2011-07-20 17:33:41

by sven.vermeulen

Subject: [refpolicy] [PATCH/RFC v2] Haveged support in (audio)entropyd

This patch set segregates the obvious audio-related privileges within
entropyd_t (in the audioentropyd module) through the use of a SELinux
boolean "entropyd_use_audio", enhances the entropyd_t with the privileges
needed by haveged, and adds the proper file contexts for haveged support.

Comments always appreciated. This obsoletes the previous patch set titled
"Haveged definition".

Wkr,
Sven Vermeulen


2011-07-20 17:35:34

by sven.vermeulen

Subject: [refpolicy] [PATCH 1/3] Separate sound-specific items from general entropyd_t definitions

Introduce a tunable called "entropyd_use_audio". This boolean triggers the
privileges that are specific for audio support (both device access as well
as the alsa-specific ones).

The idea behind using a boolean is to support other entropy management
applications/daemons which use different sources (like haveged using the
HAVEGE algorithm).

Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/services/audioentropy.te | 26 ++++++++++++++++++--------
1 files changed, 18 insertions(+), 8 deletions(-)

diff --git a/policy/modules/services/audioentropy.te b/policy/modules/services/audioentropy.te
index 2b348c7..08c1d8c 100644
--- a/policy/modules/services/audioentropy.te
+++ b/policy/modules/services/audioentropy.te
@@ -5,6 +5,13 @@ policy_module(audioentropy, 1.6.0)
# Declarations
#

+## <desc>
+## <p>
+## Allow the use of the audio devices as the source for the entropy feeds
+## </p>
+## </desc>
+gen_tunable(entropyd_use_audio, false)
+
type entropyd_t;
type entropyd_exec_t;
init_daemon_domain(entropyd_t, entropyd_exec_t)
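Review bot: with gen_tunable(entropyd_use_audio, false) the new boolean is off by default, so an existing audio-entropyd deployment silently loses dev_read_sound/dev_write_sound (and the alsa rules) as soon as this patch is installed, until an administrator runs setsebool -P entropyd_use_audio on; either default the tunable to true for compatibility, or state the new requirement both in the <desc> text and in the commit message. The hunk context also shows policy_module(audioentropy, 1.6.0) left untouched; refpolicy convention is to bump the module version when the policy changes.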
@@ -33,11 +40,6 @@ dev_read_urand(entropyd_t)
dev_write_urand(entropyd_t)
dev_read_rand(entropyd_t)
dev_write_rand(entropyd_t)
-dev_read_sound(entropyd_t)
-# set sound card parameters such as
-# sample format, number of channels
-# and sample rate.
-dev_write_sound(entropyd_t)

files_read_etc_files(entropyd_t)
files_read_usr_files(entropyd_t)
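Review bot: the four sound-device rules are removed from the unconditional rule set with nothing in this hunk replacing them, so this hunk is only correct together with the tunable_policy(`entropyd_use_audio') block added further down in the same patch; the commit message should say explicitly that audio-entropyd now depends on that boolean being enabled. Moving the "set sound card parameters" comment along with dev_write_sound is right, since it explains why write access is needed at all.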
@@ -54,9 +56,17 @@ miscfiles_read_localization(entropyd_t)
userdom_dontaudit_use_unpriv_user_fds(entropyd_t)
userdom_dontaudit_search_user_home_dirs(entropyd_t)

-optional_policy(`
- alsa_read_lib(entropyd_t)
- alsa_read_rw_config(entropyd_t)
+tunable_policy(`entropyd_use_audio',`
+
+ dev_read_sound(entropyd_t)
+ # set sound card parameters such as sample format, number of channels
+ # and sample rate.
+ dev_write_sound(entropyd_t)
+
+ optional_policy(`
+ alsa_read_lib(entropyd_t)
+ alsa_read_rw_config(entropyd_t)
+ ')
')

optional_policy(`
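Review bot: optional_policy() must not be nested inside tunable_policy(); the module policy language allows a conditional block inside an optional block but not an optional block inside a conditional one, so this structure will not compile. Keep the two dev_*_sound calls in a top-level tunable_policy(`entropyd_use_audio',` ... ') block and invert the nesting for the alsa part, i.e. optional_policy(` around tunable_policy(`entropyd_use_audio',` around
	alsa_read_lib(entropyd_t)
	alsa_read_rw_config(entropyd_t)
Also drop the empty "+" line directly after the tunable_policy opening; refpolicy style starts the block body on the next line.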
--
1.7.3.4

2011-07-20 17:43:13

by sven.vermeulen

Subject: [refpolicy] [PATCH 2/3] Update entropyd_t with privileges needed for haveged support

Haveged by itself requires a few additional privileges (creating a unix socket
and write access to some /proc/sys/kernel files, like
/proc/sys/kernel/random/write_wakeup_threshold).

Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/services/audioentropy.te | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/policy/modules/services/audioentropy.te b/policy/modules/services/audioentropy.te
index 08c1d8c..b224ebf 100644
--- a/policy/modules/services/audioentropy.te
+++ b/policy/modules/services/audioentropy.te
@@ -27,11 +27,12 @@ files_pid_file(entropyd_var_run_t)
allow entropyd_t self:capability { dac_override ipc_lock sys_admin };
dontaudit entropyd_t self:capability sys_tty_config;
allow entropyd_t self:process signal_perms;
+allow entropyd_t self:unix_dgram_socket create_socket_perms;

manage_files_pattern(entropyd_t, entropyd_var_run_t, entropyd_var_run_t)
files_pid_filetrans(entropyd_t, entropyd_var_run_t, file)

-kernel_read_kernel_sysctls(entropyd_t)
+kernel_rw_kernel_sysctl(entropyd_t)
kernel_list_proc(entropyd_t)
kernel_read_proc_symlinks(entropyd_t)

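Review bot: replacing kernel_read_kernel_sysctls() with kernel_rw_kernel_sysctl() grants write access to every file under /proc/sys/kernel, unconditionally and therefore to audio-entropyd as well, while the commit message only justifies writing /proc/sys/kernel/random/write_wakeup_threshold; refpolicy has no narrower type for the random sysctls, so at least gate the write access on the haveged case (a tunable analogous to entropyd_use_audio) and mention the widening in the commit message. For the new self:unix_dgram_socket rule, say what haveged uses the socket for: if it is syslog, logging_send_syslog_msg() already allows self:unix_dgram_socket create_socket_perms and the added line is redundant.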
--
1.7.3.4

2011-07-20 17:43:57

by sven.vermeulen

Subject: [refpolicy] [PATCH 3/3] Add file context rules for haveged

Add file context rules for haveged within the audioentropyd module.

Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/services/audioentropy.fc | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/policy/modules/services/audioentropy.fc b/policy/modules/services/audioentropy.fc
index 001235e..d2d8ce3 100644
--- a/policy/modules/services/audioentropy.fc
+++ b/policy/modules/services/audioentropy.fc
@@ -2,5 +2,7 @@
# /usr
#
/usr/sbin/audio-entropyd -- gen_context(system_u:object_r:entropyd_exec_t,s0)
+/usr/sbin/haveged -- gen_context(system_u:object_r:entropyd_exec_t,s0)

/var/run/audio-entropyd\.pid -- gen_context(system_u:object_r:entropyd_var_run_t,s0)
+/var/run/haveged\.pid -- gen_context(system_u:object_r:entropyd_var_run_t,s0)
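Review bot: labelling /usr/sbin/haveged as entropyd_exec_t means haveged and audio-entropyd transition into the same entropyd_t and each inherits the other's privileges (the audio rules, gated by entropyd_use_audio, and the unconditional kernel sysctl write access from patch 2); that sharing is what the cover letter intends, but the one-line commit message should say so and explain why a separate haveged domain was not introduced. The pid file rule assumes haveged writes /var/run/haveged.pid itself; if it does, the existing files_pid_filetrans() on entropyd_var_run_t already labels it at creation time and this entry only matters for relabelling.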
--
1.7.3.4