[PATCH] serefpolicy: named getattr AVC accessing /dev/random

Ted Toth txtoth at gmail.com
Thu Mar 31 18:10:43 UTC 2011


When I was configuring a local DNS server I noticed the following AVC:

type=AVC msg=audit(1301591991.675:24730): avc:  denied  { getattr }
for  pid=23587 comm="named" path="/dev/random" dev=dm-0 ino=533878
scontext=system_u:system_r:named_t:s0
tcontext=system_u:object_r:named_zone_t:s0 tclass=chr_file

[root at localhost BUILD]# find / -inum 533878
/var/named/chroot/dev/random

I've included a proposed patch below.

Ted

--- serefpolicy-3.9.7/policy/modules/services/bind.fc.orig	2011-03-31
12:54:32.128829155 -0500
+++ serefpolicy-3.9.7/policy/modules/services/bind.fc	2011-03-31
12:58:11.849410409 -0500
@@ -60,4 +60,6 @@
 /var/named/chroot/var/named/named\.ca --
gen_context(system_u:object_r:named_conf_t,s0)
 /var/named/chroot/var/log/named.*	--	gen_context(system_u:object_r:named_log_t,s0)
 /var/named/dynamic(/.*)?		gen_context(system_u:object_r:named_cache_t,s0)
+/var/named/chroot/dev/random		--	gen_context(system_u:object_r:random_device_t:s0)
+/var/named/chroot/dev/zero		--	gen_context(system_u:object_r:zero_device_t:s0)
 ')
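Review bot: the two added specs in this hunk will not label the device nodes they are meant for. The AVC that motivates the patch reports tclass=chr_file, but the `--` flag restricts a spec to regular files, so setfiles/restorecon will never apply it to a character device; use `-c`. The level is also written after a colon instead of a comma, unlike every surrounding line, so `gen_context(system_u:object_r:random_device_t:s0)` will not expand to the intended context; both lines should read in the form `/var/named/chroot/dev/random	-c	gen_context(system_u:object_r:random_device_t,s0)` and `/var/named/chroot/dev/zero	-c	gen_context(system_u:object_r:zero_device_t,s0)`. The /dev/zero entry is not mentioned in the description; a sentence saying why the chroot needs it (or dropping it from this patch) would help.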


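The workflow in the post (read the AVC, resolve the chroot-relative path to the real file, write a file_contexts spec for it) as an added Python example; this is not code from the post or from refpolicy, SAMPLE_AVC is constructed from the record above, and the function names are illustrative. The lint function checks a spec for the two things most often wrong in hand-written entries: an object-class flag that cannot match the tclass the AVC reports (a chr_file needs -c, since -- matches regular files only) and a level written after a colon instead of the comma gen_context() expects.

```python
"""Turn an SELinux AVC denial into a file_contexts spec, and lint hand-written specs.

Added example, not part of the original post or of refpolicy. All names are
illustrative; SAMPLE_AVC is constructed from the denial quoted in the post.
"""
import re
from typing import Dict, List, Optional

# Constructed sample: the post's AVC record re-joined onto one line.
SAMPLE_AVC = (
    'type=AVC msg=audit(1301591991.675:24730): avc:  denied  { getattr } '
    'for  pid=23587 comm="named" path="/dev/random" dev=dm-0 ino=533878 '
    'scontext=system_u:system_r:named_t:s0 '
    'tcontext=system_u:object_r:named_zone_t:s0 tclass=chr_file'
)

# tclass as reported by the kernel -> object-class flag used in file_contexts.
# A spec with no flag matches any class; "--" matches regular files only.
TCLASS_TO_FC_FLAG = {
    "file": "--",
    "dir": "-d",
    "chr_file": "-c",
    "blk_file": "-b",
    "lnk_file": "-l",
    "fifo_file": "-p",
    "sock_file": "-s",
}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')      # key=value or key="value"
PERMS_RE = re.compile(r"\{\s*([^}]*)\}")             # { getattr read ... }
FC_RE = re.compile(r"^(\S+)\s+(?:(-[-bcdlps])\s+)?gen_context\(([^)]*)\)\s*$")


def parse_avc(record: str) -> Dict[str, object]:
    """Split an AVC denial into its key=value fields plus the denied permissions."""
    if "avc:" not in record or "denied" not in record:
        raise ValueError("not an AVC denial record")
    fields: Dict[str, object] = {k: v.strip('"') for k, v in FIELD_RE.findall(record)}
    m = PERMS_RE.search(record)
    fields["perms"] = m.group(1).split() if m else []
    return fields


def fc_spec(path: str, setype: str, tclass: str, level: str = "s0") -> str:
    """Build a bind.fc-style line whose flag matches the object class of the target."""
    flag = TCLASS_TO_FC_FLAG[tclass]
    return f"{path}\t{flag}\tgen_context(system_u:object_r:{setype},{level})"


def spec_from_avc(record: str, real_path: str, setype: str) -> str:
    """real_path is the host path (e.g. found with `find / -inum <ino>`), not the
    chroot-relative path= in the AVC; setype is the type the file should carry."""
    fields = parse_avc(record)
    return fc_spec(real_path, setype, str(fields["tclass"]))


def lint_fc_spec(line: str, tclass: Optional[str] = None) -> List[str]:
    """Return a list of problems with one gen_context() file spec (empty if clean)."""
    m = FC_RE.match(line)
    if not m:
        return ["not a gen_context() file spec"]
    _path, flag, ctx = m.groups()
    problems: List[str] = []
    sec, _, level = ctx.partition(",")
    if not level:
        problems.append("level must follow a comma: gen_context(user:role:type,s0)")
    elif sec.count(":") != 2:
        problems.append("security context must be user:role:type")
    if tclass is not None:
        want = TCLASS_TO_FC_FLAG.get(tclass)
        if want and flag not in (None, want):
            problems.append(f"flag {flag} never matches a {tclass}; use {want}")
    return problems


if __name__ == "__main__":
    good = spec_from_avc(SAMPLE_AVC, "/var/named/chroot/dev/random", "random_device_t")
    print(good)
    bad = "/var/named/chroot/dev/random\t--\tgen_context(system_u:object_r:random_device_t:s0)"
    for problem in lint_fc_spec(bad, "chr_file"):
        print("problem:", problem)
```

Once the spec is right, the already-created device node still carries its old label until it is relabelled, for example with `restorecon -v /var/named/chroot/dev/random`; the lint step is worth running before that, because a spec with the wrong flag simply never matches and restorecon reports nothing.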
More information about the selinux mailing list