From 58189f4965cee47f28ea2f73e3ceee4355ee53d1 Mon Sep 17 00:00:00 2001 From: Nicolas Iooss Date: Sun, 1 Sep 2019 13:47:45 +0200 Subject: [PATCH] entropyd: haveged service uses PrivateDevices=yes On Debian, haveged fails to start with "haveged: Couldn't open random device: Permission denied". strace shows: openat(AT_FDCWD, "/dev/random", O_RDWR) = -1 EACCES (Permission denied) audit.log has: type=AVC msg=audit(1566048720.132:1338): avc: denied { search } for pid=20235 comm="haveged" name="/" dev="tmpfs" ino=76666 scontext=system_u:system_r:entropyd_t tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=0 With systemd, /dev is a temporary filesystem (tmpfs_t), so haveged needs the search permission to it in order to open /dev/random. Use the newly-added interface to allow this access. Signed-off-by: Nicolas Iooss --- policy/modules/services/entropyd.te | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/policy/modules/services/entropyd.te b/policy/modules/services/entropyd.te index be383c89f..7f15dc284 100644 --- a/policy/modules/services/entropyd.te +++ b/policy/modules/services/entropyd.te @@ -64,6 +64,12 @@ miscfiles_read_localization(entropyd_t) userdom_dontaudit_use_unpriv_user_fds(entropyd_t) userdom_dontaudit_search_user_home_dirs(entropyd_t) +ifdef(`init_systemd', ` + optional_policy(` + systemd_PrivateDevices(entropyd_t) + ') +') + tunable_policy(`entropyd_use_audio',` dev_read_sound(entropyd_t) dev_write_sound(entropyd_t)
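Review bot: the hunk calls systemd_PrivateDevices(entropyd_t), an interface the commit message describes only as "newly-added" without naming the patch that introduces it; state that dependency (or send both patches as one series) so the change applies and builds against a tree that already has the interface, and so a reviewer can check that it grants only the `search` access on `tmpfs_t` directories shown in the quoted AVC rather than broader tmpfs access. Wrapping the call in ifdef(`init_systemd', ...) and optional_policy() is the right shape, since the interface only exists when the systemd module is present, and its placement after the userdom_dontaudit_* lines keeps the existing grouping of the file.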