Bug 1788229 - rngd crashes on startup after SELinux denials
Summary: rngd crashes on startup after SELinux denials
Keywords:
Status: CLOSED DUPLICATE of bug 1787686
Alias: None
Product: Fedora
Classification: Fedora
Component: rng-tools
Version: rawhide
Hardware: All
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: Neil Horman
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: openqa
Depends On:
Blocks: F32FinalBlocker
TreeView+ depends on / blocked
 
Reported: 2020-01-06 18:52 UTC by Adam Williamson
Modified: 2020-01-07 11:36 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-01-07 11:36:51 UTC
Type: Bug


Attachments (Terms of Use)

Description Adam Williamson 2020-01-06 18:52:39 UTC
On current Fedora Rawhide, rngd is crashing on startup, after we see some SELinux denials. This is affecting Server and KDE installs, not Workstation for some reason (haven't looked into why it doesn't happen on Workstation).

This is a violation of the Final release criteria - https://fedoraproject.org/wiki/Fedora_32_Final_Release_Criteria#System_services - "All system services present after installation with one of the release-blocking package sets must start properly, unless they require hardware which is not present."

The SELinux denials are these:

Jan 06 03:58:36 localhost.localdomain audit[733]: AVC avc:  denied  { search } for  pid=733 comm="rngd" name="sss" dev="dm-0" ino=4404863 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
Jan 06 03:58:36 localhost.localdomain audit[733]: AVC avc:  denied  { search } for  pid=733 comm="rngd" name="sss" dev="dm-0" ino=4404863 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
Jan 06 03:58:36 localhost.localdomain audit[733]: AVC avc:  denied  { search } for  pid=733 comm="rngd" name="sss" dev="dm-0" ino=4404863 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
Jan 06 03:58:36 localhost.localdomain audit[733]: AVC avc:  denied  { read } for  pid=733 comm="rngd" name="passwd" dev="dm-0" ino=4635692 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0

the backtrace looks like this (most symbols installed):

#0  0x00007fadf6bcdd23 in g_get_user_database_entry () at ../glib/gutils.c:692
        gecos_fields = 0x559f59f2e290
        name_parts = 0x559f59f2e2d0
        buffer = 0x559f59f1d160
        pwd = 
          {pw_name = 0x7fadf61ca3e0 "root", pw_passwd = 0x7fadf61ccce1 "x", pw_uid = 0, pw_gid = 0, pw_gecos = 0x7fadf61d3cdf "Super User", pw_dir = 0x7fadf61ca3df "/root", pw_shell = 0x7fadf61d3cea "/bin/sh"}
        pw = 0x7ffe43bc6870
        error = <optimized out>
        bufsize = <optimized out>
        e = {user_name = 0x559f59f2e250 "root", real_name = 0x0, home_dir = 0x0}
        entry = 0x0
#1  0x00007fadf6bcde97 in g_build_home_dir () at ../glib/gutils.c:828
        entry = <optimized out>
        home_dir = <optimized out>
#2  0x00007fadf6bce242 in g_build_user_cache_dir () at ../glib/gutils.c:1827
        home_dir = <optimized out>
        cache_dir = <optimized out>
        cache_dir_env = <optimized out>
#3  0x00007fadf6bcf44b in g_build_user_runtime_dir () at ../glib/gutils.c:1882
        runtime_dir = 0x0
        runtime_dir_env = <optimized out>
        user_runtime_dir = <optimized out>
#4  g_get_user_runtime_dir () at ../glib/gutils.c:1927
        user_runtime_dir = <optimized out>
#5  0x00007fadf6dce13d in get_session_address_xdg () at ../gio/gdbusaddress.c:1334
        ret = 0x0
        tmp = <optimized out>
        buf = 
            {st_dev = 210453397508, st_ino = 0, st_nlink = 0, st_mode = 0, st_uid = 0, st_gid = 124, __pad0 = 119, st_rdev = 390842024046, st_size = 370876147696, st_blksize = 2, st_blocks = 56, st_atim = {tv_sec = 140385177885152, tv_nsec = 2}, st_mtim = {tv_sec = 0, tv_nsec = 0}, st_ctim = {tv_sec = 0, tv_nsec = 94142897226896}, __glibc_reserved = {140385146688064, 2, 0}}
        bus = <optimized out>
        ret = <optimized out>
        ret = 0x0
        s = <optimized out>
        starter_bus = <optimized out>
        local_error = 0x0
        __func__ = "g_dbus_address_get_for_bus_sync"
#6  get_session_address_platform_specific (error=0x7ffe43bc6948) at ../gio/gdbusaddress.c:1240
        ret = <optimized out>
        ret = 0x0
        s = <optimized out>
        starter_bus = <optimized out>
        local_error = 0x0
        __func__ = "g_dbus_address_get_for_bus_sync"
#7  g_dbus_address_get_for_bus_sync (bus_type=bus_type@entry=G_BUS_TYPE_SESSION, cancellable=cancellable@entry=0x0, error=error@entry=0x0) at ../gio/gdbusaddress.c:1334
        ret = 0x0
        s = <optimized out>
        starter_bus = <optimized out>
        local_error = 0x0
        __func__ = "g_dbus_address_get_for_bus_sync"
#8  0x00007fadf6dda506 in get_uninitialized_connection (bus_type=bus_type@entry=G_BUS_TYPE_SESSION, cancellable=cancellable@entry=0x0, error=error@entry=0x0) at ../gio/gdbusconnection.c:7225
        address = <optimized out>
        singleton = 0x7fadf6ea9e38 <the_session_bus>
        ret = 0x0
        __func__ = "get_uninitialized_connection"
#9  0x00007fadf6de00ae in g_bus_get_sync (bus_type=bus_type@entry=G_BUS_TYPE_SESSION, cancellable=cancellable@entry=0x0, error=error@entry=0x0) at ../gio/gdbusconnection.c:7320
        connection = <optimized out>
        __func__ = "g_bus_get_sync"
#10 0x00007fadf6db265e in g_application_impl_register (application=application@entry=0x559f59f21890 [GApplication], appid=0x559f59f21770 "org.opensc.notify", flags=G_APPLICATION_NON_UNIQUE, exported_actions=0x559f59f1bcd0, remote_actions=remote_actions@entry=0x559f59f21838, cancellable=cancellable@entry=0x0, error=0x0) at ../gio/gapplicationimpl-dbus.c:601
        actions = <optimized out>
        impl = <optimized out>
        __func__ = "g_application_impl_register"
#11 0x00007fadf6daf54c in g_application_register (error=0x0, cancellable=0x0, application=0x559f59f21890 [GApplication]) at ../gio/gapplication.c:2187
        __func__ = "g_application_register"
        __func__ = "g_application_register"
#12 g_application_register (application=0x559f59f21890 [GApplication], cancellable=0x0, error=0x0) at ../gio/gapplication.c:2176
        __func__ = "g_application_register"
#13 0x00007fadf70aa6fd in  () at /usr/lib64/opensc-pkcs11.so
#14 0x0000000000000002 in  ()
#15 0x00007fadf90f626a in call_init.part () at /lib64/ld-linux-x86-64.so.2
#16 0x00007fadf90f6371 in _dl_init () at /lib64/ld-linux-x86-64.so.2
#17 0x00007fadf8a073e5 in _dl_vdso_vsym () at /lib64/libc.so.6
#18 0x0000000000000000 in  ()

Filing against rng-tools, but CCing SELinux policy maintainers too.

Comment 1 Neil Horman 2020-01-07 11:36:51 UTC

*** This bug has been marked as a duplicate of bug 1787686 ***


Note You need to log in before you can comment on or make changes to this bug.