Hi,

On Thu, 10 Jan 2013 00:11:17 +0200, Marius Gavrilescu <mar...@ieval.ro> wrote:
> For some reason exim4 and bitlbee are trying to read
> /proc/sys/crypto/fips_enabled and SELinux doesn't let them.

Seems to me they are using libgcrypt, which tries to read /proc/sys/crypto/fips_enabled to determine if it should enable FIPS mode. Most applications are however not allowed to do so; in Debian atm only chkpwd_t, rpm_t, rpm_script_t, puppet_t, puppetmaster_t are allowed access via the kernel_read_crypto_sysctls interface (defined in kernel.if). In latest upstream git there are quite some additional types which are allowed access, but exim4 and bitlbee are not among those.

Fedora adds kernel_read_crypto_sysctls(domain), which will allow this for a /lot/ of other programs, basically everybody (for example bitlbee and exim, which are init_daemon_domain).

As (at least on my system) there is only the fips_enabled file in /proc/sys/crypto, the possible harm from allowing this for everybody seems very small. It is only the information whether the system is in FIPS mode.

How should we proceed? Add kernel_read_crypto_sysctls for everyone who needs it (which could be quite some list considering that libgcrypt11 has about 200 reverse dependencies…) or follow the Fedora way and allow it for everybody?

However, this only breaks FIPS mode for the affected programs, so maybe the impact is so low that we don't fix it for wheezy and therefore only work for a solution upstream. How many people use system-wide FIPS mode?

Cheers,
Mika
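Added example, not part of the original message or of any project's code: a small audit-log tally that lists which domains were actually denied a read of fips_enabled and prints the matching kernel_read_crypto_sysctls() calls, which helps size the "add it per domain" option discussed above. The log lines are constructed, and the type names exim_t, bitlbee_t and sysctl_crypto_t in them are assumptions about the loaded policy.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not taken from the thread).
SAMPLE_LOG = """\
type=AVC msg=audit(1357769477.101:41): avc:  denied  { read } for  pid=2301 comm="exim4" name="fips_enabled" dev="proc" ino=9120 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
type=AVC msg=audit(1357769478.222:42): avc:  denied  { read } for  pid=2417 comm="bitlbee" name="fips_enabled" dev="proc" ino=9120 scontext=system_u:system_r:bitlbee_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
type=AVC msg=audit(1357769479.333:43): avc:  denied  { write } for  pid=2500 comm="exim4" name="spool" dev="sda1" ino=77 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1357769480.444:44): avc:  granted  { read } for  pid=900 comm="unix_chkpwd" name="fips_enabled" dev="proc" ino=9120 scontext=system_u:system_r:chkpwd_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
type=AVC msg=audit(1357769481.555:45): avc:  denied  { read } for  pid=2302 comm="exim4" name="fips_enabled" dev="proc" ino=9120 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
"""

AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def fips_denials(log_text):
    """Map source domain -> set of command names denied read on fips_enabled."""
    domains = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("result") != "denied":
            continue  # skip non-AVC lines and granted (auditallow) records
        if "read" not in m.group("perms").split():
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        if fields.get("name") != "fips_enabled":
            continue  # unrelated denial from the same daemon
        # scontext is user:role:type:level; the type is the process domain.
        domain = fields["scontext"].split(":")[2]
        domains[domain].add(fields.get("comm", "?"))
    return dict(domains)


def policy_lines(domains):
    """One interface call per denied domain, sorted for a stable diff."""
    return [f"kernel_read_crypto_sysctls({d})" for d in sorted(domains)]


if __name__ == "__main__":
    for rule in policy_lines(fips_denials(SAMPLE_LOG)):
        print(rule)
```

Run against a real audit log by passing its contents to fips_denials(); the length of the resulting list shows how far the per-domain approach would have to go on that system.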