Bug 1699278

Summary: SELinux is preventing rngd from write access on the file write_wakeup_threshold
Product: [Fedora] Fedora Reporter: Lukas Slebodnik <lslebodn>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: 30CC: dwalsh, kmansoft, lvrabec, mgrepl, plautrba, zpytela
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: selinux-policy-3.14.3-31.fc30 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1700222 (view as bug list) Environment:
Last Closed: 2019-04-27 21:27:00 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Lukas Slebodnik 2019-04-12 10:03:41 UTC 
SELinux is preventing rngd from write access on the file write_wakeup_threshold.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that rngd should be allowed write access on the write_wakeup_threshold file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'rngd' --raw | audit2allow -M my-rngd
# semodule -X 300 -i my-rngd.pp


Additional Information:
Source Context                system_u:system_r:rngd_t:s0
Target Context                system_u:object_r:sysctl_kernel_t:s0
Target Objects                write_wakeup_threshold [ file ]
Source                        rngd
Source Path                   rngd
Port                          <Unknown>
Host                          ibm-x3650m4-02-vm-04.lab.eng.bos.redhat.com
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.3-28.fc30.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     ibm-x3650m4-02-vm-04.lab.eng.bos.redhat.com
Platform                      Linux ibm-x3650m4-02-vm-04.lab.eng.bos.redhat.com
                              5.0.7-300.fc30.x86_64 #1 SMP Mon Apr 8 18:28:09
                              UTC 2019 x86_64 x86_64
Alert Count                   2
First Seen                    2019-04-12 06:00:13 EDT
Last Seen                     2019-04-12 06:00:20 EDT
Local ID                      daff11fc-bd6e-4778-af0c-e900e583350e

Raw Audit Messages
type=AVC msg=audit(1555063220.388:325): avc:  denied  { write } for  pid=17376 comm="rngd" name="write_wakeup_threshold" dev="proc" ino=37714 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=1


Hash: rngd,rngd_t,sysctl_kernel_t,file,write
Comment 1 Lukas Slebodnik 2019-04-12 10:07:19 UTC 
sh# ausearch -m avc -i
----
type=AVC msg=audit(04/12/2019 05:58:15.032:303) : avc:  denied  { write } for  pid=16804 comm=rngd name=write_wakeup_threshold dev="proc" ino=37714 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=0 
----
type=AVC msg=audit(04/12/2019 06:00:13.302:318) : avc:  denied  { write } for  pid=17366 comm=rngd name=write_wakeup_threshold dev="proc" ino=37714 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=0 
----
type=AVC msg=audit(04/12/2019 06:00:20.388:325) : avc:  denied  { write } for  pid=17376 comm=rngd name=write_wakeup_threshold dev="proc" ino=37714 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=1 
----
type=AVC msg=audit(04/12/2019 06:04:09.176:332) : avc:  denied  { write } for  pid=17433 comm=rngd name=write_wakeup_threshold dev="proc" ino=37714 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=1

