From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Wed, 20 Jul 2011 17:19:05 +0200
Subject: [refpolicy] [PATCH 1/4] Adding haveged TE definition
In-Reply-To: <20110720151732.GA18841@siphos.be>
References: <20110720151732.GA18841@siphos.be>
Message-ID: <20110720151905.GB18841@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
This is the general .te for the haveged_t domain. Beyond some basic logging functionalities and access to the kernels' random devices, this deamon has no additional requirements (as of yet).
Signed-off-by: Sven Vermeulen
---
 policy/modules/services/haveged.te | 35 +++++++++++++++++++++++++++++++++++
 1 files changed, 35 insertions(+), 0 deletions(-)
 create mode 100644 policy/modules/services/haveged.te
diff --git a/policy/modules/services/haveged.te b/policy/modules/services/haveged.te
new file mode 100644
index 0000000..7a5f92e
--- /dev/null
+++ b/policy/modules/services/haveged.te
@@ -0,0 +1,35 @@
+policy_module(haveged, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type haveged_t;
+type haveged_exec_t;
+init_daemon_domain(haveged_t, haveged_exec_t)
+
+type haveged_var_run_t;
+files_pid_file(haveged_var_run_t)
+
+########################################
+#
+# haveged local policy
+#
+allow haveged_t self:capability sys_admin;
+allow haveged_t self:unix_dgram_socket create_socket_perms;
+allow haveged_t haveged_var_run_t:file manage_file_perms;
+
+# pid file
+files_pid_filetrans(haveged_t, haveged_var_run_t, file)
+
+## Kernel stuff
+kernel_rw_kernel_sysctl(haveged_t)
+dev_read_rand(haveged_t)
+dev_write_rand(haveged_t)
+
+## System stuff
+miscfiles_read_localization(haveged_t)
+
+## Other stuff
+logging_send_syslog_msg(haveged_t)
--
1.7.3.4
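Review bot: The rule `allow haveged_t self:capability sys_admin;` in the local-policy section grants the broadest capability in the kernel with no comment saying why the daemon needs it, which is what a later reviewer will ask first when auditing this domain. It is presumably for the RNDADDENTROPY ioctl on /dev/random, which the kernel gates on CAP_SYS_ADMIN; if so, record that next to the rule, e.g. `# RNDADDENTROPY ioctl on /dev/random requires CAP_SYS_ADMIN`, so the grant is tied to a concrete need rather than read as a catch-all. `kernel_rw_kernel_sysctl(haveged_t)` likewise gives write access to the whole generic kernel sysctl tree; a comment naming the specific sysctl haveged writes (likely one under kernel/random, to be confirmed against the daemon) would document the intent and lets the interface be narrowed if refpolicy ever labels that subtree separately. On style, the `## Kernel stuff` / `## System stuff` / `## Other stuff` headings use the double-hash prefix that refpolicy reserves for interface documentation in .if files; plain `#` headings match the rest of this .te and the surrounding services modules.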