Bug 1200161
| Summary: | Non-Fatal SELINUX Faults exist during bootup of 22_Alpha_RC3 | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Robert Lightfoot <BobLfoot> |
| Component: | rng-tools | Assignee: | Jeff Garzik <jgarzik> |
| Status: | CLOSED DUPLICATE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 22 | CC: | awilliam, BobLfoot, danofsatx, dgay, dominick.grift, dwalsh, jcapik, jgarzik, lmacken, lvrabec, mgrepl, plautrba, robatino |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | i386 | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2015-05-12 00:48:18 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Robert Lightfoot
2015-03-09 21:40:20 UTC
Hi, please attach raw AVCs and "$ rpm -q selinux-policy". Thank you.

Not sure what raw AVC means, but here is the output of sealert and a grep of /var/log/audit/audit.log:
sealert -l for the rngd instance -----
SELinux is preventing rngd from execmod access on the file /usr/sbin/rngd.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that rngd should be allowed execmod access on the rngd file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep rngd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:rngd_t:s0
Target Context system_u:object_r:rngd_exec_t:s0
Target Objects /usr/sbin/rngd [ file ]
Source rngd
Source Path rngd
Port <Unknown>
Host localhost
Source RPM Packages
Target RPM Packages rng-tools-5-4.fc22.i686
Policy RPM selinux-policy-3.13.1-113.fc22.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name localhost
Platform Linux localhost 4.0.0-0.rc1.git0.1.fc22.i686 #1
SMP Mon Feb 23 21:54:33 UTC 2015 i686 i686
Alert Count 1
First Seen 2015-03-10 16:08:17 EDT
Last Seen 2015-03-10 16:08:17 EDT
Local ID 402eaa0e-7b75-4192-8f2e-915da69e044b
Raw Audit Messages
type=AVC msg=audit(1426018097.959:103): avc: denied { execmod } for pid=978 comm="rngd" path="/usr/sbin/rngd" dev="dm-0" ino=324418 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:rngd_exec_t:s0 tclass=file permissive=0
Hash: rngd,rngd_t,rngd_exec_t,file,execmod
sealert -l for the abrt-dump-journ instance -----
SELinux is preventing abrt-dump-journ from read access on the file passwd.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that abrt-dump-journ should be allowed read access on the passwd file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep abrt-dump-journ /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:abrt_dump_oops_t:s0
Target Context system_u:object_r:passwd_file_t:s0
Target Objects passwd [ file ]
Source abrt-dump-journ
Source Path abrt-dump-journ
Port <Unknown>
Host localhost
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-113.fc22.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name localhost
Platform Linux localhost 4.0.0-0.rc1.git0.1.fc22.i686 #1
SMP Mon Feb 23 21:54:33 UTC 2015 i686 i686
Alert Count 2
First Seen 2015-03-10 16:08:29 EDT
Last Seen 2015-03-10 16:08:29 EDT
Local ID 58fb67f7-b0c7-4202-ab16-73661c00cb94
Raw Audit Messages
type=AVC msg=audit(1426018109.537:148): avc: denied { read } for pid=1124 comm="abrt-dump-journ" name="passwd" dev="dm-0" ino=324839 scontext=system_u:system_r:abrt_dump_oops_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0
Hash: abrt-dump-journ,abrt_dump_oops_t,passwd_file_t,file,read
grep rngd stuff:
type=SERVICE_START msg=audit(1426018097.809:102): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=rngd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1426018097.959:103): avc: denied { execmod } for pid=978 comm="rngd" path="/usr/sbin/rngd" dev="dm-0" ino=324418 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:rngd_exec_t:s0 tclass=file permissive=0
type=SERVICE_STOP msg=audit(1426018099.281:106): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=rngd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
grep abrt-dump-journ stuff:
type=AVC msg=audit(1426018109.528:147): avc: denied { read } for pid=1124 comm="abrt-dump-journ" name="passwd" dev="dm-0" ino=324839 scontext=system_u:system_r:abrt_dump_oops_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1426018109.537:148): avc: denied { read } for pid=1124 comm="abrt-dump-journ" name="passwd" dev="dm-0" ino=324839 scontext=system_u:system_r:abrt_dump_oops_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0
rpm -q selinux-policy
selinux-policy-3.13.1-113.fc22.noarch
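Parsing the raw records from the post above, as an added example that is not code from the bug report, from rng-tools or from setroubleshoot: the AVC lines are the ones pasted above (plus the SERVICE_START record, to show that non-AVC records are skipped), and `MEMORY_PROTECTION_PERMS`, `sealert_hash`, `allow_rule` and `summarize` are this example's own names. The code reproduces the "Hash:" line sealert prints, the alert count sealert reaches when the same denial repeats (two reads of passwd by pid 1124 here), and the TE rule audit2allow would emit for each denial. It also flags the execmod denial separately: execmod is refused when a domain tries to execute a file mapping it has modified (text relocations in a non-PIC build are the usual cause on i386), and allowing it with a local module removes that W^X check for the whole rngd_t domain. That is why the catchall plugin's `audit2allow -M mypol; semodule -i mypol.pp` is a workaround, not a fix, and why the maintainers asked rng-tools to look at the first AVC rather than adding an allow rule.

```python
"""Group raw SELinux AVC records the way sealert does and flag risky grants.
Added example; the sample records are the lines pasted in the bug report."""
import re
from collections import OrderedDict

# Permissions whose grant weakens W^X for the whole domain.  An audit2allow
# module for one of these deserves review, not a blind `semodule -i`.
MEMORY_PROTECTION_PERMS = {"execmod", "execmem", "execstack", "execheap"}

AVC_RE = re.compile(
    r"^type=AVC\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*avc:\s*"
    r"(?P<result>denied|granted)\s*\{\s*(?P<perms>[^}]*?)\s*\}\s*for\s+(?P<rest>.*)$"
)
# key=value pairs after "for"; values may be double-quoted (comm="abrt-dump-journ").
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Records copied from the report above: rngd's execmod denial (enforced, the
# service then failed) and two identical reads of passwd by abrt-dump-journ.
SAMPLE_AUDIT_LOG = """\
type=SERVICE_START msg=audit(1426018097.809:102): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=rngd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1426018097.959:103): avc: denied { execmod } for pid=978 comm="rngd" path="/usr/sbin/rngd" dev="dm-0" ino=324418 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:rngd_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1426018109.528:147): avc: denied { read } for pid=1124 comm="abrt-dump-journ" name="passwd" dev="dm-0" ino=324839 scontext=system_u:system_r:abrt_dump_oops_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1426018109.537:148): avc: denied { read } for pid=1124 comm="abrt-dump-journ" name="passwd" dev="dm-0" ino=324839 scontext=system_u:system_r:abrt_dump_oops_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0
"""


def context_type(context):
    """user:role:type[:range] -> type, e.g. system_u:system_r:rngd_t:s0 -> rngd_t."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line):
    """Return a dict for an AVC record, or None for any other audit record type."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "pid": int(fields.get("pid", "-1")),
        "comm": fields.get("comm", "?"),
        # file denials carry path= (full path resolved) or name= (basename only)
        "target": fields.get("path") or fields.get("name") or "?",
        "scontext": fields.get("scontext", "?"),
        "tcontext": fields.get("tcontext", "?"),
        "tclass": fields.get("tclass", "?"),
        # permissive=0: the kernel really refused the access (enforcing mode)
        "enforced": fields.get("permissive") == "0",
    }


def sealert_hash(avc):
    """The 'Hash:' line sealert prints: comm,source type,target type,class,perms."""
    return ",".join([avc["comm"], context_type(avc["scontext"]),
                     context_type(avc["tcontext"]), avc["tclass"],
                     " ".join(avc["perms"])])


def allow_rule(avc):
    """The TE allow rule audit2allow would generate for this denial."""
    perms = avc["perms"]
    perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return "allow %s %s:%s %s;" % (context_type(avc["scontext"]),
                                   context_type(avc["tcontext"]),
                                   avc["tclass"], perm_text)


def summarize(audit_text):
    """One entry per unique denial, counting repeats (sealert's 'Alert Count')."""
    summary = OrderedDict()
    for line in audit_text.splitlines():
        avc = parse_avc(line)
        if avc is None or avc["result"] != "denied":
            continue
        key = sealert_hash(avc)
        entry = summary.get(key)
        if entry is None:
            entry = summary[key] = {
                "count": 0,
                "first_seen": avc["timestamp"],
                "last_seen": avc["timestamp"],
                "comm": avc["comm"],
                "target": avc["target"],
                "enforced": avc["enforced"],
                "allow_rule": allow_rule(avc),
                "memory_protection": bool(set(avc["perms"]) & MEMORY_PROTECTION_PERMS),
            }
        entry["count"] += 1
        entry["first_seen"] = min(entry["first_seen"], avc["timestamp"])
        entry["last_seen"] = max(entry["last_seen"], avc["timestamp"])
    return summary


def report(summary):
    """One line per unique denial; memory-protection grants get a warning tag."""
    lines = []
    for key, e in summary.items():
        tag = "  [W^X permission: fix the binary/policy, do not audit2allow]" \
            if e["memory_protection"] else ""
        lines.append("%s x%d target=%s enforced=%s -> %s%s" % (
            key, e["count"], e["target"], e["enforced"], e["allow_rule"], tag))
    return lines


if __name__ == "__main__":
    for line in report(summarize(SAMPLE_AUDIT_LOG)):
        print(line)
```

Run it against a real log with `python3 avc_summary.py < /var/log/audit/audit.log` after swapping `SAMPLE_AUDIT_LOG` for `sys.stdin.read()`; the grouping key is exactly what the two "Hash:" lines above show, so the output can be matched to sealert's alerts one for one.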
Second issue is fixed:

#============= abrt_dump_oops_t ==============
#!!!! This avc is allowed in the current policy
allow abrt_dump_oops_t passwd_file_t:file read;

Hi guys from rng-tools, could you check the first AVC? Thank you.

Discussed at Fedora Blocker Review Meeting 2015-03-16 [0]: AcceptedBlocker Final - This bug is a clear violation of the Final criterion [1]: "There must be no SELinux denial notifications or crash notifications on boot of or during installation from a release-blocking live image, or at first login after a default install of a release-blocking desktop."

[0]: http://meetbot.fedoraproject.org/fedora-blocker-review/2015-03-16/f22-blocker-review.2015-03-16-16.01.log.txt
[1]: https://fedoraproject.org/wiki/Fedora_22_Final_Release_Criteria#SELinux_and_crash_notifications

Robert, are you still getting this issue on 22 Beta or Final TC1?

I think the remaining part of this is a dupe of 1181308. I haven't seen it in my 22 testing, so it may be system/hardware specific (depends if you actually have a hardware RNG, perhaps)? I think we could stand to re-discuss it, so I'm gonna close this as a dupe of that, and mark that as a proposed blocker.

*** This bug has been marked as a duplicate of bug 1181308 ***

Thanks Adam - I was busy and had not yet downloaded a beta or final version. Your input much appreciated.