Bug 1124832 - selinux prevents rndc from reading urandom in FIPS
Summary: selinux prevents rndc from reading urandom in FIPS
Keywords:
Status: CLOSED DUPLICATE of bug 1110397
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.6
Hardware: All
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Miroslav Grepl
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-07-30 12:21 UTC by Ondrej Moriš
Modified: 2014-07-30 16:10 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-07-30 16:10:30 UTC



Description Ondrej Moriš 2014-07-30 12:21:38 UTC
Description of problem:

In FIPS mode, selinux prevents /usr/sbin/rndc from reading urandom, with the following AVC:

time->Thu Jul 10 11:56:41 2014
type=SYSCALL msg=audit(1405007801.451:984): arch=40000003 syscall=5 success=no exit=-13 a0=7e194a a1=900 a2=b775bcb8 a3=0 items=0 ppid=14077 pid=14080 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rndc" exe="/usr/sbin/rndc" subj=unconfined_u:system_r:ndc_t:s0 key=(null)
type=AVC msg=audit(1405007801.451:984): avc:  denied  { read } for  pid=14080 comm="rndc" name="urandom" dev=devtmpfs ino=3913 scontext=unconfined_u:system_r:ndc_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file

Version-Release number of selected component (if applicable):

selinux-policy-3.7.19-231.el6_5.3

How reproducible:

100%

Steps to Reproduce:

1. Execute the following test in FIPS mode:
   - /CoreOS/openssh/Security/bz1081343-openssh-failure-to-check-DNS-SSHFP-records-in

Actual results:

AVC found, test fails.

Expected results:

No AVC, test should pass.

Additional info:

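As an added example (not part of the bug report or of the selinux-policy project), a small Python parser for the ausearch-style records quoted above: it pairs each AVC denial with its SYSCALL record by audit serial, pulls out the source type, target type, object class and permissions, and renders the allow rule audit2allow would derive from the denial. The sample input is the two records from this report, embedded inline.

```python
import re

# Constructed sample: the ausearch output quoted in this bug report.
SAMPLE_AUDIT = """\
time->Thu Jul 10 11:56:41 2014
type=SYSCALL msg=audit(1405007801.451:984): arch=40000003 syscall=5 success=no exit=-13 a0=7e194a a1=900 a2=b775bcb8 a3=0 items=0 ppid=14077 pid=14080 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rndc" exe="/usr/sbin/rndc" subj=unconfined_u:system_r:ndc_t:s0 key=(null)
type=AVC msg=audit(1405007801.451:984): avc:  denied  { read } for  pid=14080 comm="rndc" name="urandom" dev=devtmpfs ino=3913 scontext=unconfined_u:system_r:ndc_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
"""

SERIAL_RE = re.compile(r'msg=audit\([\d.]+:(\d+)\)')
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def kv_fields(text):
    """Turn 'k=v k="quoted v"' runs into a dict, dropping the quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}

def context_type(ctx):
    """SELinux context user:role:type[:level] -> the type component."""
    return ctx.split(':')[2]

def te_rule(denial):
    """Render the allow rule that would satisfy this denial (what audit2allow derives)."""
    perms = denial['perms']
    perm_text = perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)
    return 'allow %s %s:%s %s;' % (context_type(denial['scontext']),
                                    context_type(denial['tcontext']), denial['tclass'], perm_text)

def parse_audit(log):
    """Collect AVC records, attaching the exe of the SYSCALL record with the same audit serial."""
    exes, denials = {}, []
    for line in log.splitlines():
        serial = SERIAL_RE.search(line)
        if not serial:
            continue  # e.g. the 'time->' separator that ausearch prints
        serial = int(serial.group(1))
        if line.startswith('type=SYSCALL'):
            exes[serial] = kv_fields(line).get('exe')
        elif line.startswith('type=AVC') and AVC_RE.search(line):
            m = AVC_RE.search(line)
            f = kv_fields(m.group(3))
            denials.append({'serial': serial, 'action': m.group(1), 'perms': m.group(2).split(),
                            'comm': f.get('comm'), 'scontext': f['scontext'],
                            'tcontext': f['tcontext'], 'tclass': f['tclass']})
    for d in denials:
        d['exe'] = exes.get(d['serial'])  # None if the SYSCALL record was not captured
    return denials
```

The rendered rule is a triage aid for confirming which access the policy lacks; for a distribution policy gap like this one the fix belongs in selinux-policy (tracked here under bug 1110397), not in a site-local module.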
Comment 2 Ondrej Moriš 2014-07-30 12:25:48 UTC
Please notice that no such AVC is reported with FIPS mode disabled; the aforementioned rndc call comes from somewhere in the bind-utils package (my guess is that it is called only in FIPS mode and that the issue can be reproduced simply by calling rndc).

Comment 3 Milos Malik 2014-07-30 14:34:11 UTC
Similar to BZ#1110397.

Comment 5 Miroslav Grepl 2014-07-30 16:10:30 UTC

*** This bug has been marked as a duplicate of bug 1110397 ***
