[selinux-policy: 1287/3172] add audioentropy, bug 1515

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 20:56:26 UTC 2010


commit 7f74a4172141d2956a0b4396b90e4ee871ceb64f
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Tue Mar 21 18:50:58 2006 +0000

    add audioentropy, bug 1515

 refpolicy/Changelog                               |    1 +
 refpolicy/policy/modules/services/audioentropy.fc |    4 +
 refpolicy/policy/modules/services/audioentropy.if |    1 +
 refpolicy/policy/modules/services/audioentropy.te |   72 +++++++++++++++++++++
 4 files changed, 78 insertions(+), 0 deletions(-)
---
diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 7b7d13f..1730699 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -11,6 +11,7 @@
 - Added modules:
 	amavis (Erich Schubert)
 	apt (Erich Schubert)
+	audioentropy
 	clamav (Erich Schubert)
 	dpkg (Erich Schubert)
 	ethereal
diff --git a/refpolicy/policy/modules/services/audioentropy.fc b/refpolicy/policy/modules/services/audioentropy.fc
new file mode 100644
index 0000000..bcf3e1c
--- /dev/null
+++ b/refpolicy/policy/modules/services/audioentropy.fc
@@ -0,0 +1,4 @@
+#
+# /usr
+#
+/usr/sbin/audio-entropyd	--	gen_context(system_u:object_r:entropyd_exec_t,s0)
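Review bot: Only the daemon binary gets a file context here, while the .te in this commit declares `entropyd_var_run_t` as a pid-file type. The `files_pid_filetrans` rule labels the pid file when the daemon creates it, but a later relabel would, as far as this page shows, return it to the generic pid-file type because no path maps to `entropyd_var_run_t`. Consider adding an entry such as `<PID_FILE_PATH>	--	gen_context(system_u:object_r:entropyd_var_run_t,s0)`, with the real path taken from the daemon, since it is not shown on this page.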
diff --git a/refpolicy/policy/modules/services/audioentropy.if b/refpolicy/policy/modules/services/audioentropy.if
new file mode 100644
index 0000000..67906f0
--- /dev/null
+++ b/refpolicy/policy/modules/services/audioentropy.if
@@ -0,0 +1 @@
+## <summary>Generate entropy from audio input</summary>
diff --git a/refpolicy/policy/modules/services/audioentropy.te b/refpolicy/policy/modules/services/audioentropy.te
new file mode 100644
index 0000000..c01456c
--- /dev/null
+++ b/refpolicy/policy/modules/services/audioentropy.te
@@ -0,0 +1,72 @@
+
+policy_module(audio_entropy,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type entropyd_t;
+type entropyd_exec_t;
+init_daemon_domain(entropyd_t,entropyd_exec_t)
+
+type entropyd_var_run_t;
+files_pid_file(entropyd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow entropyd_t self:capability { ipc_lock sys_admin };
+dontaudit entropyd_t self:capability sys_tty_config;
+allow entropyd_t self:process signal_perms;
+
+allow entropyd_t entropyd_var_run_t:file manage_file_perms;
+allow entropyd_t entropyd_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(entropyd_t,entropyd_var_run_t,file)
+
+kernel_read_kernel_sysctls(entropyd_t)
+kernel_list_proc(entropyd_t)
+kernel_read_proc_symlinks(entropyd_t)
+
+dev_read_sysfs(entropyd_t)
+dev_read_urand(entropyd_t)
+dev_write_urand(entropyd_t)
+dev_read_sound(entropyd_t)
+
+fs_getattr_all_fs(entropyd_t)
+fs_search_auto_mountpoints(entropyd_t)
+
+term_dontaudit_use_console(entropyd_t)
+
+domain_use_interactive_fds(entropyd_t)
+
+init_use_fds(entropyd_t)
+init_use_script_ptys(entropyd_t)
+
+libs_use_ld_so(entropyd_t)
+libs_use_shared_libs(entropyd_t)
+
+logging_send_syslog_msg(entropyd_t)
+
+miscfiles_read_localization(entropyd_t)
+
+userdom_dontaudit_use_unpriv_user_fds(entropyd_t)
+userdom_dontaudit_search_sysadm_home_dirs(entropyd_t)
+
+ifdef(`targeted_policy', `
+	files_dontaudit_read_root_files(entropyd_t)
+
+	term_dontaudit_use_unallocated_ttys(entropyd_t)
+	term_dontaudit_use_generic_ptys(entropyd_t)
+')
+
+optional_policy(`selinuxutil',`
+	seutil_sigchld_newrole(entropyd_t)
+')
+
+optional_policy(`udev',`
+	udev_read_db(entropyd_t)
+')
+
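Review bot: The rule `allow entropyd_t self:capability { ipc_lock sys_admin };` hands the daemon `sys_admin`, one of the broadest capabilities, with no comment saying which operation needs it. A line above it such as `# sys_admin: presumably required to credit entropy to the kernel pool; confirm against AVC denials` would let a later reviewer check whether the grant can be dropped or narrowed. The device rules cover only urandom (`dev_read_urand`, `dev_write_urand`), so if the daemon opens the blocking random device instead, that access would be denied; it is worth confirming which node it uses. Separately, `policy_module(audio_entropy,1.0.0)` does not match the file name `audioentropy.te`, which may matter to the build and to `optional_policy` lookups that key on module names.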

