Bugzilla (bugzilla.redhat.com) will be under maintenance for infrastructure upgrades and will not be available on July 31st between 12:30 AM - 05:30 AM UTC. We appreciate your understanding and patience. You can follow status.redhat.com for details.
Bug 1496260 - Regression: SELinux policy forbids rngd to access /dev/ttyUSB0 (USB-based HW RNG)
Summary: Regression: SELinux policy forbids rngd to access /dev/ttyUSB0 (USB-based HW ...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.4
Hardware: x86_64
OS: Linux
unspecified
high
Target Milestone: rc
: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-09-26 20:07 UTC by Robert Scheck
Modified: 2021-06-10 13:08 UTC (History)
9 users (show)

Fixed In Version: selinux-policy-3.13.1-175.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-04-10 12:43:43 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 3224001 0 None None None 2017-10-25 07:37:49 UTC
Red Hat Product Errata RHBA-2018:0763 0 None None None 2018-04-10 12:44:27 UTC

Description Robert Scheck 2017-09-26 20:07:14 UTC
Description of problem:
With RHEL 7.3 rngd was able to access /dev/ttyUSB0 (USB-based HW RNG), since
updating to RHEL 7.4 this is unfortunately no longer allowed:

type=AVC msg=audit(1506455882.180:18313): avc:  denied  { read } for  pid=23836 comm="rngd" name="ttyUSB0" dev="devtmpfs" ino=6279 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:usbtty_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1506455882.180:18313): arch=c000003e syscall=2 success=no exit=-13 a0=7fff9db61f90 a1=0 a2=2275010 a3=9 items=0 ppid=1 pid=23836 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rngd" exe="/usr/sbin/rngd" subj=system_u:system_r:rngd_t:s0 key=(null)

type=AVC msg=audit(1506456313.694:18325): avc:  denied  { open } for  pid=24003 comm="rngd" path="/dev/ttyUSB0" dev="devtmpfs" ino=6279 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:usbtty_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1506456313.694:18325): arch=c000003e syscall=2 success=no exit=-13 a0=7ffef7c1ff90 a1=0 a2=1bf1010 a3=9 items=0 ppid=1 pid=24003 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rngd" exe="/usr/sbin/rngd" subj=system_u:system_r:rngd_t:s0 key=(null)

Version-Release number of selected component (if applicable):
rng-tools-5-11.el7.x86_64
selinux-policy-3.13.1-166.el7_4.4.noarch
selinux-policy-targeted-3.13.1-166.el7_4.4.noarch

How reproducible:
Everytime, see above.

Actual results:
SELinux policy forbids rngd to access /dev/ttyUSB0 (USB-based HW RNG).

Expected results:
SELinux policy allows rngd to access /dev/ttyUSB0 (USB-based HW RNG) again.

Comment 2 Robert Scheck 2017-09-26 20:16:51 UTC
Cross-filed ticket 01940127 on the Red Hat customer portal.

Note this regression is tricky, because rngd.service does (unfortunately)
not fail but is "running" even it is not able to access /dev/ttyUSB0, thus
this could be considered kind of a security relevant regression, because
an administrator may believe (without rngd.service output monitoring or
similar) that everything is working fine, given the service is running...

Comment 3 Milos Malik 2017-09-28 08:32:01 UTC
I wonder which package brought any rngd_t related allow rules to RHEL-7.3, because there are no allow rules for this particular scenario on clean RHEL-7.3 and RHEL-7.4 machines:

RHEL-7.3
========
# matchpathcon `which rngd`
/usr/sbin/rngd	system_u:object_r:rngd_exec_t:s0
# matchpathcon /dev/ttyUSB0
/dev/ttyUSB0	system_u:object_r:usbtty_device_t:s0
# sesearch -s rngd_t -t usbtty_device_t -c chr_file -A -D

#

RHEL-7.4
========
# matchpathcon `which rngd`
/usr/sbin/rngd	system_u:object_r:rngd_exec_t:s0
# matchpathcon /dev/ttyUSB0
/dev/ttyUSB0	system_u:object_r:usbtty_device_t:s0
# sesearch -s rngd_t -t usbtty_device_t -c chr_file -A -D

#

Comment 4 Robert Scheck 2017-09-28 09:27:15 UTC
Worked for sure around time of selinux-policy-targeted-3.13.1-102.el7_3.16,
as I set up rngd then and verified that it is working, reboot-safe etc. The
RHEL 7.4 update also contained rng-tools-5-11.el7.x86_64, while at the time
of setup this was rng-tools-5-8.el7.x86_64 (I digged into that detail given
your comment #3). Maybe rng-tools changed, however bug #1454731 is private.

Comment 5 Milos Malik 2017-09-28 09:59:41 UTC
Could you run following commands on the machine where rngd access to /dev/ttyUSB0 is not blocked?

# ls -Z /dev/ttyUSB0
# ps -eZ | grep rngd
# sesearch -s rngd_t -t usbtty_device_t -c chr_file -A -C

I hope that output from these commands helps me understand where the problem is. Either the USB device has a different label than expected, or the RNG daemon has a different context than expected, or there is a rule which allows that access.

Thank you

Comment 6 Robert Scheck 2017-09-28 10:22:45 UTC
I don't have a bare metal RHEL 7.3 around ad-hoc with HW RNG (all updated),
RHEL 7.4 bare metal it looks like this:

# ls -Z /dev/ttyUSB0
crw-rw----. root dialout system_u:object_r:usbtty_device_t:s0 /dev/ttyUSB0
#

# ps -eZ | grep rngd
system_u:system_r:rngd_t:s0      7146 ?        00:00:00 rngd
#

# sesearch -s rngd_t -t usbtty_device_t -c chr_file -A -C

#

# systemctl status rngd
[…]
Sep 28 12:13:36 tux rngd[7257]: Unable to open file: /dev/ttyUSB0
#

When downgrading from rng-tools-5-11.el7.x86_64 to rng-tools-5-8.el7.x86_64,
(RHEL 7.3 rngd) the output of above commands is still the same, *except* for 
"systemctl status rngd" (no "Unable to open file: /dev/ttyUSB0").

When granting the missing permissions while using rng-tools-5-11.el7.x86_64
from RHEL 7.4 via

  allow rngd_t usbtty_device_t:chr_file { read open };

the output of "ps -eZ | grep rngd" changes slightly:

# ps -eZ | grep rngd
system_u:system_r:rngd_t:s0     24045 ttyUSB0  00:00:33 rngd
#

Based on that, I think it's the mixture out of rngd change(s) between -8
and -11 vs. a non-adapted SELinux policy to cover these rngd change(s).

Comment 7 Robert Scheck 2017-10-03 23:51:40 UTC
When checking the diff, https://git.centos.org/commitdiff/rpms!rng-tools.git
/f947d47a7d6fb027418d6a8af65fd2568b8547ab leads me to newly introduced sysfs-
related code, specifically rng-tools-init-entsource.patch line 49.

Comment 9 Robert Scheck 2017-10-11 21:08:31 UTC
May I ask which package version should contain a fix (given POST)?

Comment 11 Milos Malik 2017-10-31 14:02:42 UTC
(In reply to Robert Scheck from comment #9)
> May I ask which package version should contain a fix (given POST)?

selinux-policy-3.13.1-175.el7

Comment 15 errata-xmlrpc 2018-04-10 12:43:43 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0763


Note You need to log in before you can comment on or make changes to this bug.