From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 46967138334 for ; Sun, 11 Nov 2018 23:29:40 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 6A9A7E0D23; Sun, 11 Nov 2018 23:29:37 +0000 (UTC) Received: from smtp.gentoo.org (dev.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 3C6B8E0D1D for ; Sun, 11 Nov 2018 23:29:37 +0000 (UTC) Received: from oystercatcher.gentoo.org (unknown [IPv6:2a01:4f8:202:4333:225:90ff:fed9:fc84]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 08F33335CF5 for ; Sun, 11 Nov 2018 23:29:36 +0000 (UTC) Received: from localhost.localdomain (localhost [IPv6:::1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id B99B846E for ; Sun, 11 Nov 2018 23:29:32 +0000 (UTC) From: "Jason Zaman" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" Message-ID: <1541978251.1a660dec08464a41b9dabc0c7d9718405bf59035.perfinion@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/services/ssh.te X-VCS-Directories: policy/modules/services/ X-VCS-Committer: perfinion X-VCS-Committer-Name: Jason Zaman X-VCS-Revision: 1a660dec08464a41b9dabc0c7d9718405bf59035 X-VCS-Branch: master Date: Sun, 11 Nov 2018 23:29:32 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: fc65f0c5-a9ca-4c1d-b3d5-742b12a9fee0 X-Archives-Hash: 27d434682f0725735fff178b31edd8bc commit: 1a660dec08464a41b9dabc0c7d9718405bf59035 Author: Luis Ressel aixah de> AuthorDate: Sat Oct 27 12:47:03 2018 +0000 Commit: Jason Zaman gentoo org> CommitDate: Sun Nov 11 23:17:31 2018 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1a660dec services/ssh: Don't audit accesses from ssh_t to /dev/random OpenSSL 1.1 always opens both /dev/urandom and /dev/random, which generates spurious denial messages for ssh_t, ssh_keygen_t and probably various other domains too. The code only uses /dev/random as a fallback and can cope with an open() failure just fine, so I'm dontauditing the access. However, I don't have strong feelings about this -- if someone would prefer to allow these accesses instead, I'd be okay with that too. Signed-off-by: Jason Zaman perfinion.com> policy/modules/services/ssh.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te index 19ebd9d9..0403842b 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -156,6 +156,7 @@ corenet_tcp_connect_ssh_port(ssh_t) corenet_sendrecv_ssh_client_packets(ssh_t) dev_read_urand(ssh_t) +dev_dontaudit_read_rand(ssh_t) fs_getattr_all_fs(ssh_t) fs_search_auto_mountpoints(ssh_t) @@ -352,6 +353,7 @@ fs_search_auto_mountpoints(ssh_keygen_t) dev_read_sysfs(ssh_keygen_t) dev_read_urand(ssh_keygen_t) +dev_dontaudit_read_rand(ssh_keygen_t) term_dontaudit_use_console(ssh_keygen_t)