Bug 2076641

Summary: rhel8.7: SELinux rules for rng-tools
Product: Red Hat Enterprise Linux 8
Reporter: Vladis Dronov <vdronov>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Priority: medium
Version: 8.7
CC: lvrabec, mmalik, ssekidde
Target Milestone: rc
Keywords: AutoVerified, Triaged
Target Release: 8.7
Flags: pm-rhel: mirror+
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.14.3-98.el8
Doc Type: No Doc Update
Last Closed: 2022-11-08 10:44:16 UTC
Type: Bug
Bug Blocks: 2075974

Description Vladis Dronov 2022-04-19 14:31:35 UTC
This bug was initially created as a copy of Fedora's Bug #2058914.

Changes from Fedora PR are needed in RHEL-8.7 to address the issue:
https://github.com/fedora-selinux/selinux-policy/pull/1104

selinux-policy-36.5-1 was published for F37 and F36:
https://bodhi.fedoraproject.org/updates/FEDORA-2022-7d08b012c3
https://bodhi.fedoraproject.org/updates/FEDORA-2022-b0805acc47

Comment 1 Vladis Dronov 2022-04-25 10:03:39 UTC
Hi, Zdenek,

I've just completed the scratch builds:

rhel8: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=44827167

notes:

1) you would need jansson{,-devel}-2.14-1.el8 from the latest 8.7 compose; the earlier one has a conflict

2) add "-x jitter" to /etc/sysconfig/rngd so the long-running init section of jitter is skipped and errors are returned immediately

3) the rngd binary should be run as a systemd unit, not from a root shell because of selinux domains:

root shell: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 (everything is allowed, no errors)
systemd unit: system_u:system_r:rngd_t:s0 (selinux rules apply)

4) test with just:

systemctl start rngd && systemctl status rngd

the error looks like:

Apr 25 12:02:32 rhel8.vsd.localdomain rngd[1752]: [rdrand]: Enabling RDRAND rng support
Apr 25 12:02:32 rhel8.vsd.localdomain rngd[1752]: [rdrand]: Initialized
Apr 25 12:02:32 rhel8.vsd.localdomain rngd[1752]: setgroups() failed: Operation not permitted
Apr 25 12:02:32 rhel8.vsd.localdomain systemd[1]: rngd.service: Main process exited, code=exited, status=1/FAILURE
Apr 25 12:02:32 rhel8.vsd.localdomain systemd[1]: rngd.service: Failed with result 'exit-code'.

unfortunately, there are more selinux issues, see below.

Comment 2 Vladis Dronov 2022-04-25 10:14:22 UTC
1) rngd unit fails to start on RHEL8 with:

Apr 25 12:04:40 rhel8.vsd.localdomain rngd[1850]: User 'daemon' not found

this means it cannot read the user and group lists.

2) avc messages show:

type=AVC msg=audit(1650823966.420:424): avc:  denied  { search } for  pid=4085 comm="rngd" name="sss" dev="vda3" ino=25829267 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0

/etc/nsswitch.conf is:

passwd:      sss files systemd
group:       sss files systemd

3) after removing "sss" the error stays and one of avc messages is:

type=AVC msg=audit(1650824451.123:436): avc:  denied  { search } for  pid=4210 comm="rngd" name="dbus" dev="tmpfs" ino=12985 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir permissive=0

the library tries to talk to systemd

4) after removing "systemd" the error stays and the last avc message is:

type=AVC msg=audit(1650824451.122:435): avc:  denied  { read } for  pid=4210 comm="rngd" name="passwd" dev="vda3" ino=8398262 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0

this is because:

system_u:object_r:passwd_file_t:s0 /etc/group
system_u:object_r:passwd_file_t:s0 /etc/passwd

after changing these both:

chcon system_u:object_r:etc_t:s0 /etc/passwd /etc/group

we get to our initial ("setgroups() failed") error at last. What's weird: these errors are not on RHEL 9, though /etc/nsswitch.conf is the same and the ctx on /etc/passwd|group is the same.

Comment 4 Zdenek Pytela 2022-04-28 14:56:52 UTC
List of additional rules required to pass the test on RHEL 8.7:

(allow rngd_t passwd_file_t (file (getattr open read)))
(allow rngd_t sssd_var_lib_t (dir (search)))
(allow rngd_t sssd_var_lib_t (sock_file (write)))
(allow rngd_t sssd_public_t (dir (search)))
(allow rngd_t sssd_public_t (file (getattr open read map)))
(allow rngd_t system_dbusd_var_run_t (dir (search)))
(allow rngd_t system_dbusd_var_run_t (sock_file (write)))
(allow rngd_t sssd_t (unix_stream_socket (connectto)))

They are necessary neither in Fedora nor in RHEL 9.
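An added example, not part of this bug report or of the selinux-policy project, showing how the AVC denials quoted in comment 2 map onto the CIL allow rules listed in comment 4: denials are parsed, merged per (source type, target type, class), and emitted as CIL. The fourth audit line is constructed to show permission merging; the audit ids in it are not from the report.

```python
import re

# Sample input: the three AVC denials from comment 2 plus one constructed
# line (not from the report) that adds getattr/open on the same file.
AVC_LINES = """\
type=AVC msg=audit(1650823966.420:424): avc:  denied  { search } for  pid=4085 comm="rngd" name="sss" dev="vda3" ino=25829267 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1650824451.123:436): avc:  denied  { search } for  pid=4210 comm="rngd" name="dbus" dev="tmpfs" ino=12985 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1650824451.122:435): avc:  denied  { read } for  pid=4210 comm="rngd" name="passwd" dev="vda3" ino=8398262 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(0000000000.000:000): avc:  denied  { getattr open } for  pid=4210 comm="rngd" name="passwd" dev="vda3" ino=8398262 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0
"""


def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) for one AVC denial,
    or None if the line is not a denial record."""
    m = re.search(r"avc:\s+denied\s+\{([^}]*)\}", line)
    if not m:
        return None
    perms = set(m.group(1).split())
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    # A context is user:role:type:level; the type is the third field.
    stype = fields["scontext"].split(":")[2]
    ttype = fields["tcontext"].split(":")[2]
    return stype, ttype, fields["tclass"], perms


def avc_to_cil(text):
    """Merge all denials per (source, target, class) and return CIL allow
    rules in the form used in comment 4, e.g.
    (allow rngd_t passwd_file_t (file (getattr open read)))."""
    merged = {}
    for line in text.splitlines():
        parsed = parse_avc(line)
        if parsed is None:
            continue
        stype, ttype, tclass, perms = parsed
        merged.setdefault((stype, ttype, tclass), set()).update(perms)
    return [
        f"(allow {stype} {ttype} ({tclass} ({' '.join(sorted(perms))})))"
        for (stype, ttype, tclass), perms in sorted(merged.items())
    ]


def cil_module(rules):
    """Wrap the rules as a CIL file; the types are declared by the base
    policy, so only the allow statements are needed before 'semodule -i'.
    Each rule should be checked against what the daemon legitimately does
    (here: nsswitch lookups via sssd, dbus and /etc/passwd) before loading."""
    return "\n".join([";; generated from AVC denials"] + rules) + "\n"


if __name__ == "__main__":
    print(cil_module(avc_to_cil(AVC_LINES)), end="")
```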

Comment 5 Zdenek Pytela 2022-05-02 09:42:07 UTC
Commits to backport:

commit c8c0a3991634436928d25282eda22eac2efcd456
Author: Lukas Vrabec <lvrabec>
Date:   Fri Jan 10 13:20:52 2020 +0100

    Allow rngd_t domain to use nsswitch BZ(1787661)

commit 62d5fd70550ba0f6564c5240c369c421b1415eb9
Author: Zdenek Pytela <zpytela>
Date:   Thu Mar 3 16:57:41 2022 +0100

    Allow rngd drop privileges via setuid/setgid/setcap

Comment 15 errata-xmlrpc 2022-11-08 10:44:16 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:7691