Bug 1496260
Summary: | Regression: SELinux policy forbids rngd to access /dev/ttyUSB0 (USB-based HW RNG) | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Robert Scheck <redhat-bugzilla> |
Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
Severity: | high | Docs Contact: | |
Priority: | unspecified | ||
Version: | 7.4 | CC: | lvrabec, mgrepl, mmalik, pasteur, plautrba, redhat-bugzilla, robert.scheck, ssekidde, zpytela |
Target Milestone: | rc | Keywords: | Regression |
Target Release: | --- | ||
Hardware: | x86_64 | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | selinux-policy-3.13.1-175.el7 | Doc Type: | If docs needed, set a value |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2018-04-10 12:43:43 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Robert Scheck
2017-09-26 20:07:14 UTC
Cross-filed ticket 01940127 on the Red Hat customer portal. Note this regression is tricky, because rngd.service does (unfortunately) not fail but is "running" even it is not able to access /dev/ttyUSB0, thus this could be considered kind of a security relevant regression, because an administrator may believe (without rngd.service output monitoring or similar) that everything is working fine, given the service is running... I wonder which package brought any rngd_t related allow rules to RHEL-7.3, because there are no allow rules for this particular scenario on clean RHEL-7.3 and RHEL-7.4 machines: RHEL-7.3 ======== # matchpathcon `which rngd` /usr/sbin/rngd system_u:object_r:rngd_exec_t:s0 # matchpathcon /dev/ttyUSB0 /dev/ttyUSB0 system_u:object_r:usbtty_device_t:s0 # sesearch -s rngd_t -t usbtty_device_t -c chr_file -A -D # RHEL-7.4 ======== # matchpathcon `which rngd` /usr/sbin/rngd system_u:object_r:rngd_exec_t:s0 # matchpathcon /dev/ttyUSB0 /dev/ttyUSB0 system_u:object_r:usbtty_device_t:s0 # sesearch -s rngd_t -t usbtty_device_t -c chr_file -A -D # Worked for sure around time of selinux-policy-targeted-3.13.1-102.el7_3.16, as I set up rngd then and verified that it is working, reboot-safe etc. The RHEL 7.4 update also contained rng-tools-5-11.el7.x86_64, while at the time of setup this was rng-tools-5-8.el7.x86_64 (I digged into that detail given your comment #3). Maybe rng-tools changed, however bug #1454731 is private. Could you run following commands on the machine where rngd access to /dev/ttyUSB0 is not blocked? # ls -Z /dev/ttyUSB0 # ps -eZ | grep rngd # sesearch -s rngd_t -t usbtty_device_t -c chr_file -A -C I hope that output from these commands helps me understand where the problem is. Either the USB device has a different label than expected, or the RNG daemon has a different context than expected, or there is a rule which allows that access. Thank you I don't have a bare metal RHEL 7.3 around ad-hoc with HW RNG (all updated), RHEL 7.4 bare metal it looks like this: # ls -Z /dev/ttyUSB0 crw-rw----. root dialout system_u:object_r:usbtty_device_t:s0 /dev/ttyUSB0 # # ps -eZ | grep rngd system_u:system_r:rngd_t:s0 7146 ? 00:00:00 rngd # # sesearch -s rngd_t -t usbtty_device_t -c chr_file -A -C # # systemctl status rngd […] Sep 28 12:13:36 tux rngd[7257]: Unable to open file: /dev/ttyUSB0 # When downgrading from rng-tools-5-11.el7.x86_64 to rng-tools-5-8.el7.x86_64, (RHEL 7.3 rngd) the output of above commands is still the same, *except* for "systemctl status rngd" (no "Unable to open file: /dev/ttyUSB0"). When granting the missing permissions while using rng-tools-5-11.el7.x86_64 from RHEL 7.4 via allow rngd_t usbtty_device_t:chr_file { read open }; the output of "ps -eZ | grep rngd" changes slightly: # ps -eZ | grep rngd system_u:system_r:rngd_t:s0 24045 ttyUSB0 00:00:33 rngd # Based on that, I think it's the mixture out of rngd change(s) between -8 and -11 vs. a non-adapted SELinux policy to cover these rngd change(s). When checking the diff, https://git.centos.org/commitdiff/rpms!rng-tools.git /f947d47a7d6fb027418d6a8af65fd2568b8547ab leads me to newly introduced sysfs- related code, specifically rng-tools-init-entsource.patch line 49. May I ask which package version should contain a fix (given POST)? (In reply to Robert Scheck from comment #9) > May I ask which package version should contain a fix (given POST)? selinux-policy-3.13.1-175.el7 Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:0763 |