From: chas@cmf.nrl.navy.mil (chas williams - CONTRACTOR)
Date: Mon, 5 Jan 2015 13:58:43 -0500
Subject: [refpolicy] [PATCH] afs: update labels,
 file contexts and allow access to urandom
In-Reply-To: <20150105181043.GA12231@bigboy.network2>
References: <20150105101436.71aed0fd@thirdoffive.cmf.nrl.navy.mil>
	<20150105181043.GA12231@bigboy.network2>
Message-ID: <20150105135843.5edcfd7b@thirdoffive.cmf.nrl.navy.mil>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, 5 Jan 2015 19:10:45 +0100
Dominick Grift <dac.override@gmail.com> wrote:

> I suspect that the urandom access is part of nsswitch functionality (getpw?) because i also see other rules that match that pattern.

I suspect it is due to more recent versions of OpenAFS being linked
against heimdal (or your native krb5 libraries).  I suspect it is
possible that the libraries might attempt to read random but reading
allowing urandom should hopefully be sufficient.

>From hcrypto/rand-unix.c:

int
_hc_unix_device_fd(int flags, const char **fn)
{
    static const char *rnd_devices[] = {
        "/dev/urandom",
        "/dev/random",
        "/dev/srandom",
        "/dev/arandom",
        NULL
    };


> When reviewing the afs policy i also noticed some obvious redundant and wrong rules which i removed in a different commit 8bc232786bb2f84054108c6b8d22e312d40c256f

Thanks!