Separate sound specific items frmo general entropyd

Introduce a tunable called "entropyd_use_audio". This boolean triggers the
privileges that are specific for audio support (both device access as well
as the alsa-specific ones).

The idea to use a boolean is to support other entropy management
applications/daemons which use different sources (like haveged using the
HAVEGE algorithm).

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>

policy/modules/services/audioentropy.te

@@ -5,6 +5,13 @@ policy_module(audioentropy, 1.6.0)
 # Declarations
 #
 
+## <desc>
+## <p>
+##   Allow the use of the audio devices as the source for the entropy feeds
+## </p>
+## </desc>
+gen_tunable(entropyd_use_audio, false)
+
 type entropyd_t;
 type entropyd_exec_t;
 init_daemon_domain(entropyd_t, entropyd_exec_t)
@@ -33,11 +40,6 @@ dev_read_urand(entropyd_t)
 dev_write_urand(entropyd_t)
 dev_read_rand(entropyd_t)
 dev_write_rand(entropyd_t)
-dev_read_sound(entropyd_t)
-# set sound card parameters such as
-# sample format, number of channels
-# and sample rate.
-dev_write_sound(entropyd_t)
 
 files_read_etc_files(entropyd_t)
 files_read_usr_files(entropyd_t)
@@ -54,9 +56,18 @@ miscfiles_read_localization(entropyd_t)
 userdom_dontaudit_use_unpriv_user_fds(entropyd_t)
 userdom_dontaudit_search_user_home_dirs(entropyd_t)
 
+tunable_policy(`entropyd_use_audio',`
+	dev_read_sound(entropyd_t)
+	# set sound card parameters such as sample format, number of channels
+	# and sample rate.
+	dev_write_sound(entropyd_t)
+')
+
 optional_policy(`
-	alsa_read_lib(entropyd_t)
+	tunable_policy(`entropyd_use_audio',`
-	alsa_read_rw_config(entropyd_t)
+		alsa_read_lib(entropyd_t)
+		alsa_read_rw_config(entropyd_t)
+	')
 ')
 
 optional_policy(`