Bug 2058914

Summary: SELinux is preventing rngd from using the 'setgid' capabilities.
Product: [Fedora] Fedora
Reporter: Matt Fagnani <matt.fagnani>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: 36
CC: decathorpe, dwalsh, grepl.miroslav, gtwilliams, lvrabec, mmalik, omosnace, pkoncity, vdronov, vmojzis, zpytela
Keywords: Triaged
Hardware: x86_64
OS: Linux
Whiteboard: abrt_hash:f98b1f95d3fcc4ba24814d5ddbc1c7bd7ec3bafda192d6ed6f56c19b27e60e2c;VARIANT_ID=kde;
Fixed In Version: selinux-policy-36.5-1.fc36
Last Closed: 2022-03-24 19:34:02 UTC

Description Matt Fagnani 2022-02-26 21:40:49 UTC
Description of problem:
I ran sudo dnf upgrade --refresh with updates-testing enabled in a Fedora 36 KDE Plasma installation. The update included rng-tools-6.15-1.fc36.x86_64. rngd.service was restarted as part of the update. rngd was denied the setgid capability five times which made rngd.service fail to start. The same denials happened when I ran sudo systemctl restart rngd and on the next boot.

Feb 26 16:24:43 systemd[1]: Stopping rngd.service - Hardware RNG Entropy Gatherer Daemon...
Feb 26 16:24:43 systemd[1]: rngd.service: Deactivated successfully.
Feb 26 16:24:43 systemd[1]: Stopped rngd.service - Hardware RNG Entropy Gatherer Daemon.
Feb 26 16:24:43 audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=rngd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Feb 26 16:24:43 systemd[1]: rngd.service: Consumed 49.068s CPU time.
Feb 26 16:24:43 systemd[1]: Started rngd.service - Hardware RNG Entropy Gatherer Daemon.
Feb 26 16:24:43 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=rngd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Feb 26 16:24:43 rngd[6456]: Disabling 7: PKCS11 Entropy generator (pkcs11)
Feb 26 16:24:43 rngd[6456]: Disabling 5: NIST Network Entropy Beacon (nist)
Feb 26 16:24:43 rngd[6456]: Initializing available sources
Feb 26 16:24:43 rngd[6456]: [hwrng ]: Initialization Failed
Feb 26 16:24:43 rngd[6456]: [rdrand]: Initialization Failed
Feb 26 16:24:43 rngd[6456]: [jitter]: Initializing AES buffer
Feb 26 16:24:43 systemd[1]: Started run-r4ee5f639bad24e2198909180c131303b.service - /usr/bin/systemctl start man-db-cache-update.
Feb 26 16:24:43 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=run-r4ee5f639bad24e2198909180c131303b comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Feb 26 16:24:47 audit[6272]: USER_END pid=6272 uid=1000 auid=1000 ses=6 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_keyinit,pam_limits,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
Feb 26 16:24:47 audit[6272]: CRED_DISP pid=6272 uid=1000 auid=1000 ses=6 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_localuser,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
Feb 26 16:24:47 sudo[6272]: pam_unix(sudo:session): session closed for user root
Feb 26 16:24:47 rngd[6456]: [jitter]: Enabling JITTER rng support
Feb 26 16:24:47 rngd[6456]: [jitter]: Initialized
Feb 26 16:24:47 rngd[6456]: [rtlsdr]: Initialization Failed
Feb 26 16:24:47 audit[6456]: AVC avc:  denied  { setgid } for  pid=6456 comm="rngd" capability=6  scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:system_r:rngd_t:s0 tclass=capability permissive=0
Feb 26 16:24:47 audit[6456]: AVC avc:  denied  { setgid } for  pid=6456 comm="rngd" capability=6  scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:system_r:rngd_t:s0 tclass=capability permissive=0
Feb 26 16:24:47 audit[6456]: AVC avc:  denied  { setgid } for  pid=6456 comm="rngd" capability=6  scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:system_r:rngd_t:s0 tclass=capability permissive=0
Feb 26 16:24:47 audit[6456]: AVC avc:  denied  { setgid } for  pid=6456 comm="rngd" capability=6  scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:system_r:rngd_t:s0 tclass=capability permissive=0
Feb 26 16:24:47 audit[6456]: AVC avc:  denied  { setgid } for  pid=6456 comm="rngd" capability=6  scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:system_r:rngd_t:s0 tclass=capability permissive=0
Feb 26 16:24:47 rngd[6456]: setgroups() failed: Operation not permitted
Feb 26 16:24:47 systemd[1]: rngd.service: Main process exited, code=exited, status=1/FAILURE
Feb 26 16:24:47 systemd[1]: rngd.service: Failed with result 'exit-code'.
Feb 26 16:24:47 audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=rngd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
Feb 26 16:24:47 systemd[1]: rngd.service: Consumed 15.289s CPU time.

SELinux is preventing rngd from using the 'setgid' capabilities.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that rngd should have the setgid capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'rngd' --raw | audit2allow -M my-rngd
# semodule -X 300 -i my-rngd.pp

Additional Information:
Source Context                system_u:system_r:rngd_t:s0
Target Context                system_u:system_r:rngd_t:s0
Target Objects                Unknown [ capability ]
Source                        rngd
Source Path                   rngd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-36.3-1.fc36.noarch
Local Policy RPM              selinux-policy-targeted-36.3-1.fc36.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.17.0-0.rc5.102.fc36.x86_64 #1
                              SMP PREEMPT Mon Feb 21 19:16:16 UTC 2022 x86_64
                              x86_64
Alert Count                   15
First Seen                    2022-02-26 16:24:47 EST
Last Seen                     2022-02-26 16:30:20 EST
Local ID                      7b7ec97c-e8a9-450d-8e08-f290c6dc8d95

Raw Audit Messages
type=AVC msg=audit(1645911020.648:326): avc:  denied  { setgid } for  pid=860 comm="rngd" capability=6  scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:system_r:rngd_t:s0 tclass=capability permissive=0


Hash: rngd,rngd_t,rngd_t,capability,setgid

Version-Release number of selected component:
selinux-policy-targeted-36.3-1.fc36.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.17.0
hashmarkername: setroubleshoot
kernel:         5.17.0-0.rc5.102.fc36.x86_64
type:           libreport

Comment 1 Matt Fagnani 2022-02-26 22:29:11 UTC
I ran the following to allow the rngd setgid capability
sudo ausearch -c 'rngd' --raw | audit2allow -M my-rngd 
sudo semodule -X 300 -i my-rngd.pp

I restarted rngd.service with sudo systemctl restart rngd. rngd was denied using the setuid capability which made rngd.service fail to start.

Feb 26 16:59:34 systemd[1]: Started rngd.service - Hardware RNG Entropy Gatherer Daemon.
Feb 26 16:59:34 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=rngd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Feb 26 16:59:34 sudo[4356]: pam_unix(sudo:session): session closed for user root
Feb 26 16:59:34 audit[4356]: USER_END pid=4356 uid=1000 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_keyinit,pam_limits,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
Feb 26 16:59:34 audit[4356]: CRED_DISP pid=4356 uid=1000 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_fprintd acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
Feb 26 16:59:34 rngd[4359]: Disabling 7: PKCS11 Entropy generator (pkcs11)
Feb 26 16:59:34 rngd[4359]: Disabling 5: NIST Network Entropy Beacon (nist)
Feb 26 16:59:34 rngd[4359]: Initializing available sources
Feb 26 16:59:34 rngd[4359]: [hwrng ]: Initialization Failed
Feb 26 16:59:34 rngd[4359]: [rdrand]: Initialization Failed
Feb 26 16:59:34 rngd[4359]: [jitter]: Initializing AES buffer
Feb 26 16:59:37 rngd[4359]: [jitter]: Enabling JITTER rng support
Feb 26 16:59:37 rngd[4359]: [jitter]: Initialized
Feb 26 16:59:37 rngd[4359]: [rtlsdr]: Initialization Failed
Feb 26 16:59:37 audit[4359]: AVC avc:  denied  { setuid } for  pid=4359 comm="rngd" capability=7  scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:system_r:rngd_t:s0 tclass=capability permissive=0
Feb 26 16:59:37 audit[4359]: AVC avc:  denied  { setuid } for  pid=4359 comm="rngd" capability=7  scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:system_r:rngd_t:s0 tclass=capability permissive=0
Feb 26 16:59:37 audit[4359]: AVC avc:  denied  { setuid } for  pid=4359 comm="rngd" capability=7  scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:system_r:rngd_t:s0 tclass=capability permissive=0
Feb 26 16:59:37 audit[4359]: AVC avc:  denied  { setuid } for  pid=4359 comm="rngd" capability=7  scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:system_r:rngd_t:s0 tclass=capability permissive=0
Feb 26 16:59:37 audit[4359]: AVC avc:  denied  { setuid } for  pid=4359 comm="rngd" capability=7  scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:system_r:rngd_t:s0 tclass=capability permissive=0
Feb 26 16:59:37 rngd[4359]: setresuid() failed: Operation not permitted
Feb 26 16:59:37 systemd[1]: rngd.service: Main process exited, code=exited, status=1/FAILURE
Feb 26 16:59:37 systemd[1]: rngd.service: Failed with result 'exit-code'.
Feb 26 16:59:38 audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=rngd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
Feb 26 16:59:38 systemd[1]: rngd.service: Consumed 15.588s CPU time.

I ran the following to allow the rngd setuid capability
sudo ausearch -c 'rngd' --raw | audit2allow -M my-rngd 
sudo semodule -X 300 -i my-rngd.pp

I restarted rngd.service with sudo systemctl restart rngd. rngd was denied using setcap to set the CAP_SYS_ADMIN capability which made rngd.service fail to start.

Feb 26 17:03:15 systemd[1]: Started rngd.service - Hardware RNG Entropy Gatherer Daemon.
Feb 26 17:03:15 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=rngd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Feb 26 17:03:15 sudo[4494]: pam_unix(sudo:session): session closed for user root
Feb 26 17:03:15 audit[4494]: USER_END pid=4494 uid=1000 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_keyinit,pam_limits,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
Feb 26 17:03:15 audit[4494]: CRED_DISP pid=4494 uid=1000 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_fprintd acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
Feb 26 17:03:15 rngd[4497]: Disabling 7: PKCS11 Entropy generator (pkcs11)
Feb 26 17:03:15 rngd[4497]: Disabling 5: NIST Network Entropy Beacon (nist)
Feb 26 17:03:15 rngd[4497]: Initializing available sources
Feb 26 17:03:15 rngd[4497]: [hwrng ]: Initialization Failed
Feb 26 17:03:15 rngd[4497]: [rdrand]: Initialization Failed
Feb 26 17:03:15 rngd[4497]: [jitter]: Initializing AES buffer
Feb 26 17:03:19 rngd[4497]: [jitter]: Enabling JITTER rng support
Feb 26 17:03:19 rngd[4497]: [jitter]: Initialized
Feb 26 17:03:19 rngd[4497]: [rtlsdr]: Initialization Failed
Feb 26 17:03:19 rngd[4497]: Cannot set CAP_SYS_ADMIN capability: Permission denied
Feb 26 17:03:19 audit[4497]: AVC avc:  denied  { setcap } for  pid=4497 comm="rngd" scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:system_r:rngd_t:s0 tclass=process permissive=0
Feb 26 17:03:19 systemd[1]: rngd.service: Main process exited, code=exited, status=1/FAILURE
Feb 26 17:03:19 systemd[1]: rngd.service: Failed with result 'exit-code'.
Feb 26 17:03:19 audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=rngd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
Feb 26 17:03:19 systemd[1]: rngd.service: Consumed 15.595s CPU time.

I ran the following to allow rngd to use setcap
sudo ausearch -c 'rngd' --raw | audit2allow -M my-rngd 
sudo semodule -X 300 -i my-rngd.pp

rngd.service started with the uid:gid daemon:daemon after that as changed in rngd.sysconfig at https://src.fedoraproject.org/rpms/rng-tools/c/51036602f71a3a117389aa5acb92adc1c29d1487?branch=f36

Comment 2 Vladis Dronov 2022-02-28 17:35:35 UTC
hi Matt,
thanks a ton for your report, it helps a lot. indeed, rngd was updated with code that drops privileges so rngd process
runs as non-root user. uid/gid/cap-changing syscalls are used for that. the selinux part indeed has the above issues. this
will be fixed, for now i can think of the following workarounds:

1) your workaround with audit2allow/semodule
2) remove "-D daemon:daemon" from /etc/sysconfig/rngd. this will make rngd run as root as before.
3) downgrade to the previous v6.14 rng-tools. the update was unpushed so fedora repos should have the previous v6.14 version.

thanks again, your help and report are much appreciated!

Comment 3 Zdenek Pytela 2022-03-01 07:50:53 UTC
*** Bug 2059166 has been marked as a duplicate of this bug. ***

Comment 4 Zdenek Pytela 2022-03-01 11:37:02 UTC
Instead of adding the permission, I updated the service unit as follows:

# cat /etc/sysconfig/rngd
# Optional arguments passed to rngd. See rngd(8) and
# https://bugzilla.redhat.com/show_bug.cgi?id=1252175#c21
#RNGD_ARGS="-x pkcs11 -x nist -D daemon:daemon"
RNGD_ARGS="-x pkcs11 -x nist"

# systemctl cat rngd
# /etc/systemd/system/rngd.service
[Unit]
Description=Hardware RNG Entropy Gatherer Daemon
ConditionVirtualization=!container

# The "-f" option is required for the systemd service rngd to work with Type=simple
[Service]
Type=simple
EnvironmentFile=/etc/sysconfig/rngd
ExecStart=/usr/sbin/rngd -f $RNGD_ARGS
User=daemon
Group=daemon

[Install]
WantedBy=multi-user.target

# systemctl restart rngd; systemctl status rngd; ps -eo pid,ppid,euid,egid,command,context | grep -e COMMAND -e rngd
● rngd.service - Hardware RNG Entropy Gatherer Daemon
     Loaded: loaded (/etc/systemd/system/rngd.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue 2022-03-01 06:34:45 EST; 79ms ago
   Main PID: 706 (rngd)
      Tasks: 2 (limit: 2297)
     Memory: 1.2M
        CPU: 33ms
     CGroup: /system.slice/rngd.service
             └─706 /usr/sbin/rngd -f -x pkcs11 -x nist

Mar 01 06:34:45 fedora systemd[1]: Started rngd.service - Hardware RNG Entropy Gatherer Daemon.
Mar 01 06:34:45 fedora rngd[706]: Disabling 7: PKCS11 Entropy generator (pkcs11)
Mar 01 06:34:45 fedora rngd[706]: Disabling 5: NIST Network Entropy Beacon (nist)
Mar 01 06:34:45 fedora rngd[706]: Initializing available sources
Mar 01 06:34:45 fedora rngd[706]: [hwrng ]: Initialization Failed
Mar 01 06:34:45 fedora rngd[706]: [rdrand]: Enabling RDSEED rng support
Mar 01 06:34:45 fedora rngd[706]: [rdrand]: Initialized
    PID    PPID  EUID  EGID COMMAND                     CONTEXT
    706       1     2     2 /usr/sbin/rngd -f -x pkcs11 system_u:system_r:rngd_t:s0

# ausearch -i -m avc,user_avc -ts boot
<no matches>


Does this solve your problem?

Comment 5 Vladis Dronov 2022-03-01 13:18:27 UTC
(In reply to Zdenek Pytela from comment #4)
> Does this solve your problem?

unfortunately, not:

Mar 01 06:34:45 fedora rngd[706]: [hwrng ]: Initialization Failed

rngd should start as root and then drop privileges via setuid/setgid/setcap.

Comment 6 Milos Malik 2022-03-02 20:48:10 UTC
Caught in enforcing mode:
----
type=PROCTITLE msg=audit(03/02/2022 15:45:22.382:572) : proctitle=/usr/sbin/rngd -f -x pkcs11 -x nist -D daemon:daemon 
type=SYSCALL msg=audit(03/02/2022 15:45:22.382:572) : arch=x86_64 syscall=setgroups success=no exit=EPERM(Operation not permitted) a0=0x1 a1=0x7ffd37ac9300 a2=0x7f5c649e8c91 a3=0x7ffd37ba7080 items=0 ppid=1 pid=1551 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rngd exe=/usr/sbin/rngd subj=system_u:system_r:rngd_t:s0 key=(null) 
type=AVC msg=audit(03/02/2022 15:45:22.382:572) : avc:  denied  { setgid } for  pid=1551 comm=rngd capability=setgid  scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:system_r:rngd_t:s0 tclass=capability permissive=0 
----

# rpm -qa selinux\* rng\* | sort
rng-tools-6.15-1.fc37.x86_64
selinux-policy-36.4-1.fc37.noarch
selinux-policy-targeted-36.4-1.fc37.noarch
#

Comment 7 Milos Malik 2022-03-02 20:49:19 UTC
Caught in permissive mode:
----
type=PROCTITLE msg=audit(03/02/2022 15:48:29.403:578) : proctitle=/usr/sbin/rngd -f -x pkcs11 -x nist -D daemon:daemon 
type=SYSCALL msg=audit(03/02/2022 15:48:29.403:578) : arch=x86_64 syscall=setgroups success=yes exit=0 a0=0x1 a1=0x7ffe67d8ad70 a2=0x7f4b3aedac91 a3=0x7ffe67db2080 items=0 ppid=1 pid=1581 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rngd exe=/usr/sbin/rngd subj=system_u:system_r:rngd_t:s0 key=(null) 
type=AVC msg=audit(03/02/2022 15:48:29.403:578) : avc:  denied  { setgid } for  pid=1581 comm=rngd capability=setgid  scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:system_r:rngd_t:s0 tclass=capability permissive=1 
----
type=PROCTITLE msg=audit(03/02/2022 15:48:29.404:579) : proctitle=/usr/sbin/rngd -f -x pkcs11 -x nist -D daemon:daemon 
type=SYSCALL msg=audit(03/02/2022 15:48:29.404:579) : arch=x86_64 syscall=setresuid success=yes exit=0 a0=daemon a1=daemon a2=daemon a3=0x7ffe67db2080 items=0 ppid=1 pid=1581 auid=unset uid=daemon gid=daemon euid=daemon suid=daemon fsuid=daemon egid=daemon sgid=daemon fsgid=daemon tty=(none) ses=unset comm=rngd exe=/usr/sbin/rngd subj=system_u:system_r:rngd_t:s0 key=(null) 
type=AVC msg=audit(03/02/2022 15:48:29.404:579) : avc:  denied  { setuid } for  pid=1581 comm=rngd capability=setuid  scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:system_r:rngd_t:s0 tclass=capability permissive=1 
----
type=PROCTITLE msg=audit(03/02/2022 15:48:29.404:580) : proctitle=/usr/sbin/rngd -f -x pkcs11 -x nist -D daemon:daemon 
type=CAPSET msg=audit(03/02/2022 15:48:29.404:580) : pid=1581 cap_pi=sys_admin cap_pp=sys_admin cap_pe=sys_admin cap_pa=none 
type=SYSCALL msg=audit(03/02/2022 15:48:29.404:580) : arch=x86_64 syscall=capset success=yes exit=0 a0=0x55da4a18cd04 a1=0x55da4a18cd0c a2=0x55da4a18cd0c a3=0x7ffe67d8ad94 items=0 ppid=1 pid=1581 auid=unset uid=daemon gid=daemon euid=daemon suid=daemon fsuid=daemon egid=daemon sgid=daemon fsgid=daemon tty=(none) ses=unset comm=rngd exe=/usr/sbin/rngd subj=system_u:system_r:rngd_t:s0 key=(null) 
type=AVC msg=audit(03/02/2022 15:48:29.404:580) : avc:  denied  { setcap } for  pid=1581 comm=rngd scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:system_r:rngd_t:s0 tclass=process permissive=1 
----
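
Added example (not part of the bug thread, and not audit2allow's own code): a small Python parser that turns the AVC records quoted in comments 6 and 7 into the allow rules they imply. It shows why the enforcing-mode log yields only the setgid rule, since rngd exits at the first failed call, while the permissive-mode log exposes all three permissions in one run; the function names are illustrative.

```python
import re
from collections import defaultdict

# AVC records copied from comment 6 (enforcing) and comment 7 (permissive).
_CTX = "scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:system_r:rngd_t:s0 "
ENFORCING_LOG = [
    "type=AVC msg=audit(03/02/2022 15:45:22.382:572) : avc:  denied  { setgid } "
    "for  pid=1551 comm=rngd capability=setgid  " + _CTX +
    "tclass=capability permissive=0",
]
PERMISSIVE_LOG = [
    "type=AVC msg=audit(03/02/2022 15:48:29.403:578) : avc:  denied  { setgid } "
    "for  pid=1581 comm=rngd capability=setgid  " + _CTX +
    "tclass=capability permissive=1",
    "type=AVC msg=audit(03/02/2022 15:48:29.404:579) : avc:  denied  { setuid } "
    "for  pid=1581 comm=rngd capability=setuid  " + _CTX +
    "tclass=capability permissive=1",
    "type=AVC msg=audit(03/02/2022 15:48:29.404:580) : avc:  denied  { setcap } "
    "for  pid=1581 comm=rngd " + _CTX + "tclass=process permissive=1",
]

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        "perms": m.group("perms").split(),
        # An SELinux context is user:role:type:level; policy rules use the type.
        "source": m.group("scon").split(":")[2],
        "target": m.group("tcon").split(":")[2],
        "tclass": m.group("tclass"),
        "permissive": m.group("permissive"),  # None if the field is absent
    }

def allow_rules(lines):
    """Aggregate denials into one allow rule per (source, target, class)."""
    needed = defaultdict(set)
    for rec in filter(None, map(parse_avc, lines)):
        # A domain acting on itself (capabilities, setcap) is written "self".
        target = "self" if rec["source"] == rec["target"] else rec["target"]
        needed[(rec["source"], target, rec["tclass"])].update(rec["perms"])
    rules = []
    for (source, target, tclass), perms in sorted(needed.items()):
        perms = sorted(perms)
        text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {source} {target}:{tclass} {text};")
    return rules

def may_be_incomplete(lines):
    """True if any denial was enforced (permissive=0): the denied call failed,
    so the process may have exited before reaching later permission checks."""
    return any(r["permissive"] == "0" for r in map(parse_avc, lines) if r)

if __name__ == "__main__":
    for name, log in (("enforcing", ENFORCING_LOG), ("permissive", PERMISSIVE_LOG)):
        print(name, "(may be incomplete)" if may_be_incomplete(log) else "")
        for rule in allow_rules(log):
            print("   ", rule)
```
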

Comment 8 Vladis Dronov 2022-03-03 13:31:53 UTC
thanks, Milos,
indeed, selinux should allow rngd process to perform: setuid, setgid and setcap.
there is work being done for that and selinux policy will be updated.
thank you for your report!

Comment 9 Zdenek Pytela 2022-03-03 16:11:21 UTC
I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy/pull/1104

rpms for testing can be downloaded from the PR:
Checks -> Details -> Artifacts -> rpms

Comment 10 Vladis Dronov 2022-03-08 14:19:40 UTC
i can confirm rngd.service works now in fedora-rawhide with the test selinux packages:

WITHOUT:

Installed Packages
selinux-policy.noarch            36.4-1.fc37     @rawhide
selinux-policy-targeted.noarch   36.4-1.fc37     @rawhide

Mar 08 14:51:51 fe34.vsd.localdomain rngd[736]: Initializing available sources
Mar 08 14:51:51 fe34.vsd.localdomain rngd[736]: [hwrng ]: Initialized
Mar 08 14:51:51 fe34.vsd.localdomain rngd[736]: [rdrand]: Enabling RDRAND rng support
Mar 08 14:51:51 fe34.vsd.localdomain rngd[736]: [rdrand]: Initialized
Mar 08 14:51:51 fe34.vsd.localdomain rngd[736]: [rtlsdr]: Initialization Failed
Mar 08 14:51:51 fe34.vsd.localdomain rngd[736]: setgroups() failed: Operation not permitted
Mar 08 14:51:51 fe34.vsd.localdomain systemd[1]: rngd.service: Main process exited, code=exited, status=1/FAILURE
Mar 08 14:51:51 fe34.vsd.localdomain systemd[1]: rngd.service: Failed with result 'exit-code'.

type=SERVICE_START msg=audit(1646747554.685:254): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=rngd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=AVC msg=audit(1646747554.705:255): avc:  denied  { setgid } for  pid=749 comm="rngd" capability=6  scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:system_r:rngd_t:s0 tclass=capability permissive=0

WITH:

Installed Packages
selinux-policy.noarch            36.4-1.20220303_160230.eb1cb79.fc36     @@commandline
selinux-policy-targeted.noarch   36.4-1.20220303_160230.eb1cb79.fc36     @@commandline

Mar 08 15:05:18 fe34.vsd.localdomain rngd[1810]: Initializing available sources
Mar 08 15:05:18 fe34.vsd.localdomain rngd[1810]: [hwrng ]: Initialized
Mar 08 15:05:18 fe34.vsd.localdomain rngd[1810]: [rdrand]: Enabling RDRAND rng support
Mar 08 15:05:18 fe34.vsd.localdomain rngd[1810]: [rdrand]: Initialized
Mar 08 15:05:18 fe34.vsd.localdomain rngd[1810]: [rtlsdr]: Initialization Failed
Mar 08 15:05:18 fe34.vsd.localdomain rngd[1810]: Process privileges have been dropped to 2:2

# ps -ef | grep rngd
daemon      1810       1  0 15:05 ?        00:00:00 /usr/sbin/rngd -f -x pkcs11 -x nist -x jitter -D daemon:daemon

Zdenek, any idea when this PR could be merged and get to Rawhide and F36?

Comment 11 Fedora Update System 2022-03-21 11:09:59 UTC
FEDORA-2022-b0805acc47 has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-b0805acc47

Comment 12 Vladis Dronov 2022-03-21 12:16:51 UTC
selinux-policy-36.5-1 was published for F37 and F36:

https://bodhi.fedoraproject.org/updates/FEDORA-2022-7d08b012c3
https://bodhi.fedoraproject.org/updates/FEDORA-2022-b0805acc47

rng-tools package will be updated to require this release of selinux
rules after these updates get to a testing repo.

Comment 13 Fedora Update System 2022-03-21 15:49:59 UTC
FEDORA-2022-b0805acc47 has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2022-b0805acc47`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-b0805acc47

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 14 Fedora Update System 2022-03-24 19:34:02 UTC
FEDORA-2022-b0805acc47 has been pushed to the Fedora 36 stable repository.
If the problem still persists, please make note of it in this bug report.