Bug 844477

Summary: SELinux prevents /usr/sbin/dkim-filter (dkim_milter_t) from reading both /dev/random (random_device_t) and /dev/urandom (urandom_device_t)
Product: Red Hat Enterprise Linux 7 Reporter: Milos Malik <mmalik>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED CURRENTRELEASE QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 7.0CC: mgrepl
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-06-13 11:07:10 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Milos Malik 2012-07-30 20:25:42 UTC 
Description of problem:


Version-Release number of selected component (if applicable):
selinux-policy-minimum-3.10.0-137.el7.noarch
selinux-policy-doc-3.10.0-137.el7.noarch
selinux-policy-3.10.0-137.el7.noarch
selinux-policy-mls-3.10.0-137.el7.noarch
selinux-policy-devel-3.10.0-137.el7.noarch
selinux-policy-targeted-3.10.0-137.el7.noarch
dkim-milter-2.8.3-8.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. get a RHEL-7.0 machine
2. run following automated test:
 * /CoreOS/selinux-policy/Regression/bz718219-dkim-milter-and-similar
3. search for AVCs
  
Actual results:
----
time->Mon Jul 30 22:09:38 2012
type=PATH msg=audit(1343678978.389:35585): item=0 name="/dev/urandom" inode=2057 dev=00:05 mode=020666 ouid=0 ogid=0 rdev=01:09 obj=system_u:object_r:urandom_device_t:s0
type=CWD msg=audit(1343678978.389:35585):  cwd="/"
type=SYSCALL msg=audit(1343678978.389:35585): arch=c000003e syscall=2 success=no exit=-13 a0=3304b5ab73 a1=900 a2=4223 a3=7fffd8381680 items=1 ppid=1 pid=16931 auid=4294967295 uid=990 gid=987 euid=990 suid=990 fsuid=990 egid=987 sgid=987 fsgid=987 tty=(none) ses=4294967295 comm="dkim-filter" exe="/usr/sbin/dkim-filter" subj=system_u:system_r:dkim_milter_t:s0 key=(null)
type=AVC msg=audit(1343678978.389:35585): avc:  denied  { read } for  pid=16931 comm="dkim-filter" name="urandom" dev="devtmpfs" ino=2057 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
----
time->Mon Jul 30 22:09:38 2012
type=PATH msg=audit(1343678978.390:35586): item=0 name="/dev/random" inode=2056 dev=00:05 mode=020666 ouid=0 ogid=0 rdev=01:08 obj=system_u:object_r:random_device_t:s0
type=CWD msg=audit(1343678978.390:35586):  cwd="/"
type=SYSCALL msg=audit(1343678978.390:35586): arch=c000003e syscall=2 success=no exit=-13 a0=3304b5ab80 a1=900 a2=d a3=7fffd8381680 items=1 ppid=1 pid=16931 auid=4294967295 uid=990 gid=987 euid=990 suid=990 fsuid=990 egid=987 sgid=987 fsgid=987 tty=(none) ses=4294967295 comm="dkim-filter" exe="/usr/sbin/dkim-filter" subj=system_u:system_r:dkim_milter_t:s0 key=(null)
type=AVC msg=audit(1343678978.390:35586): avc:  denied  { read } for  pid=16931 comm="dkim-filter" name="random" dev="devtmpfs" ino=2056 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file
----

Expected results:
 * no AVCs
Comment 1 Daniel Walsh 2012-07-31 15:20:26 UTC 
And this machine is not using ldap as the back end for passwd info?
Comment 2 Milos Malik 2012-08-01 11:51:03 UTC 
I believe it's not using any LDAP back-end.

# authconfig --test
caching is disabled
nss_files is always enabled
nss_compat is disabled
nss_db is disabled
nss_hesiod is disabled
 hesiod LHS = ""
 hesiod RHS = ""
nss_ldap is disabled
 LDAP+TLS is disabled
 LDAP server = "ldap://ldap.corp.redhat.com/"
 LDAP base DN = "dc=redhat,dc=com"
nss_nis is disabled
 NIS server = ""
 NIS domain = ""
nss_nisplus is disabled
nss_winbind is enabled
 SMB workgroup = "MYGROUP"
 SMB servers = ""
 SMB security = "user"
 SMB realm = ""
 Winbind template shell = "/bin/false"
 SMB idmap uid = "16777216-33554431"
 SMB idmap gid = "16777216-33554431"
nss_sss is disabled by default
nss_wins is disabled
nss_mdns4_minimal is disabled
DNS preference over NSS or WINS is disabled
pam_unix is always enabled
 shadow passwords are enabled
 password hashing algorithm is sha512
pam_krb5 is enabled
 krb5 realm = "REDHAT.COM"
 krb5 realm via dns is disabled
 krb5 kdc = "kerberos.corp.redhat.com"
 krb5 kdc via dns is disabled
 krb5 admin server = "kerberos.corp.redhat.com"
pam_ldap is disabled
 LDAP+TLS is disabled
 LDAP server = "ldap://ldap.corp.redhat.com/"
 LDAP base DN = "dc=redhat,dc=com"
 LDAP schema = "rfc2307"
pam_pkcs11 is disabled
 use only smartcard for login is disabled
 smartcard module = ""
 smartcard removal action = ""
pam_fprintd is disabled
pam_ecryptfs is disabled
pam_winbind is enabled
 SMB workgroup = "MYGROUP"
 SMB servers = ""
 SMB security = "user"
 SMB realm = ""
pam_sss is disabled by default
 credential caching in SSSD is enabled
 SSSD use instead of legacy services if possible is enabled
IPAv2 is disabled
IPAv2 domain was not joined
 IPAv2 server = ""
 IPAv2 realm = ""
 IPAv2 domain = ""
pam_pwquality is enabled (try_first_pass retry=3 type=)
pam_passwdqc is disabled ()
pam_access is disabled ()
pam_mkhomedir or pam_oddjob_mkhomedir is enabled ()
Always authorize local users is enabled ()
Authenticate system accounts against network services is disabled
#
Comment 3 Daniel Walsh 2012-08-01 19:39:33 UTC 
fixed in selinux-policy-3.11.0-15.el7
Comment 5 Ludek Smid 2014-06-13 11:07:10 UTC 
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.