From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 27 May 2014 09:29:43 -0400
Subject: [refpolicy] [PATCH 1/1] add module for the entropy key daemon
In-Reply-To: <20140525155334.GA16988@peter.simplex.ro>
References: <1399497604-3278-1-git-send-email-petre.rodan@simplex.ro>
 <536CCB22.3010207@tresys.com>
 <20140525155334.GA16988@peter.simplex.ro>
Message-ID: <53849347.8020503@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 05/25/2014 11:53 AM, Petre Rodan wrote:
>
> Hi Chris,
>
> On Fri, May 09, 2014 at 08:33:38AM -0400, Christopher J. PeBenito wrote:
>> On 05/07/2014 05:20 PM, Petre Rodan wrote:
>>> index 0000000..d2efb55
>>> --- /dev/null
>>> +++ b/ekeyd.te
>>> +require {
>>> + type unreserved_port_t;
>>> +}
>>
>> This looks like it should be a new port type based on the rules below.
>
> Well, there is no standard port for this application, and there is no default set anywhere AFAICT.
> The default is to send the random stream to the local machine only, but if the user needs to send entropy to more than one box, that port needs to be set via EGDTCPSocket.
>
> The man page looks like this: http://manpages.ubuntu.com/manpages/lucid/man5/ekeyd.conf.5.html

Ok, then an interface needs to be created rather than requiring the type.

>>> +term_use_unallocated_ttys(ekey_tool_t)
>>
>> Why is it using unallocated ttys?
>
> The entropy-generating device is a USB dongle, and /dev/ttyACM[0-9] (tty_device_t) ends up being used as the interface between the dongle and the software.

Please add a comment about this.

--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
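Review bot: the `require { type unreserved_port_t; }` block in ekeyd.te pulls another module's type into the .te file directly, and since the EGD port is whatever EGDTCPSocket names in ekeyd.conf (no registered number), a dedicated port type does not fit either. Drop the require block and express the port rules below it through the existing corenetwork interfaces for unreserved ports instead, e.g. corenet_tcp_bind_all_unreserved_ports() on the daemon domain for a name_bind or corenet_tcp_connect_all_unreserved_ports() for a connect, and gate them with a tunable, since the TCP socket is off by default and only needed when entropy is served to other hosts.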
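Review bot: term_use_unallocated_ttys(ekey_tool_t) carries no explanation, and on its own unallocated-tty access reads as an unrelated broad grant rather than device access. Add a comment above the call that records what the thread established, e.g.
# The Entropy Key is a USB dongle that appears as /dev/ttyACM[0-9]
# (tty_device_t); the tool talks to the dongle through that node.
term_use_unallocated_ttys(ekey_tool_t)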
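The shape both review points in this thread converge on (reach unreserved ports through corenetwork interfaces instead of a require block, and document the tty access), written out as an added illustration. This is not the submitted patch and not refpolicy's ekeyd module: the daemon domain name ekeyd_t, the boolean name ekeyd_egd_tcp and the type declarations are assumptions; ekey_tool_t, the /dev/ttyACM[0-9] rationale and the absence of a fixed port come from the thread.

```selinux
policy_module(ekeyd, 1.0.0)

########################################
#
# Declarations
#

## <desc>
## <p>
## Allow ekeyd to serve the EGD entropy stream over the TCP socket
## configured with EGDTCPSocket in ekeyd.conf, in addition to the
## local socket.  Off by default: there is no registered port.
## </p>
## </desc>
gen_tunable(ekeyd_egd_tcp, false)

# Assumed daemon domain; the thread only shows ekey_tool_t.
type ekeyd_t;
type ekeyd_exec_t;
init_daemon_domain(ekeyd_t, ekeyd_exec_t)

type ekey_tool_t;
type ekey_tool_exec_t;
application_domain(ekey_tool_t, ekey_tool_exec_t)

########################################
#
# Tool local policy
#

# The Entropy Key is a USB dongle that enumerates as a serial device,
# /dev/ttyACM[0-9] (labeled tty_device_t).  The tool drives the dongle
# through that node, which is why it needs unallocated-tty access.
term_use_unallocated_ttys(ekey_tool_t)

########################################
#
# Daemon local policy
#

# No require block on unreserved_port_t: the port is whatever
# EGDTCPSocket names, so the bind goes through the corenetwork
# interfaces for unreserved ports, gated by the tunable above.
tunable_policy(`ekeyd_egd_tcp',`
	allow ekeyd_t self:tcp_socket create_stream_socket_perms;
	corenet_all_recvfrom_unlabeled(ekeyd_t)
	corenet_tcp_sendrecv_generic_if(ekeyd_t)
	corenet_tcp_sendrecv_generic_node(ekeyd_t)
	corenet_tcp_bind_generic_node(ekeyd_t)
	corenet_tcp_bind_all_unreserved_ports(ekeyd_t)
')
```

With the tunable off, the daemon keeps only its local socket access; an administrator who sets EGDTCPSocket flips ekeyd_egd_tcp with setsebool rather than the module carrying an unconditional bind to every unreserved port.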