Description of problem: I ran sudo dnf upgrade --refresh in the rawhide KDE Plasma spin on 2020-1-3. The update included kernel-5.5.0-0.rc4.git1.1.fc32.x86_64, glibc-2.30.9000-28.fc32.x86_64 and other rpms. Three denials of rngd searching /var/lib/sss happened on the next boot, followed by a denial of rngd reading /etc/passwd. rngd segmentation faulted right after that. I reported the denials of rngd searching /var/lib/sss along with the journal showing the rngd denials and segmentation fault at https://bugzilla.redhat.com/show_bug.cgi?id=1787661 The denials have occurred on 4 of 4 boots since the update. SELinux is preventing rngd from 'read' accesses on the file /etc/passwd. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that rngd should be allowed read access on the passwd file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'rngd' --raw | audit2allow -M my-rngd # semodule -X 300 -i my-rngd.pp Additional Information: Source Context system_u:system_r:rngd_t:s0 Target Context system_u:object_r:passwd_file_t:s0 Target Objects /etc/passwd [ file ] Source rngd Source Path rngd Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages setup-2.13.6-1.fc32.noarch Policy RPM selinux-policy-3.14.5-19.fc32.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 5.5.0-0.rc4.git1.1.fc32.x86_64 #1 SMP Thu Jan 2 14:27:07 UTC 2020 x86_64 x86_64 Alert Count 4 First Seen 2020-01-03 15:59:01 EST Last Seen 2020-01-03 16:44:37 EST Local ID 42f04cbf-a3bd-4235-b20a-dcbbeb212cc8 Raw Audit Messages type=AVC msg=audit(1578087877.520:195): avc: denied { read } for pid=906 comm="rngd" name="passwd" dev="dm-0" ino=526474 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0 Hash: rngd,rngd_t,passwd_file_t,file,read Version-Release number of selected component: selinux-policy-3.14.5-19.fc32.noarch Additional info: component: selinux-policy reporter: libreport-2.11.3 hashmarkername: setroubleshoot kernel: 5.5.0-0.rc4.git1.1.fc32.x86_64 type: libreport
The trace of the rngd segmentation fault indicated errors in frames #17-25 while loading /usr/lib64/opensc-pkcs11.so which is provided by opensc-0.20.0-1.fc32.x86_64. I reported the rngd segmentation fault at https://bugzilla.redhat.com/show_bug.cgi?id=1787686 opensc-0.20.0-1.fc32.x86_64 was included in the update during the boot before the rngd denials and segmentation faults started. I downgraded to opensc-0.19.0-8.fc32.x86_64 from koji. No rngd denials or segmentation fault happened on the next boot with opensc-0.19.0-8.fc32.x86_64. A change in opensc-0.20.0-1.fc32.x86_64 might be related to the rngd denials and segmentation faults. The rngd denials and segmentation faults happened on 7/7 boots with opensc-0.20.0-1.fc32.x86_64.
Fix was solved already here: https://bugzilla.redhat.com/show_bug.cgi?id=1787661 *** This bug has been marked as a duplicate of bug 1787661 ***