[PATCH] serefpolicy: named getattr AVC accessing /dev/random
Ted Toth
txtoth at gmail.com
Thu Mar 31 18:10:43 UTC 2011
When I was configuring a local DNS server, I noticed the following AVC:
type=AVC msg=audit(1301591991.675:24730): avc: denied { getattr }
for pid=23587 comm="named" path="/dev/random" dev=dm-0 ino=533878
scontext=system_u:system_r:named_t:s0
tcontext=system_u:object_r:named_zone_t:s0 tclass=chr_file
[root at localhost BUILD]# find / -inum 533878
/var/named/chroot/dev/random
I've included a proposed patch below.
Ted
--- serefpolicy-3.9.7/policy/modules/services/bind.fc.orig 2011-03-31
12:54:32.128829155 -0500
+++ serefpolicy-3.9.7/policy/modules/services/bind.fc 2011-03-31
12:58:11.849410409 -0500
@@ -60,4 +60,6 @@
/var/named/chroot/var/named/named\.ca --
gen_context(system_u:object_r:named_conf_t,s0)
/var/named/chroot/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0)
/var/named/dynamic(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+/var/named/chroot/dev/random -- gen_context(system_u:object_r:random_device_t:s0)
+/var/named/chroot/dev/zero -- gen_context(system_u:object_r:zero_device_t:s0)
')
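Review bot: both added entries use the regular-file type specifier `--`, but the denied object is tclass=chr_file (a character device), so these patterns would never be applied to /var/named/chroot/dev/random by restorecon or setfiles; use the character-device specifier `-c` instead, e.g. `/var/named/chroot/dev/random -c gen_context(system_u:object_r:random_device_t,s0)`. The new lines also join the MLS level with a colon (`random_device_t:s0`, `zero_device_t:s0`) while every surrounding entry in the hunk uses a comma (`named_conf_t,s0`), so the gen_context form should be made consistent with the rest of the file. Note as well that the /dev/zero entry is not covered by the reported denial; if it is kept, the commit message should say why it is included.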