1 files changed, 64 insertions, 0 deletions
diff --git a/recipes-security/refpolicy/refpolicy/0043-policy-modules-services-rngd-fix-security-context-fo.patch b/recipes-security/refpolicy/refpolicy/0043-policy-modules-services-rngd-fix-security-context-fo.patch
new file mode 100644
index 0000000..491cf02
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0043-policy-modules-services-rngd-fix-security-context-fo.patch
@@ -0,0 +1,64 @@
+From 617b8b558674a77cd2b1eff9155f276985456684 Mon Sep 17 00:00:00 2001
+From: Wenzong Fan <wenzong.fan@windriver.com>
+Date: Wed, 25 May 2016 03:16:24 -0400
+Subject: [PATCH] policy/modules/services/rngd: fix security context for
+ rng-tools
+* fix security context for /etc/init.d/rng-tools
+* allow rngd_t to search /run/systemd/journal
+Fixes:
+audit: type=1400 audit(1592874699.503:11): avc:  denied  { read } for
+pid=355 comm="rngd" name="cpu" dev="sysfs" ino=36
+scontext=system_u:system_r:rngd_t tcontext=system_u:object_r:sysfs_t
+tclass=dir permissive=1
+audit: type=1400 audit(1592874699.505:12): avc:  denied  { getsched }
+for pid=355 comm="rngd" scontext=system_u:system_r:rngd_t
+tcontext=system_u:system_r:rngd_t tclass=process permissive=1
+audit: type=1400 audit(1592874699.508:13): avc:  denied  { setsched }
+for pid=355 comm="rngd" scontext=system_u:system_r:rngd_t
+tcontext=system_u:system_r:rngd_t tclass=process permissive=1
+Upstream-Status: Inappropriate [embedded specific]
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/services/rngd.fc | 1 +
+ policy/modules/services/rngd.te | 3 ++-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+diff --git a/policy/modules/services/rngd.fc b/policy/modules/services/rngd.fc
+index 382c067f9..0ecc5acc4 100644
+--- a/policy/modules/services/rngd.fc
+++ b/policy/modules/services/rngd.fc
+@@ -1,4 +1,5 @@
+ /etc/rc\.d/init\.d/rngd        --      gen_context(system_u:object_r:rngd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/rng-tools   --      gen_context(system_u:object_r:rngd_initrc_exec_t,s0)
+ 
+ /usr/bin/rngd  --      gen_context(system_u:object_r:rngd_exec_t,s0)
+ 
+diff --git a/policy/modules/services/rngd.te b/policy/modules/services/rngd.te
+index 839813216..c4ffafb5d 100644
+--- a/policy/modules/services/rngd.te
+++ b/policy/modules/services/rngd.te
+@@ -21,7 +21,7 @@ files_runtime_file(rngd_runtime_t)
+ #
+ 
+ allow rngd_t self:capability { ipc_lock sys_admin };
+-allow rngd_t self:process signal;
+allow rngd_t self:process { signal getsched setsched };
+ allow rngd_t self:fifo_file rw_fifo_file_perms;
+ allow rngd_t self:unix_stream_socket { accept listen };
+ 
+@@ -34,6 +34,7 @@ dev_read_rand(rngd_t)
+ dev_read_urand(rngd_t)
+ dev_rw_tpm(rngd_t)
+ dev_write_rand(rngd_t)
+dev_read_sysfs(rngd_t)
+ 
+ files_read_etc_files(rngd_t)
+ 
+-- 
+2.17.1

diff --git a/recipes-security/refpolicy/refpolicy/0043-policy-modules-services-rngd-fix-security-context-fo.patch b/recipes-security/refpolicy/refpolicy/0043-policy-modules-services-rngd-fix-security-context-fo.patch new file mode 100644 index 0000000..491cf02 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0043-policy-modules-services-rngd-fix-security-context-fo.patch
@@ -0,0 +1,64 @@
	1	From 617b8b558674a77cd2b1eff9155f276985456684 Mon Sep 17 00:00:00 2001
	2	From: Wenzong Fan <wenzong.fan@windriver.com>
	3	Date: Wed, 25 May 2016 03:16:24 -0400
	4	Subject: [PATCH] policy/modules/services/rngd: fix security context for
	5	rng-tools
	6
	7	* fix security context for /etc/init.d/rng-tools
	8	* allow rngd_t to search /run/systemd/journal
	9
	10	Fixes:
	11	audit: type=1400 audit(1592874699.503:11): avc: denied { read } for
	12	pid=355 comm="rngd" name="cpu" dev="sysfs" ino=36
	13	scontext=system_u:system_r:rngd_t tcontext=system_u:object_r:sysfs_t
	14	tclass=dir permissive=1
	15	audit: type=1400 audit(1592874699.505:12): avc: denied { getsched }
	16	for pid=355 comm="rngd" scontext=system_u:system_r:rngd_t
	17	tcontext=system_u:system_r:rngd_t tclass=process permissive=1
	18	audit: type=1400 audit(1592874699.508:13): avc: denied { setsched }
	19	for pid=355 comm="rngd" scontext=system_u:system_r:rngd_t
	20	tcontext=system_u:system_r:rngd_t tclass=process permissive=1
	21
	22	Upstream-Status: Inappropriate [embedded specific]
	23
	24	Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
	25	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
	26	---
	27	policy/modules/services/rngd.fc \| 1 +
	28	policy/modules/services/rngd.te \| 3 ++-
	29	2 files changed, 3 insertions(+), 1 deletion(-)
	30
	31	diff --git a/policy/modules/services/rngd.fc b/policy/modules/services/rngd.fc
	32	index 382c067f9..0ecc5acc4 100644
	33	--- a/policy/modules/services/rngd.fc
	34	+++ b/policy/modules/services/rngd.fc
	35	@@ -1,4 +1,5 @@
	36	/etc/rc\.d/init\.d/rngd -- gen_context(system_u:object_r:rngd_initrc_exec_t,s0)
	37	+/etc/rc\.d/init\.d/rng-tools -- gen_context(system_u:object_r:rngd_initrc_exec_t,s0)
	38
	39	/usr/bin/rngd -- gen_context(system_u:object_r:rngd_exec_t,s0)
	40
	41	diff --git a/policy/modules/services/rngd.te b/policy/modules/services/rngd.te
	42	index 839813216..c4ffafb5d 100644
	43	--- a/policy/modules/services/rngd.te
	44	+++ b/policy/modules/services/rngd.te
	45	@@ -21,7 +21,7 @@ files_runtime_file(rngd_runtime_t)
	46	#
	47
	48	allow rngd_t self:capability { ipc_lock sys_admin };
	49	-allow rngd_t self:process signal;
	50	+allow rngd_t self:process { signal getsched setsched };
	51	allow rngd_t self:fifo_file rw_fifo_file_perms;
	52	allow rngd_t self:unix_stream_socket { accept listen };
	53
	54	@@ -34,6 +34,7 @@ dev_read_rand(rngd_t)
	55	dev_read_urand(rngd_t)
	56	dev_rw_tpm(rngd_t)
	57	dev_write_rand(rngd_t)
	58	+dev_read_sysfs(rngd_t)
	59
	60	files_read_etc_files(rngd_t)
	61
	62	--
	63	2.17.1
	64