On Debian, haveged fails to start with "haveged: Couldn't open random
device: Permission denied". strace shows:
openat(AT_FDCWD, "/dev/random", O_RDWR) = -1 EACCES (Permission denied)
audit.log has:
type=AVC msg=audit(1566048720.132:1338): avc: denied { search }
for pid=20235 comm="haveged" name="/" dev="tmpfs" ino=76666
scontext=system_u:system_r:entropyd_t
tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=0
With systemd, /dev is a temporary filesystem (tmpfs_t), so haveged needs
the search permission to it in order to open /dev/random. Use the
newly-added interface to allow this access.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
haveged listens to commands using a Unix socket
(at path "\0/sys/entropy/haveged" according to
https://github.com/jirka-h/haveged/blob/1.9.4/src/havegecmd.h#L34).
The implementation of this server is available on
https://github.com/jirka-h/haveged/blob/1.9.4/src/havegecmd.c .
This fixes the following denial:
type=AVC msg=audit(1551002989.396:27): avc: denied { listen } for
pid=262 comm="haveged"
path=002F7379732F656E74726F70792F68617665676564
scontext=system_u:system_r:entropyd_t
tcontext=system_u:system_r:entropyd_t tclass=unix_stream_socket
permissive=1
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Chris PeBenito
Nicolas Iooss
Chris PeBenito