Description of problem:
It occurs when I boot or stop and start rngd. I just upgraded from Fedora 32 to Fedora 33 using the online method, not by booting from removable media.

SELinux is preventing rngd from 'getattr' accesses on the filesystem /sys.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that rngd should be allowed getattr access on the sys filesystem by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'rngd' --raw | audit2allow -M my-rngd
# semodule -X 300 -i my-rngd.pp

Additional Information:
Source Context                system_u:system_r:rngd_t:s0
Target Context                system_u:object_r:sysfs_t:s0
Target Objects                /sys [ filesystem ]
Source                        rngd
Source Path                   rngd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages           filesystem-3.14-3.fc33.x86_64
SELinux Policy RPM            selinux-policy-targeted-3.14.6-34.fc33.noarch
Local Policy RPM              selinux-policy-targeted-3.14.6-34.fc33.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.10.15-200.fc33.x86_64 #1 SMP Wed Feb 10 17:46:55 UTC 2021 x86_64 x86_64
Alert Count                   2
First Seen                    2021-02-14 17:10:47 EST
Last Seen                     2021-02-14 17:11:19 EST
Local ID                      c89047c5-1c86-46f7-ada3-92a6d7b19ee5

Raw Audit Messages
type=AVC msg=audit(1613340679.885:559): avc: denied { getattr } for pid=3132 comm="rngd" name="/" dev="sysfs" ino=1 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem permissive=0

Hash: rngd,rngd_t,sysfs_t,filesystem,getattr

Version-Release number of selected component:
selinux-policy-targeted-3.14.6-34.fc33.noarch

Additional info:
component: selinux-policy
reporter: libreport-2.14.0
hashmarkername: setroubleshoot
kernel: 5.10.15-200.fc33.x86_64
type: libreport
Similar problem has been detected: Logged into Xfce from the greeter. hashmarkername: setroubleshoot kernel: 5.10.16-200.fc33.x86_64 package: selinux-policy-targeted-3.14.6-34.fc33.noarch reason: SELinux is preventing rngd from 'getattr' accesses on the filesystem /sys. type: libreport
*** Bug 1929360 has been marked as a duplicate of this bug. ***
*** Bug 1929366 has been marked as a duplicate of this bug. ***
Similar problem has been detected: I was merely cold booting into my device, then straight into Cinnamon, when it threw this error message up. hashmarkername: setroubleshoot kernel: 5.10.15-200.fc33.x86_64 package: selinux-policy-targeted-3.14.6-34.fc33.noarch reason: SELinux is preventing rngd from 'getattr' accesses on the filesystem /sys. type: libreport
@x-m
Similar problem has been detected: Normal reboot hashmarkername: setroubleshoot kernel: 5.10.15-200.fc33.x86_64 package: selinux-policy-targeted-3.14.6-34.fc33.noarch reason: SELinux is preventing rngd from 'getattr' accesses on the filesystem /sys. type: libreport
Similar problem has been detected: This alert appeared after updating and rebooting my system. hashmarkername: setroubleshoot kernel: 5.10.15-200.fc33.x86_64 package: selinux-policy-targeted-3.14.6-34.fc33.noarch reason: SELinux is preventing rngd from 'getattr' accesses on the filesystem /sys. type: libreport
Also happens on my Fedora 33 VM during reboot:
----
type=PROCTITLE msg=audit(02/17/2021 16:03:09.043:211) : proctitle=/sbin/rngd -f
type=PATH msg=audit(02/17/2021 16:03:09.043:211) : item=0 name=/sys inode=1 dev=00:15 mode=dir,555 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysfs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(02/17/2021 16:03:09.043:211) : cwd=/
type=SYSCALL msg=audit(02/17/2021 16:03:09.043:211) : arch=x86_64 syscall=statfs success=no exit=EACCES(Permission denied) a0=0x7fa91c60875c a1=0x7ffc9a2a7cc0 a2=0x7fa91c60bfa8 a3=0x80 items=1 ppid=1 pid=701 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rngd exe=/usr/sbin/rngd subj=system_u:system_r:rngd_t:s0 key=(null)
type=AVC msg=audit(02/17/2021 16:03:09.043:211) : avc: denied { getattr } for pid=701 comm=rngd name=/ dev="sysfs" ino=1 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem permissive=0
----
After switching the rngd_t domain to permissive and rebooting the machine, there are no additional SELinux denials. Only this one:
----
type=PROCTITLE msg=audit(02/17/2021 20:12:21.526:183) : proctitle=/sbin/rngd -f
type=PATH msg=audit(02/17/2021 20:12:21.526:183) : item=0 name=/sys inode=1 dev=00:15 mode=dir,555 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysfs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(02/17/2021 20:12:21.526:183) : cwd=/
type=SYSCALL msg=audit(02/17/2021 20:12:21.526:183) : arch=x86_64 syscall=statfs success=yes exit=0 a0=0x7f4483afb75c a1=0x7ffcde29e880 a2=0x7f4483afefa8 a3=0x80 items=1 ppid=1 pid=703 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rngd exe=/usr/sbin/rngd subj=system_u:system_r:rngd_t:s0 key=(null)
type=AVC msg=audit(02/17/2021 20:12:21.526:183) : avc: denied { getattr } for pid=703 comm=rngd name=/ dev="sysfs" ino=1 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem permissive=1
----
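Added example, not part of the bug thread or of any Fedora tooling: a small Python triage of the two ausearch excerpts in the comments above. It pairs each AVC record with the SYSCALL record of the same audit event, derives the type-enforcement rule the denial corresponds to, and reports whether the access was actually blocked (permissive=0) or only logged (permissive=1). The sample records are abbreviated from those excerpts; the function names are illustrative.

```python
import re
from collections import defaultdict

# Abbreviated from the enforcing and permissive ausearch excerpts quoted above.
SAMPLE = """\
type=SYSCALL msg=audit(02/17/2021 16:03:09.043:211) : arch=x86_64 syscall=statfs success=no exit=EACCES(Permission denied) pid=701 comm=rngd exe=/usr/sbin/rngd subj=system_u:system_r:rngd_t:s0
type=AVC msg=audit(02/17/2021 16:03:09.043:211) : avc: denied { getattr } for pid=701 comm=rngd name=/ dev="sysfs" ino=1 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem permissive=0
type=SYSCALL msg=audit(02/17/2021 20:12:21.526:183) : arch=x86_64 syscall=statfs success=yes exit=0 pid=703 comm=rngd exe=/usr/sbin/rngd subj=system_u:system_r:rngd_t:s0
type=AVC msg=audit(02/17/2021 20:12:21.526:183) : avc: denied { getattr } for pid=703 comm=rngd name=/ dev="sysfs" ino=1 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem permissive=1
"""

HEAD = re.compile(r"^type=(\w+) msg=audit\(([^)]*)\)\s*:\s*(.*)$")
PERMS = re.compile(r"\{([^}]*)\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group records by audit event id (the text inside msg=audit(...))."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = HEAD.match(line.strip())
        if not m:
            continue
        rtype, event_id, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        if rtype == "AVC":
            pm = PERMS.search(body)
            fields["perms"] = pm.group(1).split() if pm else []
        events[event_id][rtype] = fields
    return events

def triage(events):
    """One summary per AVC denial: matching TE rule and whether it was enforced."""
    out = []
    for event_id, recs in events.items():
        avc = recs.get("AVC")
        if not avc:
            continue
        src, tgt = (avc[k].split(":")[2] for k in ("scontext", "tcontext"))
        perms = avc["perms"]
        perm_txt = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        sc = recs.get("SYSCALL", {})
        out.append({
            "event": event_id,
            "rule": f"allow {src} {tgt}:{avc['tclass']} {perm_txt};",
            "syscall": sc.get("syscall"),
            "blocked": avc.get("permissive") == "0",  # permissive=1: logged only
            "syscall_ok": sc.get("success") == "yes",
        })
    return out
```

Both events map to the same rule, which matches the hash line `rngd,rngd_t,sysfs_t,filesystem,getattr` in the original report; only the first was enforced.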
Similar problem has been detected: I just turned my machine on and this got flagged up by SELinux. I had just updated Fedora. Couldn't find anything regarding this online, so tried to research it myself. rngd = Check and feed random data from hardware device to kernel. This daemon feeds data from a random number generator to the kernel's random number entropy pool, after first checking the data to ensure that it is properly random. GetAttr = Returns an integer that represents the attributes of a file or folder. So from what I understand (which is very little) some hardware wants to check/feed random data to the kernel using GetAttr to get a file/folder's attribute on the /sys filesystem. Sorry if this is nothing and not worth reporting. hashmarkername: setroubleshoot kernel: 5.10.15-200.fc33.x86_64 package: selinux-policy-targeted-3.14.6-34.fc33.noarch reason: SELinux is preventing rngd from 'getattr' accesses on the filesystem /sys. type: libreport
Similar problem has been detected:

[root@wkgames-home wkgames] # ausearch -c 'rngd'--raw | audit2allow -M my-rngd
<no matches>
Nothing to do
[root@wkgames-home wkgames] # semodule -X 300 -i my-rngd.pp
libsemanage.map_file: Unable to open my-rngd.pp (No such file or directory).
libsemanage.semanage_direct_install_file: Unable to read file my-rngd.pp (No such file or directory).
semodule: Failed on my-rngd.pp!
[root@wkgames-home wkgames] #

hashmarkername: setroubleshoot
kernel: 5.10.15-200.fc33.x86_64
package: selinux-policy-targeted-3.14.6-34.fc33.noarch
reason: SELinux is preventing rngd from 'getattr' accesses on the sistema de arquivos /sys.
type: libreport
Similar problem has been detected: (re)booted system into (cinnamon) desktop, and encountered this SELinux alert. hashmarkername: setroubleshoot kernel: 5.10.15-200.fc33.x86_64 package: selinux-policy-targeted-3.14.6-34.fc33.noarch reason: SELinux is preventing rngd from 'getattr' accesses on the filesystem /sys. type: libreport
Similar problem has been detected: Restart after running dfndragora update hashmarkername: setroubleshoot kernel: 5.10.15-200.fc33.x86_64 package: selinux-policy-targeted-3.14.6-34.fc33.noarch reason: SELinux is preventing rngd from 'getattr' accesses on the filesystem /sys. type: libreport
Similar problem has been detected: Installed Fedora Workstation 33, then decided to install KDE desktop environment. After installing, I rebooted and after changing from GNOME and logging on KDE, everything started to crash, especially on KDE wayland. hashmarkername: setroubleshoot kernel: 5.10.15-200.fc33.x86_64 package: selinux-policy-targeted-3.14.6-34.fc33.noarch reason: SELinux is preventing rngd from 'getattr' accesses on the filesystem /sys. type: libreport
Similar problem has been detected: Occurs when the kernel is upgraded to 5.10.15. hashmarkername: setroubleshoot kernel: 5.10.15-200.fc33.x86_64 package: selinux-policy-targeted-3.14.6-34.fc33.noarch reason: SELinux is preventing rngd from 'getattr' accesses on the 文件系统 /sys. type: libreport
I've submitted a Fedora PR to address the issue: https://github.com/fedora-selinux/selinux-policy/pull/605
Similar problem has been detected: Appeared at system startup (rngd initialization) hashmarkername: setroubleshoot kernel: 5.10.15-200.fc33.x86_64 package: selinux-policy-targeted-3.14.6-34.fc33.noarch reason: SELinux is preventing rngd from 'getattr' accesses on the filesystem /sys. type: libreport
Similar problem has been detected: The alert appeared after machine reboot. hashmarkername: setroubleshoot kernel: 5.10.16-200.fc33.x86_64 package: selinux-policy-targeted-3.14.6-34.fc33.noarch reason: SELinux is preventing rngd from 'getattr' accesses on the filesystem /sys. type: libreport
Similar problem has been detected: Booting up after installing multiple updates and shutting down for the night. Among all the upgraded packages, these might be related to this problem: kernel-5.10.16-200.fc33.x86_64 kernel-core-5.10.16-200.fc33.x86_64 kernel-devel-5.10.16-200.fc33.x86_64 kernel-modules-5.10.16-200.fc33.x86_64 kernel-modules-extra-5.10.16-200.fc33.x86_64 audit-3.0.1-1.fc33.x86_64 audit-libs-3.0.1-1.fc33.x86_64 audit-libs-3.0.1-1.fc33.i686 hashmarkername: setroubleshoot kernel: 5.10.16-200.fc33.x86_64 package: selinux-policy-targeted-3.14.6-34.fc33.noarch reason: SELinux is preventing rngd from 'getattr' accesses on the filesystem /sys. type: libreport
Similar problem has been detected: This happens at boot, even after a "fixfiles onboot". hashmarkername: setroubleshoot kernel: 5.10.16-200.fc33.x86_64 package: selinux-policy-targeted-3.14.6-34.fc33.noarch reason: SELinux is preventing rngd from 'getattr' accesses on the filesystem /sys. type: libreport
The problem occurred after the boot.
*** Bug 1931524 has been marked as a duplicate of this bug. ***
Similar problem has been detected: Rebooted PC hashmarkername: setroubleshoot kernel: 5.10.16-200.fc33.x86_64 package: selinux-policy-targeted-3.14.6-34.fc33.noarch reason: SELinux is preventing rngd from 'getattr' accesses on the filesystem /sys. type: libreport
*** Bug 1928394 has been marked as a duplicate of this bug. ***
Similar problem has been detected: Upon login (KDE Plasma X11), this SELinux alert will always appear. This has only been occurring for approximately ~1 week. No noticeable side effects. In truth, I have no idea whether or not rngd should be allowed this permission, though I believe that it should either be changed to allow it or should probably never try to access it in the first place so that the user doesn't suspect something wrong with their system. If I can provide any more info, please let me know. hashmarkername: setroubleshoot kernel: 5.10.16-200.fc33.x86_64 package: selinux-policy-targeted-3.14.6-34.fc33.noarch reason: SELinux is preventing rngd from 'getattr' accesses on the filesystem /sys. type: libreport
Similar problem has been detected: I see this error when I open a browser that I have installed on my computer. I use Firefox, Chromium and Google Chrome to work on various projects. hashmarkername: setroubleshoot kernel: 5.10.16-200.fc33.x86_64 package: selinux-policy-targeted-3.14.6-34.fc33.noarch reason: SELinux is preventing rngd from 'getattr' accesses on the filesystem /sys. type: libreport
Similar problem has been detected: After upgrade FC32 >> FC33, with dnf. hashmarkername: setroubleshoot kernel: 5.10.16-200.fc33.x86_64 package: selinux-policy-targeted-3.14.6-34.fc33.noarch reason: SELinux is preventing rngd from 'getattr' accesses on the Dateisystem /sys. type: libreport
Similar problem has been detected: I'm not sure. Could this be related to charon-nm, strongswan VPN? Just guessing here. hashmarkername: setroubleshoot kernel: 5.10.16-200.fc33.x86_64 package: selinux-policy-targeted-3.14.6-34.fc33.noarch reason: SELinux is preventing rngd from 'getattr' accesses on the filesystem /sys. type: libreport
Similar problem has been detected: Every time you turn on your pc and login hashmarkername: setroubleshoot kernel: 5.10.16-200.fc33.x86_64 package: selinux-policy-targeted-3.14.6-34.fc33.noarch reason: SELinux is preventing rngd from 'getattr' accesses on the filesystem /sys. type: libreport
Similar problem has been detected: Simply rebooted. A number of batches of updates have been applied since last reboot, so I can't narrow this down much. reboot system boot 5.8.11-200.fc32. Thu Feb 25 14:54 still running [ problem *probably* appeared somewhere in here, but no guarantees] reboot system boot 5.8.11-200.fc32. Tue Feb 16 01:50 - 14:52 (9+13:01) hashmarkername: setroubleshoot kernel: 5.8.11-200.fc32.x86_64 package: selinux-policy-targeted-3.14.6-34.fc33.noarch reason: SELinux is preventing rngd from 'getattr' accesses on the filesystem /sys. type: libreport
Similar problem has been detected: At startup of system during initialisation of login session. hashmarkername: setroubleshoot kernel: 5.10.17-200.fc33.x86_64 package: selinux-policy-targeted-3.14.6-34.fc33.noarch reason: SELinux is preventing rngd from 'getattr' accesses on the système de fichiers /sys. type: libreport
Similar problem has been detected: Happens every time I log into Fedora 33. hashmarkername: setroubleshoot kernel: 5.10.17-200.fc33.x86_64 package: selinux-policy-targeted-3.14.6-34.fc33.noarch reason: SELinux is preventing rngd from 'getattr' accesses on the filesystem /sys. type: libreport
Similar problem has been detected: Login into KDE Plasma, seaplet reports this issue hashmarkername: setroubleshoot kernel: 5.10.18-200.fc33.x86_64 package: selinux-policy-targeted-3.14.6-34.fc33.noarch reason: SELinux is preventing rngd from 'getattr' accesses on the filesystem /sys. type: libreport
Similar problem has been detected: I have no details; I turned on my computer and that notice appeared. hashmarkername: setroubleshoot kernel: 5.10.15-200.fc33.x86_64 package: selinux-policy-targeted-3.14.6-34.fc33.noarch reason: SELinux is preventing rngd from 'getattr' accesses on the sistema de archivos /sys. type: libreport
Similar problem has been detected: After starting the session, typing the user's password, and the desktop appears, this error occurred. My distribution is Fedora Mate 33. hashmarkername: setroubleshoot kernel: 5.10.17-200.fc33.x86_64 package: selinux-policy-targeted-3.14.6-34.fc33.noarch reason: SELinux is preventing rngd from 'getattr' accesses on the sistema de arquivos /sys. type: libreport
Similar problem has been detected: I have SELinux in permissive mode. hashmarkername: setroubleshoot kernel: 5.10.18-200.fc33.x86_64 package: selinux-policy-targeted-3.14.6-34.fc33.noarch reason: SELinux is preventing rngd from 'getattr' accesses on the filesystem /sys. type: libreport
Similar problem has been detected: After update of OS - newly installed today - this began. hashmarkername: setroubleshoot kernel: 5.10.19-200.fc33.x86_64 package: selinux-policy-targeted-3.14.6-34.fc33.noarch reason: SELinux is preventing rngd from 'getattr' accesses on the filesystem /sys. type: libreport
Similar problem has been detected: On reboot hashmarkername: setroubleshoot kernel: 5.10.19-200.fc33.x86_64 package: selinux-policy-targeted-3.14.6-34.fc33.noarch reason: SELinux is preventing rngd from 'getattr' accesses on the filesystem /sys. type: libreport
FEDORA-2021-e9050fdd5c has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2021-e9050fdd5c
FEDORA-2021-e9050fdd5c has been pushed to the Fedora 33 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-e9050fdd5c` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-e9050fdd5c See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2021-e9050fdd5c has been pushed to the Fedora 33 stable repository. If the problem still persists, please make note of it in this bug report.