Bug 865800 - SELinux prevents /usr/sbin/slpd (slpd_t) from reading /dev/urandom (urandom_device_t)
SELinux prevents /usr/sbin/slpd (slpd_t) from reading /dev/urandom (urandom_d...
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy (Show other bugs)
7.0
All Linux
medium Severity medium
: rc
: ---
Assigned To: Daniel Walsh
Milos Malik
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-10-12 09:31 EDT by Milos Malik
Modified: 2014-06-17 22:16 EDT (History)
1 user (show)

See Also:
Fixed In Version: selinux-policy-3.11.1-38.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-06-13 05:25:54 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Milos Malik 2012-10-12 09:31:31 EDT
Description of problem:


Version-Release number of selected component (if applicable):
openslp-1.2.1-17.el7.x86_64
openslp-server-1.2.1-17.el7.x86_64
selinux-policy-3.11.1-33.el7.noarch
selinux-policy-devel-3.11.1-33.el7.noarch
selinux-policy-doc-3.11.1-33.el7.noarch
selinux-policy-minimum-3.11.1-33.el7.noarch
selinux-policy-mls-3.11.1-33.el7.noarch
selinux-policy-targeted-3.11.1-33.el7.noarch

How reproducible:
always

Steps to Reproduce:
# service openslp restart
# ausearch -m avc -ts recent -i
  
Actual results:
----
type=PATH msg=audit(10/12/2012 15:22:00.737:148) : item=0 name=/dev/urandom inode=1033 dev=00:05 mode=character,666 ouid=root ogid=root rdev=01:09 obj=system_u:object_r:urandom_device_t:s0 
type=CWD msg=audit(10/12/2012 15:22:00.737:148) :  cwd=/ 
type=SYSCALL msg=audit(10/12/2012 15:22:00.737:148) : arch=x86_64 syscall=open success=yes exit=7 a0=0x7fa65137d86c a1=O_RDONLY a2=0x0 a3=0x7fff90bdb350 items=1 ppid=1100 pid=1101 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=slpd exe=/usr/sbin/slpd subj=system_u:system_r:slpd_t:s0 key=(null) 
type=AVC msg=audit(10/12/2012 15:22:00.737:148) : avc:  denied  { open } for  pid=1101 comm=slpd path=/dev/urandom dev="devtmpfs" ino=1033 scontext=system_u:system_r:slpd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file 
type=AVC msg=audit(10/12/2012 15:22:00.737:148) : avc:  denied  { read } for  pid=1101 comm=slpd name=urandom dev="devtmpfs" ino=1033 scontext=system_u:system_r:slpd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file 
----

Expected results:
 * no AVCs
Comment 1 Daniel Walsh 2012-10-12 15:02:22 EDT
Fixed in selinux-policy-3.11.1-38.fc18.noarch
Comment 3 Ludek Smid 2014-06-13 05:25:54 EDT
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

Note You need to log in before you can comment on or make changes to this bug.