Re: [PATCH] serefpolicy: named getattr AVC accessing /dev/random

On 03/31/2011 08:50 PM, Dominick Grift wrote:
> On 03/31/2011 08:10 PM, Ted Toth wrote:
>> When I was configuring a local dns server I noticed the following AVC:
> 
>> type=AVC msg=audit(1301591991.675:24730): avc:  denied  { getattr }
>> for  pid=23587 comm="named" path="/dev/random" dev=dm-0 ino=533878
>> scontext=system_u:system_r:named_t:s0
>> tcontext=system_u:object_r:named_zone_t:s0 tclass=chr_file
> 
>> [root@localhost BUILD]# find / -inum 533878
>> /var/named/chroot/dev/random
> 
>> I've included a proposed patch below.
> 
>> Ted
> 
>> --- serefpolicy-3.9.7/policy/modules/services/bind.fc.orig	2011-03-31
>> 12:54:32.128829155 -0500
>> +++ serefpolicy-3.9.7/policy/modules/services/bind.fc	2011-03-31
>> 12:58:11.849410409 -0500
>> @@ -60,4 +60,6 @@
>>  /var/named/chroot/var/named/named\.ca --
>> gen_context(system_u:object_r:named_conf_t,s0)
>>  /var/named/chroot/var/log/named.*	--	gen_context(system_u:object_r:named_log_t,s0)
>>  /var/named/dynamic(/.*)?		gen_context(system_u:object_r:named_cache_t,s0)
>> +/var/named/chroot/dev/random		--	gen_context(system_u:object_r:random_device_t:s0)
>> +/var/named/chroot/dev/zero		--	gen_context(system_u:object_r:zero_device_t:s0)
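Review bot: the `--` qualifier on both added lines limits each spec to regular files, but the denied object is a character device (tclass=chr_file in the AVC above), so neither line can ever apply to /var/named/chroot/dev/random or /var/named/chroot/dev/zero; the qualifier has to be `-c`. The gen_context() arguments are also malformed: `random_device_t:s0` and `zero_device_t:s0` put a colon where the macro expects a comma between type and MLS field, i.e. `gen_context(system_u:object_r:random_device_t,s0)`. With both corrections the lines match what devices.fc already carries, so the patch would add duplicate specs rather than change labelling.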
> 
> Already there in /policy/modules/kernel/devices.fc
> 
> /var/named/chroot/dev/random -c
> gen_context(system_u:object_r:random_device_t,s0)
> /var/named/chroot/dev/zero -c
> gen_context(system_u:object_r:zero_device_t,s0)
> 
> Along with:
> 
> /var/named/chroot/dev	-d	gen_context(system_u:object_r:device_t,s0)
> /var/named/chroot/dev/null -c
> gen_context(system_u:object_r:null_device_t,s0)
> 

In theory your patch would not fix it since -- means a single file, and we
are dealing with character files here (-c instead of --).

I guess this may be a good case for "using last path component in type
transition rules".

So that I guess named or initrc can create these nodes with a proper
type based on their name, instead of just relying on the fc spec and restorecon.

>>  ')
>> --
>> selinux mailing list
>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
> 
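As an added illustration of the `--` versus `-c` point made in this thread (example code, not part of the thread or of refpolicy): a small matcher that applies file_contexts-style specs, including the file-type qualifier, to a path and a file type. The sample specs are constructed from the lines quoted above (the patch's entries written with the comma gen_context() expects), and last-match-wins is a simplification of libselinux's lookup, which also sorts specs by stem length.

```python
import re
import stat

# Constructed sample: the two specs proposed in the patch (mls field written with
# the comma gen_context() expects) beside the devices.fc entries quoted in reply.
PATCH_SPECS = """
/var/named/chroot/dev/random  --  gen_context(system_u:object_r:random_device_t,s0)
/var/named/chroot/dev/zero    --  gen_context(system_u:object_r:zero_device_t,s0)
"""
DEVICES_FC_SPECS = """
/var/named/chroot/dev         -d  gen_context(system_u:object_r:device_t,s0)
/var/named/chroot/dev/null    -c  gen_context(system_u:object_r:null_device_t,s0)
/var/named/chroot/dev/random  -c  gen_context(system_u:object_r:random_device_t,s0)
/var/named/chroot/dev/zero    -c  gen_context(system_u:object_r:zero_device_t,s0)
"""
# file_contexts(5) type qualifiers -> st_mode file type; no qualifier matches any type.
TYPE_QUALIFIERS = {"--": stat.S_IFREG, "-d": stat.S_IFDIR, "-c": stat.S_IFCHR,
                   "-b": stat.S_IFBLK, "-s": stat.S_IFSOCK, "-l": stat.S_IFLNK,
                   "-p": stat.S_IFIFO}
SPEC_LINE = re.compile(r"^(\S+)\s+(?:(-[-dcbslp])\s+)?(\S.*)$")
GEN_CONTEXT = re.compile(r"gen_context\(([^,()]+),\s*([^()]+)\)")


def parse_specs(text):
    """Parse spec lines into (anchored path regex, required file type or None, context)."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SPEC_LINE.match(line)
        if not m:
            raise ValueError(f"unparsable spec: {line}")
        path_re, qual, ctx = m.groups()
        g = GEN_CONTEXT.fullmatch(ctx)
        if not g:  # also rejects "...random_device_t:s0)" (':' where ',' belongs)
            raise ValueError(f"expected gen_context(type,mls): {ctx}")
        ctx = f"{g.group(1)}:{g.group(2)}"  # the m4 macro expands to type:mls
        specs.append((re.compile(path_re + r"\Z"), TYPE_QUALIFIERS.get(qual), ctx))
    return specs


def match_context(specs, path, file_type):
    """Context assigned to path for a file of the given st_mode type (last match wins)."""
    result = None
    for regex, want_type, ctx in specs:
        if regex.match(path) and want_type in (None, file_type):
            result = ctx
    return result
```

Run against the chroot's random node as a character device, the patch's specs return no context at all, while the devices.fc specs return random_device_t.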