Bug 1698575
Summary: | SELinux is preventing rngd from 'write' accesses on the file write_wakeup_threshold. | |
---|---|---|---
Product: | [Fedora] Fedora | Reporter: | Matt Fagnani <matt.fagnani>
Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec>
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa>
Severity: | high | Docs Contact: |
Priority: | high | |
Version: | 30 | CC: | abhisek.mukherjee, anton4linux, awilliam, dwalsh, lvrabec, mailinglists35, mgrepl, plautrba, zpytela
Target Milestone: | --- | |
Target Release: | --- | |
Hardware: | Unspecified | |
OS: | Unspecified | |
Whiteboard: | abrt_hash:fe6e851ea7db6b1d1d0f56937bff65f532542d68103f6c6d01088780e3fc5c63; | |
Fixed In Version: | selinux-policy-3.14.3-29.fc30 | Doc Type: | If docs needed, set a value
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2019-04-13 00:05:26 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Description
Matt Fagnani
2019-04-10 16:15:22 UTC
Someone on the Bodhi update reported another issue with write_wakeup_threshold: https://bodhi.fedoraproject.org/updates/FEDORA-2019-b514a5c8a3#comment-926118

It seems like it's possible something really did go wrong with that policy in the selinux-policy-3.14.3-28.fc30 build for some reason? I note this line in the -28 changelog:

- Remove duplicate definition of kernel_rw_kernel_sysctl()

Perhaps it wasn't exactly a duplicate after all?

Yes. I think that's the problem. The definition that was removed is this:

```
interface(`kernel_rw_kernel_sysctl',`
    gen_require(`
        type proc_t, sysctl_t, sysctl_kernel_t;
    ')

    rw_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_kernel_t)
    list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t)
')
```

The definition that remains is this:

```
interface(`kernel_rw_kernel_sysctl',`
    gen_require(`
        type proc_t, sysctl_t, sysctl_kernel_ns_last_pid_t;
    ')

    rw_files_pattern($1, { proc_t sysctl_t sysctl_kernel_ns_last_pid_t }, sysctl_kernel_ns_last_pid_t)
    list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_ns_last_pid_t)
')
```

Those don't seem to be duplicates at all; they are different rules for different purposes. It looks more like the one that is still there should have a different name. Perhaps it was copy/pasted from the original 'kernel_rw_kernel_sysctl' as a base, and then whoever did that forgot to change the name?

Yeah. So you fixed this as a typo on the 'rawhide' branch: https://github.com/fedora-selinux/selinux-policy/commit/cfd49d70cfbb8daf5ceb6617c3f05450fdf5d2dd

But for some reason did not apply that change to the F30 branch, instead doing this erroneous "Remove duplicate definition" commit.

Merged. Thanks.

selinux-policy-3.14.3-29.fc30 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-7cb094d99a

Thanks for your explanation and fix. I updated to 3.14.3-29 from koji.
I ran `sudo semodule -X 300 -r my-rngd` to remove the custom module I installed with the rules:

```
allow rngd_t self:process execmem;
allow rngd_t sysctl_kernel_t:file write;
```

When I ran `sudo systemctl restart rngd`, rngd didn't start due to the execmem denial I reported in #1697886:

```
type=AVC msg=audit(1555086820.827:339): avc: denied { execmem } for pid=2651 comm="rngd" scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:system_r:rngd_t:s0 tclass=process permissive=0
```

So I ran

```
sudo ausearch -c 'rngd' --raw -ts today | audit2allow -M my-rngd-2
sudo semodule -i my-rngd-2.pp
```

which just had the rule `allow rngd_t self:process execmem;`. rngd started correctly when I ran `sudo systemctl restart rngd` again, and the write denial on /proc/sys/kernel/random/write_wakeup_threshold didn't happen. I didn't see the write denial on write_wakeup_threshold when rngd started during the next boot. This denial appears to be fixed in 3.14.3-29.

selinux-policy-3.14.3-29.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.
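As an added example (not code from the bug report or from the selinux-policy project), the following Python parser turns raw AVC records like the one quoted above into the allow rules that audit2allow would propose, which is useful for checking which denials actually remain after a policy update such as 3.14.3-29 before reinstalling a custom module. The sample audit text is constructed: the execmem record is the one quoted in the report, while the write record and the SYSCALL record are made up to mirror the write_wakeup_threshold denial the report describes.

```python
import re

# Constructed sample audit log. The execmem record is the one quoted in the
# bug report; the write record (modelled on the write_wakeup_threshold
# denial) and the SYSCALL record are constructed for this example.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1555086820.827:339): avc: denied { execmem } for pid=2651 comm="rngd" scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:system_r:rngd_t:s0 tclass=process permissive=0
type=AVC msg=audit(1555086821.001:340): avc: denied { write } for pid=2651 comm="rngd" name="write_wakeup_threshold" dev="proc" ino=99999 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1555086821.001:340): arch=c000003e syscall=257 success=no exit=-13
"""

# Matches the denial, the permission set in braces and the key=value fields.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+"
    r"(?P<fields>.*?)\s+permissive=[01]"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Parse one AVC denial record; return None for any other record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    # A context is user:role:type[:level]; index 2 is the SELinux type.
    return {
        "perms": set(m.group("perms").split()),
        "source": fields["scontext"].split(":")[2],
        "target": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "comm": fields.get("comm", "").strip('"'),
    }

def allow_rules(audit_text):
    """Collapse denials into allow rules, merging permissions that share the
    same source type, target type and object class (as audit2allow does)."""
    merged = {}
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            key = (rec["source"], rec["target"], rec["tclass"])
            merged.setdefault(key, set()).update(rec["perms"])
    rules = []
    for (src, tgt, cls), perms in merged.items():
        tgt = "self" if tgt == src else tgt
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules
```

Run against the sample it yields exactly the two rules the reporter's first custom module contained; a denial that no longer appears in the log after the policy update needs no rule at all.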