[DSE-Dev] Bug#697814: Bug#697814: selinux-policy-default: exim4 and bitlbee want access to sysctl_crypto_t

[Mika Pflüger]

Hi,

Am Thu, 10 Jan 2013 00:11:17 +0200
schrieb Marius Gavrilescu <marius at ieval.ro>:
> For some reason exim4 and bitlbee are trying to read
> /proc/sys/crypto/fips_enabled and SELinux doesn't let them.

Seems to me they are using libgcrypt which tries to
read /proc/sys/crypto/fips_enabled to determine if it should enable
fips mode. Most applications are however not allowed to do so, in
debian atm only
chkpwd_t, rpm_t, rpm_script_t, puppet_t, puppetmaster_t
are allowed access via the kernel_read_crypto_sysctls interface
(defined in kernel.if). In latest upstream git there are quite some
additional types which are allowed access, but exim4 and bitlbee are not
among those.
fedora adds
kernel_read_crypto_sysctls(domain)
which will allow this for a /lot/ of other programs, basically
everybody (for example bitlbee and exim, which are init_daemon_domain).
As (at least on my system) there is only the fips_enabled file
in /proc/sys/crypto, the possible harm from allowing this for everybody
seems very small. It is only the information if the system is in fips
mode.

How should we proceed? Add kernel_read_crypto_sysctls for everyone who
needs it (which could be quite some list considering that libgrypt11
has about 200 reverse dependencies…) or follow the fedora way and allow
it for everybody?

However, this only breaks fips mode for the affected programs so maybe
the impact is so low that we don't fix it for wheezy and therefore
only work for a solution upstream. How many people use system wide fips
mode?


Cheers,

Mika

-- 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/selinux-devel/attachments/20130110/e398992f/attachment.pgp>