fedora-selinux March 2011 archive

Re: [PATCH] serefpolicy: named getattr AVC accessing /dev/random

From: Dominick Grift <domg472_at_nospam>
Date: Thu Mar 31 2011 - 18:50:15 GMT
To: selinux@lists.fedoraproject.org


On 03/31/2011 08:10 PM, Ted Toth wrote:
> When I was configuring a local dns server I noticed the following AVC:
>
> type=AVC msg=audit(1301591991.675:24730): avc: denied { getattr }
> for pid=23587 comm="named" path="/dev/random" dev=dm-0 ino=533878
> scontext=system_u:system_r:named_t:s0
> tcontext=system_u:object_r:named_zone_t:s0 tclass=chr_file
>
> [root@localhost BUILD]# find / -inum 533878
> /var/named/chroot/dev/random
>
> I've included a proposed patch below.
>
> Ted
>
> --- serefpolicy-3.9.7/policy/modules/services/bind.fc.orig 2011-03-31
> 12:54:32.128829155 -0500
> +++ serefpolicy-3.9.7/policy/modules/services/bind.fc 2011-03-31
> 12:58:11.849410409 -0500
> @@ -60,4 +60,6 @@
> /var/named/chroot/var/named/named\.ca --
> gen_context(system_u:object_r:named_conf_t,s0)
> /var/named/chroot/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0)
> /var/named/dynamic(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
> +/var/named/chroot/dev/random -- gen_context(system_u:object_r:random_device_t:s0)
> +/var/named/chroot/dev/zero -- gen_context(system_u:object_r:zero_device_t:s0)
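Review bot: both added lines carry the `--` (regular file) type field, but /dev/random and /dev/zero are character devices, so with `--` the specs would never apply to them; they also write the level as `:s0` where every other line in this hunk uses the comma form (`gen_context(system_u:object_r:named_log_t,s0)`). The entries should read `/var/named/chroot/dev/random -c gen_context(system_u:object_r:random_device_t,s0)` and the same for zero. Beyond the syntax, the AVC shows the inode already exists and is labelled named_zone_t, so if policy already carries a spec for this path the correct fix is a relabel of the chroot (restorecon) rather than a second, conflicting spec in bind.fc.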

Already there in /policy/modules/kernel/devices.fc

/var/named/chroot/dev/random -c gen_context(system_u:object_r:random_device_t,s0)
/var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0)

Along with:

/var/named/chroot/dev -d gen_context(system_u:object_r:device_t,s0)
/var/named/chroot/dev/null -c gen_context(system_u:object_r:null_device_t,s0)

> ')

-- 
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
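As an added example (not code from this thread, from refpolicy or from Fedora), here is a small Python triage script for exactly the situation above: it parses the AVC record Ted posted, maps the path named reports inside its chroot back to the host path the way his find -inum did, looks that path up in file-context specs written in refpolicy .fc syntax, and reports whether the object is merely mislabelled (fix with restorecon) or genuinely has no spec (a new .fc entry is needed). Assumptions: the broad /var/named(/.*)? named_zone_t spec is a stand-in I constructed for whatever rule gave the inode its named_zone_t label (the thread does not show that rule); the "longest literal stem wins" matching is a simplification of libselinux's spec ordering; the restorecon line is illustrative output, not something the script runs.

```python
"""Triage an SELinux AVC file denial against refpolicy-style .fc specs.

Added example for the thread above; not code from refpolicy or either poster.
Answers the question the thread turns on: does policy already carry a spec for
the denied object (then relabel), or is a new .fc entry really needed?
"""
import re
from dataclasses import dataclass

# AVC object class -> file type field used in file_contexts specs.
TCLASS_TO_FTYPE = {
    "file": "--", "dir": "-d", "chr_file": "-c", "blk_file": "-b",
    "lnk_file": "-l", "sock_file": "-s", "fifo_file": "-p",
}

# The AVC record from the thread, joined onto one line.
AVC_LINE = (
    'type=AVC msg=audit(1301591991.675:24730): avc: denied { getattr } '
    'for pid=23587 comm="named" path="/dev/random" dev=dm-0 ino=533878 '
    'scontext=system_u:system_r:named_t:s0 '
    'tcontext=system_u:object_r:named_zone_t:s0 tclass=chr_file'
)

# Constructed .fc text: the devices.fc lines quoted in the reply plus an
# ASSUMED broad /var/named(/.*)? spec standing in for whatever rule produced
# the named_zone_t label (the thread does not show that rule).
FC_DEVICES = """
/var/named(/.*)?                gen_context(system_u:object_r:named_zone_t,s0)
/var/named/chroot/dev        -d gen_context(system_u:object_r:device_t,s0)
/var/named/chroot/dev/null   -c gen_context(system_u:object_r:null_device_t,s0)
/var/named/chroot/dev/random -c gen_context(system_u:object_r:random_device_t,s0)
/var/named/chroot/dev/zero   -c gen_context(system_u:object_r:zero_device_t,s0)
/var/named/dynamic(/.*)?        gen_context(system_u:object_r:named_cache_t,s0)
"""
# Same specs, but the device entries typed as regular files ("--") the way the
# posted patch wrote them; such a spec never applies to a character device.
FC_WRONG_TYPE = re.sub(r"(/(?:random|zero)\s+)-c", r"\1--", FC_DEVICES)


@dataclass
class FcSpec:
    regex: str     # path regex exactly as written in the .fc file
    ftype: str     # "--", "-c", "-d", ... or "" when the spec applies to any type
    context: str   # user:role:type:level


def parse_avc(line):
    """Split an AVC record into its key=value fields plus the permission set."""
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    m = re.search(r"denied\s+\{([^}]*)\}", line)
    fields["perms"] = set(m.group(1).split()) if m else set()
    return fields


def parse_fc(text):
    """Parse 'regex [ftype] gen_context(ctx,level)' lines into FcSpec objects."""
    specs = []
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        regex, rest = parts[0], parts[1:]
        ftype = rest.pop(0) if rest and re.fullmatch(r"-[-cdblsp]", rest[0]) else ""
        m = re.fullmatch(r"gen_context\(([^,]+),(\S+)\)", rest[0]) if rest else None
        context = f"{m.group(1)}:{m.group(2)}" if m else " ".join(rest)
        specs.append(FcSpec(regex, ftype, context))
    return specs


def _stem_len(regex):
    """Length of the literal path prefix before the first regex metacharacter."""
    m = re.search(r"[.\[\]()*+?{}|^$\\]", regex)
    return len(regex) if m is None else m.start()


def lookup(specs, path, ftype):
    """Most specific spec matching path/ftype, or None.  Simplified version of
    libselinux's ordering: longest literal stem wins, ties go to the later entry."""
    best = None
    for i, s in enumerate(specs):
        if (s.ftype and s.ftype != ftype) or not re.fullmatch(s.regex, path):
            continue
        key = (_stem_len(s.regex), i)
        if best is None or key > best[0]:
            best = (key, s)
    return best[1] if best else None


def diagnose(avc_line, fc_text, chroot=""):
    """'relabel' if policy names a different label for the object, 'add_spec' if
    nothing matches, 'policy' if the label already matches (an allow rule is
    the issue).  chroot is prepended because a chrooted daemon reports paths
    relative to its root: the thread's find -inum shows /dev/random is really
    /var/named/chroot/dev/random."""
    avc = parse_avc(avc_line)
    host_path = chroot.rstrip("/") + avc["path"] if chroot else avc["path"]
    spec = lookup(parse_fc(fc_text), host_path, TCLASS_TO_FTYPE.get(avc["tclass"], ""))
    result = {"path": host_path, "actual": avc["tcontext"], "expected": None}
    if spec is None:
        result["verdict"] = "add_spec"
    elif spec.context == avc["tcontext"]:
        result.update(verdict="policy", expected=spec.context)
    else:
        result.update(verdict="relabel", expected=spec.context,
                      fix=f"restorecon -v {host_path}")  # illustrative fix line
    return result


if __name__ == "__main__":
    for name, fc in (("devices.fc specs", FC_DEVICES), ("patch with --", FC_WRONG_TYPE)):
        print(name, diagnose(AVC_LINE, fc, chroot="/var/named/chroot"))
```

Run it with python3 and compare the two verdicts: with the `-c` specs the object is reported as mislabelled and a restorecon of the chroot path is the answer; with the patch's `--` type field the device specs are skipped, the broad spec wins, and the label looks "correct", which is exactly why the type field matters. Leaving out the chroot argument makes the same AVC look like a missing spec, the other trap this denial sets.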