Nicolas Iooss 58189f4965 entropyd: haveged service uses PrivateDevices=yes ... On Debian, haveged fails to start with "haveged: Couldn't open random device: Permission denied". strace shows: openat(AT_FDCWD, "/dev/random", O_RDWR) = -1 EACCES (Permission denied) audit.log has: type=AVC msg=audit(1566048720.132:1338): avc: denied { search } for pid=20235 comm="haveged" name="/" dev="tmpfs" ino=76666 scontext=system_u:system_r:entropyd_t tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=0 With systemd, /dev is a temporary filesystem (tmpfs_t), so haveged needs the search permission to it in order to open /dev/random. Use the newly-added interface to allow this access. Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>		2019-09-01 13:47:45 +02:00
..
flask	Remove incorrect comment about capability2:mac_admin.	2019-03-11 20:49:42 -04:00
modules	entropyd: haveged service uses PrivateDevices=yes	2019-09-01 13:47:45 +02:00
support	obj_perm_sets.spt: Add xdp_socket to socket_class_set.	2018-10-23 17:18:43 -04:00
constraints	refpolicy: Update for kernel sctp support	2018-03-21 14:14:37 -04:00
context_defaults	Fix error in default_user example.	2014-04-28 10:19:22 -04:00
global_booleans	Move secure_mode_policyload into selinux module as that is the only place it is used.	2011-09-26 09:53:23 -04:00
global_tunables	user_udp_server tunable	2016-08-02 19:44:16 -04:00
mcs	refpolicy: Update for kernel sctp support	2018-03-21 14:14:37 -04:00
mls	Remove unused translate permission in context userspace class.	2018-10-13 13:39:18 -04:00
policy_capabilities	Enable cgroup_seclabel and nnp_nosuid_transition.	2018-01-16 18:52:39 -05:00
users	Apply direct_initrc to unconfined_r:unconfined_t	2014-01-16 15:27:18 -05:00