Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-4.2 required=3.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_PASS autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9D5AFC46475 for ; Sat, 27 Oct 2018 19:11:31 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id D08762082C for ; Sat, 27 Oct 2018 19:11:30 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=ieee.org header.i=@ieee.org header.b="SBzpVQkF" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org D08762082C Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=ieee.org Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728459AbeJ1Dx0 (ORCPT ); Sat, 27 Oct 2018 23:53:26 -0400 Received: from mail-qt1-f194.google.com ([209.85.160.194]:40169 "EHLO mail-qt1-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728213AbeJ1DxZ (ORCPT ); Sat, 27 Oct 2018 23:53:25 -0400 Received: by mail-qt1-f194.google.com with SMTP id l11-v6so4356236qtf.7 for ; Sat, 27 Oct 2018 12:11:29 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ieee.org; s=google; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-language:content-transfer-encoding; bh=uDuht6SYKQ+UStsLeHewID1rY5E0K4enl4ow8E5E298=; b=SBzpVQkFoA50gSWrdS532cru9m7lrqd84dSSmpaMgKOX3pM4TA/D8whSnrVr/0q6Di pw5VDw1wmnPFPRf1DU0GtmU8D4gJdZfFzug1WqrlhbPf0A37YBYvh7fypK/CXldT8vLO 24eRZi+F2jh8i4kLdJBpGubYMB5Y+4zBpJk3w= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=uDuht6SYKQ+UStsLeHewID1rY5E0K4enl4ow8E5E298=; b=VW0u/AQiv/QEK44GEd/aQADDfNjy2EWyzVH1ymPMFgScbl5F84/jC28AyY6vVZPj8p BfbICDeIXghcnt/FzPOZph7ykGdI/hgLsHhvvOBStJVKn6TNUquzwiVGAgYOe8n9esmX XslAEUCsFgByuxo/nLyAt3Psgwpxc51jobfJcY8R6Iml/DgQkG67buKyaD1iJUTwFLYT uPVaAI9Cc5F5IY0D+OlO/DL5SPjGoMClQuefNzAL40NtTfW2cr/79hkMZiRmrQw6dCCv uhFkm0aE7/3MmUbAPkLvuUrpyUbANam09jcHLe2edvmDJpVe2SrphZNPATdad1DOYYHs i7jg== X-Gm-Message-State: AGRZ1gJ4Jt2qNEOLWKmWAkBrQz4yxhQORGE3b/aPN/H6YBuq/xXNyPMp aG3td5Kwa5bM9HKpShEo7uMrciM7lEM= X-Google-Smtp-Source: AJdET5cDB/6xsX6aI/H4HHCsFMMnkfnXwF6fAaNdSMckq7iLMKskNYXqnGQKMHZ/BRr3Z7fQTVZ7cg== X-Received: by 2002:a0c:95e6:: with SMTP id t35mr7785412qvt.163.1540667489125; Sat, 27 Oct 2018 12:11:29 -0700 (PDT) Received: from [192.168.1.190] (pool-68-134-29-209.bltmmd.fios.verizon.net. [68.134.29.209]) by smtp.gmail.com with ESMTPSA id q24-v6sm10282306qtb.26.2018.10.27.12.11.27 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sat, 27 Oct 2018 12:11:28 -0700 (PDT) Subject: Re: [PATCH] services/ssh: Don't audit accesses from ssh_t to /dev/random To: Luis Ressel , selinux-refpolicy@vger.kernel.org References: <20181027124703.2283-1-aranea@aixah.de> From: Chris PeBenito Message-ID: <6a7039f5-9dc4-aa7d-c990-bd098726ed3f@ieee.org> Date: Sat, 27 Oct 2018 15:10:51 -0400 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1 MIME-Version: 1.0 In-Reply-To: <20181027124703.2283-1-aranea@aixah.de> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: selinux-refpolicy-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org On 10/27/2018 08:47 AM, Luis Ressel wrote: > OpenSSL 1.1 always opens both /dev/urandom and /dev/random, which > generates spurious denial messages for ssh_t, ssh_keygen_t and probably > various other domains too. > > The code only uses /dev/random as a fallback and can cope with an open() > failure just fine, so I'm dontauditing the access. However, I don't have > strong feelings about this -- if someone would prefer to allow these > accesses instead, I'd be okay with that too. > --- > policy/modules/services/ssh.te | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te > index 092fe422..4e37a264 100644 > --- a/policy/modules/services/ssh.te > +++ b/policy/modules/services/ssh.te > @@ -156,6 +156,7 @@ corenet_tcp_connect_ssh_port(ssh_t) > corenet_sendrecv_ssh_client_packets(ssh_t) > > dev_read_urand(ssh_t) > +dev_dontaudit_read_rand(ssh_t) > > fs_getattr_all_fs(ssh_t) > fs_search_auto_mountpoints(ssh_t) > @@ -352,6 +353,7 @@ fs_search_auto_mountpoints(ssh_keygen_t) > > dev_read_sysfs(ssh_keygen_t) > dev_read_urand(ssh_keygen_t) > +dev_dontaudit_read_rand(ssh_keygen_t) > > term_dontaudit_use_console(ssh_keygen_t) Merged. -- Chris PeBenito