Description of problem: Using NetworkManager VPN and Sonicwall NetExtender VPN SELinux is preventing ip from 'read' accesses on the chr_file /dev/random. ***** Plugin catchall_boolean (89.3 confidence) suggests ****************** If you want to allow authlogin to nsswitch use ldap Then you must tell SELinux about this by enabling the 'authlogin_nsswitch_use_ldap' boolean. Do setsebool -P authlogin_nsswitch_use_ldap 1 ***** Plugin catchall (11.6 confidence) suggests ************************** If you believe that ip should be allowed read access on the random chr_file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'ip' --raw | audit2allow -M my-ip # semodule -X 300 -i my-ip.pp Additional Information: Source Context unconfined_u:system_r:ifconfig_t:s0 Target Context system_u:object_r:random_device_t:s0 Target Objects /dev/random [ chr_file ] Source ip Source Path ip Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.14.2-49.fc29.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 4.20.14-200.fc29.x86_64 #1 SMP Tue Mar 5 19:55:32 UTC 2019 x86_64 x86_64 Alert Count 27 First Seen 2019-03-04 10:48:01 EST Last Seen 2019-03-11 11:52:10 EDT Local ID d5742d80-6601-4a76-8761-e0d5c22c27ef Raw Audit Messages type=AVC msg=audit(1552319530.796:273): avc: denied { read } for pid=3371 comm="ip" path="/dev/random" dev="devtmpfs" ino=1032 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file permissive=0 Hash: ip,ifconfig_t,random_device_t,chr_file,read Version-Release number of selected component: selinux-policy-3.14.2-49.fc29.noarch Additional info: component: selinux-policy reporter: libreport-2.10.0 hashmarkername: setroubleshoot kernel: 4.20.14-200.fc29.x86_64 type: libreport
commit 231cb3b98d462aac3ad1366d0c71ab375408b642 (HEAD -> rawhide) Author: Lukas Vrabec <lvrabec> Date: Mon Mar 11 17:43:45 2019 +0100 Allow ifconfig_t domain to read /dev/random BZ(1687516)
selinux-policy-3.14.2-51.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-4cc36fafbb
selinux-policy-3.14.2-51.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-4cc36fafbb
selinux-policy-3.14.2-51.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.