Bug 1289274 - SELinux prevents dmidecode from reading /dev/urandom [NEEDINFO]
SELinux prevents dmidecode from reading /dev/urandom
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy (Show other bugs)
7.2
All Linux
medium Severity unspecified
: rc
: ---
Assigned To: Lukas Vrabec
Milos Malik
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2015-12-07 14:43 EST by Vasu Kulkarni
Modified: 2017-04-06 08:38 EDT (History)
7 users (show)

See Also:
Fixed In Version: selinux-policy-3.13.1-60.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-11-03 22:25:45 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
ksrot: needinfo? (vakulkar)


Attachments (Terms of Use)

  None (edit)
Description Vasu Kulkarni 2015-12-07 14:43:59 EST
Description of problem:

During Ceph product testing using 7.2GA, there are many denials that show up from dmidecode process in audit log, Is this a dmidecode issue?

 ['type=AVC msg=audit(1449285376.434:1350): avc: denied { read } for pid=6080 comm="dmidecode" path="/dev/urandom" dev="devtmpfs" ino=1033 scontext=system_u:system_r:dmidecode_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file'] 


Version-Release number of selected component (if applicable):

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

uname:
Linux magna036 3.10.0-229.el7.x86_64 #1 SMP Thu Jan 29 18:37:38 EST 2015 x86_64 x86_64 x86_64 GNU/Linux

rpn package:
dmidecode-2.12-5.el7.x86_64
python-dmidecode-3.10.13-11.el7.x86_64



How reproducible:


Steps to Reproduce:
7.2 GA build with Selinux enabled


Actual results:

Denials in audit.log from dmidecode


Expected results:



Additional info:
Comment 1 Milos Malik 2015-12-08 02:31:49 EST
# rpm -qa selinux-policy\*
selinux-policy-sandbox-3.13.1-60.el7.noarch
selinux-policy-mls-3.13.1-60.el7.noarch
selinux-policy-3.13.1-60.el7.noarch
selinux-policy-minimum-3.13.1-60.el7.noarch
selinux-policy-devel-3.13.1-60.el7.noarch
selinux-policy-doc-3.13.1-60.el7.noarch
selinux-policy-targeted-3.13.1-60.el7.noarch
# sesearch -s dmidecode_t -t urandom_device_t -c chr_file -A -C -p read
Found 2 semantic av rules:
   allow domain urandom_device_t : chr_file { ioctl read getattr lock open } ; 
DT allow domain urandom_device_t : chr_file { ioctl read getattr lock open } ; [ global_ssp ]

# 

Which version of selinux-policy was installed on that machine?
Comment 2 Vasu Kulkarni 2015-12-08 14:31:43 EST
Following version is installed

[ubuntu@magna031 cd]$ rpm -qa selinux-policy\*
selinux-policy-3.13.1-60.el7.noarch
selinux-policy-targeted-3.13.1-60.el7.noarch
Comment 3 Lukas Vrabec 2016-03-17 08:02:42 EDT
#============= dmidecode_t ==============

#!!!! This avc is allowed in the current policy
allow dmidecode_t urandom_device_t:chr_file read;

[root@bkr-hv10-guest16 ~]# rpm -q selinux-policy 
selinux-policy-3.13.1-60.el7_2.3.noarch

[root@bkr-hv10-guest16 ~]# sesearch -s dmidecode_t -t urandom_device_t -c chr_file -A -C -p read
Found 2 semantic av rules:
   allow domain urandom_device_t : chr_file { ioctl read getattr lock open } ; 
DT allow domain urandom_device_t : chr_file { ioctl read getattr lock open } ; [ global_ssp ]


selinux-policy-3.13.1-60.el7.noarch looks fine.
Comment 8 errata-xmlrpc 2016-11-03 22:25:45 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2283.html

Note You need to log in before you can comment on or make changes to this bug.