Not sure where these come from (possibly it's because of my using the vnc module in X). Safe to dontaudit?
audit(1079686139.241:0): avc: denied { getattr } for pid=9439 exe=/usr/X11R6/bin/XFree86 path=/dev/urandom dev=hda2 ino=2689265 scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
audit(1079686139.241:0): avc: denied { ioctl } for pid=9439 exe=/usr/X11R6/bin/XFree86 path=/dev/urandom dev=hda2 ino=2689265 scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
On Fri, 19 Mar 2004 19:52, Aleksey Nogin aleksey@nogin.org wrote:
> Not sure where these come from (possibly it's because of my using the vnc module in X). Safe to dontaudit?
> audit(1079686139.241:0): avc: denied { getattr } for pid=9439 exe=/usr/X11R6/bin/XFree86 path=/dev/urandom dev=hda2 ino=2689265 scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
> audit(1079686139.241:0): avc: denied { ioctl } for pid=9439 exe=/usr/X11R6/bin/XFree86 path=/dev/urandom dev=hda2 ino=2689265 scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
As far as I am aware there is no valid ioctl for the urandom device, it takes reads as requests for random data and writes as additions to the entropy pool. Programs that do an IOCTL are bogus, but there's no harm in allowing it. As for getattr, that's valid so I've changed my tree to allow that too.
Read was already allowed for SSP (which only does blind reads with no getattr and no ioctl).
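An added example, not code from either poster: it does mechanically what the reply does by hand, parsing the two AVC messages quoted above, grouping the denied permissions by source type, target type and object class, and rendering either an allow or a dontaudit rule so the two options can be compared. The AVC lines are the ones from the thread; the regex and the helper names are my own.

```python
import re
from collections import defaultdict

# The two AVC denials quoted in the thread, one per line (the page ran them together).
AVC_LINES = [
    "audit(1079686139.241:0): avc: denied { getattr } for pid=9439 exe=/usr/X11R6/bin/XFree86 "
    "path=/dev/urandom dev=hda2 ino=2689265 scontext=system_u:system_r:xdm_xserver_t "
    "tcontext=system_u:object_r:urandom_device_t tclass=chr_file",
    "audit(1079686139.241:0): avc: denied { ioctl } for pid=9439 exe=/usr/X11R6/bin/XFree86 "
    "path=/dev/urandom dev=hda2 ino=2689265 scontext=system_u:system_r:xdm_xserver_t "
    "tcontext=system_u:object_r:urandom_device_t tclass=chr_file",
]

# Pulls the permission set and the three fields a TE rule needs out of one AVC message.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\S+)"
)

def parse_avc(line):
    """Return (source type, target type, class, set of permissions), or None if not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    stype = m.group("scontext").split(":")[2]   # user:role:type[:range] -> type
    ttype = m.group("tcontext").split(":")[2]
    return stype, ttype, m.group("tclass"), set(m.group("perms").split())

def summarize(lines):
    """Merge the denied permissions of all messages that share (source type, target type, class)."""
    groups = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            groups[(stype, ttype, tclass)] |= perms
    return groups

def to_rule(key, perms, kind="allow"):
    """Render one TE rule; kind is 'allow' or 'dontaudit', which is the judgement call the thread is about."""
    stype, ttype, tclass = key
    return f"{kind} {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"

if __name__ == "__main__":
    for key, perms in summarize(AVC_LINES).items():
        print(to_rule(key, perms))                # what the reply chose for getattr/ioctl
        print(to_rule(key, perms, "dontaudit"))   # what the original question asked about
```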
selinux@lists.fedoraproject.org