This happens at every boot since I updated to tuned 0.2.9. It's not clear to me why tuned would want to access urandom, though.

Sommario:

SELinux prevented tuned from reading from the urandom device.

Descrizione dettagliata:

[SELinux è in modalità permissiva. Questo accesso non è stato negato.]

SELinux prevented tuned from reading from the urandom device. This access should be allowed for individual applications, but there are situations where all applications require the access (for example, when ProPolice/SSP stack smashing protection is used). Allowing this access may allow malicious applications to drain the kernel entropy pool. This can compromise the ability of some software that is dependent on high quality random numbers (e.g., ssh-keygen) to operate effectively. The risk of this type of attack is relatively low.

Abilitazione accesso in corso:

Changing the "global_ssp" boolean to true will allow this access: "setsebool -P global_ssp=1."

Comando fix:

setsebool -P global_ssp=1

Informazioni aggiuntive:

Contesto della sorgente       system_u:system_r:tuned_t:s0
Contesto target               system_u:object_r:urandom_device_t:s0
Oggetti target                urandom [ chr_file ]
Sorgente                      tuned
Percorso della sorgente       /usr/bin/python
Porta                         <Sconosciuto>
Host                          (removed)
Sorgente Pacchetti RPM        python-2.6.2-6.fc12
Pacchetti RPM target
RPM della policy              selinux-policy-3.6.32-78.fc12
Selinux abilitato             True
Tipo di policy                targeted
Modalità Enforcing            Permissive
Nome plugin                   global_ssp
Host Name                     (removed)
Piattaforma                   Linux (removed) 2.6.32.7-39.fc12.x86_64 #1 SMP Mon Feb 1 00:35:43 UTC 2010 x86_64 x86_64
Conteggio avvisi              2
Primo visto                   mar 02 feb 2010 18:43:02 CET
Ultimo visto                  mar 02 feb 2010 18:43:02 CET
ID locale                     03939224-2458-4d98-b1f5-d1502fe7679f
Numeri di linea

Messaggi Raw Audit

node=(removed) type=AVC msg=audit(1265132582.304:11830): avc: denied { read } for pid=1506 comm="tuned" name="urandom" dev=devtmpfs ino=3482 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file

node=(removed) type=AVC msg=audit(1265132582.304:11830): avc: denied { open } for pid=1506 comm="tuned" name="urandom" dev=devtmpfs ino=3482 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file

node=(removed) type=SYSCALL msg=audit(1265132582.304:11830): arch=c000003e syscall=2 success=yes exit=4294967424 a0=192e130 a1=0 a2=1ff a3=7fff97f1ea18 items=0 ppid=1505 pid=1506 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="tuned" exe="/usr/bin/python" subj=system_u:system_r:tuned_t:s0 key=(null)

Hash String generated from selinux-policy-3.6.32-78.fc12,global_ssp,tuned,tuned_t,urandom_device_t,chr_file,read

audit2allow suggests:

#============= tuned_t ==============
#!!!! This avc can be allowed using the boolean 'global_ssp'

allow tuned_t urandom_device_t:chr_file { read open };
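The raw audit records in the report above can be triaged mechanically. The following is an added example, not part of the original report and not the audit2allow implementation: it groups the AVC denials by source type, target type and class, merges their permissions into one allow rule, and uses the SYSCALL record's success field to tell a logged-only (permissive) denial from an enforced one. The names summarize, selinux_type and logged_only are assumptions made for this illustration.

```python
import re
from collections import OrderedDict

# The two AVC records and the SYSCALL record copied from the report above
# (node field redacted there as "(removed)").
AUDIT = '''\
node=(removed) type=AVC msg=audit(1265132582.304:11830): avc: denied { read } for pid=1506 comm="tuned" name="urandom" dev=devtmpfs ino=3482 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
node=(removed) type=AVC msg=audit(1265132582.304:11830): avc: denied { open } for pid=1506 comm="tuned" name="urandom" dev=devtmpfs ino=3482 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
node=(removed) type=SYSCALL msg=audit(1265132582.304:11830): arch=c000003e syscall=2 success=yes exit=4294967424 a0=192e130 a1=0 a2=1ff a3=7fff97f1ea18 items=0 ppid=1505 pid=1506 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="tuned" exe="/usr/bin/python" subj=system_u:system_r:tuned_t:s0 key=(null)
'''

AVC_RE = re.compile(
    r'msg=audit\((?P<event>[^)]+)\): avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)')
SYSCALL_RE = re.compile(
    r'type=SYSCALL msg=audit\((?P<event>[^)]+)\):.*?\bsuccess=(?P<ok>\w+)')

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(':')[2]

def summarize(log):
    """Merge denials per (source type, target type, class) into allow rules."""
    rules, events, outcome = OrderedDict(), {}, {}
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (selinux_type(m['s']), selinux_type(m['t']), m['cls'])
            perms = rules.setdefault(key, [])
            perms += [p for p in m['perms'].split() if p not in perms]
            events.setdefault(key, set()).add(m['event'])
            continue
        m = SYSCALL_RE.search(line)
        if m:
            outcome[m['event']] = m['ok']
    result = []
    for key, perms in rules.items():
        # Assumption: a "denied" AVC whose syscall still succeeded was only
        # logged, as happens when SELinux is permissive.
        logged_only = all(outcome.get(e) == 'yes' for e in events[key])
        rule = 'allow %s %s:%s { %s };' % (*key, ' '.join(perms))
        result.append({'rule': rule, 'logged_only': logged_only})
    return result

if __name__ == '__main__':
    for entry in summarize(AUDIT):
        print(entry)
```

A rule derived this way is a starting point for review: here the policy change applied in the following comment grants the access through a policy interface for tuned_t rather than through the global_ssp boolean, which would open urandom to every domain.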
Miroslav, add dev_read_urand(tuned_t).
Fixed in selinux-policy-3.6.32-81.fc12
selinux-policy-3.6.32-82.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-82.fc12
selinux-policy-3.6.32-84.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-1492
selinux-policy-3.6.32-84.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.