Bug 621121 - denied access to z90crypt device for sshd
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.0
Hardware: All
OS: Linux
low
medium
Target Milestone: rc
Assignee: Miroslav Grepl
QA Contact: Miroslav Vadkerti
Reported: 2010-08-04 10:31 UTC by Miroslav Vadkerti
Modified: 2018-01-05 10:19 UTC

Fixed In Version: selinux-policy-3.7.19-36.el6
Doc Type: Bug Fix
Last Closed: 2010-11-10 21:35:58 UTC

Description Miroslav Vadkerti 2010-08-04 10:31:16 UTC
Description of problem:
type=AVC msg=audit(1280223091.264:18859): avc:  denied  { read write } for  pid=3148 comm="sshd" name="z90crypt" dev=devtmpfs ino=12534 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:crypt_device_t:s0 tclass=chr_file

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-34

Actual results:
AVC denial

Expected results:
No AVC denial

Additional info:
sshd is using z90crypt device on s390x mainframes when CPACF is enabled

Comment 2 Miroslav Grepl 2010-08-04 12:01:37 UTC
> Additional info:
> sshd is using z90crypt device on s390x mainframes when CPACF is enabled    

Then we should add

dev_rw_crypto(sshd_t)

Comment 4 Miroslav Grepl 2010-08-06 13:16:23 UTC
Fixed in selinux-policy-3.7.19-36.el6.noarch.

Comment 6 Miroslav Vadkerti 2010-08-18 06:23:50 UTC
VERIFIED as fixed in selinux-policy-3.7.19-38.el6.

No AVC detected anymore. 

# sesearch -s sshd_t -t crypt_device_t -c chr_file --allow
Found 1 semantic av rules:
   allow sshd_t crypt_device_t : chr_file { ioctl read write getattr lock append open } ;

Comment 7 releng-rhel@redhat.com 2010-11-10 21:35:58 UTC
Red Hat Enterprise Linux 6.0 is now available and should resolve
the problem described in this bug report. This report is therefore being closed
with a resolution of CURRENTRELEASE. You may reopen this bug report if the
solution does not work for you.
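
Added example (not part of the original report or of selinux-policy): a Python check that parses the AVC denial from the description and the sesearch rule from Comment 6, then reports which of the denied permissions the policy still does not grant. The function names are hypothetical, and type names are compared literally without expanding attributes.

```python
import re

# Added example. AVC record and allow rule are copied from this report.
# Assumption: rules name the types directly (attributes are not expanded).
AVC = ('type=AVC msg=audit(1280223091.264:18859): avc:  denied  { read write } '
       'for  pid=3148 comm="sshd" name="z90crypt" dev=devtmpfs ino=12534 '
       'scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 '
       'tcontext=system_u:object_r:crypt_device_t:s0 tclass=chr_file')
RULE = ('allow sshd_t crypt_device_t : chr_file '
        '{ ioctl read write getattr lock append open } ;')

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')
RULE_RE = re.compile(
    r'allow\s+(?P<src>\S+)\s+(?P<tgt>\S+)\s*:\s*(?P<tclass>\S+)\s+'
    r'(?:\{\s*(?P<perms>[^}]*)\}|(?P<perm>\S+))\s*;')

def context_type(context):
    """Return the type field (third) of a user:role:type[:level] context."""
    return context.split(':')[2]

def parse_avc(line):
    """Extract (source type, target type, class, denied perms) from an AVC."""
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError('not an AVC denial record')
    return (context_type(m['scon']), context_type(m['tcon']),
            m['tclass'], set(m['perms'].split()))

def parse_allow(line):
    """Extract (source, target, class, perms) from a sesearch allow rule."""
    m = RULE_RE.search(line)
    if m is None:
        raise ValueError('not an allow rule')
    perms = m['perms'] if m['perms'] is not None else m['perm']
    return m['src'], m['tgt'], m['tclass'], set(perms.split())

def still_denied(avc_line, rule_lines):
    """Permissions from the denial that none of the allow rules grant."""
    src, tgt, tclass, wanted = parse_avc(avc_line)
    granted = set()
    for rule in rule_lines:
        r_src, r_tgt, r_class, perms = parse_allow(rule)
        if (r_src, r_tgt, r_class) == (src, tgt, tclass):
            granted |= perms
    return wanted - granted
```

An empty set from `still_denied(AVC, [RULE])` corresponds to the "No AVC detected anymore" result in Comment 6.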

