Description of problem:
I ran sudo dnf upgrade --refresh in the rawhide KDE Plasma spin on 2020-1-3. The update included kernel-5.5.0-0.rc4.git1.1.fc32.x86_64, glibc-2.30.9000-28.fc32.x86_64, opensc-0.20.0-1.fc32.x86_64, and other rpms. Three denials of rngd searching /var/lib/sss happened on the next boot (https://bugzilla.redhat.com/show_bug.cgi?id=1787661), followed by a denial of rngd reading /etc/passwd (https://bugzilla.redhat.com/show_bug.cgi?id=1787663). rngd segmentation faulted right after that. I attached the journal showing the rngd denials and segmentation fault to #1787661.

The trace of the rngd segmentation fault indicated errors in frames #17-25 while loading /usr/lib64/opensc-pkcs11.so, which is provided by opensc-0.20.0-1.fc32.x86_64.

(gdb) bt
#0  0x00007f1c44a46d23 in g_get_user_database_entry () at ../glib/gutils.c:692
#1  0x00007f1c44a46e97 in g_build_home_dir () at ../glib/gutils.c:828
#2  0x00007f1c44a47242 in g_build_user_cache_dir () at ../glib/gutils.c:1827
#3  0x00007f1c44a4844b in g_build_user_runtime_dir () at ../glib/gutils.c:1882
#4  g_get_user_runtime_dir () at ../glib/gutils.c:1927
#5  0x00007f1c44c4f13d in get_session_address_xdg () at ../gio/gdbusaddress.c:1334
#6  get_session_address_platform_specific (error=0x7ffeeec43048) at ../gio/gdbusaddress.c:1240
#7  g_dbus_address_get_for_bus_sync (bus_type=bus_type@entry=G_BUS_TYPE_SESSION, cancellable=cancellable@entry=0x0, error=error@entry=0x0) at ../gio/gdbusaddress.c:1334
#8  0x00007f1c44c5b506 in get_uninitialized_connection (bus_type=bus_type@entry=G_BUS_TYPE_SESSION, cancellable=cancellable@entry=0x0, error=error@entry=0x0) at ../gio/gdbusconnection.c:7225
#9  0x00007f1c44c610ae in g_bus_get_sync (bus_type=bus_type@entry=G_BUS_TYPE_SESSION, cancellable=cancellable@entry=0x0, error=error@entry=0x0) at ../gio/gdbusconnection.c:7320
#10 0x00007f1c44c3365e in g_application_impl_register (application=application@entry=0x559e3055c090 [GApplication], appid=0x559e3055ce10 "org.opensc.notify", flags=G_APPLICATION_NON_UNIQUE, exported_actions=0x559e305568d0, remote_actions=remote_actions@entry=0x559e3055c038, cancellable=cancellable@entry=0x0, error=0x0) at ../gio/gapplicationimpl-dbus.c:601
#11 0x00007f1c44c3054c in g_application_register (error=0x0, cancellable=0x0, application=0x559e3055c090 [GApplication]) at ../gio/gapplication.c:2187
#12 g_application_register (application=0x559e3055c090 [GApplication], cancellable=0x0, error=0x0) at ../gio/gapplication.c:2176
#13 0x00007f1c44f5a6fd in module_init () at /usr/lib64/opensc-pkcs11.so
#14 0x00007f1c4805826a in call_init (l=<optimized out>, argc=argc@entry=2, argv=argv@entry=0x7ffeeec43ac8, env=env@entry=0x7ffeeec43ae0) at dl-init.c:72
#15 0x00007f1c48058371 in call_init (env=0x7ffeeec43ae0, argv=0x7ffeeec43ac8, argc=2, l=<optimized out>) at dl-init.c:30
#16 _dl_init (main_map=0x559e30544360, argc=2, argv=0x7ffeeec43ac8, env=0x7ffeeec43ae0) at dl-init.c:119
#17 0x00007f1c479233e5 in __GI__dl_catch_exception (exception=exception@entry=0x0, operate=operate@entry=0x7f1c4805b930 <call_dl_init>, args=args@entry=0x7ffeeec43470) at dl-error-skeleton.c:182
#18 0x00007f1c4805c440 in dl_open_worker (a=a@entry=0x7ffeeec43610) at dl-open.c:758
#19 0x00007f1c47923388 in __GI__dl_catch_exception (exception=exception@entry=0x7ffeeec435f0, operate=operate@entry=0x7f1c4805c010 <dl_open_worker>, args=args@entry=0x7ffeeec43610) at dl-error-skeleton.c:208
#20 0x00007f1c4805bc5e in _dl_open (file=0x559e2f33825f "/usr/lib64/opensc-pkcs11.so", mode=-2147483647, caller_dlopen=0x7f1c47ed42c0 <C_LoadModule+80>, nsid=-2, argc=2, argv=<optimized out>, env=0x7ffeeec43ae0) at dl-open.c:837
#21 0x00007f1c477b939c in dlopen_doit (a=a@entry=0x7ffeeec43830) at dlopen.c:66
#22 0x00007f1c47923388 in __GI__dl_catch_exception (exception=exception@entry=0x7ffeeec437d0, operate=operate@entry=0x7f1c477b9340 <dlopen_doit>, args=args@entry=0x7ffeeec43830) at dl-error-skeleton.c:208
#23 0x00007f1c47923453 in __GI__dl_catch_error (objname=objname@entry=0x559e30544340, errstring=errstring@entry=0x559e30544348, mallocedp=mallocedp@entry=0x559e30544338, operate=operate@entry=0x7f1c477b9340 <dlopen_doit>, args=args@entry=0x7ffeeec43830) at dl-error-skeleton.c:227
#24 0x00007f1c477b9b09 in _dlerror_run (operate=operate@entry=0x7f1c477b9340 <dlopen_doit>, args=args@entry=0x7ffeeec43830) at dlerror.c:170
#25 0x00007f1c477b942a in __dlopen (file=file@entry=0x559e2f33825f "/usr/lib64/opensc-pkcs11.so", mode=mode@entry=1) at dlopen.c:87
#26 0x00007f1c47ed42c0 in C_LoadModule (mspec=0x559e2f33825f "/usr/lib64/opensc-pkcs11.so", funcs=funcs@entry=0x559e3052b0d0) at libpkcs11.c:67
#27 0x00007f1c47ed6f16 in pkcs11_CTX_load (ctx=0x559e305442b0, name=<optimized out>) at p11_load.c:77
#28 0x00007f1c47eda63c in PKCS11_CTX_load (ctx=<optimized out>, ident=<optimized out>) at p11_front.c:46
#29 0x0000559e2f336c38 in init_pkcs11_entropy_source (ent_src=0x559e2f33d860 <entropy_sources+576>) at rngd_pkcs11.c:106
#30 0x0000559e2f32e99c in main (argc=<optimized out>, argv=<optimized out>) at rngd.c:794

