commit: 1a660dec08464a41b9dabc0c7d9718405bf59035 Author: Luis Ressel <aranea <AT> aixah <DOT> de> AuthorDate: Sat Oct 27 12:47:03 2018 +0000 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> CommitDate: Sun Nov 11 23:17:31 2018 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1a660dec
services/ssh: Don't audit accesses from ssh_t to /dev/random OpenSSL 1.1 always opens both /dev/urandom and /dev/random, which generates spurious denial messages for ssh_t, ssh_keygen_t and probably various other domains too. The code only uses /dev/random as a fallback and can cope with an open() failure just fine, so I'm dontauditing the access. However, I don't have strong feelings about this -- if someone would prefer to allow these accesses instead, I'd be okay with that too. Signed-off-by: Jason Zaman <jason <AT> perfinion.com> policy/modules/services/ssh.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te index 19ebd9d9..0403842b 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -156,6 +156,7 @@ corenet_tcp_connect_ssh_port(ssh_t) corenet_sendrecv_ssh_client_packets(ssh_t) dev_read_urand(ssh_t) +dev_dontaudit_read_rand(ssh_t) fs_getattr_all_fs(ssh_t) fs_search_auto_mountpoints(ssh_t) @@ -352,6 +353,7 @@ fs_search_auto_mountpoints(ssh_keygen_t) dev_read_sysfs(ssh_keygen_t) dev_read_urand(ssh_keygen_t) +dev_dontaudit_read_rand(ssh_keygen_t) term_dontaudit_use_console(ssh_keygen_t)
