From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 8E78A138010 for ; Tue, 2 Oct 2012 18:14:00 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 7D3E321C00F; Tue, 2 Oct 2012 18:11:12 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) by pigeon.gentoo.org (Postfix) with ESMTP id 3F9DE21C007 for ; Tue, 2 Oct 2012 18:11:07 +0000 (UTC) Received: from hornbill.gentoo.org (hornbill.gentoo.org [94.100.119.163]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 0AACF33D75D for ; Tue, 2 Oct 2012 18:11:01 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by hornbill.gentoo.org (Postfix) with ESMTP id AD566E544B for ; Tue, 2 Oct 2012 18:10:59 +0000 (UTC) 
From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: <1349201059.ed6053a16d285c29f5490f8572c10b17e723c99d.SwifT@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/contrib/entropyd.fc policy/modules/contrib/entropyd.if policy/modules/contrib/entropyd.te X-VCS-Directories: policy/modules/contrib/ X-VCS-Committer: SwifT X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: ed6053a16d285c29f5490f8572c10b17e723c99d X-VCS-Branch: master Date: Tue, 2 Oct 2012 18:10:59 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 41eb293e-e3d6-463a-b446-349770e4dbcd X-Archives-Hash: 41811c01f3d67f4a36919d1fbc82fa73 commit: ed6053a16d285c29f5490f8572c10b17e723c99d Author: Dominick Grift gmail com> AuthorDate: Sat Sep 29 09:55:40 2012 +0000 Commit: Sven Vermeulen siphos be> CommitDate: Tue Oct 2 18:04:19 2012 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ed6053a1 Changes to the entropyd policy module Add init script Module clean up Signed-off-by: Dominick Grift gmail.com> --- policy/modules/contrib/entropyd.fc | 7 +++---- policy/modules/contrib/entropyd.if | 36 +++++++++++++++++++++++++++++++++++- policy/modules/contrib/entropyd.te | 16 +++++++++------- 3 files changed, 47 insertions(+), 12 deletions(-) diff --git a/policy/modules/contrib/entropyd.fc b/policy/modules/contrib/entropyd.fc index d2d8ce3..c698711 100644 --- a/policy/modules/contrib/entropyd.fc +++ b/policy/modules/contrib/entropyd.fc 
@@ -1,8 +1,7 @@
-#
-# /usr
-#
+/etc/rc\.d/init\.d/((audio-entropyd)|(haveged)) -- gen_context(system_u:object_r:entropyd_initrc_exec_t,s0)
+
 /usr/sbin/audio-entropyd -- gen_context(system_u:object_r:entropyd_exec_t,s0)
-/usr/sbin/haveged -- gen_context(system_u:object_r:entropyd_exec_t,s0)
+/usr/sbin/haveged -- gen_context(system_u:object_r:entropyd_exec_t,s0)
 /var/run/audio-entropyd\.pid -- gen_context(system_u:object_r:entropyd_var_run_t,s0)
 /var/run/haveged\.pid -- gen_context(system_u:object_r:entropyd_var_run_t,s0)
diff --git a/policy/modules/contrib/entropyd.if b/policy/modules/contrib/entropyd.if
index 67906f0..1161fbf 100644
--- a/policy/modules/contrib/entropyd.if
+++ b/policy/modules/contrib/entropyd.if
@@ -1 +1,35 @@
-## Generate entropy from audio input
+## Generate entropy from audio input.
+
+########################################
+##
+## All of the rules required to
+## administrate an entropyd environment.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+## Role allowed access.
+##
+##
+#
+interface(`entropyd_admin',`
+ gen_require(`
+ type entropyd_t, entropyd_initrc_exec_t, entropyd_var_run_t;
+ ')
+
+ allow $1 entropyd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, entropyd_t)
+
+ init_labeled_script_domtrans($1, entropyd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 entropyd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_search_pids($1)
+ admin_pattern($1, entropyd_var_run_t)
+')
diff --git a/policy/modules/contrib/entropyd.te b/policy/modules/contrib/entropyd.te
index b6ac808..e1aff60 100644
--- a/policy/modules/contrib/entropyd.te
+++ b/policy/modules/contrib/entropyd.te
@@ -1,4 +1,4 @@
-policy_module(entropyd, 1.7.0)
+policy_module(entropyd, 1.7.1)
 ########################################
 #
@@ -6,9 +6,11 @@ policy_module(entropyd, 1.7.0)
 #
 ##
-##
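Review bot: The new init-script pattern `/etc/rc\.d/init\.d/((audio-entropyd)|(haveged))` wraps each alternative in its own capture group, which does nothing in a file-context regex and differs from how other .fc entries in refpolicy spell alternations; `/etc/rc\.d/init\.d/(audio-entropyd|haveged) -- gen_context(system_u:object_r:entropyd_initrc_exec_t,s0)` is equivalent and easier to read. The `-/usr/sbin/haveged` and `+/usr/sbin/haveged` lines are indistinguishable as rendered here, so this is presumably a whitespace-only fix between the path and the `--` type field; if so, a word in the commit message would save the next reader from diffing them by eye.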
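Review bot: The module summary on the first line of entropyd.if still reads `## Generate entropy from audio input.`, yet the same commit labels `/usr/sbin/haveged` as `entropyd_exec_t` and the .te change makes audio input optional behind `entropyd_use_audio`, so the summary now undersells what the module confines; something like `## Entropy gathering daemons (audio-entropyd, haveged).` would match the file contexts. In the new `entropyd_admin` interface the `ptrace` permission on `entropyd_t:process` is the broadest grant made to `$1`; it follows the standard refpolicy admin-interface template, so no change is proposed, but the interface's `<summary>` is the place to say that the caller gains full process control and, via `role_transition`, the `system_r` role. The `<param>` descriptions appear to have lost their `name` attributes in this rendering, so that is an artifact of the page rather than of the patch.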

-## Allow the use of the audio devices as the source for the entropy feeds
-##

+##

+## Determine whether entropyd can use
+## audio devices as the source for
+## the entropy feeds.
+##

##
 gen_tunable(entropyd_use_audio, false)
@@ -16,6 +18,9 @@ type entropyd_t;
 type entropyd_exec_t;
 init_daemon_domain(entropyd_t, entropyd_exec_t)
+type entropyd_initrc_exec_t;
+init_script_file(entropyd_initrc_exec_t)
+
 type entropyd_var_run_t;
 files_pid_file(entropyd_var_run_t)
@@ -27,7 +32,6 @@ files_pid_file(entropyd_var_run_t)
 allow entropyd_t self:capability { dac_override ipc_lock sys_admin };
 dontaudit entropyd_t self:capability sys_tty_config;
 allow entropyd_t self:process signal_perms;
-allow entropyd_t self:unix_dgram_socket create_socket_perms;
 manage_files_pattern(entropyd_t, entropyd_var_run_t, entropyd_var_run_t)
 files_pid_filetrans(entropyd_t, entropyd_var_run_t, file)
@@ -59,8 +63,6 @@ userdom_dontaudit_search_user_home_dirs(entropyd_t)
 tunable_policy(`entropyd_use_audio',`
 dev_read_sound(entropyd_t)
- # set sound card parameters such as sample format, number of channels
- # and sample rate.
 dev_write_sound(entropyd_t)
 ')
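Review bot: Dropping `allow entropyd_t self:unix_dgram_socket create_socket_perms;` in the `@@ -27,7 +32,6 @@` hunk is only safe if the daemons' syslog() traffic is still permitted some other way; a process that logs through the system log socket needs exactly this self permission, and in refpolicy it is normally supplied by `logging_send_syslog_msg()`. The part of entropyd.te that would carry that call is outside this hunk, so I cannot confirm it from here; if the module does call it, the removal is a genuine duplicate and the commit message could say so, otherwise the line should stay or be replaced by that interface call. A run of both daemons under the new policy with denials audited would settle it.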
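Review bot: The `@@ -59,8 +63,6 @@` hunk deletes the only explanation of why `dev_write_sound(entropyd_t)` is granted, and write access to sound devices is not an obvious need for an entropy daemon, so the rationale is worth keeping even in a trimmed form: `# writing the sound device is needed to set sample format, channels and rate`. The enclosing `tunable_policy` block is fully visible in the hunk and nothing else changes there.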