I downgraded to opensc-0.19.0-8.fc32.x86_64 from koji. No rngd denials or segmentation fault happened on the next boot with opensc-0.19.0-8.fc32.x86_64. A change in opensc-0.20.0-1.fc32.x86_64 might be related to the rngd denials and segmentation fault. The rngd denials and segmentation faults happened on 7/7 boots with opensc-0.20.0-1.fc32.x86_64.

Version-Release number of selected component: rng-tools-6.9-1.fc32

Additional info:
reporter: libreport-2.11.3
backtrace_rating: 4
cgroup: 0::/system.slice/rngd.service
cmdline: /sbin/rngd -f
crash_function: g_get_user_database_entry
executable: /usr/sbin/rngd
journald_cursor: s=29bfca92eb7642a18f0e109100134cc2;i=21b157;b=7b6c863a18104dc58b4867fd37d813a0;m=6c7eaa1c;t=59b43a1c7c24d;x=8091bc20104e86f7
kernel: 5.5.0-0.rc4.git1.1.fc32.x86_64
rootdir: /
runlevel: N 5
type: CCpp
uid: 0

Truncated backtrace:
Thread no. 1 (10 frames)
#0 g_get_user_database_entry at ../glib/gutils.c:692
#1 g_build_home_dir at ../glib/gutils.c:828
#2 g_build_user_cache_dir at ../glib/gutils.c:1827
#3 g_build_user_runtime_dir at ../glib/gutils.c:1882
#4 g_get_user_runtime_dir at ../glib/gutils.c:1927
#5 get_session_address_xdg at ../gio/gdbusaddress.c:1334
#6 get_session_address_platform_specific at ../gio/gdbusaddress.c:1240
#7 g_dbus_address_get_for_bus_sync at ../gio/gdbusaddress.c:1334
#8 get_uninitialized_connection at ../gio/gdbusconnection.c:7225
#9 g_bus_get_sync at ../gio/gdbusconnection.c:7320
Created attachment 1649571: backtrace
Created attachment 1649572: core_backtrace
Created attachment 1649573: cpuinfo
Created attachment 1649574: dso_list
Created attachment 1649575: environ
Created attachment 1649576: exploitable
Created attachment 1649577: limits
Created attachment 1649578: maps
Created attachment 1649579: mountinfo
Created attachment 1649580: open_fds
Created attachment 1649581: proc_pid_status
Created attachment 1649582: var_log_messages
I think this is something of a duplicate error to the other two bugs you've filed regarding the selinux denials. To address the dlopen issue, that appears to be something of a red herring. Starting at frame 27, the rngd pkcs11 entropy source attempts to init the pkcs11 library, which in frames 26 and 25 calls dlopen on /usr/lib64/opensc-pkcs11.so. Frames 24 and 23 encounter an error in that operation, which we can dig into if you like, but I think that's moot, because it appears to be non-fatal, noting that in frames 22-17 the operation is retried, ending at frame 15, in which the constructor for the opensc library is called (module_init), meaning that the dlopen operation succeeded, found the library and initialized it (or started trying to).

