When I was configuring a local dns server I noticed the following AVC: type=AVC msg=audit(1301591991.675:24730): avc: denied { getattr } for pid=23587 comm="named" path="/dev/random" dev=dm-0 ino=533878 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=chr_file [root@localhost BUILD]# find / -inum 533878 /var/named/chroot/dev/random I've included a proposed patch below. Ted --- serefpolicy-3.9.7/policy/modules/services/bind.fc.orig 2011-03-31 12:54:32.128829155 -0500 +++ serefpolicy-3.9.7/policy/modules/services/bind.fc 2011-03-31 12:58:11.849410409 -0500 @@ -60,4 +60,6 @@ /var/named/chroot/var/named/named\.ca -- gen_context(system_u:object_r:named_conf_t,s0) /var/named/chroot/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0) /var/named/dynamic(/.*)? gen_context(system_u:object_r:named_cache_t,s0) +/var/named/chroot/dev/random -- gen_context(system_u:object_r:random_device_t:s0) +/var/named/chroot/dev/zero -- gen_context(system_u:object_r:zero_device_t:s0) ') -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux
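Review bot: both added entries pass the level to gen_context with a colon (`random_device_t:s0`, `zero_device_t:s0`), while the existing context lines in this hunk use the two-argument form with a comma (`named_conf_t,s0`, `named_log_t,s0`, `named_cache_t,s0`); change both to `,s0`. The `--` file-type field also limits the match to regular files, but the AVC quoted above reports tclass=chr_file for /var/named/chroot/dev/random, so as written these entries would not apply to the device nodes; use `-c` for both. Suggested form: `/var/named/chroot/dev/random -c gen_context(system_u:object_r:random_device_t,s0)`, and likewise for `/var/named/chroot/dev/zero` with `zero_device_t`.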