Bug 1627937
| Summary: | SELinux is preventing dnssec-trigger- from read/open/getattr access on the chr_file random. | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Chris Murphy <bugzilla> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED DUPLICATE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 29 | CC: | dwalsh, lvrabec, mgrepl, plautrba, pmoore |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2018-09-15 22:13:10 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
OK and rebooting with enforcing I get only these:
Sep 11 18:31:33 f28h.local audit[915]: AVC avc: denied { read } for pid=915 comm="dnssec-trigger-" name="random" dev="devtmpfs" ino=3083 scontext=system_u:system_r:dnssec_trigger_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file permissive=0
Sep 11 18:31:33 f28h.local audit[950]: AVC avc: denied { read } for pid=950 comm="dnssec-trigger-" name="random" dev="devtmpfs" ino=3083 scontext=system_u:system_r:dnssec_trigger_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file permissive=0
Sep 11 18:31:40 f28h.local audit[1327]: AVC avc: denied { read } for pid=1327 comm="dnssec-trigger-" name="random" dev="devtmpfs" ino=3083 scontext=system_u:system_r:dnssec_trigger_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file permissive=0
Sep 11 18:31:40 f28h.local audit[1343]: AVC avc: denied { read } for pid=1343 comm="dnssec-trigger-" name="random" dev="devtmpfs" ino=3083 scontext=system_u:system_r:dnssec_trigger_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file permissive=0
Missed one:
Sep 11 18:32:36 f29h.local audit[2396]: AVC avc: denied { read } for pid=2396 comm="dnssec-trigger-" name="random" dev="devtmpfs" ino=3083 scontext=system_u:system_r:dnssec_trigger_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file permissive=0
*** This bug has been marked as a duplicate of bug 1624554 ***
Description of problem:
Three dnssec-trigger AVC's triggered during boot/login (nothing else launched, I see the notification as login to GNOME completes).

Version-Release number of selected component (if applicable):
selinux-policy-3.14.2-34.fc29.noarch

System has had restorecon -rv applied

1. SELinux is preventing dnssec-trigger- from read access on the chr_file random.
type=AVC msg=audit(1536703714.624:219): avc: denied { read } for pid=1323 comm="dnssec-trigger-" name="random" dev="devtmpfs" ino=1037 scontext=system_u:system_r:dnssec_trigger_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file permissive=1

2. SELinux is preventing dnssec-trigger- from open access on the chr_file /dev/random.
type=AVC msg=audit(1536703714.624:220): avc: denied { open } for pid=1323 comm="dnssec-trigger-" path="/dev/random" dev="devtmpfs" ino=1037 scontext=system_u:system_r:dnssec_trigger_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file permissive=1

3. SELinux is preventing dnssec-trigger- from getattr access on the chr_file /dev/random.
type=AVC msg=audit(1536703714.624:221): avc: denied { getattr } for pid=1323 comm="dnssec-trigger-" path="/dev/random" dev="devtmpfs" ino=1037 scontext=system_u:system_r:dnssec_trigger_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file permissive=1

Additional info:
Note that the first one is on the file "random" whereas second and third are on /dev/random - not sure what the distinction is.
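Added triage example (editor's code, not part of the bug report or of selinux-policy): a small parser for the AVC records quoted in this bug, in both the journald rendering ("audit[915]: AVC avc: denied ...") and the raw auditd form ("type=AVC msg=audit(...): avc: denied ..."). It groups the denials by (source type, target type, object class) and renders the raw `allow` rule that `audit2allow` would propose from the same input, which is what a policy maintainer compares against the existing interfaces (in the reference policy, read access to random_device_t is granted by the `dev_read_rand()` interface rather than a raw allow). The sample input is constructed from the report's own lines. Two details visible in those lines are worth knowing when reading such output: the `read` check happens before the device is opened, when the kernel only has the directory entry name (`name="random"`), while `open` and `getattr` are checked on the opened file and carry its full path (`path="/dev/random"`); and in enforcing mode the failed `read` check aborts the open() call, so the `open` and `getattr` denials that appear in permissive mode never occur, which is why the enforcing-mode log shows only `read`.

```python
import re
from collections import defaultdict

# Constructed sample: the five enforcing-mode journal lines and the three
# permissive-mode raw audit records quoted in the bug report above.
SAMPLE_LOG = """\
Sep 11 18:31:33 f28h.local audit[915]: AVC avc: denied { read } for pid=915 comm="dnssec-trigger-" name="random" dev="devtmpfs" ino=3083 scontext=system_u:system_r:dnssec_trigger_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file permissive=0
Sep 11 18:31:33 f28h.local audit[950]: AVC avc: denied { read } for pid=950 comm="dnssec-trigger-" name="random" dev="devtmpfs" ino=3083 scontext=system_u:system_r:dnssec_trigger_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file permissive=0
Sep 11 18:31:40 f28h.local audit[1327]: AVC avc: denied { read } for pid=1327 comm="dnssec-trigger-" name="random" dev="devtmpfs" ino=3083 scontext=system_u:system_r:dnssec_trigger_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file permissive=0
Sep 11 18:31:40 f28h.local audit[1343]: AVC avc: denied { read } for pid=1343 comm="dnssec-trigger-" name="random" dev="devtmpfs" ino=3083 scontext=system_u:system_r:dnssec_trigger_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file permissive=0
Sep 11 18:32:36 f29h.local audit[2396]: AVC avc: denied { read } for pid=2396 comm="dnssec-trigger-" name="random" dev="devtmpfs" ino=3083 scontext=system_u:system_r:dnssec_trigger_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1536703714.624:219): avc: denied { read } for pid=1323 comm="dnssec-trigger-" name="random" dev="devtmpfs" ino=1037 scontext=system_u:system_r:dnssec_trigger_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1536703714.624:220): avc: denied { open } for pid=1323 comm="dnssec-trigger-" path="/dev/random" dev="devtmpfs" ino=1037 scontext=system_u:system_r:dnssec_trigger_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1536703714.624:221): avc: denied { getattr } for pid=1323 comm="dnssec-trigger-" path="/dev/random" dev="devtmpfs" ino=1037 scontext=system_u:system_r:dnssec_trigger_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file permissive=1
"""

# Matches the "avc: denied { perms } for key=value ..." core that both the
# journald rendering and the raw auditd record share.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
# key=value pairs; values are either double-quoted or a run of non-space characters.
FIELD_RE = re.compile(r'(?P<key>\w+)=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))')


def parse_avc_line(line):
    """Return a dict for one AVC denial, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {}
    for f in FIELD_RE.finditer(m.group('fields')):
        fields[f.group('key')] = f.group('quoted') if f.group('quoted') is not None else f.group('bare')
    # The kernel reports the object as name= (dentry name only, pre-open checks)
    # or path= (full path, checks on an already opened file); keep whichever is present.
    obj = fields.get('path', fields.get('name'))
    return {
        'perms': m.group('perms').split(),
        'pid': int(fields['pid']),
        'comm': fields.get('comm'),
        'object': obj,
        'scontext': fields['scontext'],
        'tcontext': fields['tcontext'],
        'tclass': fields['tclass'],
        # permissive=1 means the denial was logged but the access was allowed to proceed.
        'permissive': fields.get('permissive') == '1',
    }


def parse_avc_log(text):
    """Parse every AVC record in a block of log text, skipping unrelated lines."""
    records = []
    for line in text.splitlines():
        rec = parse_avc_line(line)
        if rec:
            records.append(rec)
    return records


def type_of(context):
    """Extract the type field from a user:role:type:level security context."""
    return context.split(':')[2]


def summarize(records):
    """Group denials by (source type, target type, object class) -> sorted permission list."""
    grouped = defaultdict(set)
    for r in records:
        grouped[(type_of(r['scontext']), type_of(r['tcontext']), r['tclass'])].update(r['perms'])
    return {key: sorted(perms) for key, perms in grouped.items()}


def allow_rules(summary):
    """Render each group as the raw allow rule audit2allow would propose."""
    return [f'allow {s} {t}:{c} {{ {" ".join(p)} }};' for (s, t, c), p in sorted(summary.items())]


def enforced_denials(records):
    """Only denials logged with permissive=0 actually blocked the access."""
    return [r for r in records if not r['permissive']]


if __name__ == '__main__':
    recs = parse_avc_log(SAMPLE_LOG)
    print(f'{len(recs)} AVC records, {len(enforced_denials(recs))} enforced')
    for rule in allow_rules(summarize(recs)):
        print(rule)
```

Running it on the sample yields a single rule, `allow dnssec_trigger_t random_device_t:chr_file { getattr open read };`, which is exactly the permission set the bug title summarises; on a real system the same parser can be fed `journalctl -b _TRANSPORT=audit` or `ausearch -m AVC` output to confirm that a policy update closed every denial rather than only the first one seen in enforcing mode.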