1699278 – SELinux is preventing rngd from write access on the file write_wakeup_threshold

Bug 1699278 - SELinux is preventing rngd from write access on the file write_wakeup_threshold

Summary: SELinux is preventing rngd from write access on the file write_wakeup_threshold

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	30
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Lukas Vrabec
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2019-04-12 10:03 UTC by Lukas Slebodnik
Modified:	2019-04-27 21:27 UTC (History)
CC List:	6 users (show)
Fixed In Version:	selinux-policy-3.14.3-31.fc30
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Clones:	1700222 (view as bug list)
Environment:
Last Closed:	2019-04-27 21:27:00 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Lukas Slebodnik 2019-04-12 10:03:41 UTC

SELinux is preventing rngd from write access on the file write_wakeup_threshold.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that rngd should be allowed write access on the write_wakeup_threshold file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'rngd' --raw | audit2allow -M my-rngd
# semodule -X 300 -i my-rngd.pp


Additional Information:
Source Context                system_u:system_r:rngd_t:s0
Target Context                system_u:object_r:sysctl_kernel_t:s0
Target Objects                write_wakeup_threshold [ file ]
Source                        rngd
Source Path                   rngd
Port                          <Unknown>
Host                          ibm-x3650m4-02-vm-04.lab.eng.bos.redhat.com
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.3-28.fc30.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     ibm-x3650m4-02-vm-04.lab.eng.bos.redhat.com
Platform                      Linux ibm-x3650m4-02-vm-04.lab.eng.bos.redhat.com
                              5.0.7-300.fc30.x86_64 #1 SMP Mon Apr 8 18:28:09
                              UTC 2019 x86_64 x86_64
Alert Count                   2
First Seen                    2019-04-12 06:00:13 EDT
Last Seen                     2019-04-12 06:00:20 EDT
Local ID                      daff11fc-bd6e-4778-af0c-e900e583350e

Raw Audit Messages
type=AVC msg=audit(1555063220.388:325): avc:  denied  { write } for  pid=17376 comm="rngd" name="write_wakeup_threshold" dev="proc" ino=37714 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=1


Hash: rngd,rngd_t,sysctl_kernel_t,file,write

Comment 1 Lukas Slebodnik 2019-04-12 10:07:19 UTC

sh# ausearch -m avc -i
----
type=AVC msg=audit(04/12/2019 05:58:15.032:303) : avc:  denied  { write } for  pid=16804 comm=rngd name=write_wakeup_threshold dev="proc" ino=37714 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=0 
----
type=AVC msg=audit(04/12/2019 06:00:13.302:318) : avc:  denied  { write } for  pid=17366 comm=rngd name=write_wakeup_threshold dev="proc" ino=37714 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=0 
----
type=AVC msg=audit(04/12/2019 06:00:20.388:325) : avc:  denied  { write } for  pid=17376 comm=rngd name=write_wakeup_threshold dev="proc" ino=37714 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=1 
----
type=AVC msg=audit(04/12/2019 06:04:09.176:332) : avc:  denied  { write } for  pid=17433 comm=rngd name=write_wakeup_threshold dev="proc" ino=37714 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=1

