SE-Linux error

Les Howell
Hi, everyone,
I am working through the Cobalt stuff on Linux.  I received the
following error from SE-Linux:

SELinux prevented $SOURCE_NAME from reading from the urandom device.

Detailed Description
SELinux prevented $SOURCE_NAME from reading from the urandom device.
This access should be allowed for individual applications, but there
are situations where all applications require the access (for example,
when ProPolice/SSP stack smashing protection is used). Allowing this
access may allow malicious applications to drain the kernel entropy
pool. This can compromising the ability of some software that is
dependent on high quality random number (e.g., ssh-keygen) to operate
effectively. The risk of this type of attack is relatively low.

Source Context:  system_u:system_r:fsdaemon_t
Target Context:  system_u:object_r:urandom_device_t
Target Objects:  urandom [ chr_file ]
Affected RPM Packages:
Policy RPM:  selinux-policy-2.6.4-70.fc7
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Permissive
Plugin Name:  plugins.global_ssp
Host Name:  localhost.localdomain
Platform:  Linux localhost.localdomain 2.6.23.15-80.fc7 #1 SMP Sun Feb 10 17:29:10 EST 2008 i686 i686
Alert Count:  80
First Seen:  Tue 15 Jan 2008 06:47:19 PM PST
Last Seen:  Sat 12 Apr 2008 02:08:07 AM PDT
Local ID:  b9de5629-1271-4f0f-8f71-d33298e7f57d
Line Numbers:

Raw Audit Messages:
avc: denied { read } for comm="sh" dev=tmpfs egid=0 euid=0 exe="/bin/bash"
exit=3 fsgid=0 fsuid=0 gid=0 items=0 name="urandom" pid=2556
scontext=system_u:system_r:fsdaemon_t:s0 sgid=0
subj=system_u:system_r:fsdaemon_t:s0 suid=0 tclass=chr_file
tcontext=system_u:object_r:urandom_device_t:s0 tty=(none) uid=0

I can't speculate yet on the cause.  It appears to have been happening
for some time, but I don't recall seeing the message before.  

There is a workaround for SELinux but it will reduce the security of the
system by opening the random number generator up to attack, which has
the potential to compromise other keys.

Regards,
Les H
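The raw AVC line in the post above carries everything needed to triage the denial: the source domain (fsdaemon_t), the target type (urandom_device_t), the object class and the denied permission. The following Python script is an added example, not part of Les's post and not code from setroubleshoot or the SELinux tooling. It parses an AVC record into its fields, derives the narrowly scoped allow rule that audit2allow would emit for it, and flags the case where the denial matches what the `global_ssp` boolean (the boolean the `plugins.global_ssp` plugin name refers to) would open up for every domain. The sample message is the one quoted in the post, joined onto one line; the boolean lookup table is a hand-written assumption covering only this one case, not a complete mapping.

```python
import re

# Constructed sample: the raw audit message from the post, joined onto one line.
SAMPLE_AVC = (
    'avc: denied { read } for comm="sh" dev=tmpfs egid=0 euid=0 exe="/bin/bash" '
    'exit=3 fsgid=0 fsuid=0 gid=0 items=0 name="urandom" pid=2556 '
    'scontext=system_u:system_r:fsdaemon_t:s0 sgid=0 '
    'subj=system_u:system_r:fsdaemon_t:s0 suid=0 tclass=chr_file '
    'tcontext=system_u:object_r:urandom_device_t:s0 tty=(none) uid=0'
)

# "avc: denied { read write } for key=value key="quoted value" ..."
AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)'
)
# key=value tokens; values are either double-quoted or a run of non-space chars
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumed, hand-written table: (target type, class, permission) -> targeted-policy
# boolean that would allow it for *all* domains. Only the case from the post is listed.
GLOBAL_BOOLEANS = {
    ('urandom_device_t', 'chr_file', 'read'): 'global_ssp',
}


def parse_avc(line):
    """Split one AVC record into verdict, permission list and key=value fields."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError('not an AVC message: %r' % line)
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {
        'verdict': m.group('verdict'),
        'perms': m.group('perms').split(),
        'fields': fields,
    }


def context_type(ctx):
    """Extract the type component of user:role:type[:mls]."""
    return ctx.split(':')[2]


def allow_rule(avc):
    """Build the minimal TE rule that would permit exactly this access."""
    f = avc['fields']
    perms = avc['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return 'allow %s %s:%s %s;' % (
        context_type(f['scontext']), context_type(f['tcontext']), f['tclass'], perm_str
    )


def suggest_boolean(avc):
    """Name the global boolean (if any) that covers this denial, else None."""
    f = avc['fields']
    for perm in avc['perms']:
        key = (context_type(f['tcontext']), f['tclass'], perm)
        if key in GLOBAL_BOOLEANS:
            return GLOBAL_BOOLEANS[key]
    return None


def triage(line):
    """Summarise a denial for a reviewer: who, what, and the two possible fixes."""
    avc = parse_avc(line)
    f = avc['fields']
    return {
        'verdict': avc['verdict'],
        'source_type': context_type(f['scontext']),
        'target_type': context_type(f['tcontext']),
        'target_class': f['tclass'],
        'perms': avc['perms'],
        'exe': f.get('exe'),
        'scoped_rule': allow_rule(avc),
        'global_boolean': suggest_boolean(avc),
    }


if __name__ == '__main__':
    for k, v in triage(SAMPLE_AVC).items():
        print('%-15s %s' % (k + ':', v))
```

The point of returning both `scoped_rule` and `global_boolean` is the trade-off Les describes: flipping the boolean lets every domain read the device, while a rule confined to `fsdaemon_t` (loaded as a local policy module) grants only what the audit record shows was actually attempted.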