sh# find /proc/ -inum 37714
/proc/sys/kernel/random/write_wakeup_threshold

And output from journald in enforcing and permissive mode

Apr 12 06:00:13 ibm-x3650m4.example.com rngd[17366]: Initalizing AES buffer
Apr 12 06:00:13 ibm-x3650m4.example.com rngd[17366]: Enabling JITTER rng support
Apr 12 06:00:13 ibm-x3650m4.example.com rngd[17366]: Initalizing entropy source jitter
Apr 12 06:00:13 ibm-x3650m4.example.com rngd[17366]: PKCS11 Engine /usr/lib64/opensc-pkcs11.so Error: No such file or directory
Apr 12 06:00:13 ibm-x3650m4.example.com rngd[17366]: Failed to init entropy source pkcs11
Apr 12 06:00:13 ibm-x3650m4.example.com rngd[17366]: unable to adjust write_wakeup_threshold: Permission denied
Apr 12 06:00:16 ibm-x3650m4.example.com systemd[1]: Stopping Hardware RNG Entropy Gatherer Daemon...
Apr 12 06:00:17 ibm-x3650m4.example.com systemd[1]: rngd.service: Succeeded.
Apr 12 06:00:17 ibm-x3650m4.example.com systemd[1]: Stopped Hardware RNG Entropy Gatherer Daemon.
Apr 12 06:00:17 ibm-x3650m4.example.com systemd[1]: Started Hardware RNG Entropy Gatherer Daemon.
Apr 12 06:00:17 ibm-x3650m4.example.com rngd[17376]: Initalizing available sources
Apr 12 06:00:17 ibm-x3650m4.example.com rngd[17376]: Initalizing entropy source hwrng
Apr 12 06:00:17 ibm-x3650m4.example.com rngd[17376]: Failed to init entropy source rdrand
Apr 12 06:00:20 ibm-x3650m4.example.com rngd[17376]: Initalizing AES buffer
Apr 12 06:00:20 ibm-x3650m4.example.com rngd[17376]: Enabling JITTER rng support
Apr 12 06:00:20 ibm-x3650m4.example.com rngd[17376]: Initalizing entropy source jitter
Apr 12 06:00:20 ibm-x3650m4.example.com rngd[17376]: PKCS11 Engine /usr/lib64/opensc-pkcs11.so Error: No such file or directory
Apr 12 06:00:20 ibm-x3650m4.example.com rngd[17376]: Failed to init entropy source pkcs11
Comment 2 Lukas Slebodnik 2019-04-12 10:41:19 UTC 
BTW in out put you can see that it tried to load /usr/lib64/opensc-pkcs11.so which was not installed

So it might be a reason  why I could see different AVC with rngd (which is already allowed IIRC)

type=PROCTITLE msg=audit(04/10/2019 10:37:30.734:11464) : proctitle=/sbin/rngd -f 
type=PATH msg=audit(04/10/2019 10:37:30.734:11464) : item=0 name=/var/run/pcscd/pcscd.comm inode=23357770 dev=00:17 mode=socket,666 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:pcscd_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(04/10/2019 10:37:30.734:11464) : cwd=/ 
type=SOCKADDR msg=audit(04/10/2019 10:37:30.734:11464) : saddr={ fam=local path=/var/run/pcscd/pcscd.comm } 
type=SYSCALL msg=audit(04/10/2019 10:37:30.734:11464) : arch=x86_64 syscall=connect success=yes exit=0 a0=0x6 a1=0x7ffc5ffeb9e0 a2=0x1c a3=0x55574c2f28a0 items=1 ppid=1 pid=27942 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rngd exe=/usr/sbin/rngd subj=system_u:system_r:rngd_t:s0 key=(null) 
type=AVC msg=audit(04/10/2019 10:37:30.734:11464) : avc:  denied  { connectto } for  pid=27942 comm=rngd path=/run/pcscd/pcscd.comm scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:system_r:pcscd_t:s0 tclass=unix_stream_socket permissive=1
Comment 3 Kostya Vasilyev 2019-04-14 11:32:50 UTC 
Can't reproduce "write_wakeup_threshold" anymore with selinux-policy-targeted-3.14.3-29.fc30.noarch - fixed and released?
Comment 4 Zdenek Pytela 2019-04-15 07:58:25 UTC 
Both the missing permissions reported in this bz:

type=AVC msg=audit(04/12/2019 06:04:09.176:332) : avc:  denied  { write } for  pid=17433 comm=rngd name=write_wakeup_threshold dev="proc" ino=37714 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=1
type=AVC msg=audit(04/10/2019 10:37:30.734:11464) : avc:  denied  { connectto } for  pid=27942 comm=rngd path=/run/pcscd/pcscd.comm scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:system_r:pcscd_t:s0 tclass=unix_stream_socket permissive=1

seem to be present in the current policy:

# sesearch -A -s rngd_t -t pcscd_t -c unix_stream_socket -p connectto
allow daemon daemon:unix_stream_socket connectto; [ daemons_enable_cluster_mode ]:True
allow rngd_t pcscd_t:unix_stream_socket connectto;

# sesearch -A -s rngd_t -t sysctl_kernel_t -c file -p write
allow rngd_t sysctl_kernel_t:file { append getattr ioctl lock open read write };
Comment 5 Fedora Update System 2019-04-19 21:58:32 UTC 
selinux-policy-3.14.3-31.fc30 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-3055c546d6
Comment 6 Fedora Update System 2019-04-20 14:42:12 UTC 
selinux-policy-3.14.3-31.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-3055c546d6
Comment 7 Fedora Update System 2019-04-27 21:27:00 UTC 
selinux-policy-3.14.3-31.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.