Description of problem:
I ran sudo dnf upgrade --refresh in the rawhide KDE Plasma spin on 2020-1-3. The update included kernel-5.5.0-0.rc4.git1.1.fc32.x86_64, glibc-2.30.9000-28.fc32.x86_64 and other rpms. Three denials of rngd searching /var/lib/sss happened on the next boot, followed by a denial of rngd reading /etc/passwd. rngd segmentation faulted right after that. I'll attach the journal showing the rngd denials and segmentation fault. The denials have occurred on 4 of 4 boots since the update.

SELinux is preventing rngd from 'search' accesses on the directory /var/lib/sss.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that rngd should be allowed search access on the sss directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'rngd' --raw | audit2allow -M my-rngd
# semodule -X 300 -i my-rngd.pp

Additional Information:
Source Context                system_u:system_r:rngd_t:s0
Target Context                system_u:object_r:sssd_var_lib_t:s0
Target Objects                /var/lib/sss [ dir ]
Source                        rngd
Source Path                   rngd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages           sssd-common-2.2.2-3.fc32.x86_64
Policy RPM                    selinux-policy-3.14.5-19.fc32.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.5.0-0.rc4.git1.1.fc32.x86_64 #1 SMP Thu Jan 2 14:27:07 UTC 2020 x86_64 x86_64
Alert Count                   12
First Seen                    2020-01-03 15:59:01 EST
Last Seen                     2020-01-03 16:44:37 EST
Local ID                      75a0b128-0ada-4f10-8942-f83089fb9049

Raw Audit Messages
type=AVC msg=audit(1578087877.519:194): avc: denied { search } for pid=906 comm="rngd" name="sss" dev="dm-0" ino=394736 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0

Hash: rngd,rngd_t,sssd_var_lib_t,dir,search

Version-Release number of selected component:
selinux-policy-3.14.5-19.fc32.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.11.3
hashmarkername: setroubleshoot
kernel:         5.5.0-0.rc4.git1.1.fc32.x86_64
type:           libreport
Created attachment 1649538
File: journalctl-rngd-denials-1.txt
The trace of the rngd segmentation fault indicated errors in frames #17-25 while loading /usr/lib64/opensc-pkcs11.so, which is provided by opensc-0.20.0-1.fc32.x86_64. I reported the rngd segmentation fault at https://bugzilla.redhat.com/show_bug.cgi?id=1787686

opensc-0.20.0-1.fc32.x86_64 was included in the update during the boot before the rngd denials and segmentation faults started. I downgraded to opensc-0.19.0-8.fc32.x86_64 from koji. No rngd denials or segmentation fault happened on the next boot with opensc-0.19.0-8.fc32.x86_64. A change in opensc-0.20.0-1.fc32.x86_64 might be related to the rngd denials and segmentation faults. The rngd denials and segmentation faults happened on 7/7 boots with opensc-0.20.0-1.fc32.x86_64.

I reported the rngd read denial of /etc/passwd at https://bugzilla.redhat.com/show_bug.cgi?id=1787663
The first denials, as output by sudo ausearch -m AVC,USER_AVC,SELINUX_ERR -ts today, were:

time->Sat Jan 4 16:11:15 2020
type=AVC msg=audit(1578172275.681:199): avc: denied { search } for pid=907 comm="rngd" name="sss" dev="dm-0" ino=394736 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Sat Jan 4 16:11:15 2020
type=AVC msg=audit(1578172275.681:200): avc: denied { search } for pid=907 comm="rngd" name="sss" dev="dm-0" ino=394736 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Sat Jan 4 16:11:15 2020
type=AVC msg=audit(1578172275.681:201): avc: denied { search } for pid=907 comm="rngd" name="sss" dev="dm-0" ino=394736 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Sat Jan 4 16:11:15 2020
type=AVC msg=audit(1578172275.682:202): avc: denied { read } for pid=907 comm="rngd" name="passwd" dev="dm-0" ino=526474 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0

I allowed those as suggested by the setroubleshoot GUI with

sudo ausearch -c 'rngd' --raw | audit2allow -M my-rngd
sudo semodule -X 300 -i my-rngd.pp

When I ran sudo systemctl start rngd, the following additional rngd denials occurred and rngd segmentation faulted.

time->Sat Jan 4 16:28:50 2020
type=AVC msg=audit(1578173330.107:335): avc: denied { search } for pid=2336 comm="rngd" name="mc" dev="dm-0" ino=395777 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir permissive=0
----
time->Sat Jan 4 16:28:50 2020
type=AVC msg=audit(1578173330.107:336): avc: denied { search } for pid=2336 comm="rngd" name="mc" dev="dm-0" ino=395777 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir permissive=0
----
time->Sat Jan 4 16:28:50 2020
type=AVC msg=audit(1578173330.107:337): avc: denied { write } for pid=2336 comm="rngd" name="nss" dev="dm-0" ino=394384 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file permissive=0
----
time->Sat Jan 4 16:28:50 2020
type=AVC msg=audit(1578173330.113:338): avc: denied { open } for pid=2336 comm="rngd" path="/etc/passwd" dev="dm-0" ino=526474 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0

I ran the three commands above again, and the following denials happened. rngd didn't crash.

time->Sat Jan 4 16:33:01 2020
type=AVC msg=audit(1578173581.840:370): avc: denied { read } for pid=2446 comm="rngd" name="passwd" dev="dm-0" ino=395166 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=0
----
time->Sat Jan 4 16:33:01 2020
type=AVC msg=audit(1578173581.840:371): avc: denied { read } for pid=2446 comm="rngd" name="passwd" dev="dm-0" ino=395166 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=0
----
time->Sat Jan 4 16:33:01 2020
type=AVC msg=audit(1578173581.840:372): avc: denied { connectto } for pid=2446 comm="rngd" path="/var/lib/sss/pipes/nss" scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket permissive=0
----
time->Sat Jan 4 16:33:01 2020
type=AVC msg=audit(1578173581.841:373): avc: denied { getattr } for pid=2446 comm="rngd" path="/etc/passwd" dev="dm-0" ino=526474 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0
----
time->Sat Jan 4 16:33:01 2020
type=AVC msg=audit(1578173581.841:374): avc: denied { search } for pid=2446 comm="rngd" name=".cache" dev="dm-0" ino=293264 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:cache_home_t:s0 tclass=dir permissive=0
----
time->Sat Jan 4 16:33:01 2020
type=AVC msg=audit(1578173581.841:375): avc: denied { search } for pid=2446 comm="rngd" name="dbus" dev="dm-0" ino=137776 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:system_dbusd_var_lib_t:s0 tclass=dir permissive=0

I ran the commands above again.

During the next boot, I saw the following rngd denials while repeating the steps above twice, except for restarting rngd with sudo systemctl restart rngd.

time->Sat Jan 4 18:01:43 2020
type=AVC msg=audit(1578178903.180:192): avc: denied { open } for pid=915 comm="rngd" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=395166 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=0
----
time->Sat Jan 4 18:01:43 2020
type=AVC msg=audit(1578178903.180:193): avc: denied { open } for pid=915 comm="rngd" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=395166 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=0
----
time->Sat Jan 4 18:01:43 2020
type=AVC msg=audit(1578178903.253:194): avc: denied { read } for pid=915 comm="rngd" name="machine-id" dev="dm-0" ino=137787 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:system_dbusd_var_lib_t:s0 tclass=lnk_file permissive=0
----
time->Sat Jan 4 18:06:27 2020
type=AVC msg=audit(1578179187.788:196): avc: denied { open } for pid=905 comm="rngd" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=395166 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=0
----
time->Sat Jan 4 18:06:27 2020
type=AVC msg=audit(1578179187.789:197): avc: denied { open } for pid=905 comm="rngd" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=395166 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=0
----
time->Sat Jan 4 18:06:27 2020
type=AVC msg=audit(1578179187.834:198): avc: denied { read } for pid=905 comm="rngd" name="machine-id" dev="dm-0" ino=137787 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:system_dbusd_var_lib_t:s0 tclass=lnk_file permissive=0

time->Sat Jan 4 18:17:10 2020
type=AVC msg=audit(1578179830.742:335): avc: denied { getattr } for pid=2105 comm="rngd" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=395077 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=0
----
time->Sat Jan 4 18:17:10 2020
type=AVC msg=audit(1578179830.742:336): avc: denied { getattr } for pid=2105 comm="rngd" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=395077 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=0

time->Sat Jan 4 18:19:02 2020
type=AVC msg=audit(1578179942.343:363): avc: denied { map } for pid=2166 comm="rngd" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=395077 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=0
----
time->Sat Jan 4 18:19:02 2020
type=AVC msg=audit(1578179942.343:364): avc: denied { map } for pid=2166 comm="rngd" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=395077 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=0

I haven't seen more denials since then. The rules in my-rngd.te are the following.

allow rngd_t cache_home_t:dir search;
allow rngd_t passwd_file_t:file { getattr open read };
allow rngd_t sssd_public_t:dir search;
allow rngd_t sssd_public_t:file map;
allow rngd_t sssd_public_t:file { getattr open read };
allow rngd_t sssd_t:unix_stream_socket connectto;
allow rngd_t sssd_var_lib_t:dir search;
allow rngd_t sssd_var_lib_t:sock_file write;
allow rngd_t system_dbusd_var_lib_t:dir search;
allow rngd_t system_dbusd_var_lib_t:lnk_file read;
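As an added example (not part of this bug report, and not Fedora's or the selinux-policy project's own tooling), the following Python script does by hand what the ausearch | audit2allow step in the comments above does: it parses raw AVC records, merges them per (source type, target type, object class) into allow rules, and then reports which denials an existing .te module still does not grant, which is the round-trip the reporter went through several times. The sample records are copied from this report; the .te text is a subset of the reporter's my-rngd.te with the sssd_t connectto rule deliberately left out so the coverage check has a gap to find.

```python
import re

# Constructed sample: three raw AVC records copied from this bug report.
SAMPLE_AVCS = """\
type=AVC msg=audit(1578172275.681:199): avc: denied { search } for pid=907 comm="rngd" name="sss" dev="dm-0" ino=394736 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1578173581.840:372): avc: denied { connectto } for pid=2446 comm="rngd" path="/var/lib/sss/pipes/nss" scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1578179942.343:363): avc: denied { map } for pid=2166 comm="rngd" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=395077 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=0
"""
# Rules from the reporter's my-rngd.te, with the sssd_t connectto rule
# deliberately omitted so the coverage check below has a gap to report.
MY_RNGD_TE = """
allow rngd_t sssd_public_t:dir search;
allow rngd_t sssd_public_t:file { getattr map open read };
allow rngd_t sssd_var_lib_t:dir search;
"""

def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) for one AVC record, else None."""
    m = re.search(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}', line)
    if not m:
        return None
    fields = dict(re.findall(r'(\w+)=(\S+)', line))
    stype = fields['scontext'].split(':')[2]  # user:role:type:level -> type
    ttype = fields['tcontext'].split(':')[2]
    return stype, ttype, fields['tclass'], set(m.group(1).split())

def collect(raw):
    """Merge denials into {(stype, ttype, tclass): perms}, as audit2allow does."""
    rules = {}
    for line in raw.splitlines():
        parsed = parse_avc(line)
        if parsed:
            rules.setdefault(parsed[:3], set()).update(parsed[3])
    return rules

def parse_te(text):
    """Parse 'allow S T:C perm;' and 'allow S T:C { p1 p2 };' into the same shape."""
    rules = {}
    for m in re.finditer(r'allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;', text):
        rules.setdefault(m.group(1, 2, 3), set()).update(m.group(4).strip('{} ').split())
    return rules

def uncovered(denials, policy):
    """Denials the policy does not grant: what another audit2allow round would add."""
    gaps = {k: perms - policy.get(k, set()) for k, perms in denials.items()}
    return {k: v for k, v in gaps.items() if v}

def to_te(rules):
    """Render rules in .te syntax, one allow line per (source, target, class)."""
    lines = []
    for (s, t, c), perms in sorted(rules.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        lines.append(f'allow {s} {t}:{c} {body};')
    return lines
```

Running to_te(uncovered(collect(SAMPLE_AVCS), parse_te(MY_RNGD_TE))) yields only the sssd_t connectto rule, which is the one the sample .te lacks; with the reporter's full module it yields nothing, matching the "I haven't seen more denials since then" state.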
Similar problem has been detected:

Logging on after an update to Fedora32

hashmarkername: setroubleshoot
kernel:         5.5.0-0.rc4.git2.1.fc32.x86_64
package:        selinux-policy-3.14.5-18.fc32.noarch
reason:         SELinux is preventing rngd from 'search' accesses on the directory sss.
type:           libreport
commit c8c0a3991634436928d25282eda22eac2efcd456 (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Fri Jan 10 13:20:52 2020 +0100

    Allow rngd_t domain to use nsswitch
    BZ(1787661)
This package has changed maintainer in the Fedora. Reassigning to the new maintainer of this component.
*** Bug 1787663 has been marked as a duplicate of this bug. ***
This bug appears to have been reported against 'rawhide' during the Fedora 32 development cycle. Changing version to 32.
This message is a reminder that Fedora 32 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora 32 on 2021-05-25. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '32'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 32 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
These denials were fixed in selinux-policy-3.14.5-28.fc32 according to the Fixed in Version field. The commit "Allow rngd_t domain to use nsswitch" in comment 5 was added in 3.14.5-20.fc32 according to the changelog at https://koji.fedoraproject.org/koji/buildinfo?buildID=1482968