Bug 1699426 - SELinux violation - haveged
Summary: SELinux violation - haveged
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 30
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-04-12 16:40 UTC by Kostya Vasilyev
Modified: 2019-04-27 21:27 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-04-27 21:27:02 UTC
Type: Bug
Embargoed:


Attachments (Terms of Use)

Description Kostya Vasilyev 2019-04-12 16:40:34 UTC
Version-Release number of selected component (if applicable):

haveged-1.9.1-11.fc30.x86_64
selinux-policy-targeted-3.14.3-28.fc30.noarch


How reproducible:

100%


Steps to Reproduce:

1. Install haveged
2. Boot up


Actual results:

3. SELinux violation alert


Additional info:

-------------------

SELinux is preventing haveged from write access on the file write_wakeup_threshold.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that haveged should be allowed write access on the write_wakeup_threshold file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'haveged' --raw | audit2allow -M my-haveged
# semodule -X 300 -i my-haveged.pp

Additional Information:
Source Context                system_u:system_r:entropyd_t:s0
Target Context                system_u:object_r:sysctl_kernel_t:s0
Target Objects                write_wakeup_threshold [ file ]
Source                        haveged
Source Path                   haveged
Port                          <Unknown>
Host                          frida
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.3-28.fc30.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     frida
Platform                      Linux frida 5.0.7-300.fc30.x86_64 #1 SMP Mon Apr 8
                              18:28:09 UTC 2019 x86_64 x86_64
Alert Count                   1
First Seen                    2019-04-12 19:33:59 MSK
Last Seen                     2019-04-12 19:33:59 MSK
Local ID                      c5046edb-0522-4d7d-a763-7ba11e2b96f6

Raw Audit Messages
type=AVC msg=audit(1555086839.652:88): avc:  denied  { write } for  pid=909 comm="haveged" name="write_wakeup_threshold" dev="proc" ino=29403 scontext=system_u:system_r:entropyd_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=0


Hash: haveged,entropyd_t,sysctl_kernel_t,file,write

Comment 1 Fedora Update System 2019-04-19 21:58:34 UTC
selinux-policy-3.14.3-31.fc30 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-3055c546d6

Comment 2 Fedora Update System 2019-04-20 14:42:14 UTC
selinux-policy-3.14.3-31.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-3055c546d6

Comment 3 Fedora Update System 2019-04-27 21:27:02 UTC
selinux-policy-3.14.3-31.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.