From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Wed, 20 Jul 2011 19:35:34 +0200 Subject: [refpolicy] [PATCH 1/3] Separate sound-specific items from general entropyd_t definitions In-Reply-To: <20110720173341.GA20050@siphos.be> References: <20110720173341.GA20050@siphos.be> Message-ID: <20110720173534.GB20050@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Introduce a tunable called "entropyd_use_audio". This boolean triggers the privileges that are specific for audio support (both device access as well as the alsa-specific ones). The idea to use a boolean is to support other entropy management applications/daemons which use different sources (like haveged using the HAVEGE algorithm). Signed-off-by: Sven Vermeulen
---
 policy/modules/services/audioentropy.te | 26 ++++++++++++++++++--------
 1 files changed, 18 insertions(+), 8 deletions(-)
diff --git a/policy/modules/services/audioentropy.te b/policy/modules/services/audioentropy.te
index 2b348c7..08c1d8c 100644
--- a/policy/modules/services/audioentropy.te
+++ b/policy/modules/services/audioentropy.te
@@ -5,6 +5,13 @@ policy_module(audioentropy, 1.6.0)
 # Declarations
 #
 
+##
+##

+## Allow the use of the audio devices as the source for the entropy feeds
+##

+##
+gen_tunable(entropyd_use_audio, false)
+
 type entropyd_t;
 type entropyd_exec_t;
 init_daemon_domain(entropyd_t, entropyd_exec_t)
@@ -33,11 +40,6 @@ dev_read_urand(entropyd_t)
 dev_write_urand(entropyd_t)
 dev_read_rand(entropyd_t)
 dev_write_rand(entropyd_t)
-dev_read_sound(entropyd_t)
-# set sound card parameters such as
-# sample format, number of channels
-# and sample rate.
-dev_write_sound(entropyd_t)
 
 files_read_etc_files(entropyd_t)
 files_read_usr_files(entropyd_t)
@@ -54,9 +56,17 @@ miscfiles_read_localization(entropyd_t)
 userdom_dontaudit_use_unpriv_user_fds(entropyd_t)
 userdom_dontaudit_search_user_home_dirs(entropyd_t)
 
-optional_policy(`
- alsa_read_lib(entropyd_t)
- alsa_read_rw_config(entropyd_t)
+tunable_policy(`entropyd_use_audio',`
+
+ dev_read_sound(entropyd_t)
+ # set sound card parameters such as sample format, number of channels
+ # and sample rate.
+ dev_write_sound(entropyd_t)
+
+ optional_policy(`
+ alsa_read_lib(entropyd_t)
+ alsa_read_rw_config(entropyd_t)
+ ')
 ')
 
 optional_policy(`
-- 
1.7.3.4
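Review bot: `gen_tunable(entropyd_use_audio, false)` defaults the new boolean to off, so an existing audio-entropyd deployment loses the dev_read_sound/dev_write_sound access that the second hunk removes from the unconditional rules as soon as the updated module is loaded, until an administrator enables the boolean. That is a behaviour change for the daemon this module is named after and the commit description does not mention it; either state it explicitly there (e.g. "Existing installations must set entropyd_use_audio to keep audio-entropyd working"), or consider `gen_tunable(entropyd_use_audio, true)` so the boolean only needs flipping for non-audio daemons such as haveged. The tunable description should also name the daemons it is meant for, since the boolean name alone does not say that it gates the alsa rules as well as the device access.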
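Review bot: The `optional_policy(` block placed inside `tunable_policy(`entropyd_use_audio',` in the third hunk expands to an optional block nested in a conditional, which I believe the kernel policy grammar rejects (optional blocks may contain conditionals, but a conditional cannot contain an optional block); refpolicy's established form is tunable_policy inside optional_policy, never the reverse. Keep the dev_read_sound/dev_write_sound rules in the tunable_policy block and move the alsa calls into their own optional_policy that wraps a second tunable_policy on the same boolean, as sketched below. Note that the unchanged `optional_policy(` on the last context line of the hunk opens a block that continues outside the hunk.
```selinux
tunable_policy(`entropyd_use_audio',`
	dev_read_sound(entropyd_t)
	# set sound card parameters such as sample format, number of channels
	# and sample rate.
	dev_write_sound(entropyd_t)
')

optional_policy(`
	tunable_policy(`entropyd_use_audio',`
		alsa_read_lib(entropyd_t)
		alsa_read_rw_config(entropyd_t)
	')
')
# … unchanged: following optional_policy block …
```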