From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Mon, 13 Jul 2009 11:49:00 -0400
Subject: [refpolicy] AVC denials: hostname
In-Reply-To: <87prckjvwq.fsf@anzu.internal.golden-gryphon.com>
References: <873a9oi2ql.fsf@anzu.internal.golden-gryphon.com> <1245956314.4230.913.camel@gorn.columbia.tresys.com> <87prckjvwq.fsf@anzu.internal.golden-gryphon.com>
Message-ID: <1247500140.25956.17.camel@gorn.columbia.tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, 2009-07-01 at 09:54 -0500, Manoj Srivastava wrote:
> On Thu, Jun 25 2009, Christopher J. PeBenito wrote:
>
> > On Thu, 2009-06-25 at 13:32 -0500, Manoj Srivastava wrote:
> >
> > Looks like mislabeled files. Are there any static device nodes under
> > the udev /dev?
>
> Well, there were no static files, but there was an underlying
> /dev directory that was unlabeled, and the warnings were from before
> udev created the overlay mount. In any case, I used a liveCD to access,
> and label, the static /dev underlay, and the avc denials have been much
> mitigated.
>
> I updated the policy to the git version from the 29th, and I
> have been noticing a whole slew of avc denials (about 23 distinct
> entities) that were denied open/read access to /dev/urandom; the logs
> are attached. These were not just early boot; I continue to get ping
> and hostname denials periodically.
>
> If these attempts to read /dev/urandom are spurious, should
> there be dontaudit clauses to prevent these from filling up the log?

Does Debian use SSP now? This is what I would expect if many programs,
if not all, are compiled with SSP. If so, use the global_ssp tunable.
> plain text document attachment (avc-urandom.txt), "avc denials for
> urandom"
> ----
> time->Mon Jun 29 13:44:46 2009
> type=SYSCALL msg=audit(1246301086.056:17): arch=c000003e syscall=2 success=yes exit=3 a0=7f7176904906 a1=0 a2=7f7176ae66f0 a3=22 items=0 ppid=2221 pid=2234 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=4294967295 comm="loadkeys" exe="/bin/loadkeys" subj=system_u:system_r:loadkeys_t:s0 key=(null)
> type=AVC msg=audit(1246301086.056:17): avc: denied { open } for pid=2234 comm="loadkeys" name="urandom" dev=tmpfs ino=6857 scontext=system_u:system_r:loadkeys_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
> type=AVC msg=audit(1246301086.056:17): avc: denied { read } for pid=2234 comm="loadkeys" name="urandom" dev=tmpfs ino=6857 scontext=system_u:system_r:loadkeys_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
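The reply above asks whether the denials are the SSP pattern (many unrelated domains each wanting only open/read on /dev/urandom) before reaching for the global_ssp tunable or a dontaudit. The script below is an added example, not part of this thread or of refpolicy: it parses audit records in the format of the attached log, groups denials against urandom_device_t by source domain, and separates domains that ask only for open/read (consistent with SSP canary setup) from domains that ask for anything more, which deserve a policy look rather than a blanket rule. The first records in the sample are the loadkeys lines from the attachment; the ping_t, hostname_t and unconfined_t records are constructed (pids, inodes and timestamps are made up) to illustrate the grouping.

```python
import re
from collections import defaultdict

# Constructed sample log. The SYSCALL record and the two loadkeys AVC
# records are copied from the attachment; the remaining AVC records are
# made up for illustration (pids, inodes and timestamps are not real).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1246301086.056:17): arch=c000003e syscall=2 success=yes exit=3 a0=7f7176904906 a1=0 a2=7f7176ae66f0 a3=22 items=0 ppid=2221 pid=2234 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=4294967295 comm="loadkeys" exe="/bin/loadkeys" subj=system_u:system_r:loadkeys_t:s0 key=(null)
type=AVC msg=audit(1246301086.056:17): avc: denied { open } for pid=2234 comm="loadkeys" name="urandom" dev=tmpfs ino=6857 scontext=system_u:system_r:loadkeys_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC msg=audit(1246301086.056:17): avc: denied { read } for pid=2234 comm="loadkeys" name="urandom" dev=tmpfs ino=6857 scontext=system_u:system_r:loadkeys_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC msg=audit(1246301200.101:40): avc: denied { open } for pid=3010 comm="ping" name="urandom" dev=tmpfs ino=6857 scontext=system_u:system_r:ping_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC msg=audit(1246301200.101:40): avc: denied { read } for pid=3010 comm="ping" name="urandom" dev=tmpfs ino=6857 scontext=system_u:system_r:ping_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC msg=audit(1246301260.500:41): avc: denied { read } for pid=3022 comm="hostname" name="urandom" dev=tmpfs ino=6857 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC msg=audit(1246301300.200:42): avc: denied { write } for pid=3040 comm="somedaemon" name="urandom" dev=tmpfs ino=6857 scontext=system_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
"""

# Fields of an AVC denial record: permission set, comm, source domain
# (third field of scontext), target type (third field of tcontext), class.
# The trailing \S* after each context swallows an MLS level such as ":s0".
AVC_RE = re.compile(
    r'type=AVC .*?avc: +denied +\{ *(?P<perms>[^}]+)\} +for .*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=[^:\s]+:[^:\s]+:(?P<sdomain>[^:\s]+)\S* +'
    r'tcontext=[^:\s]+:[^:\s]+:(?P<ttype>[^:\s]+)\S* +'
    r'tclass=(?P<tclass>\S+)'
)

# Permissions that the SSP canary setup needs on /dev/urandom, per the
# reply above: open and read, nothing else.
SSP_PERMS = frozenset({"open", "read"})


def parse_avc(log_text):
    """Yield one dict per AVC denial record; non-AVC records are skipped."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        yield {
            "perms": frozenset(m.group("perms").split()),
            "comm": m.group("comm"),
            "sdomain": m.group("sdomain"),
            "ttype": m.group("ttype"),
            "tclass": m.group("tclass"),
        }


def summarize_urandom_denials(log_text):
    """Map source domain -> set of permissions denied on urandom_device_t chr_file."""
    by_domain = defaultdict(set)
    for rec in parse_avc(log_text):
        if rec["ttype"] == "urandom_device_t" and rec["tclass"] == "chr_file":
            by_domain[rec["sdomain"]].update(rec["perms"])
    return dict(by_domain)


def classify(summary):
    """Split domains into SSP-like (only open/read wanted) and everything else."""
    ssp_like = sorted(d for d, p in summary.items() if p and p <= SSP_PERMS)
    other = sorted(d for d, p in summary.items() if not p <= SSP_PERMS)
    return ssp_like, other


def main():
    summary = summarize_urandom_denials(SAMPLE_AUDIT_LOG)
    ssp_like, other = classify(summary)
    print("domains denied on urandom_device_t:", len(summary))
    for domain in ssp_like:
        print(f"  SSP-like   {domain}: {sorted(summary[domain])}")
    for domain in other:
        print(f"  review     {domain}: {sorted(summary[domain])}")


if __name__ == "__main__":
    main()
```

Run against a real audit.log, the "SSP-like" list is the set of domains that the global_ssp tunable (named in the reply) would quiet in one step; any domain in the "review" list wants more than SSP needs and should be handled by its own policy module instead. Toggling the tunable on a refpolicy-based system is `setsebool -P global_ssp on`, assuming the loaded policy provides that boolean.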