random and urandom are allowed by domain, this is an MLS issue. Try applying this patch:
diff --git a/device.te b/device.te index 7818ce8..72c3e54 100644 --- a/device.te +++ b/device.te @@ -29,11 +29,11 @@ type ptmx_device, dev_type, mlstrustedobject; type qemu_device, dev_type; type kmsg_device, dev_type; type null_device, dev_type, mlstrustedobject; -type random_device, dev_type; +type random_device, dev_type, mlstrustedobject; type serial_device, dev_type; type socket_device, dev_type; type tty_device, dev_type; -type urandom_device, dev_type; +type urandom_device, dev_type, mlstrustedobject; type video_device, dev_type; type vcs_device, dev_type; type zero_device, dev_type; On Mon, Jan 28, 2013 at 2:30 PM, Peck, Michael A <[email protected]> wrote: > A crypto (secure voice) app I am testing fails to start – it is trying to > read /dev/random: > > <5>[ 2951.029571] type=1400 audit(1359410942.187:32): avc: denied { read } > for > > pid=2435 comm=4173796E635461736B202331 name="random" dev=tmpfs ino=4012 > scontext=u:r:untrusted_app:s0:c50,c256 tcontext=u:object_r:random_device:s0 > tclass=chr_file > > > > Would it be reasonable to add a “allow domain random_device:chr_file > r_file_perms;” rule to allow all apps to read /dev/random? > > > > I think the main threat is that a malicious app could potentially keep > reading from /dev/random and use up the entropy pool (preventing others from > reading /dev/random). > > > > Some might say the app should use /dev/urandom instead. At which time > others would probably then complain that /dev/urandom is “not good enough”. > Not sure that I personally want to take sides on /dev/random vs. > /dev/urandom. J > > > > -- > > Michael Peck > > The MITRE Corporation > > -- Respectfully, William C Roberts -- This message was distributed to subscribers of the seandroid-list mailing list. If you no longer wish to subscribe, send mail to [email protected] with the words "unsubscribe seandroid-list" without quotes as the message.
