Bug 598287 - SELinux prevented restorecon from reading from the urandom device.
Summary: SELinux prevented restorecon from reading from the urandom device.
Keywords:
Status: CLOSED DUPLICATE of bug 587830
Alias: None
Product: Fedora
Classification: Fedora
Component: system-config-printer
Version: 13
Hardware: x86_64
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Tim Waugh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:4c6368fb70e...
Depends On:
Blocks:
 
Reported: 2010-06-01 02:22 UTC by John Mellor
Modified: 2010-06-01 15:07 UTC (History)
CC List: 4 users

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2010-06-01 15:07:53 UTC
Type: ---
Embargoed:



Description John Mellor 2010-06-01 02:22:06 UTC
Summary:

SELinux prevented restorecon from reading from the urandom device.

Detailed Description:

[restorecon has a permissive type (setfiles_t). This access was not denied.]

SELinux prevented restorecon from reading from the urandom device. This access
should be allowed for individual applications, but there are situations where
all applications require the access (for example, when ProPolice/SSP stack
smashing protection is used). Allowing this access may allow malicious
applications to drain the kernel entropy pool. This can compromise the ability
of some software that is dependent on high quality random numbers (e.g.,
ssh-keygen) to operate effectively. The risk of this type of attack is
relatively low.

Allowing Access:

Changing the "global_ssp" boolean to true will allow this access: "setsebool -P
global_ssp=1."

Fix Command:

setsebool -P global_ssp=1

Additional Information:

Source Context                unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023
Target Context                system_u:object_r:urandom_device_t:s0
Target Objects                /dev/urandom [ chr_file ]
Source                        restorecon
Source Path                   /sbin/setfiles
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           policycoreutils-2.0.82-18.fc13
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-21.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   global_ssp
Host Name                     (removed)
Platform                      Linux (removed) 2.6.33.5-112.fc13.x86_64 #1 SMP Thu May 27 02:28:31 UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Mon 31 May 2010 10:19:34 PM EDT
Last Seen                     Mon 31 May 2010 10:19:34 PM EDT
Local ID                      9a09c65d-a4c4-4349-bb7f-e4e005306ea8
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1275358774.504:24926): avc:  denied  { read } for  pid=14378 comm="restorecon" path="/dev/urandom" dev=devtmpfs ino=3983 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file

node=(removed) type=SYSCALL msg=audit(1275358774.504:24926): arch=c000003e syscall=59 success=yes exit=0 a0=22fb660 a1=22fb880 a2=22fbc20 a3=7fff6294e2c0 items=0 ppid=14193 pid=14378 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=6 comm="restorecon" exe="/sbin/setfiles" subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  global_ssp,restorecon,setfiles_t,urandom_device_t,chr_file,read
audit2allow suggests:

#============= setfiles_t ==============
#!!!! This avc can be allowed using the boolean 'global_ssp'

allow setfiles_t urandom_device_t:chr_file read;
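
The raw AVC record above carries everything needed to decide whether the `global_ssp` boolean applies and to reproduce the rule audit2allow printed. The following parser is an added example, not part of this report or of setroubleshoot; it embeds the report's own AVC line as constructed sample input, and its boolean table is limited to what this page states (global_ssp covers read on urandom_device_t character devices).

```python
import re

# Constructed sample: the raw AVC record quoted in this report (host kept as "(removed)").
SAMPLE_AVC = (
    'node=(removed) type=AVC msg=audit(1275358774.504:24926): avc:  denied  { read } '
    'for  pid=14378 comm="restorecon" path="/dev/urandom" dev=devtmpfs ino=3983 '
    'scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file'
)

# Booleans known from this page: global_ssp allows any domain to read urandom_device_t.
# (Assumed table shape; only the entry the report names is included.)
BOOLEAN_COVERAGE = {
    "global_ssp": {"target_type": "urandom_device_t", "tclass": "chr_file", "perms": {"read"}},
}

_AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs; values are either double-quoted strings or bare tokens.
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Split one AVC audit record into its security-relevant fields."""
    m = _AVC_RE.search(line)
    if m is None:
        raise ValueError("not an AVC record")
    kv = {k: v.strip('"') for k, v in _KV_RE.findall(m.group("rest"))}
    scontext, tcontext = kv["scontext"], kv["tcontext"]
    return {
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "comm": kv.get("comm"),
        "path": kv.get("path"),
        "pid": int(kv["pid"]) if "pid" in kv else None,
        "scontext": scontext,
        "source_type": scontext.split(":")[2],   # contexts are user:role:type[:range]
        "tcontext": tcontext,
        "target_type": tcontext.split(":")[2],
        "tclass": kv["tclass"],
    }


def covering_boolean(avc):
    """Name the boolean whose coverage includes this AVC, or None if no entry matches."""
    for name, rule in BOOLEAN_COVERAGE.items():
        if (avc["target_type"] == rule["target_type"]
                and avc["tclass"] == rule["tclass"]
                and set(avc["perms"]) <= rule["perms"]):
            return name
    return None


def allow_rule(avc):
    """The audit2allow-style allow rule for this single AVC."""
    perms = avc["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {avc['source_type']} {avc['target_type']}:{avc['tclass']} {perm_str};"


if __name__ == "__main__":
    avc = parse_avc(SAMPLE_AVC)
    print(avc["comm"], avc["source_type"], "->", avc["target_type"], avc["perms"])
    print("covered by boolean:", covering_boolean(avc))
    print(allow_rule(avc))
```

Run as a script it reports the denial as `setfiles_t -> urandom_device_t ['read']`, names `global_ssp` as the covering boolean, and prints the same `allow setfiles_t urandom_device_t:chr_file read;` rule shown above; for a denial the table does not cover it returns `None`, which is the signal to look at the denying program rather than flip a boolean.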

Comment 1 John Mellor 2010-06-01 02:25:54 UTC
This selinux alert popped out while I was adding/deleting printers to try to identify the correct ppd file to use by trial and error.

Comment 2 Daniel Walsh 2010-06-01 14:59:00 UTC
This could be cups or some other app used to set up printers leaking an open descriptor to /dev/urandom.

You can safely ignore it.
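
The leak described in the comment above is a descriptor opened without O_CLOEXEC that survives exec into a child running in a different domain; SELinux then checks the inherited descriptor against the child's domain, which is why the AVC names restorecon while the SYSCALL record shows an execve (syscall=59 on x86_64) that succeeded. The script below is an added demonstration, not code from this report, cups or system-config-printer: it opens a device, execs a child, and reports whether the child can still use the descriptor, once with the close-on-exec flag cleared (a program that opened the device without O_CLOEXEC) and once with it set. It assumes Python 3.4 or newer on a POSIX system; `entropy_device`, `survives_exec` and the probe are hypothetical names.

```python
import os
import subprocess
import sys

# Probe run in the child after exec: exit 0 only if the inherited descriptor number is
# still open AND refers to the same device/inode the parent opened, 1 otherwise.
_PROBE = (
    "import os, sys\n"
    "fd, dev, ino = (int(a) for a in sys.argv[1:4])\n"
    "try:\n"
    "    st = os.fstat(fd)\n"
    "except OSError:\n"
    "    sys.exit(1)\n"
    "sys.exit(0 if (st.st_dev, st.st_ino) == (dev, ino) else 1)\n"
)


def entropy_device():
    """/dev/urandom where present (Linux); any readable file shows the same inheritance rule."""
    return "/dev/urandom" if os.path.exists("/dev/urandom") else os.devnull


def survives_exec(path, close_on_exec):
    """Open `path`, exec a child, and return True if the descriptor leaked into it."""
    fd = os.open(path, os.O_RDONLY)
    try:
        # Python marks new descriptors close-on-exec by default (PEP 446); clearing the
        # flag reproduces a program that opened the device without O_CLOEXEC.
        os.set_inheritable(fd, not close_on_exec)
        st = os.fstat(fd)
        # close_fds=False so the only thing deciding the outcome is the FD_CLOEXEC flag
        # the kernel honours at execve, exactly as for a C program calling fork()/exec().
        proc = subprocess.run(
            [sys.executable, "-c", _PROBE, str(fd), str(st.st_dev), str(st.st_ino)],
            close_fds=False,
        )
        return proc.returncode == 0
    finally:
        os.close(fd)


if __name__ == "__main__":
    dev = entropy_device()
    print("leaks without O_CLOEXEC:", survives_exec(dev, close_on_exec=False))
    print("leaks with O_CLOEXEC:   ", survives_exec(dev, close_on_exec=True))
```

The first call returns True and the second False. The fix for this class of alert is in the program that opened the device (open with O_CLOEXEC, or close the descriptor before exec), not in policy, which is consistent with the advice to ignore the alert rather than set `global_ssp`.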

Comment 3 Jiri Popelka 2010-06-01 15:07:53 UTC

*** This bug has been marked as a duplicate of bug 587830 ***

