqxr4bIjVM/6NkIg
bFoAoJ2vegVTU4d8PWAm8S3ElwcmmalX
=f/Oz
-----END PGP SIGNATURE-----
^ permalink raw reply [flat|nested] 7+ messages in thread
* [refpolicy] [PATCH/RFC v4] Haveget support in (audio)entropyd
2011-07-22 12:43 ` [refpolicy] [PATCH/RFC v4] Haveget support in (audio)entropyd Christopher J. PeBenito
2011-07-22 13:52 ` Daniel J Walsh
@ 2011-07-22 15:04 ` Sven Vermeulen
1 sibling, 0 replies; 7+ messages in thread
From: Sven Vermeulen @ 2011-07-22 15:04 UTC (permalink / raw)
To: refpolicy
On Fri, Jul 22, 2011 at 08:43:27AM -0400, Christopher J. PeBenito wrote:
> Merged. I need to do one of these to things:
>
> 1. rename the module to entropyd. Causes an annoying upgrade problem
> for distros. Otherwise this is trivial since it has no interface
> compatibility to worry about.
>
> 2. set the default of entropyd_use_audio to true since this is the
> audioentropy module.
>
> How do you feel about #1? Dan, you too.
#1 is fine here. I'd rather see rememberable names than historic ones ;-)
Wkr,
Sven Vermeulen
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2011-07-22 15:04 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2011-07-20 18:58 [refpolicy] [PATCH/RFC v4] Haveget support in (audio)entropyd Sven Vermeulen
2011-07-20 18:59 ` [refpolicy] [PATCH 1/3] Separate sound specific items frmo general entropyd Sven Vermeulen
2011-07-20 19:00 ` [refpolicy] [PATCH 2/3] Update entropyd_t with privileges needed for haveged Sven Vermeulen
2011-07-20 19:00 ` [refpolicy] [PATCH 3/3] Add file context rules " Sven Vermeulen
2011-07-22 12:43 ` [refpolicy] [PATCH/RFC v4] Haveget support in (audio)entropyd Christopher J. PeBenito
2011-07-22 13:52 ` Daniel J Walsh
2011-07-22 15:04 ` Sven Vermeulen
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.