From: dominick.grift@gmail.com (Dominick Grift)
Date: Sun, 03 Nov 2013 16:58:58 +0100
Subject: [refpolicy] [PATCH 1/1] Allow rngd to write a pid file
In-Reply-To: <20131021183303.GA21172@siphos.be>
References: <20131021183303.GA21172@siphos.be>
Message-ID: <1383494338.3070.0.camel@d30>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, 2013-10-21 at 20:33 +0200, Sven Vermeulen wrote:
> Signed-off-by: Luis Ressel <aranea@aixah.de>
> Acked-by: Sven Vermeulen <sven.vermeulen@siphos.be>

This seems to be lacking a file context spec?

> ---
>  rngd.te | 6 ++++++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/rngd.te b/rngd.te
> index 4ab4eb5..19b66b9 100644
> --- a/rngd.te
> +++ b/rngd.te
> @@ -12,6 +12,9 @@ init_daemon_domain(rngd_t, rngd_exec_t)
>  type rngd_initrc_exec_t;
>  init_script_file(rngd_initrc_exec_t)
>  
> +type rngd_var_run_t;
> +files_pid_file(rngd_var_run_t)
> +
>  ########################################
>  #
>  # Local policy
> @@ -22,6 +25,9 @@ allow rngd_t self:process signal;
>  allow rngd_t self:fifo_file rw_fifo_file_perms;
>  allow rngd_t self:unix_stream_socket { accept listen };
>  
> +manage_files_pattern(rngd_t, rngd_var_run_t, rngd_var_run_t)
> +files_pid_filetrans(rngd_t, rngd_var_run_t, file)
> +
>  kernel_rw_kernel_sysctl(rngd_t)
>  
>  dev_read_rand(rngd_t)