
Bug 379301

Summary: semodule crashes (cannot read /dev/random)
Product: Gentoo Linux
Reporter: Matthew Thode (prometheanfire) <prometheanfire>
Component: Hardened
Assignee: Sven Vermeulen (RETIRED) <swift>
Status: VERIFIED FIXED
Severity: normal
CC: prometheanfire, selinux
Priority: Highest
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: ptrace of semodule (just the fun bits)

Description Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2011-08-15 17:48:48 UTC
ptrace attached

1. log in as a ldap user
2. use semodule -i
3. ???
4. FAIL
Comment 1 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2011-08-15 17:49:18 UTC
Created attachment 283457 [details]
ptrace of semodule (just the fun bits)
Comment 2 Sven Vermeulen (RETIRED) gentoo-dev 2011-08-15 20:29:53 UTC
Thanks. Indeed, the semodule application wants to get some information from the user. Since you're using an LDAP-managed authentication/authorization system, libnss contacts OpenLDAP. However, you use LDAPS (secure) instead of LDAP, and the current SELinux policy for sysnet_use_ldap() didn't allow that.

I'll add
  dev_read_rand()
  dev_read_urand()
to that interface in base r2.
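As an added example (not part of the bug report or the hardened-dev overlay), the following shell function maps AVC denials on the random devices to the two refpolicy interfaces named above, which is how a maintainer would confirm that dev_read_rand() and dev_read_urand() are the missing permissions; the audit lines are constructed to match this report (semodule_t reaching /dev/random and /dev/urandom while nss_ldap sets up LDAPS), and denials on other types, such as the ldap_port_t connect shown, are deliberately left unmapped.

```shell
#!/bin/sh
# Added example, not from the bug report. Constructed AVC denials modelled on
# this bug: semodule (semodule_t) reads /dev/random and /dev/urandom because
# nss_ldap negotiates TLS for LDAPS. pid, ino and timestamps are made up.
SAMPLE_AVC='type=AVC msg=audit(1313430528.101:77): avc:  denied  { read } for  pid=4242 comm="semodule" name="random" dev=devtmpfs ino=1029 scontext=staff_u:sysadm_r:semodule_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file
type=AVC msg=audit(1313430528.102:78): avc:  denied  { read open } for  pid=4242 comm="semodule" name="urandom" dev=devtmpfs ino=1030 scontext=staff_u:sysadm_r:semodule_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC msg=audit(1313430528.103:79): avc:  denied  { name_connect } for  pid=4242 comm="semodule" scontext=staff_u:sysadm_r:semodule_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket'

# suggest_interfaces: read AVC lines on stdin and print, deduplicated, the
# refpolicy interface call (with the denied source domain as argument) that
# covers each chr_file denial on random_device_t or urandom_device_t.
# Denials on any other target type are skipped rather than guessed at.
suggest_interfaces() {
  grep 'avc:  denied' | while IFS= read -r line; do
    # third field of a context is the type: user:role:type:level
    sdom=$(printf '%s\n' "$line" | sed -n 's/.*scontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
    ttype=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
    tclass=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([a-z_]*\).*/\1/p')
    [ "$tclass" = chr_file ] || continue
    case "$ttype" in
      random_device_t)  echo "dev_read_rand($sdom)" ;;
      urandom_device_t) echo "dev_read_urand($sdom)" ;;
    esac
  done | sort -u
}

# Usage: printf '%s\n' "$SAMPLE_AVC" | suggest_interfaces
# (or: ausearch -m avc -ts recent | suggest_interfaces on a live box)
```

The output lists the interface calls to add to the policy for the denied domain; in this bug they were added to the sysnet_use_ldap() interface itself so every domain using LDAP gains them, rather than to semodule_t alone.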
Comment 3 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2011-08-17 06:53:52 UTC
I tested it from your overlay.  It worked :D
Comment 4 Sven Vermeulen (RETIRED) gentoo-dev 2011-08-19 20:54:00 UTC
In hardened-dev overlay
Comment 5 Sven Vermeulen (RETIRED) gentoo-dev 2011-08-29 09:25:09 UTC
In portage tree (~arch)