Re: Named and /dev/random Fedora 14

David Highley <dhighley@xxxxxxxxxxxxxxxxxxxxxxx> · Thu, 11 Nov 2010 11:23:03 -0800 (PST)

"Daniel J Walsh wrote:"
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On 11/11/2010 01:13 PM, David Highley wrote:
> > Anyone else seeing this issue with a new install of Fedora 14? Attempted
> > to get around issue with audit2allow, but was not successful.
> > 
> > time->Wed Nov 10 21:28:20 2010
> > type=SYSCALL msg=audit(1289453300.241:33869): arch=c000003e syscall=4
> > success=no exit=-13 a0=7f482c177050 a1=7f4826a61590 a2=7f4826a61590
> > a3=7f482960e150 items=0 ppid=4267 pid=4272 auid=1000 uid=25 gid=25
> > euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=1
> > comm="named" exe="/usr/sbin/named" subj=unconfined_u:system_r:named_t:s0
> > key=(null)
> > type=AVC msg=audit(1289453300.241:33869): avc:  denied  { getattr } for
> > pid=4272 comm="named" path="/dev/random" dev=dm-0 ino=2361331
> > scontext=unconfined_u:system_r:named_t:s0
> > tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
> > ----
> > time->Wed Nov 10 21:45:00 2010
> > type=SYSCALL msg=audit(1289454300.409:5): arch=c000003e syscall=2
> > success=no exit=-13 a0=7f41edbc8050 a1=800 a2=0 a3=7f41eb05f150 items=0
> > ppid=1168 pid=1172 auid=4294967295 uid=25 gid=25 euid=25 suid=25
> > fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="named"
> > exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key=(null)
> > type=AVC msg=audit(1289454300.409:5): avc:  denied  { read } for
> > pid=1172 comm="named" name="random" dev=dm-0 ino=2361331
> > scontext=system_u:system_r:named_t:s0
> > tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
> > ----
> > time->Thu Nov 11 09:45:29 2010
> > type=SYSCALL msg=audit(1289497529.277:177): arch=c000003e syscall=2
> > success=no exit=-13 a0=7f3f6554f050 a1=800 a2=0 a3=7f3f629e6150 items=0
> > ppid=5581 pid=5585 auid=1000 uid=25 gid=25 euid=25 suid=25 fsuid=25
> > egid=25 sgid=25 fsgid=25 tty=(none) ses=19 comm="named"
> > exe="/usr/sbin/named" subj=unconfined_u:system_r:named_t:s0 key=(null)
> > type=AVC msg=audit(1289497529.277:177): avc:  denied  { read } for
> > pid=5585 comm="named" name="random" dev=dm-0 ino=2361331
> > scontext=unconfined_u:system_r:named_t:s0
> > tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
> > ----
> > time->Thu Nov 11 09:48:34 2010
> > type=SYSCALL msg=audit(1289497714.136:178): arch=c000003e syscall=2
> > success=no exit=-13 a0=7f6e92cdc050 a1=800 a2=0 a3=7f6e90173150 items=0
> > ppid=5704 pid=5706 auid=1000 uid=25 gid=25 euid=25 suid=25 fsuid=25
> > egid=25 sgid=25 fsgid=25 tty=(none) ses=19 comm="named"
> > exe="/usr/sbin/named" subj=unconfined_u:system_r:named_t:s0 key=(null)
> > type=AVC msg=audit(1289497714.136:178): avc:  denied  { read } for
> > pid=5706 comm="named" name="random" dev=dm-0 ino=2361331
> > scontext=unconfined_u:system_r:named_t:s0
> > tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
> > ----
> > time->Thu Nov 11 09:55:11 2010
> > type=SYSCALL msg=audit(1289498111.595:193): arch=c000003e syscall=4
> > success=no exit=-13 a0=7f90a3eb2050 a1=7f909e79c590 a2=7f909e79c590
> > a3=7f90a1349150 items=0 ppid=5916 pid=5921 auid=1000 uid=25 gid=25
> > euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=19
> > comm="named" exe="/usr/sbin/named" subj=unconfined_u:system_r:named_t:s0
> > key=(null)
> > type=AVC msg=audit(1289498111.595:193): avc:  denied  { getattr } for
> > pid=5921 comm="named" path="/dev/random" dev=dm-0 ino=2361331
> > scontext=unconfined_u:system_r:named_t:s0
> > tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
> > ----
> > time->Thu Nov 11 09:56:26 2010
> > type=SYSCALL msg=audit(1289498186.109:195): arch=c000003e syscall=2
> > success=no exit=-13 a0=7f6e01308050 a1=800 a2=0 a3=7f6dfe79f150 items=0
> > ppid=6042 pid=6046 auid=1000 uid=25 gid=25 euid=25 suid=25 fsuid=25
> > egid=25 sgid=25 fsgid=25 tty=(none) ses=19 comm="named"
> > exe="/usr/sbin/named" subj=unconfined_u:system_r:named_t:s0 key=(null)
> > type=AVC msg=audit(1289498186.109:195): avc:  denied  { read } for
> > pid=6046 comm="named" name="random" dev=dm-0 ino=2361331
> > scontext=unconfined_u:system_r:named_t:s0
> > tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
> > ----
> > time->Thu Nov 11 10:01:50 2010
> > type=SYSCALL msg=audit(1289498510.975:204): arch=c000003e syscall=4
> > success=no exit=-13 a0=7f7313ba9050 a1=7f730f495590 a2=7f730f495590
> > a3=7f7311040150 items=0 ppid=6199 pid=6202 auid=1000 uid=25 gid=25
> > euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=19
> > comm="named" exe="/usr/sbin/named" subj=unconfined_u:system_r:named_t:s0
> > key=(null)
> > type=AVC msg=audit(1289498510.975:204): avc:  denied  { getattr } for
> > pid=6202 comm="named" path="/dev/random" dev=dm-0 ino=2361331
> > scontext=unconfined_u:system_r:named_t:s0
> > tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
> > --
> > selinux mailing list
> > selinux@xxxxxxxxxxxxxxxxxxxxxxx
> > https://admin.fedoraproject.org/mailman/listinfo/selinux
> For some reason /dev/random is mislabeled.  Udev is in charge of
> labeling it, running restorecon /dev/random should fix.

I thought of that and it did not change, so its label is matching the
policies.

> 
> If this continues on next reboot, open a bug on udev, with me on cc.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
> 
> iEYEARECAAYFAkzcNYYACgkQrlYvE4MpobOz8ACg2WzZhWb84iHLRECPtk9Dqnh+
> AjYAoK4smJs2DFMOf6eQVa9Iijc7o5NR
> =tgM0
> -----END PGP SIGNATURE-----
> 
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux