From: chas@cmf.nrl.navy.mil (chas williams - CONTRACTOR)
Date: Mon, 5 Jan 2015 13:58:43 -0500
Subject: [refpolicy] [PATCH] afs: update labels, file contexts and allow access to urandom
In-Reply-To: <20150105181043.GA12231@bigboy.network2>
References: <20150105101436.71aed0fd@thirdoffive.cmf.nrl.navy.mil> <20150105181043.GA12231@bigboy.network2>
Message-ID: <20150105135843.5edcfd7b@thirdoffive.cmf.nrl.navy.mil>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, 5 Jan 2015 19:10:45 +0100
Dominick Grift wrote:

> I suspect that the urandom access is part of nsswitch functionality
> (getpw?) because I also see other rules that match that pattern.

I suspect it is due to more recent versions of OpenAFS being linked
against heimdal (or your native krb5 libraries). I suspect it is
possible that the libraries might attempt to read random, but allowing
urandom should hopefully be sufficient.

From hcrypto/rand-unix.c:

    int
    _hc_unix_device_fd(int flags, const char **fn)
    {
        static const char *rnd_devices[] = {
            "/dev/urandom",
            "/dev/random",
            "/dev/srandom",
            "/dev/arandom",
            NULL
        };

> When reviewing the afs policy I also noticed some obvious redundant
> and wrong rules which I removed in a different commit
> 8bc232786bb2f84054108c6b8d22e312d40c256f

Thanks!
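The point of the quoted device list is that the library walks it in order and stops at the first node it can open, so a policy that permits only /dev/urandom satisfies the first attempt and /dev/random is never touched; if urandom is denied (EACCES from SELinux) or absent (ENOENT), the loop silently falls through to the next entry. The following is an added example that mimics that fallback, written for this page and not taken from heimdal or OpenAFS; the four device names are the ones quoted above, the "/nonexistent/..." paths and the demo lists are constructed for the demonstration, and the short-read and EAGAIN handling is this example's own, not a claim about what heimdal does.

```c
/* Added example modeled on the device fallback quoted from heimdal's
 * hcrypto/rand-unix.c.  Illustrative code, not heimdal's or OpenAFS's own. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>

/* Order as quoted in the mail: urandom is tried first, so permitting only
 * urandom satisfies the first attempt and the other nodes are never opened. */
static const char *const heimdal_order[] = {
    "/dev/urandom", "/dev/random", "/dev/srandom", "/dev/arandom", NULL
};

/* Constructed lists for the demonstration (the /nonexistent paths are
 * hypothetical and stand in for a node that is missing or denied). */
static const char *const demo_devnull_first[] = { "/nonexistent/random", "/dev/null", NULL };
static const char *const demo_urandom_fallback[] = { "/nonexistent/random", "/dev/urandom", NULL };
static const char *const demo_none[] = { "/nonexistent/random", "/nonexistent/urandom", NULL };

/* Open the first entry in devs that the caller is allowed to open.  An
 * SELinux denial arrives here as EACCES and a missing node as ENOENT;
 * both simply advance to the next entry.  Returns the fd and stores the
 * list index in *which, or returns -1 with *which = -1. */
int open_first_device(const char *const *devs, int *which)
{
    for (int i = 0; devs[i] != NULL; i++) {
        int fd = open(devs[i], O_RDONLY | O_NONBLOCK | O_CLOEXEC);
        if (fd >= 0) {
            if (which) *which = i;
            return fd;
        }
    }
    if (which) *which = -1;
    return -1;
}

/* Read exactly n bytes: retry on EINTR, wait up to 1 s on EAGAIN (blocking
 * pool not ready), and treat EOF or any other error as failure.  A device
 * that opens but delivers nothing (e.g. /dev/null) is rejected here. */
static int read_fully(int fd, unsigned char *buf, size_t n)
{
    size_t got = 0;
    while (got < n) {
        ssize_t r = read(fd, buf + got, n - got);
        if (r > 0) { got += (size_t)r; continue; }
        if (r == 0) return -1;
        if (errno == EINTR) continue;
        if (errno == EAGAIN || errno == EWOULDBLOCK) {
            struct pollfd p = { .fd = fd, .events = POLLIN, .revents = 0 };
            if (poll(&p, 1, 1000) > 0) continue;
        }
        return -1;
    }
    return 0;
}

/* Fill buf from the first device that both opens and supplies n bytes.
 * Returns the index of the device used, or -1 if none did. */
int fill_random(const char *const *devs, unsigned char *buf, size_t n)
{
    for (int i = 0; devs[i] != NULL; i++) {
        int fd = open(devs[i], O_RDONLY | O_NONBLOCK | O_CLOEXEC);
        if (fd < 0) continue;
        int ok = read_fully(fd, buf, n);
        close(fd);
        if (ok == 0) return i;
    }
    return -1;
}

/* Helpers returning plain indices so the behaviour can be checked. */
int first_openable(const char *const *devs)
{
    int which;
    int fd = open_first_device(devs, &which);
    if (fd >= 0) close(fd);
    return which;
}

int which_device_fills(const char *const *devs, size_t n)
{
    unsigned char buf[64];
    if (n > sizeof buf) return -1;
    return fill_random(devs, buf, n);
}

int main(void)
{
    unsigned char key[16];
    int i = fill_random(heimdal_order, key, sizeof key);
    if (i < 0) { fprintf(stderr, "no usable random device\n"); return 1; }
    printf("%zu bytes from %s\n", sizeof key, heimdal_order[i]);
    return 0;
}
```

Run under a confined domain, the main() above reports which node actually served the request; if the policy allows only urandom the answer is /dev/urandom, and an AVC denial on /dev/random would only show up if urandom itself were refused first. The difference between open_first_device and fill_random is also the practical caveat: a node that opens but returns no data (/dev/null in the demo list) is "found" by the open-only loop but rejected once bytes are required.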