379301 – semodule crashes (cannot read /dev/random)

Bug 379301 - semodule crashes (cannot read /dev/random)

Summary: semodule crashes (cannot read /dev/random)

Status:	VERIFIED FIXED

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	Hardened (show other bugs)
Hardware:	All Linux

Importance:	Highest normal (vote)
Assignee:	Sven Vermeulen (RETIRED)

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2011-08-15 17:48 UTC by Matthew Thode ( prometheanfire )
Modified:	2011-10-23 13:14 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
ptrace of semodule (just the fun bits) (selinux.log,28.33 KB, text/plain) 2011-08-15 17:49 UTC, Matthew Thode ( prometheanfire )	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Matthew Thode ( prometheanfire ) archtester

2011-08-15 17:48:48 UTC

ptrace attached

1. log in as a ldap user
2. use semodule -i
3. ???
4. FAIL

Comment 1 Matthew Thode ( prometheanfire ) archtester

2011-08-15 17:49:18 UTC

Created attachment 283457 [details]
ptrace of semodule (just the fun bits)

Comment 2 Sven Vermeulen (RETIRED) gentoo-dev

2011-08-15 20:29:53 UTC

Thanks. Indeed, the semodule application wants to get some information from the user. Since you're using an LDAP-managed authentication/authorization system, the libnss contacts the OpenLDAP. However, you use LDAPS (secure) instead of LDAP, and the current SELinux policy for sysnet_use_ldap() didn't allow that.

I'll add
  dev_read_rand()
  dev_read_urand()
to that interface in base r2.

Comment 3 Matthew Thode ( prometheanfire ) archtester

2011-08-17 06:53:52 UTC

I tested it from your overlay.  It worked :D

Comment 4 Sven Vermeulen (RETIRED) gentoo-dev

2011-08-19 20:54:00 UTC

In hardened-dev overlay

Comment 5 Sven Vermeulen (RETIRED) gentoo-dev

2011-08-29 09:25:09 UTC

In portage tree (~arch)