SELinux is preventing rngd from write access on the file write_wakeup_threshold. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that rngd should be allowed write access on the write_wakeup_threshold file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'rngd' --raw | audit2allow -M my-rngd # semodule -X 300 -i my-rngd.pp Additional Information: Source Context system_u:system_r:rngd_t:s0 Target Context system_u:object_r:sysctl_kernel_t:s0 Target Objects write_wakeup_threshold [ file ] Source rngd Source Path rngd Port <Unknown> Host ibm-x3650m4-02-vm-04.lab.eng.bos.redhat.com Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.14.3-28.fc30.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name ibm-x3650m4-02-vm-04.lab.eng.bos.redhat.com Platform Linux ibm-x3650m4-02-vm-04.lab.eng.bos.redhat.com 5.0.7-300.fc30.x86_64 #1 SMP Mon Apr 8 18:28:09 UTC 2019 x86_64 x86_64 Alert Count 2 First Seen 2019-04-12 06:00:13 EDT Last Seen 2019-04-12 06:00:20 EDT Local ID daff11fc-bd6e-4778-af0c-e900e583350e Raw Audit Messages type=AVC msg=audit(1555063220.388:325): avc: denied { write } for pid=17376 comm="rngd" name="write_wakeup_threshold" dev="proc" ino=37714 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=1 Hash: rngd,rngd_t,sysctl_kernel_t,file,write
sh# ausearch -m avc -i ---- type=AVC msg=audit(04/12/2019 05:58:15.032:303) : avc: denied { write } for pid=16804 comm=rngd name=write_wakeup_threshold dev="proc" ino=37714 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=0 ---- type=AVC msg=audit(04/12/2019 06:00:13.302:318) : avc: denied { write } for pid=17366 comm=rngd name=write_wakeup_threshold dev="proc" ino=37714 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=0 ---- type=AVC msg=audit(04/12/2019 06:00:20.388:325) : avc: denied { write } for pid=17376 comm=rngd name=write_wakeup_threshold dev="proc" ino=37714 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=1 ---- type=AVC msg=audit(04/12/2019 06:04:09.176:332) : avc: denied { write } for pid=17433 comm=rngd name=write_wakeup_threshold dev="proc" ino=37714 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=1 sh# find /proc/ -inum 37714 /proc/sys/kernel/random/write_wakeup_threshold And output from journald in enforcing and permissive mode Apr 12 06:00:13 ibm-x3650m4.example.com rngd[17366]: Initalizing AES buffer Apr 12 06:00:13 ibm-x3650m4.example.com rngd[17366]: Enabling JITTER rng support Apr 12 06:00:13 ibm-x3650m4.example.com rngd[17366]: Initalizing entropy source jitter Apr 12 06:00:13 ibm-x3650m4.example.com rngd[17366]: PKCS11 Engine /usr/lib64/opensc-pkcs11.so Error: No such file or directory Apr 12 06:00:13 ibm-x3650m4.example.com rngd[17366]: Failed to init entropy source pkcs11 Apr 12 06:00:13 ibm-x3650m4.example.com rngd[17366]: unable to adjust write_wakeup_threshold: Permission denied Apr 12 06:00:16 ibm-x3650m4.example.com systemd[1]: Stopping Hardware RNG Entropy Gatherer Daemon... Apr 12 06:00:17 ibm-x3650m4.example.com systemd[1]: rngd.service: Succeeded. Apr 12 06:00:17 ibm-x3650m4.example.com systemd[1]: Stopped Hardware RNG Entropy Gatherer Daemon. Apr 12 06:00:17 ibm-x3650m4.example.com systemd[1]: Started Hardware RNG Entropy Gatherer Daemon. Apr 12 06:00:17 ibm-x3650m4.example.com rngd[17376]: Initalizing available sources Apr 12 06:00:17 ibm-x3650m4.example.com rngd[17376]: Initalizing entropy source hwrng Apr 12 06:00:17 ibm-x3650m4.example.com rngd[17376]: Failed to init entropy source rdrand Apr 12 06:00:20 ibm-x3650m4.example.com rngd[17376]: Initalizing AES buffer Apr 12 06:00:20 ibm-x3650m4.example.com rngd[17376]: Enabling JITTER rng support Apr 12 06:00:20 ibm-x3650m4.example.com rngd[17376]: Initalizing entropy source jitter Apr 12 06:00:20 ibm-x3650m4.example.com rngd[17376]: PKCS11 Engine /usr/lib64/opensc-pkcs11.so Error: No such file or directory Apr 12 06:00:20 ibm-x3650m4.example.com rngd[17376]: Failed to init entropy source pkcs11
BTW in out put you can see that it tried to load /usr/lib64/opensc-pkcs11.so which was not installed So it might be a reason why I could see different AVC with rngd (which is already allowed IIRC) type=PROCTITLE msg=audit(04/10/2019 10:37:30.734:11464) : proctitle=/sbin/rngd -f type=PATH msg=audit(04/10/2019 10:37:30.734:11464) : item=0 name=/var/run/pcscd/pcscd.comm inode=23357770 dev=00:17 mode=socket,666 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:pcscd_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 type=CWD msg=audit(04/10/2019 10:37:30.734:11464) : cwd=/ type=SOCKADDR msg=audit(04/10/2019 10:37:30.734:11464) : saddr={ fam=local path=/var/run/pcscd/pcscd.comm } type=SYSCALL msg=audit(04/10/2019 10:37:30.734:11464) : arch=x86_64 syscall=connect success=yes exit=0 a0=0x6 a1=0x7ffc5ffeb9e0 a2=0x1c a3=0x55574c2f28a0 items=1 ppid=1 pid=27942 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rngd exe=/usr/sbin/rngd subj=system_u:system_r:rngd_t:s0 key=(null) type=AVC msg=audit(04/10/2019 10:37:30.734:11464) : avc: denied { connectto } for pid=27942 comm=rngd path=/run/pcscd/pcscd.comm scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:system_r:pcscd_t:s0 tclass=unix_stream_socket permissive=1
Can't reproduce "write_wakeup_threshold" anymore with selinux-policy-targeted-3.14.3-29.fc30.noarch - fixed and released?
Both the missing permissions reported in this bz: type=AVC msg=audit(04/12/2019 06:04:09.176:332) : avc: denied { write } for pid=17433 comm=rngd name=write_wakeup_threshold dev="proc" ino=37714 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=1 type=AVC msg=audit(04/10/2019 10:37:30.734:11464) : avc: denied { connectto } for pid=27942 comm=rngd path=/run/pcscd/pcscd.comm scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:system_r:pcscd_t:s0 tclass=unix_stream_socket permissive=1 seem to be present in the current policy: # sesearch -A -s rngd_t -t pcscd_t -c unix_stream_socket -p connectto allow daemon daemon:unix_stream_socket connectto; [ daemons_enable_cluster_mode ]:True allow rngd_t pcscd_t:unix_stream_socket connectto; # sesearch -A -s rngd_t -t sysctl_kernel_t -c file -p write allow rngd_t sysctl_kernel_t:file { append getattr ioctl lock open read write };
selinux-policy-3.14.3-31.fc30 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-3055c546d6
selinux-policy-3.14.3-31.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-3055c546d6
selinux-policy-3.14.3-31.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.