This bug was initially created as a copy of Bug #1955522.

Description of problem:

1) rpminspect fails on the "pathmigration" test for rng-tools-6.12-2.el9 due to a hardcoded incorrect %_sbindir:

> path-migration:
> ---------------
> 1) File /sbin/rngd found should be in /usr/sbin on x86_64

https://dashboard.osci.redhat.com/#/artifact/brew-build/aid/36241461?focus=tc:osci.brew-build.rpminspect.static-analysis
http://artifacts.osci.redhat.com/testing-farm/9d1ed40c-05f1-46f0-9382-22392984986e/work-rpminspect3FlYCZ/rpminspect/execute/data/pathmigration/output.txt

2) there is a request from ProdSec to make rngd run as non-root (see bz1692435)

3) if we make rngd run as non-root, it fails with an error due to permissions on /dev/hwrng:

May 04 17:13:29 rhel9 rngd[523]: [hwrng ]: Initialization Failed
527 17:00:07 openat(AT_FDCWD, "/dev/hwrng", O_RDONLY|O_NOCTTY) = -1 EACCES (Permission denied)
suggestions on how to test:

1) just check the path for the rngd binary, it should be in /usr/sbin. The current (wrong) path is:

# rpm -q rng-tools
rng-tools-6.12-1.el9.x86_64
# rpm -ql rng-tools | grep sbin
/sbin/rngd

2) just check that /sbin/rngd is run as the rngd user:

# ps -ef |grep rngd
rngd 824 1 99 15:24 ? 00:00:07 /sbin/rngd -f

3) just check that there are no failing messages for hwrng in the log:

# journalctl -b | grep rngd
test build: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=37032590

# rpm -q rng-tools
rng-tools-6.12-4.el9.x86_64
# rpm -ql rng-tools | grep sbin
/usr/sbin/rngd
# ps -ef |grep rngd
rngd 539 1 13 19:56 ? 00:00:13 /usr/sbin/rngd -f --fill-watermark=0
[root@rhel9 ~]# journalctl -b | grep rngd
May 27 19:56:39 rhel9.vsd.localdomain rngd[539]: Initializing available sources
May 27 19:56:39 rhel9.vsd.localdomain rngd[539]: [hwrng ]: Initialized <<< THIS LINE IS WHERE IT WAS FAILING BEFORE
May 27 19:56:39 rhel9.vsd.localdomain rngd[539]: [rdrand]: Enabling RDRAND rng support
May 27 19:56:39 rhel9.vsd.localdomain rngd[539]: [rdrand]: Initialized
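The three checks from the testing suggestions above, written as an added example that is not part of the original bug thread. The function names and the sample input are constructed for illustration; the failure strings matched are the two hwrng messages quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the bug thread. Each check reads command output on
# stdin and returns 0 (pass) or 1 (fail). On a real host, feed them with:
#   rpm -ql rng-tools | check_path
#   ps -e -o user= -o args= | check_user
#   journalctl -b | check_hwrng

# 1) rngd must be packaged in /usr/sbin and not in /sbin.
check_path() {
    awk '$0 == "/sbin/rngd"     { bad = 1 }
         $0 == "/usr/sbin/rngd" { good = 1 }
         END { exit !(good && !bad) }'
}

# 2) At least one rngd process exists and every one runs as user rngd.
#    Matching on the command field avoids counting "grep rngd" itself.
check_user() {
    awk '$2 ~ "(^|/)rngd$" { seen = 1; if ($1 != "rngd") bad = 1 }
         END { exit !(seen && !bad) }'
}

# 3) Neither hwrng failure wording quoted in the thread appears in the log.
check_hwrng() {
    ! grep -Eq '\[hwrng *\]: Initialization Failed|Failed to init entropy source hwrng'
}

# Constructed sample input, modelled on the output quoted in the thread.
old_files='/sbin/rngd'
new_files='/usr/sbin/rngd'
old_ps='root /sbin/rngd -f
root grep --color=auto rngd'
new_ps='rngd /usr/sbin/rngd -f --fill-watermark=0
root grep --color=auto rngd'
old_log='May 04 17:13:29 rhel9 rngd[523]: [hwrng ]: Initialization Failed'
new_log='May 27 19:56:39 rhel9 rngd[539]: [hwrng ]: Initialized'

# Print pass/FAIL for one check run on whatever is piped in.
verdict() { if "$@"; then echo pass; else echo FAIL; fi; }
echo "old path:  $(printf '%s\n' "$old_files" | verdict check_path)"
echo "old user:  $(printf '%s\n' "$old_ps" | verdict check_user)"
echo "old hwrng: $(printf '%s\n' "$old_log" | verdict check_hwrng)"
echo "new path:  $(printf '%s\n' "$new_files" | verdict check_path)"
echo "new user:  $(printf '%s\n' "$new_ps" | verdict check_user)"
echo "new hwrng: $(printf '%s\n' "$new_log" | verdict check_hwrng)"
```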
Hello, Vilem,

Could you please also grant qa_ack+ for this bz? It is fixing the same issues for rng-tools as the previous bzs, but for RHEL-9. I need the release+ to do the push to the c9s repo. The testing steps are simple and I've mentioned them in #c1.
Acking. Also confirming the problem 3 in rng-tools-6.8-4.el8.x86_64 (the others are already fixed):

# journalctl -b | grep hwrng
Jun 01 12:10:17 intel-denlow-r-02.lab.eng.rdu2.redhat.com rngd[40142]: Failed to init entropy source hwrng
# ls -l /dev/hwrng
crw-------. 1 root root 10, 183 May 31 23:57 /dev/hwrng
# rpm -ql rng-tools | grep sbin
/usr/sbin/rngd
# ps auxwf| grep rngd
root 41107 0.0 0.0 12136 1156 pts/0 S+ 12:32 0:00 \_ grep --color=auto rngd
rngd 40570 1.0 0.0 381340 4620 ? Ssl 12:12 0:12 /usr/sbin/rngd -f --fill-watermark=0
A GitLab MR has been merged: https://gitlab.com/redhat/centos-stream/rpms/rng-tools/-/merge_requests/1
Verified, thanks for detailed testing instructions.

# wget http://download.devel.redhat.com/brewroot/work/tasks/2274/38422274/jitterentropy-3.0.2-2.git.409828cf.el9.x86_64.rpm http://download.devel.redhat.com/brewroot/work/tasks/6815/38436815/rng-tools-6.13-5.git.d207e0b6.el9.x86_64.rpm
(...)
Downloaded: 2 files, 93K in 0.002s (43.4 MB/s)
# dnf -y install jitterentropy*rpm rng-tools*rpm && systemctl stop rngd && systemctl disable rngd
(...)
Installed:
  jitterentropy-3.0.2-2.git.409828cf.el9.x86_64
  rng-tools-6.13-5.git.d207e0b6.el9.x86_64
Complete!
Removed /etc/systemd/system/multi-user.target.wants/rngd.service.
# /usr/sbin/rngd -f -o /dev/stdout > /tmp/rngfile
Initializing available sources
[hwrng ]: Initialization Failed
[rdrand]: Enabling RDRAND rng support
[rdrand]: Initialized
[jitter]: Initializing AES buffer
[jitter]: Enabling JITTER rng support
[jitter]: Initialized
^C[rdrand]: Shutting down
[jitter]: Shutting down
# ls -lh /tmp/rngfile
-rw-r--r--. 1 root root 49M Aug 5 20:01 /tmp/rngfile
# cat /tmp/rngfile | /usr/bin/rngtest -c 1000
rngtest 6.13
Copyright (c) 2004 by Henrique de Moraes Holschuh
This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
rngtest: starting FIPS tests...
rngtest: bits received from input: 20000032
rngtest: FIPS 140-2 successes: 999
rngtest: FIPS 140-2 failures: 1
rngtest: FIPS 140-2(2001-10-10) Monobit: 0
rngtest: FIPS 140-2(2001-10-10) Poker: 1
rngtest: FIPS 140-2(2001-10-10) Runs: 0
rngtest: FIPS 140-2(2001-10-10) Long run: 0
rngtest: FIPS 140-2(2001-10-10) Continuous run: 0
rngtest: input channel speed: (min=1.863; avg=16.796; max=18.626)Gibits/s
rngtest: FIPS tests speed: (min=165.856; avg=210.580; max=214.309)Mibits/s
rngtest: Program run time: 92143 microseconds
# rm -f /tmp/rngfile
# dnf -y erase jitterentropy rng-tools
(...)
Complete!
(In reply to Vilém Maršík from comment #24)
> Verified, thanks for detailed testing instructions.

thanks a ton, Vilem, much appreciated!