Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.8 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_PATCH,MAILING_LIST_MULTI,SPF_PASS,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id CF1BCC46475 for ; Sat, 27 Oct 2018 12:47:36 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 3C21A2082C for ; Sat, 27 Oct 2018 12:47:36 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 3C21A2082C Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=aixah.de Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728252AbeJ0V22 (ORCPT ); Sat, 27 Oct 2018 17:28:28 -0400 Received: from wp260.webpack.hosteurope.de ([80.237.133.29]:59086 "EHLO wp260.webpack.hosteurope.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728236AbeJ0V22 (ORCPT ); Sat, 27 Oct 2018 17:28:28 -0400 Received: from p549a87be.dip0.t-ipconnect.de ([84.154.135.190] helo=vega.skynet.aixah.de); authenticated by wp260.webpack.hosteurope.de running ExIM with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) id 1gGO06-0007EO-1Z; Sat, 27 Oct 2018 14:47:34 +0200 Received: by vega.skynet.aixah.de (Postfix, from userid 1000) id 90E6F260D4C; Sat, 27 Oct 2018 14:47:33 +0200 (CEST) From: Luis Ressel To: selinux-refpolicy@vger.kernel.org Subject: [PATCH] services/ssh: Don't audit accesses from ssh_t to /dev/random Date: Sat, 27 Oct 2018 14:47:03 +0200 Message-Id: <20181027124703.2283-1-aranea@aixah.de> X-Mailer: git-send-email 2.19.1 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-bounce-key: webpack.hosteurope.de;aranea@aixah.de;1540644455;b41e51a3; X-HE-SMSGID: 1gGO06-0007EO-1Z Sender: selinux-refpolicy-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org OpenSSL 1.1 always opens both /dev/urandom and /dev/random, which generates spurious denial messages for ssh_t, ssh_keygen_t and probably various other domains too. The code only uses /dev/random as a fallback and can cope with an open() failure just fine, so I'm dontauditing the access. However, I don't have strong feelings about this -- if someone would prefer to allow these accesses instead, I'd be okay with that too. --- policy/modules/services/ssh.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te index 092fe422..4e37a264 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -156,6 +156,7 @@ corenet_tcp_connect_ssh_port(ssh_t) corenet_sendrecv_ssh_client_packets(ssh_t) dev_read_urand(ssh_t) +dev_dontaudit_read_rand(ssh_t) fs_getattr_all_fs(ssh_t) fs_search_auto_mountpoints(ssh_t) @@ -352,6 +353,7 @@ fs_search_auto_mountpoints(ssh_keygen_t) dev_read_sysfs(ssh_keygen_t) dev_read_urand(ssh_keygen_t) +dev_dontaudit_read_rand(ssh_keygen_t) term_dontaudit_use_console(ssh_keygen_t) -- 2.19.1