Description of problem:
Three dnssec-trigger AVC's triggered during boot/login (nothing else launched, I see the notification as login to GNOME completes).

Version-Release number of selected component (if applicable):
selinux-policy-3.14.2-34.fc29.noarch
System has had restorecon -rv applied

1. SELinux is preventing dnssec-trigger- from read access on the chr_file random.
type=AVC msg=audit(1536703714.624:219): avc: denied { read } for pid=1323 comm="dnssec-trigger-" name="random" dev="devtmpfs" ino=1037 scontext=system_u:system_r:dnssec_trigger_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file permissive=1

2. SELinux is preventing dnssec-trigger- from open access on the chr_file /dev/random.
type=AVC msg=audit(1536703714.624:220): avc: denied { open } for pid=1323 comm="dnssec-trigger-" path="/dev/random" dev="devtmpfs" ino=1037 scontext=system_u:system_r:dnssec_trigger_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file permissive=1

3. SELinux is preventing dnssec-trigger- from getattr access on the chr_file /dev/random.
type=AVC msg=audit(1536703714.624:221): avc: denied { getattr } for pid=1323 comm="dnssec-trigger-" path="/dev/random" dev="devtmpfs" ino=1037 scontext=system_u:system_r:dnssec_trigger_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file permissive=1

Additional info:
Note that the first one is on the file "random" whereas second and third are on /dev/random - not sure what the distinction is.
OK and rebooting with enforcing I get only these:

Sep 11 18:31:33 f28h.local audit[915]: AVC avc: denied { read } for pid=915 comm="dnssec-trigger-" name="random" dev="devtmpfs" ino=3083 scontext=system_u:system_r:dnssec_trigger_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file permissive=0
Sep 11 18:31:33 f28h.local audit[950]: AVC avc: denied { read } for pid=950 comm="dnssec-trigger-" name="random" dev="devtmpfs" ino=3083 scontext=system_u:system_r:dnssec_trigger_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file permissive=0
Sep 11 18:31:40 f28h.local audit[1327]: AVC avc: denied { read } for pid=1327 comm="dnssec-trigger-" name="random" dev="devtmpfs" ino=3083 scontext=system_u:system_r:dnssec_trigger_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file permissive=0
Sep 11 18:31:40 f28h.local audit[1343]: AVC avc: denied { read } for pid=1343 comm="dnssec-trigger-" name="random" dev="devtmpfs" ino=3083 scontext=system_u:system_r:dnssec_trigger_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file permissive=0
Missed one:

Sep 11 18:32:36 f29h.local audit[2396]: AVC avc: denied { read } for pid=2396 comm="dnssec-trigger-" name="random" dev="devtmpfs" ino=3083 scontext=system_u:system_r:dnssec_trigger_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file permissive=0
*** This bug has been marked as a duplicate of bug 1624554 ***
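
An added example, not part of the original report or of any SELinux tool: this Python script groups the AVC records quoted above by source type, target type and class, and lists the permissions that only the permissive boot logged (in enforcing mode the first denied check fails the call, so later checks are never reached). The function names are chosen here; the sample lines are copied from the report, in both audit.log and journal formats.

```python
import re
from collections import defaultdict

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Sample input: three permissive and two enforcing records copied from the report.
SAMPLE = """\
type=AVC msg=audit(1536703714.624:219): avc: denied { read } for pid=1323 comm="dnssec-trigger-" name="random" dev="devtmpfs" ino=1037 scontext=system_u:system_r:dnssec_trigger_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1536703714.624:220): avc: denied { open } for pid=1323 comm="dnssec-trigger-" path="/dev/random" dev="devtmpfs" ino=1037 scontext=system_u:system_r:dnssec_trigger_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1536703714.624:221): avc: denied { getattr } for pid=1323 comm="dnssec-trigger-" path="/dev/random" dev="devtmpfs" ino=1037 scontext=system_u:system_r:dnssec_trigger_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file permissive=1
Sep 11 18:31:33 f28h.local audit[915]: AVC avc: denied { read } for pid=915 comm="dnssec-trigger-" name="random" dev="devtmpfs" ino=3083 scontext=system_u:system_r:dnssec_trigger_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file permissive=0
Sep 11 18:31:40 f28h.local audit[1327]: AVC avc: denied { read } for pid=1327 comm="dnssec-trigger-" name="random" dev="devtmpfs" ino=3083 scontext=system_u:system_r:dnssec_trigger_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file permissive=0
"""

def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    rec["perms"] = m.group(1).split()
    return rec

def summarize(text):
    """Group denied permissions by (source type, target type, class) and mode."""
    out = defaultdict(lambda: {"permissive": set(), "enforcing": set()})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        # SELinux contexts are user:role:type:level; the type is field 3.
        key = (rec["scontext"].split(":")[2],
               rec["tcontext"].split(":")[2], rec["tclass"])
        mode = "permissive" if rec.get("permissive") == "1" else "enforcing"
        out[key][mode].update(rec["perms"])
    return dict(out)

def masked_by_enforcing(summary):
    """Permissions seen only in permissive logs, i.e. hidden behind the first denial."""
    return {k: v["permissive"] - v["enforcing"] for k, v in summary.items()}

if __name__ == "__main__":
    for key, perms in masked_by_enforcing(summarize(SAMPLE)).items():
        print(key, "only in permissive:", sorted(perms))
```
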