SELinux-Refpolicy Archive on lore.kernel.org
 help / Atom feed
* [PATCH] services/ssh: Don't audit accesses from ssh_t to /dev/random
@ 2018-10-27 12:47 Luis Ressel
  2018-10-27 19:10 ` Chris PeBenito
  0 siblings, 1 reply; 2+ messages in thread
From: Luis Ressel @ 2018-10-27 12:47 UTC (permalink / raw)
  To: selinux-refpolicy

OpenSSL 1.1 always opens both /dev/urandom and /dev/random, which
generates spurious denial messages for ssh_t, ssh_keygen_t and probably
various other domains too.

The code only uses /dev/random as a fallback and can cope with an open()
failure just fine, so I'm dontauditing the access. However, I don't have
strong feelings about this -- if someone would prefer to allow these
accesses instead, I'd be okay with that too.
---
 policy/modules/services/ssh.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 092fe422..4e37a264 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -156,6 +156,7 @@ corenet_tcp_connect_ssh_port(ssh_t)
 corenet_sendrecv_ssh_client_packets(ssh_t)
 
 dev_read_urand(ssh_t)
+dev_dontaudit_read_rand(ssh_t)
 
 fs_getattr_all_fs(ssh_t)
 fs_search_auto_mountpoints(ssh_t)
@@ -352,6 +353,7 @@ fs_search_auto_mountpoints(ssh_keygen_t)
 
 dev_read_sysfs(ssh_keygen_t)
 dev_read_urand(ssh_keygen_t)
+dev_dontaudit_read_rand(ssh_keygen_t)
 
 term_dontaudit_use_console(ssh_keygen_t)
 
-- 
2.19.1


^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: [PATCH] services/ssh: Don't audit accesses from ssh_t to /dev/random
  2018-10-27 12:47 [PATCH] services/ssh: Don't audit accesses from ssh_t to /dev/random Luis Ressel
@ 2018-10-27 19:10 ` Chris PeBenito
  0 siblings, 0 replies; 2+ messages in thread
From: Chris PeBenito @ 2018-10-27 19:10 UTC (permalink / raw)
  To: Luis Ressel, selinux-refpolicy

On 10/27/2018 08:47 AM, Luis Ressel wrote:
> OpenSSL 1.1 always opens both /dev/urandom and /dev/random, which
> generates spurious denial messages for ssh_t, ssh_keygen_t and probably
> various other domains too.
> 
> The code only uses /dev/random as a fallback and can cope with an open()
> failure just fine, so I'm dontauditing the access. However, I don't have
> strong feelings about this -- if someone would prefer to allow these
> accesses instead, I'd be okay with that too.
> ---
>   policy/modules/services/ssh.te | 2 ++
>   1 file changed, 2 insertions(+)
> 
> diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
> index 092fe422..4e37a264 100644
> --- a/policy/modules/services/ssh.te
> +++ b/policy/modules/services/ssh.te
> @@ -156,6 +156,7 @@ corenet_tcp_connect_ssh_port(ssh_t)
>   corenet_sendrecv_ssh_client_packets(ssh_t)
>   
>   dev_read_urand(ssh_t)
> +dev_dontaudit_read_rand(ssh_t)
>   
>   fs_getattr_all_fs(ssh_t)
>   fs_search_auto_mountpoints(ssh_t)
> @@ -352,6 +353,7 @@ fs_search_auto_mountpoints(ssh_keygen_t)
>   
>   dev_read_sysfs(ssh_keygen_t)
>   dev_read_urand(ssh_keygen_t)
> +dev_dontaudit_read_rand(ssh_keygen_t)
>   
>   term_dontaudit_use_console(ssh_keygen_t)

Merged.

-- 
Chris PeBenito

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, back to index

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-10-27 12:47 [PATCH] services/ssh: Don't audit accesses from ssh_t to /dev/random Luis Ressel
2018-10-27 19:10 ` Chris PeBenito

SELinux-Refpolicy Archive on lore.kernel.org

Archives are clonable: git clone --mirror https://lore.kernel.org/selinux-refpolicy/0 selinux-refpolicy/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 selinux-refpolicy selinux-refpolicy/ https://lore.kernel.org/selinux-refpolicy \
		selinux-refpolicy@vger.kernel.org selinux-refpolicy@archiver.kernel.org
	public-inbox-index selinux-refpolicy


Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.selinux-refpolicy


AGPL code for this site: git clone https://public-inbox.org/ public-inbox