1 |
commit: ed6053a16d285c29f5490f8572c10b17e723c99d |
2 |
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com> |
3 |
AuthorDate: Sat Sep 29 09:55:40 2012 +0000 |
4 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
5 |
CommitDate: Tue Oct 2 18:04:19 2012 +0000 |
6 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ed6053a1 |
7 |
|
8 |
Changes to the entropyd policy module |
9 |
|
10 |
Add init script |
11 |
Module clean up |
12 |
|
13 |
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com> |
14 |
|
15 |
--- |
16 |
policy/modules/contrib/entropyd.fc | 7 +++---- |
17 |
policy/modules/contrib/entropyd.if | 36 +++++++++++++++++++++++++++++++++++- |
18 |
policy/modules/contrib/entropyd.te | 16 +++++++++------- |
19 |
3 files changed, 47 insertions(+), 12 deletions(-) |
20 |
|
21 |
diff --git a/policy/modules/contrib/entropyd.fc b/policy/modules/contrib/entropyd.fc |
22 |
index d2d8ce3..c698711 100644 |
23 |
--- a/policy/modules/contrib/entropyd.fc |
24 |
+++ b/policy/modules/contrib/entropyd.fc |
25 |
@@ -1,8 +1,7 @@ |
26 |
-# |
27 |
-# /usr |
28 |
-# |
29 |
+/etc/rc\.d/init\.d/((audio-entropyd)|(haveged)) -- gen_context(system_u:object_r:entropyd_initrc_exec_t,s0) |
30 |
+ |
31 |
/usr/sbin/audio-entropyd -- gen_context(system_u:object_r:entropyd_exec_t,s0) |
32 |
-/usr/sbin/haveged -- gen_context(system_u:object_r:entropyd_exec_t,s0) |
33 |
+/usr/sbin/haveged -- gen_context(system_u:object_r:entropyd_exec_t,s0) |
34 |
|
35 |
/var/run/audio-entropyd\.pid -- gen_context(system_u:object_r:entropyd_var_run_t,s0) |
36 |
/var/run/haveged\.pid -- gen_context(system_u:object_r:entropyd_var_run_t,s0) |
37 |
|
38 |
diff --git a/policy/modules/contrib/entropyd.if b/policy/modules/contrib/entropyd.if |
39 |
index 67906f0..1161fbf 100644 |
40 |
--- a/policy/modules/contrib/entropyd.if |
41 |
+++ b/policy/modules/contrib/entropyd.if |
42 |
@@ -1 +1,35 @@ |
43 |
-## <summary>Generate entropy from audio input</summary> |
44 |
+## <summary>Generate entropy from audio input.</summary> |
45 |
+ |
46 |
+######################################## |
47 |
+## <summary> |
48 |
+## All of the rules required to |
49 |
+## administrate an entropyd environment. |
50 |
+## </summary> |
51 |
+## <param name="domain"> |
52 |
+## <summary> |
53 |
+## Domain allowed access. |
54 |
+## </summary> |
55 |
+## </param> |
56 |
+## <param name="role"> |
57 |
+## <summary> |
58 |
+## Role allowed access. |
59 |
+## </summary> |
60 |
+## </param> |
61 |
+## <rolecap/> |
62 |
+# |
63 |
+interface(`entropyd_admin',` |
64 |
+ gen_require(` |
65 |
+ type entropyd_t, entropyd_initrc_exec_t, entropyd_var_run_t; |
66 |
+ ') |
67 |
+ |
68 |
+ allow $1 entropyd_t:process { ptrace signal_perms }; |
69 |
+ ps_process_pattern($1, entropyd_t) |
70 |
+ |
71 |
+ init_labeled_script_domtrans($1, entropyd_initrc_exec_t) |
72 |
+ domain_system_change_exemption($1) |
73 |
+ role_transition $2 entropyd_initrc_exec_t system_r; |
74 |
+ allow $2 system_r; |
75 |
+ |
76 |
+ files_search_pids($1) |
77 |
+ admin_pattern($1, entropyd_var_run_t) |
78 |
+') |
79 |
|
80 |
diff --git a/policy/modules/contrib/entropyd.te b/policy/modules/contrib/entropyd.te |
81 |
index b6ac808..e1aff60 100644 |
82 |
--- a/policy/modules/contrib/entropyd.te |
83 |
+++ b/policy/modules/contrib/entropyd.te |
84 |
@@ -1,4 +1,4 @@ |
85 |
-policy_module(entropyd, 1.7.0) |
86 |
+policy_module(entropyd, 1.7.1) |
87 |
|
88 |
######################################## |
89 |
# |
90 |
@@ -6,9 +6,11 @@ policy_module(entropyd, 1.7.0) |
91 |
# |
92 |
|
93 |
## <desc> |
94 |
-## <p> |
95 |
-## Allow the use of the audio devices as the source for the entropy feeds |
96 |
-## </p> |
97 |
+## <p> |
98 |
+## Determine whether entropyd can use |
99 |
+## audio devices as the source for |
100 |
+## the entropy feeds. |
101 |
+## </p> |
102 |
## </desc> |
103 |
gen_tunable(entropyd_use_audio, false) |
104 |
|
105 |
@@ -16,6 +18,9 @@ type entropyd_t; |
106 |
type entropyd_exec_t; |
107 |
init_daemon_domain(entropyd_t, entropyd_exec_t) |
108 |
|
109 |
+type entropyd_initrc_exec_t; |
110 |
+init_script_file(entropyd_initrc_exec_t) |
111 |
+ |
112 |
type entropyd_var_run_t; |
113 |
files_pid_file(entropyd_var_run_t) |
114 |
|
115 |
@@ -27,7 +32,6 @@ files_pid_file(entropyd_var_run_t) |
116 |
allow entropyd_t self:capability { dac_override ipc_lock sys_admin }; |
117 |
dontaudit entropyd_t self:capability sys_tty_config; |
118 |
allow entropyd_t self:process signal_perms; |
119 |
-allow entropyd_t self:unix_dgram_socket create_socket_perms; |
120 |
|
121 |
manage_files_pattern(entropyd_t, entropyd_var_run_t, entropyd_var_run_t) |
122 |
files_pid_filetrans(entropyd_t, entropyd_var_run_t, file) |
123 |
@@ -59,8 +63,6 @@ userdom_dontaudit_search_user_home_dirs(entropyd_t) |
124 |
|
125 |
tunable_policy(`entropyd_use_audio',` |
126 |
dev_read_sound(entropyd_t) |
127 |
- # set sound card parameters such as sample format, number of channels |
128 |
- # and sample rate. |
129 |
dev_write_sound(entropyd_t) |
130 |
') |