On 03/31/2011 08:10 PM, Ted Toth wrote:
> When I was configuring a local dns server I noticed the following AVC:
>
> type=AVC msg=audit(1301591991.675:24730): avc: denied { getattr }
> for pid=23587 comm="named" path="/dev/random" dev=dm-0 ino=533878
> scontext=system_u:system_r:named_t:s0
> tcontext=system_u:object_r:named_zone_t:s0 tclass=chr_file
>
> [root@localhost BUILD]# find / -inum 533878
> /var/named/chroot/dev/random
>
> I've included a proposed patch below.
>
> Ted
>
> --- serefpolicy-3.9.7/policy/modules/services/bind.fc.orig 2011-03-31
> 12:54:32.128829155 -0500
> +++ serefpolicy-3.9.7/policy/modules/services/bind.fc 2011-03-31
> 12:58:11.849410409 -0500
> @@ -60,4 +60,6 @@
> /var/named/chroot/var/named/named\.ca --
> gen_context(system_u:object_r:named_conf_t,s0)
> /var/named/chroot/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0)
> /var/named/dynamic(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
> +/var/named/chroot/dev/random -- gen_context(system_u:object_r:random_device_t:s0)
> +/var/named/chroot/dev/zero -- gen_context(system_u:object_r:zero_device_t:s0)

Already there in /policy/modules/kernel/devices.fc

/var/named/chroot/dev/random -c gen_context(system_u:object_r:random_device_t,s0)
/var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0)

Along with:

/var/named/chroot/dev -d gen_context(system_u:object_r:device_t,s0)
/var/named/chroot/dev/null -c gen_context(system_u:object_r:null_device_t,s0)

> ')
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
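
Review bot: The two added entries for /var/named/chroot/dev/random and /var/named/chroot/dev/zero use the "--" file-type specifier, which matches regular files only, while the AVC in the report shows tclass=chr_file, so these rules would not apply to the device nodes; they need "-c". Both added lines also end the context with ":s0", where the neighbouring entries in the hunk pass the level as a separate gen_context argument (",s0"). As the reply points out, policy/modules/kernel/devices.fc already carries "-c" entries for both paths, so these additions to bind.fc would duplicate them.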