2018-10-27 12:47:36

by Luis Ressel

[permalink] [raw]
Subject: [PATCH] services/ssh: Don't audit accesses from ssh_t to /dev/random

OpenSSL 1.1 always opens both /dev/urandom and /dev/random, which
generates spurious denial messages for ssh_t, ssh_keygen_t and probably
various other domains too.

The code only uses /dev/random as a fallback and can cope with an open()
failure just fine, so I'm dontauditing the access. However, I don't have
strong feelings about this -- if someone would prefer to allow these
accesses instead, I'd be okay with that too.
---
policy/modules/services/ssh.te | 2 ++
1 file changed, 2 insertions(+)

diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 092fe422..4e37a264 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -156,6 +156,7 @@ corenet_tcp_connect_ssh_port(ssh_t)
corenet_sendrecv_ssh_client_packets(ssh_t)

dev_read_urand(ssh_t)
+dev_dontaudit_read_rand(ssh_t)

fs_getattr_all_fs(ssh_t)
fs_search_auto_mountpoints(ssh_t)
@@ -352,6 +353,7 @@ fs_search_auto_mountpoints(ssh_keygen_t)

dev_read_sysfs(ssh_keygen_t)
dev_read_urand(ssh_keygen_t)
+dev_dontaudit_read_rand(ssh_keygen_t)

term_dontaudit_use_console(ssh_keygen_t)

--
2.19.1



2018-10-27 19:11:31

by Chris PeBenito

[permalink] [raw]
Subject: Re: [PATCH] services/ssh: Don't audit accesses from ssh_t to /dev/random

On 10/27/2018 08:47 AM, Luis Ressel wrote:
> OpenSSL 1.1 always opens both /dev/urandom and /dev/random, which
> generates spurious denial messages for ssh_t, ssh_keygen_t and probably
> various other domains too.
>
> The code only uses /dev/random as a fallback and can cope with an open()
> failure just fine, so I'm dontauditing the access. However, I don't have
> strong feelings about this -- if someone would prefer to allow these
> accesses instead, I'd be okay with that too.
> ---
> policy/modules/services/ssh.te | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
> index 092fe422..4e37a264 100644
> --- a/policy/modules/services/ssh.te
> +++ b/policy/modules/services/ssh.te
> @@ -156,6 +156,7 @@ corenet_tcp_connect_ssh_port(ssh_t)
> corenet_sendrecv_ssh_client_packets(ssh_t)
>
> dev_read_urand(ssh_t)
> +dev_dontaudit_read_rand(ssh_t)
>
> fs_getattr_all_fs(ssh_t)
> fs_search_auto_mountpoints(ssh_t)
> @@ -352,6 +353,7 @@ fs_search_auto_mountpoints(ssh_keygen_t)
>
> dev_read_sysfs(ssh_keygen_t)
> dev_read_urand(ssh_keygen_t)
> +dev_dontaudit_read_rand(ssh_keygen_t)
>
> term_dontaudit_use_console(ssh_keygen_t)

Merged.

--
Chris PeBenito