fedora-selinux March 2011 archive

[PATCH] serefpolicy: named getattr AVC accessing /dev/random

From: Ted Toth <txtoth_at_nospam>
Date: Thu Mar 31 2011 - 18:10:43 GMT
To: selinux <selinux@lists.fedoraproject.org>

When I was configuring a local DNS server, I noticed the following AVC:

type=AVC msg=audit(1301591991.675:24730): avc: denied { getattr }
for pid=23587 comm="named" path="/dev/random" dev=dm-0 ino=533878
scontext=system_u:system_r:named_t:s0
tcontext=system_u:object_r:named_zone_t:s0 tclass=chr_file

[root@localhost BUILD]# find / -inum 533878
/var/named/chroot/dev/random

I've included a proposed patch below.

Ted

--- serefpolicy-3.9.7/policy/modules/services/bind.fc.orig 2011-03-31
12:54:32.128829155 -0500
+++ serefpolicy-3.9.7/policy/modules/services/bind.fc 2011-03-31
12:58:11.849410409 -0500
@@ -60,4 +60,6 @@
 /var/named/chroot/var/named/named\.ca --
gen_context(system_u:object_r:named_conf_t,s0)
 /var/named/chroot/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0)
 /var/named/dynamic(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+/var/named/chroot/dev/random -- gen_context(system_u:object_r:random_device_t:s0)
+/var/named/chroot/dev/zero -- gen_context(system_u:object_r:zero_device_t:s0)
 ')
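Review bot: the two added entries use the `--` file-type flag, which in refpolicy file_contexts matches regular files only, while the AVC in the mail reports `tclass=chr_file` for the chroot's /dev/random; character devices need `-c`, so as written restorecon/setfiles would not relabel /var/named/chroot/dev/random or /dev/zero. The added lines also pass the MLS field with a colon (`random_device_t:s0`), whereas gen_context takes it as a separate comma-separated argument, as the surrounding context lines show (`named_conf_t,s0`). Suggested form: `/var/named/chroot/dev/random -c gen_context(system_u:object_r:random_device_t,s0)` and `/var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0)`.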
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
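The AVC record above is the kind of line an administrator has to turn into a file-context fix by hand: pick out the target path, its class and its current type, then write an .fc entry whose file-type flag matches the object class. The following Python is an added example, not code from the mail or from serefpolicy. It parses an AVC audit record (including one wrapped across several lines, as the archive shows it) into its fields, and builds a refpolicy .fc line from a path, the audit tclass and the type the object should carry. The sample record is the one from the mail, embedded as a constructed string; the tclass-to-flag table reflects refpolicy's file_contexts syntax (`--` regular file, `-c` character device, and so on), and `flag_device_mislabel` is a heuristic of this example's own, not a policy rule.

```python
import re

# Constructed sample: the AVC record from the mail, wrapped the way the archive shows it.
SAMPLE_AVC = """type=AVC msg=audit(1301591991.675:24730): avc: denied { getattr }
for pid=23587 comm="named" path="/dev/random" dev=dm-0 ino=533878
scontext=system_u:system_r:named_t:s0
tcontext=system_u:object_r:named_zone_t:s0 tclass=chr_file"""

# Audit object class -> file-type flag in refpolicy file_contexts (.fc) entries.
TCLASS_TO_FC_FLAG = {
    "file": "--",        # regular file
    "dir": "-d",         # directory
    "chr_file": "-c",    # character device (what /dev/random is)
    "blk_file": "-b",    # block device
    "lnk_file": "-l",    # symbolic link
    "fifo_file": "-p",   # named pipe
    "sock_file": "-s",   # socket
}

_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
_PERMS_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*)\}')


def parse_avc(record):
    """Parse one AVC audit record (possibly wrapped over several lines) into a dict.

    Returns the key=value fields as strings, plus 'result', the list of
    permissions in braces, and the type component of each security context.
    """
    text = " ".join(line.strip() for line in record.splitlines())
    m = _PERMS_RE.search(text)
    if not m:
        raise ValueError("not an AVC record")
    fields = {"result": m.group(1), "perms": m.group(2).split()}
    for key, val in _KV_RE.findall(text):
        fields[key] = val.strip('"')
    for ctx in ("scontext", "tcontext"):
        # user:role:type[:mls] -- keep only the type, which is what policy keys on
        fields[ctx + "_type"] = fields[ctx].split(":")[2]
    return fields


def fc_entry(path, tclass, target_type, mls="s0"):
    """Build a refpolicy .fc line whose file-type flag matches the audit tclass.

    The path is regex-escaped because .fc paths are regular expressions
    (the mail's own bind.fc writes named\\.ca for that reason).
    """
    flag = TCLASS_TO_FC_FLAG[tclass]
    return f"{re.escape(path)} {flag} gen_context(system_u:object_r:{target_type},{mls})"


def flag_device_mislabel(fields):
    """Heuristic (this example's own): a device node labelled with a non-device type
    is worth a look, since device types in refpolicy end in _device_t."""
    if fields.get("tclass") not in ("chr_file", "blk_file"):
        return False
    return not fields["tcontext_type"].endswith("_device_t")


if __name__ == "__main__":
    f = parse_avc(SAMPLE_AVC)
    print(f"{f['comm']} denied {f['perms']} on {f['path']} "
          f"({f['tclass']}, labelled {f['tcontext_type']})")
    if flag_device_mislabel(f):
        # The chroot path comes from the mail's 'find / -inum' lookup.
        print(fc_entry("/var/named/chroot/dev/random", f["tclass"], "random_device_t"))
```

Run against the record in the mail, the script reports a chr_file labelled named_zone_t and prints the entry with the `-c` flag rather than `--`, which is the difference that decides whether restorecon touches the device node at all.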