Bug 2058914 - SELinux is preventing rngd from using the 'setgid' capabilities.
Summary: SELinux is preventing rngd from using the 'setgid' capabilities.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 36
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:f98b1f95d3fcc4ba24814d5ddbc...
Duplicates: 2059166
Depends On:
Blocks:
Reported: 2022-02-26 21:40 UTC by Matt Fagnani
Modified: 2022-04-28 13:00 UTC

Fixed In Version: selinux-policy-36.5-1.fc36
Clone Of:
Environment:
Last Closed: 2022-03-24 19:34:02 UTC
Type: ---
Embargoed:


Links:
System: Github
ID: fedora-selinux selinux-policy pull 1104
Private: 0
Priority: None
Status: open
Summary: Allow rngd drop privileges via setuid/setgid/setcap
Last Updated: 2022-03-03 16:11:20 UTC

Description Matt Fagnani 2022-02-26 21:40:49 UTC
Description of problem:
I ran sudo dnf upgrade --refresh with updates-testing enabled in a Fedora 36 KDE Plasma installation. The update included rng-tools-6.15-1.fc36.x86_64. rngd.service was restarted as part of the update. rngd was denied the setgid capability five times which made rngd.service fail to start. The same denials happened when I ran sudo systemctl restart rngd and on the next boot.

Feb 26 16:24:43 systemd[1]: Stopping rngd.service - Hardware RNG Entropy Gatherer Daemon...
Feb 26 16:24:43 systemd[1]: rngd.service: Deactivated successfully.
Feb 26 16:24:43 systemd[1]: Stopped rngd.service - Hardware RNG Entropy Gatherer Daemon.
Feb 26 16:24:43 audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=rngd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Feb 26 16:24:43 systemd[1]: rngd.service: Consumed 49.068s CPU time.
Feb 26 16:24:43 systemd[1]: Started rngd.service - Hardware RNG Entropy Gatherer Daemon.
Feb 26 16:24:43 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=rngd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Feb 26 16:24:43 rngd[6456]: Disabling 7: PKCS11 Entropy generator (pkcs11)
Feb 26 16:24:43 rngd[6456]: Disabling 5: NIST Network Entropy Beacon (nist)
Feb 26 16:24:43 rngd[6456]: Initializing available sources
Feb 26 16:24:43 rngd[6456]: [hwrng ]: Initialization Failed
Feb 26 16:24:43 rngd[6456]: [rdrand]: Initialization Failed
Feb 26 16:24:43 rngd[6456]: [jitter]: Initializing AES buffer
Feb 26 16:24:43 systemd[1]: Started run-r4ee5f639bad24e2198909180c131303b.service - /usr/bin/systemctl start man-db-cache-update.
Feb 26 16:24:43 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=run-r4ee5f639bad24e2198909180c131303b comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Feb 26 16:24:47 audit[6272]: USER_END pid=6272 uid=1000 auid=1000 ses=6 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_keyinit,pam_limits,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
Feb 26 16:24:47 audit[6272]: CRED_DISP pid=6272 uid=1000 auid=1000 ses=6 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_localuser,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
Feb 26 16:24:47 sudo[6272]: pam_unix(sudo:session): session closed for user root
Feb 26 16:24:47 rngd[6456]: [jitter]: Enabling JITTER rng support
Feb 26 16:24:47 rngd[6456]: [jitter]: Initialized
Feb 26 16:24:47 rngd[6456]: [rtlsdr]: Initialization Failed
Feb 26 16:24:47 audit[6456]: AVC avc:  denied  { setgid } for  pid=6456 comm="rngd" capability=6  scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:system_r:rngd_t:s0 tclass=capability permissive=0
Feb 26 16:24:47 audit[6456]: AVC avc:  denied  { setgid } for  pid=6456 comm="rngd" capability=6  scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:system_r:rngd_t:s0 tclass=capability permissive=0
Feb 26 16:24:47 audit[6456]: AVC avc:  denied  { setgid } for  pid=6456 comm="rngd" capability=6  scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:system_r:rngd_t:s0 tclass=capability permissive=0
Feb 26 16:24:47 audit[6456]: AVC avc:  denied  { setgid } for  pid=6456 comm="rngd" capability=6  scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:system_r:rngd_t:s0 tclass=capability permissive=0
Feb 26 16:24:47 audit[6456]: AVC avc:  denied  { setgid } for  pid=6456 comm="rngd" capability=6  scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:system_r:rngd_t:s0 tclass=capability permissive=0
Feb 26 16:24:47 rngd[6456]: setgroups() failed: Operation not permitted
Feb 26 16:24:47 systemd[1]: rngd.service: Main process exited, code=exited, status=1/FAILURE
Feb 26 16:24:47 systemd[1]: rngd.service: Failed with result 'exit-code'.
Feb 26 16:24:47 audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=rngd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
Feb 26 16:24:47 systemd[1]: rngd.service: Consumed 15.289s CPU time.

SELinux is preventing rngd from using the 'setgid' capabilities.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that rngd should have the setgid capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'rngd' --raw | audit2allow -M my-rngd
# semodule -X 300 -i my-rngd.pp

Additional Information:
Source Context                system_u:system_r:rngd_t:s0
Target Context                system_u:system_r:rngd_t:s0
Target Objects                Unknown [ capability ]
Source                        rngd
Source Path                   rngd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-36.3-1.fc36.noarch
Local Policy RPM              selinux-policy-targeted-36.3-1.fc36.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.17.0-0.rc5.102.fc36.x86_64 #1
                              SMP PREEMPT Mon Feb 21 19:16:16 UTC 2022 x86_64
                              x86_64
Alert Count                   15
First Seen                    2022-02-26 16:24:47 EST
Last Seen                     2022-02-26 16:30:20 EST
Local ID                      7b7ec97c-e8a9-450d-8e08-f290c6dc8d95

Raw Audit Messages
type=AVC msg=audit(1645911020.648:326): avc:  denied  { setgid } for  pid=860 comm="rngd" capability=6  scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:system_r:rngd_t:s0 tclass=capability permissive=0


Hash: rngd,rngd_t,rngd_t,capability,setgid

Version-Release number of selected component:
selinux-policy-targeted-36.3-1.fc36.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.17.0
hashmarkername: setroubleshoot
kernel:         5.17.0-0.rc5.102.fc36.x86_64
type:           libreport

Comment 1 Matt Fagnani 2022-02-26 22:29:11 UTC
I ran the following to allow the rngd setgid capability
sudo ausearch -c 'rngd' --raw | audit2allow -M my-rngd 
sudo semodule -X 300 -i my-rngd.pp

I restarted rngd.service with sudo systemctl restart rngd. rngd was denied using the setuid capability which made rngd.service fail to start.

Feb 26 16:59:34 systemd[1]: Started rngd.service - Hardware RNG Entropy Gatherer Daemon.
Feb 26 16:59:34 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=rngd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Feb 26 16:59:34 sudo[4356]: pam_unix(sudo:session): session closed for user root
Feb 26 16:59:34 audit[4356]: USER_END pid=4356 uid=1000 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_keyinit,pam_limits,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
Feb 26 16:59:34 audit[4356]: CRED_DISP pid=4356 uid=1000 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_fprintd acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
Feb 26 16:59:34 rngd[4359]: Disabling 7: PKCS11 Entropy generator (pkcs11)
Feb 26 16:59:34 rngd[4359]: Disabling 5: NIST Network Entropy Beacon (nist)
Feb 26 16:59:34 rngd[4359]: Initializing available sources
Feb 26 16:59:34 rngd[4359]: [hwrng ]: Initialization Failed
Feb 26 16:59:34 rngd[4359]: [rdrand]: Initialization Failed
Feb 26 16:59:34 rngd[4359]: [jitter]: Initializing AES buffer
Feb 26 16:59:37 rngd[4359]: [jitter]: Enabling JITTER rng support
Feb 26 16:59:37 rngd[4359]: [jitter]: Initialized
Feb 26 16:59:37 rngd[4359]: [rtlsdr]: Initialization Failed
Feb 26 16:59:37 audit[4359]: AVC avc:  denied  { setuid } for  pid=4359 comm="rngd" capability=7  scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:system_r:rngd_t:s0 tclass=capability permissive=0
Feb 26 16:59:37 audit[4359]: AVC avc:  denied  { setuid } for  pid=4359 comm="rngd" capability=7  scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:system_r:rngd_t:s0 tclass=capability permissive=0
Feb 26 16:59:37 audit[4359]: AVC avc:  denied  { setuid } for  pid=4359 comm="rngd" capability=7  scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:system_r:rngd_t:s0 tclass=capability permissive=0
Feb 26 16:59:37 audit[4359]: AVC avc:  denied  { setuid } for  pid=4359 comm="rngd" capability=7  scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:system_r:rngd_t:s0 tclass=capability permissive=0
Feb 26 16:59:37 audit[4359]: AVC avc:  denied  { setuid } for  pid=4359 comm="rngd" capability=7  scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:system_r:rngd_t:s0 tclass=capability permissive=0
Feb 26 16:59:37 rngd[4359]: setresuid() failed: Operation not permitted
Feb 26 16:59:37 systemd[1]: rngd.service: Main process exited, code=exited, status=1/FAILURE
Feb 26 16:59:37 systemd[1]: rngd.service: Failed with result 'exit-code'.
Feb 26 16:59:38 audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=rngd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
Feb 26 16:59:38 systemd[1]: rngd.service: Consumed 15.588s CPU time.

I ran the following to allow the rngd setuid capability
sudo ausearch -c 'rngd' --raw | audit2allow -M my-rngd 
sudo semodule -X 300 -i my-rngd.pp

I restarted rngd.service with sudo systemctl restart rngd. rngd was denied using setcap to set the CAP_SYS_ADMIN capability which made rngd.service fail to start.

Feb 26 17:03:15 systemd[1]: Started rngd.service - Hardware RNG Entropy Gatherer Daemon.
Feb 26 17:03:15 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=rngd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Feb 26 17:03:15 sudo[4494]: pam_unix(sudo:session): session closed for user root
Feb 26 17:03:15 audit[4494]: USER_END pid=4494 uid=1000 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_keyinit,pam_limits,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
Feb 26 17:03:15 audit[4494]: CRED_DISP pid=4494 uid=1000 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_fprintd acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
Feb 26 17:03:15 rngd[4497]: Disabling 7: PKCS11 Entropy generator (pkcs11)
Feb 26 17:03:15 rngd[4497]: Disabling 5: NIST Network Entropy Beacon (nist)
Feb 26 17:03:15 rngd[4497]: Initializing available sources
Feb 26 17:03:15 rngd[4497]: [hwrng ]: Initialization Failed
Feb 26 17:03:15 rngd[4497]: [rdrand]: Initialization Failed
Feb 26 17:03:15 rngd[4497]: [jitter]: Initializing AES buffer
Feb 26 17:03:19 rngd[4497]: [jitter]: Enabling JITTER rng support
Feb 26 17:03:19 rngd[4497]: [jitter]: Initialized
Feb 26 17:03:19 rngd[4497]: [rtlsdr]: Initialization Failed
Feb 26 17:03:19 rngd[4497]: Cannot set CAP_SYS_ADMIN capability: Permission denied
Feb 26 17:03:19 audit[4497]: AVC avc:  denied  { setcap } for  pid=4497 comm="rngd" scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:system_r:rngd_t:s0 tclass=process permissive=0
Feb 26 17:03:19 systemd[1]: rngd.service: Main process exited, code=exited, status=1/FAILURE
Feb 26 17:03:19 systemd[1]: rngd.service: Failed with result 'exit-code'.
Feb 26 17:03:19 audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=rngd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
Feb 26 17:03:19 systemd[1]: rngd.service: Consumed 15.595s CPU time.

I ran the following to allow rngd to use setcap
sudo ausearch -c 'rngd' --raw | audit2allow -M my-rngd 
sudo semodule -X 300 -i my-rngd.pp

rngd.service started with the uid:gid daemon:daemon after that as changed in rngd.sysconfig at https://src.fedoraproject.org/rpms/rng-tools/c/51036602f71a3a117389aa5acb92adc1c29d1487?branch=f36

Comment 2 Vladis Dronov 2022-02-28 17:35:35 UTC
hi Matt,
thanks a ton for your report, it helps a lot. indeed, rngd was updated with code that drops privileges so rngd process
runs as non-root user. uid/gid/cap-changing syscalls are used for that. the selinux part indeed has the above issues. this
will be fixed, for now i can think of the following workarounds:

1) your workaround with audit2allow/semodule
2) remove "-D daemon:daemon" from /etc/sysconfig/rngd. this will make rngd run as root as before.
3) downgrade to the previous v6.14 rng-tools. the update was unpushed so fedora repos should have the previous v6.14 version.

thanks again, your help and report are much appreciated!

Comment 3 Zdenek Pytela 2022-03-01 07:50:53 UTC
*** Bug 2059166 has been marked as a duplicate of this bug. ***

Comment 4 Zdenek Pytela 2022-03-01 11:37:02 UTC
Instead of adding the permission, I updated the service unit as follows:

# cat /etc/sysconfig/rngd
# Optional arguments passed to rngd. See rngd(8) and
# https://bugzilla.redhat.com/show_bug.cgi?id=1252175#c21
#RNGD_ARGS="-x pkcs11 -x nist -D daemon:daemon"
RNGD_ARGS="-x pkcs11 -x nist"

# systemctl cat rngd
# /etc/systemd/system/rngd.service
[Unit]
Description=Hardware RNG Entropy Gatherer Daemon
ConditionVirtualization=!container

# The "-f" option is required for the systemd service rngd to work with Type=simple
[Service]
Type=simple
EnvironmentFile=/etc/sysconfig/rngd
ExecStart=/usr/sbin/rngd -f $RNGD_ARGS
User=daemon
Group=daemon

[Install]
WantedBy=multi-user.target

# systemctl restart rngd; systemctl status rngd; ps -eo pid,ppid,euid,egid,command,context | grep -e COMMAND -e rngd
● rngd.service - Hardware RNG Entropy Gatherer Daemon
     Loaded: loaded (/etc/systemd/system/rngd.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue 2022-03-01 06:34:45 EST; 79ms ago
   Main PID: 706 (rngd)
      Tasks: 2 (limit: 2297)
     Memory: 1.2M
        CPU: 33ms
     CGroup: /system.slice/rngd.service
             └─706 /usr/sbin/rngd -f -x pkcs11 -x nist

Mar 01 06:34:45 fedora systemd[1]: Started rngd.service - Hardware RNG Entropy Gatherer Daemon.
Mar 01 06:34:45 fedora rngd[706]: Disabling 7: PKCS11 Entropy generator (pkcs11)
Mar 01 06:34:45 fedora rngd[706]: Disabling 5: NIST Network Entropy Beacon (nist)
Mar 01 06:34:45 fedora rngd[706]: Initializing available sources
Mar 01 06:34:45 fedora rngd[706]: [hwrng ]: Initialization Failed
Mar 01 06:34:45 fedora rngd[706]: [rdrand]: Enabling RDSEED rng support
Mar 01 06:34:45 fedora rngd[706]: [rdrand]: Initialized
    PID    PPID  EUID  EGID COMMAND                     CONTEXT
    706       1     2     2 /usr/sbin/rngd -f -x pkcs11 system_u:system_r:rngd_t:s0

# ausearch -i -m avc,user_avc -ts boot
<no matches>


Does this solve your problem?

Comment 5 Vladis Dronov 2022-03-01 13:18:27 UTC
(In reply to Zdenek Pytela from comment #4)
> Does this solve your problem?

unfortunately, not:

Mar 01 06:34:45 fedora rngd[706]: [hwrng ]: Initialization Failed

rngd should start as root and then drop privileges via setuid/setgid/setcap.

Comment 6 Milos Malik 2022-03-02 20:48:10 UTC
Caught in enforcing mode:
----
type=PROCTITLE msg=audit(03/02/2022 15:45:22.382:572) : proctitle=/usr/sbin/rngd -f -x pkcs11 -x nist -D daemon:daemon 
type=SYSCALL msg=audit(03/02/2022 15:45:22.382:572) : arch=x86_64 syscall=setgroups success=no exit=EPERM(Operation not permitted) a0=0x1 a1=0x7ffd37ac9300 a2=0x7f5c649e8c91 a3=0x7ffd37ba7080 items=0 ppid=1 pid=1551 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rngd exe=/usr/sbin/rngd subj=system_u:system_r:rngd_t:s0 key=(null) 
type=AVC msg=audit(03/02/2022 15:45:22.382:572) : avc:  denied  { setgid } for  pid=1551 comm=rngd capability=setgid  scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:system_r:rngd_t:s0 tclass=capability permissive=0 
----

# rpm -qa selinux\* rng\* | sort
rng-tools-6.15-1.fc37.x86_64
selinux-policy-36.4-1.fc37.noarch
selinux-policy-targeted-36.4-1.fc37.noarch
#

Comment 7 Milos Malik 2022-03-02 20:49:19 UTC
Caught in permissive mode:
----
type=PROCTITLE msg=audit(03/02/2022 15:48:29.403:578) : proctitle=/usr/sbin/rngd -f -x pkcs11 -x nist -D daemon:daemon 
type=SYSCALL msg=audit(03/02/2022 15:48:29.403:578) : arch=x86_64 syscall=setgroups success=yes exit=0 a0=0x1 a1=0x7ffe67d8ad70 a2=0x7f4b3aedac91 a3=0x7ffe67db2080 items=0 ppid=1 pid=1581 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rngd exe=/usr/sbin/rngd subj=system_u:system_r:rngd_t:s0 key=(null) 
type=AVC msg=audit(03/02/2022 15:48:29.403:578) : avc:  denied  { setgid } for  pid=1581 comm=rngd capability=setgid  scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:system_r:rngd_t:s0 tclass=capability permissive=1 
----
type=PROCTITLE msg=audit(03/02/2022 15:48:29.404:579) : proctitle=/usr/sbin/rngd -f -x pkcs11 -x nist -D daemon:daemon 
type=SYSCALL msg=audit(03/02/2022 15:48:29.404:579) : arch=x86_64 syscall=setresuid success=yes exit=0 a0=daemon a1=daemon a2=daemon a3=0x7ffe67db2080 items=0 ppid=1 pid=1581 auid=unset uid=daemon gid=daemon euid=daemon suid=daemon fsuid=daemon egid=daemon sgid=daemon fsgid=daemon tty=(none) ses=unset comm=rngd exe=/usr/sbin/rngd subj=system_u:system_r:rngd_t:s0 key=(null) 
type=AVC msg=audit(03/02/2022 15:48:29.404:579) : avc:  denied  { setuid } for  pid=1581 comm=rngd capability=setuid  scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:system_r:rngd_t:s0 tclass=capability permissive=1 
----
type=PROCTITLE msg=audit(03/02/2022 15:48:29.404:580) : proctitle=/usr/sbin/rngd -f -x pkcs11 -x nist -D daemon:daemon 
type=CAPSET msg=audit(03/02/2022 15:48:29.404:580) : pid=1581 cap_pi=sys_admin cap_pp=sys_admin cap_pe=sys_admin cap_pa=none 
type=SYSCALL msg=audit(03/02/2022 15:48:29.404:580) : arch=x86_64 syscall=capset success=yes exit=0 a0=0x55da4a18cd04 a1=0x55da4a18cd0c a2=0x55da4a18cd0c a3=0x7ffe67d8ad94 items=0 ppid=1 pid=1581 auid=unset uid=daemon gid=daemon euid=daemon suid=daemon fsuid=daemon egid=daemon sgid=daemon fsgid=daemon tty=(none) ses=unset comm=rngd exe=/usr/sbin/rngd subj=system_u:system_r:rngd_t:s0 key=(null) 
type=AVC msg=audit(03/02/2022 15:48:29.404:580) : avc:  denied  { setcap } for  pid=1581 comm=rngd scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:system_r:rngd_t:s0 tclass=process permissive=1 
----
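
Added example (not part of the original bug report or of the selinux-policy project): a small parser that collapses AVC denials like those quoted in comments 1, 6 and 7 into the allow rules they imply. It shows why the enforcing-mode capture yields only one permission per restart while the permissive-mode capture yields all three at once. The sample records are abridged from the lines quoted above, and the function names are hypothetical.

```python
"""Group SELinux AVC denials into the allow rules they imply."""
import re
from collections import defaultdict

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample input: records abridged from comment 6 (enforcing mode).
ENFORCING_LOG = """\
type=SYSCALL msg=audit(03/02/2022 15:45:22.382:572) : arch=x86_64 syscall=setgroups success=no exit=EPERM(Operation not permitted) comm=rngd
type=AVC msg=audit(03/02/2022 15:45:22.382:572) : avc:  denied  { setgid } for  pid=1551 comm=rngd capability=setgid  scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:system_r:rngd_t:s0 tclass=capability permissive=0
"""

# Constructed sample input: records abridged from comment 7 (permissive mode).
PERMISSIVE_LOG = """\
type=AVC msg=audit(03/02/2022 15:48:29.403:578) : avc:  denied  { setgid } for  pid=1581 comm=rngd capability=setgid  scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:system_r:rngd_t:s0 tclass=capability permissive=1
type=AVC msg=audit(03/02/2022 15:48:29.404:579) : avc:  denied  { setuid } for  pid=1581 comm=rngd capability=setuid  scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:system_r:rngd_t:s0 tclass=capability permissive=1
type=AVC msg=audit(03/02/2022 15:48:29.404:580) : avc:  denied  { setcap } for  pid=1581 comm=rngd scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:system_r:rngd_t:s0 tclass=process permissive=1
"""


def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    try:
        return {
            "perms": m.group(1).split(),
            # A context is user:role:type:level; policy rules use the type.
            "source": fields["scontext"].split(":")[2],
            "target": fields["tcontext"].split(":")[2],
            "tclass": fields["tclass"],
            # permissive=0 means the kernel actually blocked the operation.
            "blocked": fields.get("permissive", "0") == "0",
            "comm": fields.get("comm", "?"),
        }
    except (KeyError, IndexError):
        return None  # truncated or malformed record


def implied_rules(log_text, comm=None):
    """Collapse denials into audit2allow-style rules, merging permissions."""
    perms = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or (comm and rec["comm"] != comm):
            continue
        perms[(rec["source"], rec["target"], rec["tclass"])].update(rec["perms"])
    rules = []
    for (src, tgt, cls), granted in sorted(perms.items()):
        tgt = "self" if tgt == src else tgt
        plist = sorted(granted)
        body = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules


def any_blocked(log_text):
    """True if at least one denial was enforced rather than only logged."""
    recs = [parse_avc(line) for line in log_text.splitlines()]
    return any(r["blocked"] for r in recs if r)


if __name__ == "__main__":
    for name, log in (("enforcing", ENFORCING_LOG), ("permissive", PERMISSIVE_LOG)):
        print(name, "(blocked)" if any_blocked(log) else "(logged only)")
        for rule in implied_rules(log, comm="rngd"):
            print("   ", rule)
```

The rules it prints are candidates for review, not something to load as-is; the fix recorded in this bug was a policy update, selinux-policy-36.5-1.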

Comment 8 Vladis Dronov 2022-03-03 13:31:53 UTC
thanks, Milos,
indeed, selinux should allow rngd process to perform: setuid, setgid and setcap.
there is work being done for that and selinux policy will be updated.
thank you for your report!

Comment 9 Zdenek Pytela 2022-03-03 16:11:21 UTC
I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy/pull/1104

rpms for testing can be downloaded from the PR:
Checks -> Details -> Artifacts -> rpms

Comment 10 Vladis Dronov 2022-03-08 14:19:40 UTC
i can confirm rngd.service works now in fedora-rawhide with the test selinux packages:

WITHOUT:

Installed Packages
selinux-policy.noarch            36.4-1.fc37     @rawhide
selinux-policy-targeted.noarch   36.4-1.fc37     @rawhide

Mar 08 14:51:51 fe34.vsd.localdomain rngd[736]: Initializing available sources
Mar 08 14:51:51 fe34.vsd.localdomain rngd[736]: [hwrng ]: Initialized
Mar 08 14:51:51 fe34.vsd.localdomain rngd[736]: [rdrand]: Enabling RDRAND rng support
Mar 08 14:51:51 fe34.vsd.localdomain rngd[736]: [rdrand]: Initialized
Mar 08 14:51:51 fe34.vsd.localdomain rngd[736]: [rtlsdr]: Initialization Failed
Mar 08 14:51:51 fe34.vsd.localdomain rngd[736]: setgroups() failed: Operation not permitted
Mar 08 14:51:51 fe34.vsd.localdomain systemd[1]: rngd.service: Main process exited, code=exited, status=1/FAILURE
Mar 08 14:51:51 fe34.vsd.localdomain systemd[1]: rngd.service: Failed with result 'exit-code'.

type=SERVICE_START msg=audit(1646747554.685:254): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=rngd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=AVC msg=audit(1646747554.705:255): avc:  denied  { setgid } for  pid=749 comm="rngd" capability=6  scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:system_r:rngd_t:s0 tclass=capability permissive=0

WITH:

Installed Packages
selinux-policy.noarch            36.4-1.20220303_160230.eb1cb79.fc36     @@commandline
selinux-policy-targeted.noarch   36.4-1.20220303_160230.eb1cb79.fc36     @@commandline

Mar 08 15:05:18 fe34.vsd.localdomain rngd[1810]: Initializing available sources
Mar 08 15:05:18 fe34.vsd.localdomain rngd[1810]: [hwrng ]: Initialized
Mar 08 15:05:18 fe34.vsd.localdomain rngd[1810]: [rdrand]: Enabling RDRAND rng support
Mar 08 15:05:18 fe34.vsd.localdomain rngd[1810]: [rdrand]: Initialized
Mar 08 15:05:18 fe34.vsd.localdomain rngd[1810]: [rtlsdr]: Initialization Failed
Mar 08 15:05:18 fe34.vsd.localdomain rngd[1810]: Process privileges have been dropped to 2:2

# ps -ef | grep rngd
daemon      1810       1  0 15:05 ?        00:00:00 /usr/sbin/rngd -f -x pkcs11 -x nist -x jitter -D daemon:daemon

Zdenek, any idea when this PR could be merged and get to Rawhide and F36?

Comment 11 Fedora Update System 2022-03-21 11:09:59 UTC
FEDORA-2022-b0805acc47 has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-b0805acc47

Comment 12 Vladis Dronov 2022-03-21 12:16:51 UTC
selinux-policy-36.5-1 was published for F37 and F36:

https://bodhi.fedoraproject.org/updates/FEDORA-2022-7d08b012c3
https://bodhi.fedoraproject.org/updates/FEDORA-2022-b0805acc47

rng-tools package will be updated to require this release of selinux
rules after these updates get to a testing repo.

Comment 13 Fedora Update System 2022-03-21 15:49:59 UTC
FEDORA-2022-b0805acc47 has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2022-b0805acc47`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-b0805acc47

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 14 Fedora Update System 2022-03-24 19:34:02 UTC
FEDORA-2022-b0805acc47 has been pushed to the Fedora 36 stable repository.
If the problem still persists, please make note of it in this bug report.

