Bug 1496260

Cross-filed ticket 01940127 on the Red Hat customer portal.

Note this regression is tricky, because rngd.service does (unfortunately)
not fail but is "running" even it is not able to access /dev/ttyUSB0, thus
this could be considered kind of a security relevant regression, because
an administrator may believe (without rngd.service output monitoring or
similar) that everything is working fine, given the service is running...

I wonder which package brought any rngd_t related allow rules to RHEL-7.3, because there are no allow rules for this particular scenario on clean RHEL-7.3 and RHEL-7.4 machines:

RHEL-7.3
========
# matchpathcon `which rngd`
/usr/sbin/rngd	system_u:object_r:rngd_exec_t:s0
# matchpathcon /dev/ttyUSB0
/dev/ttyUSB0	system_u:object_r:usbtty_device_t:s0
# sesearch -s rngd_t -t usbtty_device_t -c chr_file -A -D

#

RHEL-7.4
========
# matchpathcon `which rngd`
/usr/sbin/rngd	system_u:object_r:rngd_exec_t:s0
# matchpathcon /dev/ttyUSB0
/dev/ttyUSB0	system_u:object_r:usbtty_device_t:s0
# sesearch -s rngd_t -t usbtty_device_t -c chr_file -A -D

#

Worked for sure around time of selinux-policy-targeted-3.13.1-102.el7_3.16,
as I set up rngd then and verified that it is working, reboot-safe etc. The
RHEL 7.4 update also contained rng-tools-5-11.el7.x86_64, while at the time
of setup this was rng-tools-5-8.el7.x86_64 (I digged into that detail given
your comment #3). Maybe rng-tools changed, however bug #1454731 is private.

Could you run following commands on the machine where rngd access to /dev/ttyUSB0 is not blocked?

# ls -Z /dev/ttyUSB0
# ps -eZ | grep rngd
# sesearch -s rngd_t -t usbtty_device_t -c chr_file -A -C

I hope that output from these commands helps me understand where the problem is. Either the USB device has a different label than expected, or the RNG daemon has a different context than expected, or there is a rule which allows that access.

Thank you

I don't have a bare metal RHEL 7.3 around ad-hoc with HW RNG (all updated),
RHEL 7.4 bare metal it looks like this:

# ls -Z /dev/ttyUSB0
crw-rw----. root dialout system_u:object_r:usbtty_device_t:s0 /dev/ttyUSB0
#

# ps -eZ | grep rngd
system_u:system_r:rngd_t:s0      7146 ?        00:00:00 rngd
#

# sesearch -s rngd_t -t usbtty_device_t -c chr_file -A -C

#

# systemctl status rngd
[…]
Sep 28 12:13:36 tux rngd[7257]: Unable to open file: /dev/ttyUSB0
#

When downgrading from rng-tools-5-11.el7.x86_64 to rng-tools-5-8.el7.x86_64,
(RHEL 7.3 rngd) the output of above commands is still the same, *except* for 
"systemctl status rngd" (no "Unable to open file: /dev/ttyUSB0").

When granting the missing permissions while using rng-tools-5-11.el7.x86_64
from RHEL 7.4 via

  allow rngd_t usbtty_device_t:chr_file { read open };

the output of "ps -eZ | grep rngd" changes slightly:

# ps -eZ | grep rngd
system_u:system_r:rngd_t:s0     24045 ttyUSB0  00:00:33 rngd
#

Based on that, I think it's the mixture out of rngd change(s) between -8
and -11 vs. a non-adapted SELinux policy to cover these rngd change(s).

When checking the diff, https://git.centos.org/commitdiff/rpms!rng-tools.git
/f947d47a7d6fb027418d6a8af65fd2568b8547ab leads me to newly introduced sysfs-
related code, specifically rng-tools-init-entsource.patch line 49.

May I ask which package version should contain a fix (given POST)?

(In reply to Robert Scheck from comment #9)
> May I ask which package version should contain a fix (given POST)?

selinux-policy-3.13.1-175.el7

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0763