services/ssh: Don't audit accesses from ssh_t to /dev/random

OpenSSL 1.1 always opens both /dev/urandom and /dev/random, which generates spurious denial messages for ssh_t, ssh_keygen_t and probably various other domains too. The code only uses /dev/random as a fallback and can cope with an open() failure just fine, so I'm dontauditing the access. However, I don't have strong feelings about this -- if someone would prefer to allow these accesses instead, I'd be okay with that too.
2018-10-27 14:47:03 +02:00 · 2018-10-27 14:47:03 +02:00 · a42ff404bd
commit a42ff404bd
parent 1941eefa13
1 changed files with 2 additions and 0 deletions
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@ -156,6 +156,7 @@ corenet_tcp_connect_ssh_port(ssh_t)
 corenet_sendrecv_ssh_client_packets(ssh_t)

 dev_read_urand(ssh_t)
+dev_dontaudit_read_rand(ssh_t)

 fs_getattr_all_fs(ssh_t)
 fs_search_auto_mountpoints(ssh_t)
@ -352,6 +353,7 @@ fs_search_auto_mountpoints(ssh_keygen_t)

 dev_read_sysfs(ssh_keygen_t)
 dev_read_urand(ssh_keygen_t)
+dev_dontaudit_read_rand(ssh_keygen_t)

 term_dontaudit_use_console(ssh_keygen_t)