From: Jirka Hladky <jhladky@redhat.com>
To: git-commits@fedoraproject.org
Subject: [rpms/haveged] f44: Add SELinux policy module for semaphore creation in /dev/shm
Date: Fri, 19 Jun 2026 02:22:15 GMT	[thread overview]
Message-ID: <178183573568.1.3748489212177549038.rpms-haveged-3524cc7c8787@fedoraproject.org> (raw)

            A new commit has been pushed.

            Repo   : rpms/haveged
            Branch : f44
            Commit : 3524cc7c87878548cc3a3db996bd548ec77e4c83
            Author : Jirka Hladky <jhladky@redhat.com>
            Date   : 2026-06-18T04:47:22+02:00
            Stats  : +32/-3 in 2 file(s)
            URL    : https://src.fedoraproject.org/rpms/haveged/c/3524cc7c87878548cc3a3db996bd548ec77e4c83?branch=f44

            Log:
            Add SELinux policy module for semaphore creation in /dev/shm

The entropyd_t SELinux domain lacks permission to create POSIX named
semaphores (tmpfs_t files) in /dev/shm, causing haveged to fall back
to disabled command mode. Ship a local policy module to allow it.

Also bump release to 2.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---
diff --git a/haveged-semaphore.te b/haveged-semaphore.te
new file mode 100644
index 0000000..c4233c3
--- /dev/null
+++ b/haveged-semaphore.te
@@ -0,0 +1,11 @@
+module haveged-semaphore 1.0;
+
+require {
+    type entropyd_t;
+    type tmpfs_t;
+    class file { create open read write getattr setattr unlink link rename lock map };
+    class dir { write add_name remove_name search getattr };
+}
+
+allow entropyd_t tmpfs_t:file { create open read write getattr setattr unlink link rename lock map };
+allow entropyd_t tmpfs_t:dir { write add_name remove_name search getattr };
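Review bot: Both allow rules grant entropyd_t the listed permissions on every tmpfs_t file and directory, not only on haveged's own semaphore, so a compromised daemon could unlink, rename or overwrite other processes' objects in /dev/shm and on any other tmpfs mount carrying that label. The usual way to scope this is a dedicated type for the semaphore (for example a constructed `haveged_tmpfs_t` declared in this module, with a `type_transition entropyd_t tmpfs_t:file haveged_tmpfs_t;` rule) so the file rules apply only to objects the daemon itself created, with the tmpfs_t:dir rule kept to `{ search getattr write add_name remove_name }`. The file permission set also looks wider than sem_open needs: as far as I recall glibc builds the semaphore in a temporary file and link()s it to its final name, which accounts for create, link and unlink, but `rename`, `lock` and `setattr` should be confirmed against actual AVC denials rather than granted pre-emptively. A short comment above the rules saying which sem_open step each permission serves would let the next reviewer verify the set instead of re-deriving it.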

diff --git a/haveged.spec b/haveged.spec
index 14e4296..0d2f946 100644
--- a/haveged.spec
+++ b/haveged.spec
@@ -2,17 +2,19 @@
 Summary:        A Linux entropy source using the HAVEGE algorithm
 Name:           haveged
 Version:        1.9.23
-Release:        1%{?dist}
+Release:        2%{?dist}
 # Automatically converted from old format: GPLv3+ - review is highly recommended.
 License:        GPL-3.0-or-later
 URL:            https://github.com/jirka-h/haveged
 Source0:        https://github.com/jirka-h/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
-Requires(post):   systemd
+Source1:        haveged-semaphore.te
+Requires(post):   systemd policycoreutils
 Requires(preun):  systemd
-Requires(postun): systemd
+Requires(postun): systemd policycoreutils
 
 BuildRequires:  gcc
 BuildRequires:  make automake coreutils glibc-common systemd-units
+BuildRequires:  checkpolicy selinux-policy-devel
 Enhances:       apache2 gpg2 openssl openvpn php5 smtp_daemon systemd
 
 %description
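Review bot: The new Requires(post)/Requires(postun) pull in policycoreutils for semodule, but nothing requires the base policy that defines entropyd_t and tmpfs_t, which the module's require block depends on; on a host without selinux-policy-targeted the %post load is likely to fail and the daemon stays in the fallback mode this change is meant to fix. The SELinux packaging macros cover this with `%{?selinux_requires}` from selinux-policy-devel (already a BuildRequires here), or at minimum `Requires(post): selinux-policy-base`. It is also worth considering a haveged-selinux subpackage, as the packaging guidelines recommend for independent policy modules, so systems that do not run SELinux do not pick up the scriptlet dependencies. Separately, the changelog entry added further down credits an rpminspect.yaml, which is not one of the two files in this commit's diffstat.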
@@ -49,6 +51,10 @@ Headers and shared object symbolic links for the HAVEGE algorithm
 #make %{?_smp_mflags}
 make
 
+# Build SELinux policy module
+cp %{SOURCE1} .
+make -f /usr/share/selinux/devel/Makefile haveged-semaphore.pp
+
 %check
 make check
 
@@ -72,11 +78,15 @@ install -Dpm 0644 contrib/Fedora/90-haveged.rules %{buildroot}%{_udevrulesdir}/9
 # We don't ship .la files.
 rm -rf %{buildroot}%{_libdir}/libhavege.*a
 
+# Install SELinux policy module
+install -Dpm 0644 haveged-semaphore.pp %{buildroot}%{_datadir}/selinux/packages/haveged-semaphore.pp
+
 mkdir -p %{buildroot}%{_defaultdocdir}/%{name}
 cp -p COPYING README ChangeLog AUTHORS contrib/build/havege_sample.c %{buildroot}%{_defaultdocdir}/%{name}
 
 %post
 /sbin/ldconfig
+semodule -i %{_datadir}/selinux/packages/haveged-semaphore.pp 2>/dev/null || :
 %systemd_post %{name}.service %{name}-switch-root.service
 
 %preun
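Review bot: `semodule -i ... 2>/dev/null || :` in %post discards both the exit status and the diagnostics, so a module that fails to load (missing base types, policy version mismatch, read-only store) leaves no trace in the transaction output and the daemon silently ends up in the fallback mode this change addresses; the %postun hunk uses the same pattern for `semodule -r`. The macros from selinux-policy-devel handle this and the priority bookkeeping: `%selinux_modules_install -s targeted %{_datadir}/selinux/packages/haveged-semaphore.pp` in %post and the matching `%selinux_modules_uninstall` on erase, with the .pp conventionally installed under `%{_datadir}/selinux/packages/targeted/`. If the hand-rolled call stays, keep stderr (`|| :` alone) and guard it with `selinuxenabled` so a failure is at least visible to the administrator. A one-line comment stating that the module is loaded before the `%systemd_post` macro on purpose, so a later service start already runs under the new rules, would make the ordering intentional rather than incidental.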
@@ -85,6 +95,9 @@ cp -p COPYING README ChangeLog AUTHORS contrib/build/havege_sample.c %{buildroot
 %postun
 %systemd_postun_with_restart %{name}.service %{name}-switch-root.service
 /sbin/ldconfig
+if [ $1 -eq 0 ]; then
+    semodule -r haveged-semaphore 2>/dev/null || :
+fi
 
 %files
 %{_mandir}/man8/haveged.8*
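Review bot: `$1` is unquoted in the new test in %postun; rpm always passes a numeric argument, but `if [ "$1" -eq 0 ]; then` is the conventional form and matches how the systemd scriptlet macros treat it. Removing the module only on erase is the right condition, since on upgrade the new package's %post has already re-installed its own copy before the old %postun runs.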
@@ -95,6 +108,7 @@ cp -p COPYING README ChangeLog AUTHORS contrib/build/havege_sample.c %{buildroot
 %{_udevrulesdir}/*-%{name}.rules
 %dir %{_prefix}/%{dracutlibdir}/modules.d/98%{name}
 %{_prefix}/%{dracutlibdir}/modules.d/98%{name}/*
+%{_datadir}/selinux/packages/haveged-semaphore.pp
 
 %files devel
 %{_mandir}/man3/libhavege.3*
@@ -105,6 +119,10 @@ cp -p COPYING README ChangeLog AUTHORS contrib/build/havege_sample.c %{buildroot
 
 
 %changelog
+* Thu Jun 18 2026 Jirka Hladky <hladky.jiri@gmail.com> - 1.9.23-2
+- Add SELinux policy module to allow semaphore creation in /dev/shm
+- Add rpminspect.yaml to waive pre-existing annocheck false positive
+
 * Thu Jun 18 2026 Jirka Hladky <hladky.jiri@gmail.com> - 1.9.23-1
 - Update to 1.9.23
 - Security: use O_EXCL with sem_open to prevent semaphore pre-planting attacks

