Bug 2076642

Summary: rhel9.1: SELinux rules for rng-tools
Product: Red Hat Enterprise Linux 9
Reporter: Vladis Dronov <vdronov>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Priority: medium
Version: 9.1
CC: lvrabec, mmalik, nknazeko, ssekidde
Target Milestone: rc
Keywords: AutoVerified, Triaged
Target Release: 9.1
Flags: pm-rhel: mirror+
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-34.1.31-2.el9
Doc Type: No Doc Update
Last Closed: 2022-11-15 11:13:17 UTC
Type: Bug
Bug Blocks: 2075977

Description Vladis Dronov 2022-04-19 14:31:38 UTC
This bug was initially created as a copy of Fedora's Bug #2058914.

Changes from Fedora PR are needed in RHEL-9.1 to address the issue:
https://github.com/fedora-selinux/selinux-policy/pull/1104

selinux-policy-36.5-1 was published for F37 and F36:
https://bodhi.fedoraproject.org/updates/FEDORA-2022-7d08b012c3
https://bodhi.fedoraproject.org/updates/FEDORA-2022-b0805acc47

Comment 1 Zdenek Pytela 2022-04-22 15:18:05 UTC
Vladis,

Which RHEL 8/9 rng-tools version has the code updated to trigger these denials? Seems not to be available yet.

Comment 2 Zdenek Pytela 2022-04-25 08:50:35 UTC
The commit to backport:

commit 62d5fd70550ba0f6564c5240c369c421b1415eb9
Author: Zdenek Pytela <zpytela>
Date:   Thu Mar 3 16:57:41 2022 +0100

    Allow rngd drop privileges via setuid/setgid/setcap

Comment 3 Vladis Dronov 2022-04-25 09:56:43 UTC
https://kojihub.stream.rdu2.redhat.com/koji/taskinfo?taskID=1088502
(In reply to Zdenek Pytela from comment #1)
> Which RHEL 8/9 rng-tools version has the code updated to trigger these
> denials? Seems not to be available yet.

Hi, Zdenek,

Indeed, I've just completed the scratch builds:

rhel8: see my update in bz2076642, there are more issues, unfortunately

c9s: https://kojihub.stream.rdu2.redhat.com/koji/taskinfo?taskID=1088509

notes:

1) you would need jansson{,-devel}-2.14-1.el8 from the latest 8.7 compose, the earlier one has a conflict

2) add "-x jitter" to /etc/sysconfig/rngd so the long-running init section of jitter is skipped and errors are returned immediately

3) the rngd binary should be run as a systemd unit, not from a root shell because of selinux domains:

root shell: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 (everything is allowed, no errors)
systemd unit: system_u:system_r:rngd_t:s0 (selinux rules apply)

4) test with just:

systemctl start rngd && systemctl status rngd

the error looks like:

Apr 23 20:35:26 rhel9.vsd.localdomain rngd[1038]: [rdrand]: Initialized
Apr 23 20:35:26 rhel9.vsd.localdomain rngd[1038]: setgroups() failed: Operation not permitted
Apr 23 20:35:26 rhel9.vsd.localdomain systemd[1]: rngd.service: Main process exited, code=exited, status=1/FAILURE
Apr 23 20:35:26 rhel9.vsd.localdomain systemd[1]: rngd.service: Failed with result 'exit-code'.
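As an added example (not part of the bug report or the rng-tools/selinux-policy code), the checks from notes 3 and 4 above, scripted: classify an rngd start failure from journal lines and the process SELinux context, and name the SELinux capability permission (setuid, setgid, setpcap) the confined rngd_t domain would need for the failing privilege-drop call. The sample log is constructed to mirror the lines quoted above; the helper names are assumptions.

```shell
#!/bin/sh
# Constructed sample mirroring the journal lines quoted in comment 3.
SAMPLE_LOG='Apr 23 20:35:26 rhel9.vsd.localdomain rngd[1038]: [rdrand]: Initialized
Apr 23 20:35:26 rhel9.vsd.localdomain rngd[1038]: setgroups() failed: Operation not permitted
Apr 23 20:35:26 rhel9.vsd.localdomain systemd[1]: rngd.service: Main process exited, code=exited, status=1/FAILURE'

# Map a failing privilege-drop libc call to the SELinux capability
# permission it requires (setgroups/setgid need CAP_SETGID, setuid needs
# CAP_SETUID, capset needs CAP_SETPCAP).
needed_capability() {
  case "$1" in
    setgroups|setgid|setresgid) echo setgid ;;
    setuid|setresuid)           echo setuid ;;
    capset|cap_set_proc|setcap) echo setpcap ;;
    *)                          echo unknown ;;
  esac
}

# Pull "<call>() failed: Operation not permitted" out of rngd journal lines.
failed_call() {
  printf '%s\n' "$1" \
    | sed -n 's/.*rngd\[[0-9]*\]: \([a-z_]*\)() failed: Operation not permitted.*/\1/p' \
    | head -n 1
}

# Third field of a context (user:role:type:level) is the domain/type.
domain_of() { printf '%s\n' "$1" | cut -d: -f3; }

# True when the process runs in the confined rngd domain (policy applies),
# false for e.g. unconfined_t from a root shell, where everything is allowed.
confined() { [ "$(domain_of "$1")" = "rngd_t" ]; }

# Combine both checks into one diagnosis string.
diagnose() {
  call=$(failed_call "$1")
  [ -n "$call" ] || { echo "no privilege-drop failure"; return 1; }
  cap=$(needed_capability "$call")
  if confined "$2"; then
    echo "rngd_t denied $call(): policy must allow capability $cap"
  else
    echo "$call() failed in $(domain_of "$2"): not an SELinux domain denial"
  fi
}

diagnose "$SAMPLE_LOG" "system_u:system_r:rngd_t:s0"
```

On a live system the inputs would come from `journalctl -u rngd` and the context column of `ps -eZ` for the rngd process.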

Comment 5 Zdenek Pytela 2022-04-27 14:26:36 UTC
Vladis,

the Required field in rng-tools specfile needs to be adjusted, for each RHEL differently. For RHEL 9 it will probably be selinux-policy-34.1.31-1, but you can wait until we have the build with added permissions.

rhel9# dnf update rng-tools-6.15-1.el9.x86_64.rpm
Updating Subscription Management repositories.
Unable to read consumer identity

This system is not registered with an entitlement server. You can use subscription-manager to register.

Last metadata expiration check: 3:05:36 ago on Wed 27 Apr 2022 01:04:50 PM CEST.
Error:
 Problem: cannot install the best update candidate for package rng-tools-6.14-2.git.b2b7934e.el9.x86_64
  - nothing provides selinux-policy >= 36.5 needed by rng-tools-6.15-1.el9.x86_64
(try to add '--skip-broken' to skip uninstallable packages or '--nobest' to use not only best candidate packages)
rhel9# rpm -q selinux-policy
selinux-policy-34.1.29-1.el9_0.noarch

I haven't seen any other denial in RHEL 9, so only 1 commit is needed to backport.

Comment 6 Vladis Dronov 2022-04-27 15:21:41 UTC
(In reply to Zdenek Pytela from comment #5)
> the Required field in rng-tools specfile needs to be adjusted, for each RHEL
> differently. For RHEL 9 it will probably be selinux-policy-34.1.31-1, but
> you can wait until we have the build with added permissions.

Hi, Zdenek,

Exactly, this is why "Requires: selinux-policy >= 36.5" is commented out in the rng-tools.spec of
the scratch-build package which I've mentioned in #c3. I'm going to wait until I know the exact
version of the selinux-policy package with the change.

I'm not sure where you've taken this package from; could you please use the one from #c3?
I've just verified that it installs on RHEL9 with the older selinux-policy-34.1.29-1.el9_0.

Comment 19 errata-xmlrpc 2022-11-15 11:13:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:8283