From: petre.rodan@simplex.ro (Petre Rodan)
Date: Sun, 25 May 2014 18:53:34 +0300
Subject: [refpolicy] [PATCH 1/1] add module for the entropy key daemon
In-Reply-To: <536CCB22.3010207@tresys.com>
References: <1399497604-3278-1-git-send-email-petre.rodan@simplex.ro> <536CCB22.3010207@tresys.com>
Message-ID: <20140525155334.GA16988@peter.simplex.ro>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hi Chris,

On Fri, May 09, 2014 at 08:33:38AM -0400, Christopher J. PeBenito wrote:
> On 05/07/2014 05:20 PM, Petre Rodan wrote:
> > index 0000000..d2efb55
> > --- /dev/null
> > +++ b/ekeyd.te
> > +require {
> > + type unreserved_port_t;
> > +}
>
> This looks like it should be a new port type based on the rules below.

Well, there is no standard port for this application and there is no default set anywhere AFAICT. The default is to send the random stream to the local machine only, but if the user needs to send entropy to more than a box, that port needs to be set via EGDTCPSocket. The man page looks like this:

http://manpages.ubuntu.com/manpages/lucid/man5/ekeyd.conf.5.html

> > +term_use_unallocated_ttys(ekey_tool_t)
>
> Why is it using unallocated ttys?

The entropy-generating device is a USB dongle and /dev/ttyACM[0-9] (tty_device_t) ends up being used as an interface between the dongle and the software.

Please don't forget to merge the sysadm_t and udev_t domain transitions too from the other patch.

--
petre rodan
Technical Manager
Simplex SRL, Bucharest
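Review bot: the bare `require { type unreserved_port_t; }` block in ekeyd.te pulls a corenetwork type straight into the module, which refpolicy modules normally avoid; the daemon domain should get its port access through a corenetwork interface (for example `corenet_tcp_bind_all_unreserved_ports()` on the daemon's domain, if it genuinely has to bind whatever port EGDTCPSocket is set to) or, as Chris suggests, through a dedicated port type declared in corenetwork, so the module does not depend on the internal type name.

Review bot: `term_use_unallocated_ttys(ekey_tool_t)` grants read/write on every tty_device_t node, not just the dongle's /dev/ttyACM* port; if that one USB serial device is all the tool needs, a dedicated device type with its own file context for that node (or a narrower terminal interface) would keep the grant to the single device instead of all unallocated ttys.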