XFree86 accessing /dev/urandom AVCs.
Russell Coker
russell at coker.com.au
Fri Mar 19 10:19:34 UTC 2004
On Fri, 19 Mar 2004 19:52, Aleksey Nogin <aleksey at nogin.org> wrote:
> Not sure where these come from (possibly it's because of my using the
> vnc module in X). Safe to dontaudit?
>
> audit(1079686139.241:0): avc: denied { getattr } for pid=9439
> exe=/usr/X11R6/bin/XFree86 path=/dev/urandom dev=hda2 ino=2689265
> scontext=system_u:system_r:xdm_xserver_t
> tcontext=system_u:object_r:urandom_device_t tclass=chr_file
> audit(1079686139.241:0): avc: denied { ioctl } for pid=9439
> exe=/usr/X11R6/bin/XFree86 path=/dev/urandom dev=hda2 ino=2689265
> scontext=system_u:system_r:xdm_xserver_t
> tcontext=system_u:object_r:urandom_device_t tclass=chr_file
As far as I am aware there is no valid ioctl for the urandom device, it takes
reads as requests for random data and writes as additions to the entropy
pool. Programs that do an IOCTL are bogus, but there's no harm in allowing
it. As for getattr, that's valid so I've changed my tree to allow that too.
Read was already allowed for SSP (which only does blind reads with no getattr
and no ioctl).
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
More information about the fedora-selinux-list
mailing list