[PATCH] serefpolicy: named getattr AVC accessing /dev/random

Ted Toth txtoth at gmail.com
Thu Mar 31 21:42:58 UTC 2011


On Thu, Mar 31, 2011 at 3:19 PM, Dominick Grift <domg472 at gmail.com> wrote:
> On 03/31/2011 08:50 PM, Dominick Grift wrote:
>> On 03/31/2011 08:10 PM, Ted Toth wrote:
>>> When I was configuring a local dns server I noticed the following AVC:
>>
>>> type=AVC msg=audit(1301591991.675:24730): avc:  denied  { getattr }
>>> for  pid=23587 comm="named" path="/dev/random" dev=dm-0 ino=533878
>>> scontext=system_u:system_r:named_t:s0
>>> tcontext=system_u:object_r:named_zone_t:s0 tclass=chr_file
>>
>>> [root at localhost BUILD]# find / -inum 533878
>>> /var/named/chroot/dev/random
>>
>>> I've included a proposed patch below.
>>
>>> Ted
>>
>>> --- serefpolicy-3.9.7/policy/modules/services/bind.fc.orig   2011-03-31
>>> 12:54:32.128829155 -0500
>>> +++ serefpolicy-3.9.7/policy/modules/services/bind.fc        2011-03-31
>>> 12:58:11.849410409 -0500
>>> @@ -60,4 +60,6 @@
>>>  /var/named/chroot/var/named/named\.ca --
>>> gen_context(system_u:object_r:named_conf_t,s0)
>>>  /var/named/chroot/var/log/named.*   --      gen_context(system_u:object_r:named_log_t,s0)
>>>  /var/named/dynamic(/.*)?            gen_context(system_u:object_r:named_cache_t,s0)
>>> +/var/named/chroot/dev/random                --      gen_context(system_u:object_r:random_device_t:s0)
>>> +/var/named/chroot/dev/zero          --      gen_context(system_u:object_r:zero_device_t:s0)
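Review bot: the two added lines use the "--" file-type flag, which restricts the spec to regular files, but /dev/random and /dev/zero are character device nodes (the AVC itself reports tclass=chr_file), so the new entries would never apply; they need "-c", as the devices.fc entries for /var/named/chroot/dev/random and /var/named/chroot/dev/zero already have. Both added lines also write the level as "random_device_t:s0" and "zero_device_t:s0", whereas the surrounding context lines pass it as a separate comma-separated argument, gen_context(system_u:object_r:named_conf_t,s0); gen_context() needs that comma. Since devices.fc already carries correct entries for both nodes, this hunk is redundant and should be dropped in favour of relabelling the existing nodes. Separately, the mailer has wrapped the ---/+++ headers and the first context line, so the patch as pasted would not apply; send it as an attachment or inline with wrapping disabled.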
>>
>> Already there in /policy/modules/kernel/devices.fc
>>
>> /var/named/chroot/dev/random -c gen_context(system_u:object_r:random_device_t,s0)
>> /var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0)
>>
>> Along with:
>>
>> /var/named/chroot/dev -d      gen_context(system_u:object_r:device_t,s0)
>> /var/named/chroot/dev/null -c gen_context(system_u:object_r:null_device_t,s0)
>>
>
> In theory your patch would not fix it, since -- means single file, and
> we're dealing with character files here (-c instead of --).

-c, right that's what I meant to type ;)

>
> I guess this may be a good case for "using last path component in type
> transition rules".

Yes, it seems that this would be a reasonable use of this new type of
transition rule.

>
> So that, I guess, named or initrc can create these nodes with a proper
> type based on their name, instead of just relying on the fc spec and restorecon.
>
>>>  ')
>>> --
>>> selinux mailing list
>>> selinux at lists.fedoraproject.org
>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>

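The two review points in this thread (a "--" flag on a character device node, and a gen_context() call with ":s0" glued onto the type instead of a comma-separated level) are easy to check mechanically. The script below is an added example written for this archive page, not code from the refpolicy tree or from either poster: it parses the AVC record quoted above and the .fc lines from the hunk, and reports the mismatch between the flag and the AVC's tclass as well as the malformed gen_context() arguments. The host path it matches against comes from the find -inum output in the thread; the sample lines are constructed from the quoted text.

```python
"""Lint proposed SELinux .fc entries against the AVC they are meant to fix.

Added example (not refpolicy code). Flags a file-type flag that does not
match the object class in the AVC, and a gen_context() whose MLS level is
not passed as the second, comma-separated argument.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# .fc file-type flag -> SELinux object class the entry applies to
FC_FLAG_TO_CLASS = {
    "--": "file", "-d": "dir", "-c": "chr_file", "-b": "blk_file",
    "-s": "sock_file", "-l": "lnk_file", "-p": "fifo_file",
}
# <path regex>  [flag]  gen_context(<args>)
FC_LINE = re.compile(
    r"^(?P<path>\S+)\s+(?:(?P<flag>-[-dcbslp])\s+)?gen_context\((?P<args>[^)]*)\)\s*$"
)
AVC_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value, value may be quoted
AVC_PERMS = re.compile(r"\{\s*([^}]*?)\s*\}")     # the { getattr } permission set


@dataclass
class FcEntry:
    path_re: str          # first field is a regex over the whole path
    flag: Optional[str]   # None means "any file type"
    args: str             # raw text inside gen_context(...)


def parse_avc(record: str) -> Dict[str, str]:
    """Split an 'avc: denied' record into its fields, quotes stripped."""
    fields = {k: v.strip('"') for k, v in AVC_FIELD.findall(record)}
    m = AVC_PERMS.search(record)
    if m:
        fields["perms"] = m.group(1)   # e.g. "getattr"
    return fields


def parse_fc(line: str) -> FcEntry:
    m = FC_LINE.match(line.strip())
    if not m:
        raise ValueError("not a gen_context() .fc entry: %r" % line)
    return FcEntry(m["path"], m["flag"], m["args"])


def fc_matches(entry: FcEntry, path: str) -> bool:
    """setfiles/restorecon anchor the path regex over the full path."""
    return re.fullmatch(entry.path_re, path) is not None


def lint_fc(entry: FcEntry, avc: Optional[Dict[str, str]] = None) -> List[str]:
    """Return the problems found in one .fc entry (empty list means clean)."""
    findings: List[str] = []
    parts = [p.strip() for p in entry.args.split(",")]
    if len(parts) != 2:
        findings.append("gen_context() takes 'user:role:type,mls': got %r" % entry.args)
    elif len(parts[0].split(":")) != 3:
        findings.append("context must be exactly user:role:type: %r" % parts[0])
    if avc and entry.flag:
        want, have = avc.get("tclass"), FC_FLAG_TO_CLASS[entry.flag]
        if want and have != want:
            right = [f for f, c in FC_FLAG_TO_CLASS.items() if c == want]
            findings.append("flag %s labels class %s but the AVC is on %s; use %s"
                            % (entry.flag, have, want, right[0] if right else "no flag"))
    return findings


def review(fc_line: str, avc_record: str, host_path: str) -> List[str]:
    """Lint one .fc line against an AVC; host_path is the node as seen outside the chroot."""
    entry = parse_fc(fc_line)
    if not fc_matches(entry, host_path):
        return ["entry does not match %s" % host_path]
    return lint_fc(entry, parse_avc(avc_record))


# Constructed sample input, copied from the thread above.
AVC_RECORD = (
    'type=AVC msg=audit(1301591991.675:24730): avc:  denied  { getattr } for  pid=23587 '
    'comm="named" path="/dev/random" dev=dm-0 ino=533878 '
    'scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 '
    'tclass=chr_file'
)
HOST_PATH = "/var/named/chroot/dev/random"   # what `find / -inum 533878` resolved to
PROPOSED_FC = ("/var/named/chroot/dev/random                --      "
               "gen_context(system_u:object_r:random_device_t:s0)")
DEVICES_FC = "/var/named/chroot/dev/random -c gen_context(system_u:object_r:random_device_t,s0)"

if __name__ == "__main__":
    for label, line in (("proposed bind.fc", PROPOSED_FC), ("existing devices.fc", DEVICES_FC)):
        print(label + ":", "; ".join(review(line, AVC_RECORD, HOST_PATH)) or "ok")
```

Running it reports two findings for the proposed bind.fc line and none for the devices.fc entry. The check covers only the spec's syntax and object class; as the thread notes, the node's actual label still depends on the fc spec being applied by restorecon (or, with name-based transitions, being set correctly at creation).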