sh# find /proc/ -inum 37714
/proc/sys/kernel/random/write_wakeup_threshold

And output from journald in enforcing and permissive mode

Apr 12 06:00:13 ibm-x3650m4.example.com rngd[17366]: Initalizing AES buffer
Apr 12 06:00:13 ibm-x3650m4.example.com rngd[17366]: Enabling JITTER rng support
Apr 12 06:00:13 ibm-x3650m4.example.com rngd[17366]: Initalizing entropy source jitter
Apr 12 06:00:13 ibm-x3650m4.example.com rngd[17366]: PKCS11 Engine /usr/lib64/opensc-pkcs11.so Error: No such file or directory
Apr 12 06:00:13 ibm-x3650m4.example.com rngd[17366]: Failed to init entropy source pkcs11
Apr 12 06:00:13 ibm-x3650m4.example.com rngd[17366]: unable to adjust write_wakeup_threshold: Permission denied
Apr 12 06:00:16 ibm-x3650m4.example.com systemd[1]: Stopping Hardware RNG Entropy Gatherer Daemon...
Apr 12 06:00:17 ibm-x3650m4.example.com systemd[1]: rngd.service: Succeeded.
Apr 12 06:00:17 ibm-x3650m4.example.com systemd[1]: Stopped Hardware RNG Entropy Gatherer Daemon.
Apr 12 06:00:17 ibm-x3650m4.example.com systemd[1]: Started Hardware RNG Entropy Gatherer Daemon.
Apr 12 06:00:17 ibm-x3650m4.example.com rngd[17376]: Initalizing available sources
Apr 12 06:00:17 ibm-x3650m4.example.com rngd[17376]: Initalizing entropy source hwrng
Apr 12 06:00:17 ibm-x3650m4.example.com rngd[17376]: Failed to init entropy source rdrand
Apr 12 06:00:20 ibm-x3650m4.example.com rngd[17376]: Initalizing AES buffer
Apr 12 06:00:20 ibm-x3650m4.example.com rngd[17376]: Enabling JITTER rng support
Apr 12 06:00:20 ibm-x3650m4.example.com rngd[17376]: Initalizing entropy source jitter
Apr 12 06:00:20 ibm-x3650m4.example.com rngd[17376]: PKCS11 Engine /usr/lib64/opensc-pkcs11.so Error: No such file or directory
Apr 12 06:00:20 ibm-x3650m4.example.com rngd[17376]: Failed to init entropy source pkcs11

Comment 2 Lukas Slebodnik 2019-04-12 10:41:19 UTC

BTW in out put you can see that it tried to load /usr/lib64/opensc-pkcs11.so which was not installed

So it might be a reason  why I could see different AVC with rngd (which is already allowed IIRC)

type=PROCTITLE msg=audit(04/10/2019 10:37:30.734:11464) : proctitle=/sbin/rngd -f 
type=PATH msg=audit(04/10/2019 10:37:30.734:11464) : item=0 name=/var/run/pcscd/pcscd.comm inode=23357770 dev=00:17 mode=socket,666 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:pcscd_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(04/10/2019 10:37:30.734:11464) : cwd=/ 
type=SOCKADDR msg=audit(04/10/2019 10:37:30.734:11464) : saddr={ fam=local path=/var/run/pcscd/pcscd.comm } 
type=SYSCALL msg=audit(04/10/2019 10:37:30.734:11464) : arch=x86_64 syscall=connect success=yes exit=0 a0=0x6 a1=0x7ffc5ffeb9e0 a2=0x1c a3=0x55574c2f28a0 items=1 ppid=1 pid=27942 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rngd exe=/usr/sbin/rngd subj=system_u:system_r:rngd_t:s0 key=(null) 
type=AVC msg=audit(04/10/2019 10:37:30.734:11464) : avc:  denied  { connectto } for  pid=27942 comm=rngd path=/run/pcscd/pcscd.comm scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:system_r:pcscd_t:s0 tclass=unix_stream_socket permissive=1

Comment 3 Kostya Vasilyev 2019-04-14 11:32:50 UTC

Can't reproduce "write_wakeup_threshold" anymore with selinux-policy-targeted-3.14.3-29.fc30.noarch - fixed and released?

Comment 4 Zdenek Pytela 2019-04-15 07:58:25 UTC

Both the missing permissions reported in this bz:

type=AVC msg=audit(04/12/2019 06:04:09.176:332) : avc:  denied  { write } for  pid=17433 comm=rngd name=write_wakeup_threshold dev="proc" ino=37714 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=1
type=AVC msg=audit(04/10/2019 10:37:30.734:11464) : avc:  denied  { connectto } for  pid=27942 comm=rngd path=/run/pcscd/pcscd.comm scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:system_r:pcscd_t:s0 tclass=unix_stream_socket permissive=1

seem to be present in the current policy:

# sesearch -A -s rngd_t -t pcscd_t -c unix_stream_socket -p connectto
allow daemon daemon:unix_stream_socket connectto; [ daemons_enable_cluster_mode ]:True
allow rngd_t pcscd_t:unix_stream_socket connectto;

# sesearch -A -s rngd_t -t sysctl_kernel_t -c file -p write
allow rngd_t sysctl_kernel_t:file { append getattr ioctl lock open read write };

Comment 5 Fedora Update System 2019-04-19 21:58:32 UTC

selinux-policy-3.14.3-31.fc30 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-3055c546d6

Comment 6 Fedora Update System 2019-04-20 14:42:12 UTC

selinux-policy-3.14.3-31.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-3055c546d6

Comment 7 Fedora Update System 2019-04-27 21:27:00 UTC

selinux-policy-3.14.3-31.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.