The discrepancy appears to be that opensc has had a major overhaul between version 19.06 and version 20 in rawhide. Whereas previously opensc only used internal infrastructure to initialize, in version 20 it appears to have adopted use of the glib library for a lot of its work, which does a lot of extra things under the cover, including opening /var/lib/sss and /etc/passwd. It would appear that those operations are denied by the rawhide selinux policy for the rngd application tag. That shouldn't cause a crash in g_get_user_database_entry, but I'm guessing that glib has a bug in which g_get_user_database_entry's call to getpwnam_r (or one of its cousins) doesn't expect a certain return from the call, and attempts to dereference memory that isn't there.

I think that the solution here is twofold:

1) The selinux policy should probably be updated to allow context system_u:system_r:rngd_t:s0 to access files of type sss_var_t and system_u:object_r:passwd_file_t so that the avc denials are not produced (which will avoid the crash)

2) glib needs to be updated to be able to handle those AVC denials, and whatever information they return from getpwnam and friends

If you can upload the core file from rngd here, I can take a closer look and pass this over to the glib maintainer for further correction. In the interim, I think you probably have three workarounds at your disposal:

a) you can downgrade the opensc library as you've done, to avoid the implicit use of glib in that library, avoiding the issue. Irritating, but possible

b) you can disable selinux, which will avoid the AVC denial, and prevent whatever error glib is encountering. Less secure, but also possible

c) you can copy /usr/lib/systemd/system/rngd.service to /etc/systemd/system/rngd.service and edit the file in etc such that the ExecStart line includes this option: -x pkcs11. Doing so will disable the pkcs11 entropy source, and prevent the opensc module from getting loaded, in turn preventing the crash above. This is likely your best interim solution, as it allows you to keep selinux active and your system more secure. This also, however, assumes that you don't have a pkcs11 entropy source available, but most people don't (they're smart card readers that produce a small amount of entropy that can be collected).

Please upload the core file, and I can route this to the appropriate maintainer for rectification.
Created attachment 1649821: rngd segmentation fault core dump file lz4 compressed

Neil, I'm attaching the rngd core dump file lz4 compressed from the segmentation fault I reported. I found the core dump file using coredumpctl info. I agree that the rngd denials are the reason for the segmentation faults. I have seen and reported about 12 additional rngd denials at https://bugzilla.redhat.com/show_bug.cgi?id=1787661#c3. rngd hasn't crashed since the first 5 of the 14 unique denials were allowed using a local policy module I described there. The rngd segmentation fault trace frames involving /usr/lib64/opensc-pkcs11.so allowed me to identify opensc-0.20.0-1.fc32.x86_64 as being involved in the denials and crashes at least. I can provide more information as needed. Thanks.
*** Bug 1787766 has been marked as a duplicate of this bug. ***
option c worked for me (disable pkcs11) as per #c13
Same issue on F31 with opensc-0.20.0-1.1.fc31, reverting the update helped with rngd's AVC denials and this segmentation fault.
In the new update of OpenSC with rebase, I re-enabled the desktop notification support. It seems that either OpenSC or glib does not handle the restricted environments very well. I will try to investigate what is going on there and disable the notification support (at least in Fedora 31 for now).
Checking the trace and the source code, this is really an issue of the glib2 package in Fedora. The frame 2 points here in the source code: https://gitlab.gnome.org/GNOME/glib/blob/master/glib/gutils.c#L692 And this expression misses any null check when trying to access the first element of pw_name in the pw structure in the expression pw->pw_name[0] = g_ascii_toupper (pw->pw_name[0]); I will change this bug to glib2 and try to write some patch or at least file an issue there.
Here is a fix for glib including reproducer for those interested in learning more: https://gitlab.gnome.org/GNOME/glib/merge_requests/1309
*** Bug 1788229 has been marked as a duplicate of this bug. ***
See https://bugzilla.redhat.com/show_bug.cgi?id=1788229 for blocker rationale - essentially, this prevents rngd starting up on boot, and we require default services to start successfully.
Filed https://bugzilla.redhat.com/show_bug.cgi?id=1789902 for the selinux-policy part of this.
*** Bug 1789157 has been marked as a duplicate of this bug. ***
For the record, I reverted the OpenSC change and the dependency on gio (as the notification support is still quite premature), so this should not happen anymore with rawhide. But it does not change that this bug in gio2 should be fixed. Not sure about the selinux ones though.
This fix should have reached rawhide already (GLib 2.63.4). Thanks Jakub!