Description of problem:
Several SELinux faults occur during bootup.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Boot the system
2. journalctl | grep SELinux | grep prevent
3. Receive output

Actual results:
Mar 09 17:10:04 localhost setroubleshoot[1018]: SELinux is preventing rngd from execmod access on the file /usr/sbin/rngd. For complete SELinux messages. run sealert -l 7d47cd2a-14eb-4582-940c-9ba4c905b65f
Mar 09 17:10:04 localhost python[1018]: SELinux is preventing rngd from execmod access on the file /usr/sbin/rngd.
Mar 09 17:10:04 localhost setroubleshoot[1018]: SELinux is preventing abrt-dump-journ from read access on the file passwd. For complete SELinux messages. run sealert -l cf61bd03-da4e-4e09-85e9-7f72c634bdd6
Mar 09 17:10:04 localhost python[1018]: SELinux is preventing abrt-dump-journ from read access on the file passwd.
Mar 09 17:10:05 localhost setroubleshoot[1018]: SELinux is preventing abrt-dump-journ from read access on the file passwd. For complete SELinux messages. run sealert -l cf61bd03-da4e-4e09-85e9-7f72c634bdd6
Mar 09 17:10:05 localhost python[1018]: SELinux is preventing abrt-dump-journ from read access on the file passwd.

Expected results:
No SELinux issues.

Additional info:
Hi, Please attach raw AVCs and "$rpm -q selinux-policy". Thank you.
Not sure what raw AVC means, but here is the output of sealert and grep /var/log/audit/audit.log.

sealert -l for the rngd instance
-----
SELinux is preventing rngd from execmod access on the file /usr/sbin/rngd.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that rngd should be allowed execmod access on the rngd file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep rngd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:rngd_t:s0
Target Context                system_u:object_r:rngd_exec_t:s0
Target Objects                /usr/sbin/rngd [ file ]
Source                        rngd
Source Path                   rngd
Port                          <Unknown>
Host                          localhost
Source RPM Packages
Target RPM Packages           rng-tools-5-4.fc22.i686
Policy RPM                    selinux-policy-3.13.1-113.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost
Platform                      Linux localhost 4.0.0-0.rc1.git0.1.fc22.i686 #1 SMP Mon Feb 23 21:54:33 UTC 2015 i686 i686
Alert Count                   1
First Seen                    2015-03-10 16:08:17 EDT
Last Seen                     2015-03-10 16:08:17 EDT
Local ID                      402eaa0e-7b75-4192-8f2e-915da69e044b

Raw Audit Messages
type=AVC msg=audit(1426018097.959:103): avc: denied { execmod } for pid=978 comm="rngd" path="/usr/sbin/rngd" dev="dm-0" ino=324418 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:rngd_exec_t:s0 tclass=file permissive=0

Hash: rngd,rngd_t,rngd_exec_t,file,execmod

sealert -l for the abrt-dump-journ instance
-----
SELinux is preventing abrt-dump-journ from read access on the file passwd.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that abrt-dump-journ should be allowed read access on the passwd file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep abrt-dump-journ /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:abrt_dump_oops_t:s0
Target Context                system_u:object_r:passwd_file_t:s0
Target Objects                passwd [ file ]
Source                        abrt-dump-journ
Source Path                   abrt-dump-journ
Port                          <Unknown>
Host                          localhost
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-113.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost
Platform                      Linux localhost 4.0.0-0.rc1.git0.1.fc22.i686 #1 SMP Mon Feb 23 21:54:33 UTC 2015 i686 i686
Alert Count                   2
First Seen                    2015-03-10 16:08:29 EDT
Last Seen                     2015-03-10 16:08:29 EDT
Local ID                      58fb67f7-b0c7-4202-ab16-73661c00cb94

Raw Audit Messages
type=AVC msg=audit(1426018109.537:148): avc: denied { read } for pid=1124 comm="abrt-dump-journ" name="passwd" dev="dm-0" ino=324839 scontext=system_u:system_r:abrt_dump_oops_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0

Hash: abrt-dump-journ,abrt_dump_oops_t,passwd_file_t,file,read

grep rngd stuff
type=SERVICE_START msg=audit(1426018097.809:102): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=rngd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1426018097.959:103): avc: denied { execmod } for pid=978 comm="rngd" path="/usr/sbin/rngd" dev="dm-0" ino=324418 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:rngd_exec_t:s0 tclass=file permissive=0
type=SERVICE_STOP msg=audit(1426018099.281:106): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=rngd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'

grep abrt-dump-journ stuff
type=AVC msg=audit(1426018109.528:147): avc: denied { read } for pid=1124 comm="abrt-dump-journ" name="passwd" dev="dm-0" ino=324839 scontext=system_u:system_r:abrt_dump_oops_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1426018109.537:148): avc: denied { read } for pid=1124 comm="abrt-dump-journ" name="passwd" dev="dm-0" ino=324839 scontext=system_u:system_r:abrt_dump_oops_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0

rpm -q selinux-policy
selinux-policy-3.13.1-113.fc22.noarch
Second issue is fixed:

#============= abrt_dump_oops_t ==============
#!!!! This avc is allowed in the current policy
allow abrt_dump_oops_t passwd_file_t:file read;
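The two comments above do by hand what a small triage script can do for a whole audit log: pull out the type=AVC records, build the "comm,source_type,target_type,class,permission" key that setroubleshoot prints as "Hash:", collapse the denials into audit2allow-style allow rules, and separate the ones the loaded policy already grants (as audit2allow flags with "#!!!!") from the ones that still need a fix. The script below is an added example and is not part of this bug report, setroubleshoot or audit2allow; the sample records are the ones pasted above, and the set of already-allowed rules passed to triage() is an assumption standing in for a real lookup against the running policy (for instance with sesearch).

```python
"""Triage SELinux AVC denials from an audit log (added example, not from the report)."""
import re
from collections import Counter, defaultdict

# Records copied from the report above; the SERVICE_START line is kept to show
# that non-AVC records are ignored. Spacing matches what the kernel emits.
SAMPLE_AUDIT_LOG = """\
type=SERVICE_START msg=audit(1426018097.809:102): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=rngd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1426018097.959:103): avc:  denied  { execmod } for  pid=978 comm="rngd" path="/usr/sbin/rngd" dev="dm-0" ino=324418 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:rngd_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1426018109.528:147): avc:  denied  { read } for  pid=1124 comm="abrt-dump-journ" name="passwd" dev="dm-0" ino=324839 scontext=system_u:system_r:abrt_dump_oops_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1426018109.537:148): avc:  denied  { read } for  pid=1124 comm="abrt-dump-journ" name="passwd" dev="dm-0" ino=324839 scontext=system_u:system_r:abrt_dump_oops_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*avc:\s+"
    r"(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """user:role:type:level -> type, the part policy rules are written against."""
    return context.split(":")[2]


def parse_avc(line):
    """Return a dict for one type=AVC record, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "comm": f.get("comm", "?"),
        "object": f.get("path") or f.get("name") or "",
        "tclass": f["tclass"],
        "source_type": selinux_type(f["scontext"]),
        "target_type": selinux_type(f["tcontext"]),
        # permissive=1 means the access was logged but not actually blocked
        "permissive": f.get("permissive") == "1",
    }


def parse_audit_log(text):
    return [a for a in map(parse_avc, text.splitlines()) if a]


def denial_hashes(avc):
    """One setroubleshoot-style key per denied permission (the "Hash:" lines above)."""
    return [
        ",".join([avc["comm"], avc["source_type"], avc["target_type"], avc["tclass"], p])
        for p in avc["perms"]
    ]


def denial_counts(avcs):
    """How often each distinct denial occurred (setroubleshoot's "Alert Count")."""
    return Counter(h for a in avcs if a["result"] == "denied" for h in denial_hashes(a))


def allow_rules(avcs):
    """Collapse denials into audit2allow-style rules, merging permissions per type pair."""
    perms = defaultdict(set)
    for a in avcs:
        if a["result"] == "denied":
            perms[(a["source_type"], a["target_type"], a["tclass"])].update(a["perms"])
    rules = []
    for (src, tgt, cls), ps in perms.items():
        plist = sorted(ps)
        ptxt = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {ptxt};")
    return sorted(rules)


def triage(text, already_allowed=frozenset()):
    """Split generated rules into ones the loaded policy already has and ones still missing.

    `already_allowed` is assumed to be filled by the caller from the running policy
    (e.g. one sesearch query per rule); it is not derived from the log itself.
    """
    rules = allow_rules(parse_audit_log(text))
    return {
        "already_allowed": [r for r in rules if r in already_allowed],
        "needs_rule": [r for r in rules if r not in already_allowed],
    }


if __name__ == "__main__":
    for key, n in denial_counts(parse_audit_log(SAMPLE_AUDIT_LOG)).items():
        print(f"{n}x  {key}")
    # Assumed: the abrt rule is already in the policy, as the comment above reports.
    result = triage(SAMPLE_AUDIT_LOG, {"allow abrt_dump_oops_t passwd_file_t:file read;"})
    for r in result["already_allowed"]:
        print(f"#!!!! This avc is allowed in the current policy: {r}")
    for r in result["needs_rule"]:
        print(r)
```

Two caveats for anyone using this as a triage aid rather than a fix generator: a rule that audit2allow emits is only a statement of what would silence the denial, not evidence that the access is safe, and an execmod denial on a program's own executable (as for rngd here) is usually worth tracing back to how the binary was built before loading any local policy, since the blocked operation is a writable-then-executable mapping of the file's own text.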
Hi guys from rng-tools, Could you check first AVC? Thank you.
Discussed at Fedora Blocker Review Meeting 2015-03-16[0]: AcceptedBlocker Final - This bug is a clear violation of the Final criterion[1]: "There must be no SELinux denial notifications or crash notifications on boot of or during installation from a release-blocking live image, or at first login after a default install of a release-blocking desktop."

[0]: http://meetbot.fedoraproject.org/fedora-blocker-review/2015-03-16/f22-blocker-review.2015-03-16-16.01.log.txt
[1]: https://fedoraproject.org/wiki/Fedora_22_Final_Release_Criteria#SELinux_and_crash_notifications
Robert, are you still getting this issue on 22 Beta or Final TC1?
I think the remaining part of this is a dupe of 1181308 . I haven't seen it in my 22 testing, so it may be system/hardware specific (depends if you actually have a hardware RNG, perhaps)? I think we could stand to re-discuss it, so I'm gonna close this as a dupe of that, and mark that as a proposed blocker. *** This bug has been marked as a duplicate of bug 1181308 ***
Thanks Adam - I was busy and had not yet downloaded a beta or final version. Your input is much appreciated.