diff --git a/policy/modules/services/audioentropy.te b/policy/modules/services/audioentropy.te index 2b348c7eb..7ece78d47 100644 --- a/policy/modules/services/audioentropy.te +++ b/policy/modules/services/audioentropy.te @@ -5,6 +5,13 @@ policy_module(audioentropy, 1.6.0) # Declarations # +## +##

+## Allow the use of the audio devices as the source for the entropy feeds +##

+##
+gen_tunable(entropyd_use_audio, false) + type entropyd_t; type entropyd_exec_t; init_daemon_domain(entropyd_t, entropyd_exec_t) @@ -33,11 +40,6 @@ dev_read_urand(entropyd_t) dev_write_urand(entropyd_t) dev_read_rand(entropyd_t) dev_write_rand(entropyd_t) -dev_read_sound(entropyd_t) -# set sound card parameters such as -# sample format, number of channels -# and sample rate. -dev_write_sound(entropyd_t) files_read_etc_files(entropyd_t) files_read_usr_files(entropyd_t) @@ -54,9 +56,18 @@ miscfiles_read_localization(entropyd_t) userdom_dontaudit_use_unpriv_user_fds(entropyd_t) userdom_dontaudit_search_user_home_dirs(entropyd_t) +tunable_policy(`entropyd_use_audio',` + dev_read_sound(entropyd_t) + # set sound card parameters such as sample format, number of channels + # and sample rate. + dev_write_sound(entropyd_t) +') + optional_policy(` - alsa_read_lib(entropyd_t) - alsa_read_rw_config(entropyd_t) + tunable_policy(`entropyd_use_audio',` + alsa_read_lib(entropyd_t) + alsa_read_rw_config(entropyd_t) + ') ') optional_policy(`