From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id C2C9A138200 for ; Tue, 16 Oct 2012 17:40:41 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 0FF24E02FB; Tue, 16 Oct 2012 17:39:28 +0000 (UTC)
Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) by pigeon.gentoo.org (Postfix) with ESMTP id 60237E02F0 for ; Tue, 16 Oct 2012 17:39:28 +0000 (UTC)
Received: from hornbill.gentoo.org (hornbill.gentoo.org [94.100.119.163]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 7316733D7E6 for ; Tue, 16 Oct 2012 17:39:27 +0000 (UTC)
Received: from localhost.localdomain (localhost [127.0.0.1]) by hornbill.gentoo.org (Postfix) with ESMTP id 12784E5436 for ; Tue, 16 Oct 2012 17:39:26 +0000 (UTC)
From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: <1350408940.67f7c97fa4287aecf5e4eab532f389016359c3d0.SwifT@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: / X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: rngd.fc rngd.if rngd.te X-VCS-Directories: / X-VCS-Committer: SwifT X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: 67f7c97fa4287aecf5e4eab532f389016359c3d0 X-VCS-Branch: master Date: Tue, 16 Oct 2012 17:39:26 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 4a6de446-aa6a-4919-9b2e-38876a5db77d X-Archives-Hash: 662faf6da8bb311148812db215953e9a commit: 67f7c97fa4287aecf5e4eab532f389016359c3d0 Author: Dominick Grift gmail com> AuthorDate: Mon Oct 15 16:09:25 2012 +0000 Commit: Sven Vermeulen siphos be> CommitDate: Tue Oct 16 17:35:40 2012 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=67f7c97f Initial rngd policy module Hardware random number generation tools. Ported from Fedora with changes Signed-off-by: Dominick Grift gmail.com> --- rngd.fc | 3 +++ rngd.if | 32 ++++++++++++++++++++++++++++++++ rngd.te | 34 ++++++++++++++++++++++++++++++++++ 3 files changed, 69 insertions(+), 0 deletions(-) diff --git a/rngd.fc b/rngd.fc new file mode 100644 index 0000000..5dd779e --- /dev/null +++ b/rngd.fc @@ -0,0 +1,3 @@ +/etc/rc\.d/init\.d/rngd -- gen_context(system_u:object_r:rngd_initrc_exec_t,s0) + +/usr/sbin/rngd -- gen_context(system_u:object_r:rngd_exec_t,s0) diff --git a/rngd.if b/rngd.if new file mode 100644 index 0000000..0e759a2 --- /dev/null +++ b/rngd.if 
@@ -0,0 +1,32 @@ +## Check and feed random data from hardware device to kernel random device. + +######################################## +## +## All of the rules required to +## administrate an rng environment. +## +## +## +## Domain allowed access. +## +## +## +## +## Role allowed access. +## +## +## +# +interface(`rngd_admin',` + gen_require(` + type rngd_t, rngd_initrc_exec_t; + ') + + allow $1 rngd_t:process { ptrace signal_perms }; + ps_process_pattern($1, rngd_t) + + init_labeled_script_domtrans($1, rngd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 rngd_initrc_exec_t system_r; + allow $2 system_r; +') diff --git a/rngd.te b/rngd.te new file mode 100644 index 0000000..c324536 --- /dev/null +++ b/rngd.te @@ -0,0 +1,34 @@ +policy_module(rngd, 1.0.0) + +######################################## +# +# Declarations +# + +type rngd_t; +type rngd_exec_t; +init_daemon_domain(rngd_t, rngd_exec_t) + +type rngd_initrc_exec_t; +init_script_file(rngd_initrc_exec_t) + +######################################## +# +# Local policy +# + +allow rngd_t self:capability sys_admin; +allow rngd_t self:process signal; +allow rngd_t self:fifo_file rw_fifo_file_perms; +allow rngd_t self:unix_stream_socket { accept listen }; + +dev_read_rand(rngd_t) +dev_read_urand(rngd_t) +dev_rw_tpm(rngd_t) +dev_write_rand(rngd_t) + +files_read_etc_files(rngd_t) + +logging_send_syslog_msg(rngd_t) + +miscfiles_read_localization(rngd_t)
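Review bot: the rngd.fc hunk labels the init script at /etc/rc\.d/init\.d/rngd, the Fedora layout this module was ported from; confirm that this path matches where the Gentoo package actually installs the script (and how the build maps init script paths) before relying on restorecon to apply rngd_initrc_exec_t, otherwise the script stays initrc_exec_t and the rngd_admin role transition never fires. The /usr/sbin/rngd entry is consistent with the rngd_exec_t entrypoint that init_daemon_domain() consumes in rngd.te.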
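Review bot: the rngd_admin documentation block in rngd.if shows bare `##` lines around the summary and the two parameter descriptions; confirm the `<summary>`, `<param name="domain">` and `<param name="role">` markup is present in the committed file, since the interface documentation generator depends on it. Minor wording: "administrate an rng environment" reads better as "administer an rngd environment", matching the phrasing of the other admin interfaces. The gen_require block (rngd_t, rngd_initrc_exec_t) matches the types declared in rngd.te, and the ptrace/signal_perms, ps_process_pattern and init_labeled_script_domtrans lines follow the standard admin-interface template.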
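Review bot: in rngd.te, `allow rngd_t self:capability sys_admin;` grants the broadest capability in the module with no comment explaining it; rngd needs it for the RNDADDENTROPY ioctl on the kernel random device (paired here with dev_write_rand(rngd_t)), so add a one-line comment saying so, or later reviewers will read it as an over-grant. `allow rngd_t self:unix_stream_socket { accept listen };` grants listen and accept without create or bind, which cannot be exercised on a socket the domain is never allowed to create; either replace it with create_stream_socket_perms if the denial was actually observed, or drop the line. The module also declares no runtime (pid) file type; check the audit log of a running rngd for writes under /var/run before merging, and add the type plus the matching fc entry if one is needed.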