entropyd: haveged service uses PrivateDevices=yes

On Debian, haveged fails to start with "haveged: Couldn't open random
device: Permission denied". strace shows:

    openat(AT_FDCWD, "/dev/random", O_RDWR) = -1 EACCES (Permission denied)

audit.log has:

    type=AVC msg=audit(1566048720.132:1338): avc:  denied  { search }
    for  pid=20235 comm="haveged" name="/" dev="tmpfs" ino=76666
    scontext=system_u:system_r:entropyd_t
    tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=0

With systemd, /dev is a temporary filesystem (tmpfs_t), so haveged needs
the search permission to it in order to open /dev/random. Use the
newly-added interface to allow this access.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Author: Nicolas Iooss, 2019-09-01 13:47:45 +02:00
Parent: a7e3407606
Commit: 58189f4965
GPG Key ID: C191415F340DAAA0 (no known key found for this signature in database)
1 changed file with 6 additions and 0 deletions
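The commit message derives the needed permission from a single AVC record by hand. As an added example (not code from the refpolicy commit above), the following parser turns AVC denial records into the raw allow rules they imply, merging permissions per source/target/class the way audit2allow does. The first sample record is the page's own denial joined onto one line; the second AVC record and the SYSCALL line are constructed here only to exercise merging and non-AVC skipping. The raw rule it produces is what the `systemd_PrivateDevices` interface call in the diff is assumed to encapsulate; refpolicy does not take raw allow rules across modules, so the rule is a check on the interface, not a replacement for it.

```python
"""Turn SELinux AVC denial records into the raw allow rules they imply.

Added example, not part of the refpolicy commit on this page.
"""
import re
from collections import OrderedDict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample log: line 1 is the denial quoted in the commit message
# (joined onto one line); line 2 is a made-up sibling denial on the same
# tmpfs_t directory to show merging; line 3 is a made-up SYSCALL record
# (openat on x86_64 failing with EACCES) to show that non-AVC lines are skipped.
SAMPLE_LOG = """\
type=AVC msg=audit(1566048720.132:1338): avc:  denied  { search } for  pid=20235 comm="haveged" name="/" dev="tmpfs" ino=76666 scontext=system_u:system_r:entropyd_t tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=0
type=AVC msg=audit(1566048720.132:1339): avc:  denied  { getattr } for  pid=20235 comm="haveged" name="/" dev="tmpfs" ino=76666 scontext=system_u:system_r:entropyd_t tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=0
type=SYSCALL msg=audit(1566048720.132:1338): arch=c000003e syscall=257 success=no exit=-13
"""

# Shape of an AVC denial: "avc: denied { perms } for <fields> scontext=... tcontext=... tclass=... [permissive=N]"
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*?)"
    r"\s+scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?"
)
# key=value pairs; values may be double-quoted (comm="haveged", name="/")
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


@dataclass
class Denial:
    perms: Tuple[str, ...]
    fields: Dict[str, str]   # pid, comm, name, dev, ino, ... as strings
    sdomain: str             # type component of scontext, e.g. entropyd_t
    ttype: str               # type component of tcontext, e.g. tmpfs_t
    tclass: str              # object class, e.g. dir
    permissive: bool


def context_type(ctx: str) -> str:
    """Extract the type from user:role:type[:level]; the MLS level may itself contain ':'."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed security context: {ctx!r}")
    return parts[2]


def parse_avc(record: str) -> Optional[Denial]:
    """Parse one audit record; return None for anything that is not an AVC denial."""
    m = AVC_RE.search(record)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return Denial(
        perms=tuple(m.group("perms").split()),
        fields=fields,
        sdomain=context_type(m.group("scontext")),
        ttype=context_type(m.group("tcontext")),
        tclass=m.group("tclass"),
        permissive=m.group("permissive") == "1",
    )


def allow_rules(log: str) -> List[str]:
    """Merge denials per (source, target, class) into raw allow rules, in first-seen order."""
    merged: "OrderedDict[Tuple[str, str, str], List[str]]" = OrderedDict()
    for line in log.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        perms = merged.setdefault((d.sdomain, d.ttype, d.tclass), [])
        for p in d.perms:
            if p not in perms:
                perms.append(p)
    return [f"allow {s} {t}:{c} {{ {' '.join(p)} }};"
            for (s, t, c), p in merged.items()]


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_LOG):
        print(rule)   # allow entropyd_t tmpfs_t:dir { search getattr };
```

On a live system the same records come from `ausearch -m avc`; feeding its output to `allow_rules` gives the per-domain rules to compare against what the policy interface actually grants.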


@ -64,6 +64,12 @@ miscfiles_read_localization(entropyd_t)
userdom_dontaudit_use_unpriv_user_fds(entropyd_t) userdom_dontaudit_use_unpriv_user_fds(entropyd_t)
userdom_dontaudit_search_user_home_dirs(entropyd_t) userdom_dontaudit_search_user_home_dirs(entropyd_t)
ifdef(`init_systemd', `
optional_policy(`
systemd_PrivateDevices(entropyd_t)
')
')
tunable_policy(`entropyd_use_audio',` tunable_policy(`entropyd_use_audio',`
dev_read_sound(entropyd_t) dev_read_sound(entropyd_t)
dev_write_sound(entropyd_t) dev_write_sound(entropyd_t)
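Review bot: the commit message says to "use the newly-added interface" but never names it; the hunk shows the call is `systemd_PrivateDevices(entropyd_t)`, so the message should name it and the commit that introduced it (the parent, a7e3407606, is the obvious candidate) so the dependency is visible from the log alone. The quoted denial is only `{ search }` on a `tmpfs_t` dir with `name="/"`; since the interface body is not part of this diff, confirm it grants no more than that search (not read, write or create on `tmpfs_t`) before merging, as anything broader would be out of proportion to the one denial this change sets out to fix.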