From 62d5fd70550ba0f6564c5240c369c421b1415eb9 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Thu, 3 Mar 2022 16:57:41 +0100
Subject: [PATCH] Allow rngd drop privileges via setuid/setgid/setcap

Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/62d5fd70550ba0f6564c5240c369c421b1415eb9
Conflict: NA

The rngd service starts as root to be able to access some resources
like /dev/hwrng, then it drops capabilities and changes ruid/euid/suid
and rgid/egid/sgid.

Resolves: rhbz#2058914
Signed-off-by: lujie54 <lujie54@huawei.com>
---
 policy/modules/contrib/rngd.te | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/contrib/rngd.te b/policy/modules/contrib/rngd.te
index 316d210..ca8c996 100644
--- a/policy/modules/contrib/rngd.te
+++ b/policy/modules/contrib/rngd.te
@@ -30,8 +30,8 @@ files_pid_file(rngd_var_run_t)
 # Local policy
 #
 
-allow rngd_t self:capability { ipc_lock sys_admin };
-allow rngd_t self:process { setsched signal };
+allow rngd_t self:capability { ipc_lock setgid setuid sys_admin };
+allow rngd_t self:process { setcap setsched signal };
 allow rngd_t self:fifo_file rw_fifo_file_perms;
 allow rngd_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow rngd_t self:unix_stream_socket { accept listen };
-- 
1.8.3.1