diff options
Diffstat (limited to 'recipes-security/refpolicy/refpolicy/0043-policy-modules-services-rngd-fix-security-context-fo.patch')
-rw-r--r-- | recipes-security/refpolicy/refpolicy/0043-policy-modules-services-rngd-fix-security-context-fo.patch | 64 |
1 files changed, 64 insertions, 0 deletions
diff --git a/recipes-security/refpolicy/refpolicy/0043-policy-modules-services-rngd-fix-security-context-fo.patch b/recipes-security/refpolicy/refpolicy/0043-policy-modules-services-rngd-fix-security-context-fo.patch new file mode 100644 index 0000000..491cf02 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0043-policy-modules-services-rngd-fix-security-context-fo.patch | |||
@@ -0,0 +1,64 @@ | |||
1 | From 617b8b558674a77cd2b1eff9155f276985456684 Mon Sep 17 00:00:00 2001 | ||
2 | From: Wenzong Fan <wenzong.fan@windriver.com> | ||
3 | Date: Wed, 25 May 2016 03:16:24 -0400 | ||
4 | Subject: [PATCH] policy/modules/services/rngd: fix security context for | ||
5 | rng-tools | ||
6 | |||
7 | * fix security context for /etc/init.d/rng-tools | ||
8 | * allow rngd_t to search /run/systemd/journal | ||
9 | |||
10 | Fixes: | ||
11 | audit: type=1400 audit(1592874699.503:11): avc: denied { read } for | ||
12 | pid=355 comm="rngd" name="cpu" dev="sysfs" ino=36 | ||
13 | scontext=system_u:system_r:rngd_t tcontext=system_u:object_r:sysfs_t | ||
14 | tclass=dir permissive=1 | ||
15 | audit: type=1400 audit(1592874699.505:12): avc: denied { getsched } | ||
16 | for pid=355 comm="rngd" scontext=system_u:system_r:rngd_t | ||
17 | tcontext=system_u:system_r:rngd_t tclass=process permissive=1 | ||
18 | audit: type=1400 audit(1592874699.508:13): avc: denied { setsched } | ||
19 | for pid=355 comm="rngd" scontext=system_u:system_r:rngd_t | ||
20 | tcontext=system_u:system_r:rngd_t tclass=process permissive=1 | ||
21 | |||
22 | Upstream-Status: Inappropriate [embedded specific] | ||
23 | |||
24 | Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> | ||
25 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | ||
26 | --- | ||
27 | policy/modules/services/rngd.fc | 1 + | ||
28 | policy/modules/services/rngd.te | 3 ++- | ||
29 | 2 files changed, 3 insertions(+), 1 deletion(-) | ||
30 | |||
31 | diff --git a/policy/modules/services/rngd.fc b/policy/modules/services/rngd.fc | ||
32 | index 382c067f9..0ecc5acc4 100644 | ||
33 | --- a/policy/modules/services/rngd.fc | ||
34 | +++ b/policy/modules/services/rngd.fc | ||
35 | @@ -1,4 +1,5 @@ | ||
36 | /etc/rc\.d/init\.d/rngd -- gen_context(system_u:object_r:rngd_initrc_exec_t,s0) | ||
37 | +/etc/rc\.d/init\.d/rng-tools -- gen_context(system_u:object_r:rngd_initrc_exec_t,s0) | ||
38 | |||
39 | /usr/bin/rngd -- gen_context(system_u:object_r:rngd_exec_t,s0) | ||
40 | |||
41 | diff --git a/policy/modules/services/rngd.te b/policy/modules/services/rngd.te | ||
42 | index 839813216..c4ffafb5d 100644 | ||
43 | --- a/policy/modules/services/rngd.te | ||
44 | +++ b/policy/modules/services/rngd.te | ||
45 | @@ -21,7 +21,7 @@ files_runtime_file(rngd_runtime_t) | ||
46 | # | ||
47 | |||
48 | allow rngd_t self:capability { ipc_lock sys_admin }; | ||
49 | -allow rngd_t self:process signal; | ||
50 | +allow rngd_t self:process { signal getsched setsched }; | ||
51 | allow rngd_t self:fifo_file rw_fifo_file_perms; | ||
52 | allow rngd_t self:unix_stream_socket { accept listen }; | ||
53 | |||
54 | @@ -34,6 +34,7 @@ dev_read_rand(rngd_t) | ||
55 | dev_read_urand(rngd_t) | ||
56 | dev_rw_tpm(rngd_t) | ||
57 | dev_write_rand(rngd_t) | ||
58 | +dev_read_sysfs(rngd_t) | ||
59 | |||
60 | files_read_etc_files(rngd_t) | ||
61 | |||
62 | -- | ||
63 | 2.17.1 | ||
64 | |||