2059166 – SELinux is preventing rngd from using the 'setgid' capabilities.

Bug 2059166 - SELinux is preventing rngd from using the 'setgid' capabilities.

Summary: SELinux is preventing rngd from using the 'setgid' capabilities.

Keywords:
Status:	CLOSED DUPLICATE of bug 2058914
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	35
Hardware:	x86_64
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Zdenek Pytela
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	abrt_hash:f98b1f95d3fcc4ba24814d5ddbc...
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2022-02-28 11:24 UTC by Fabio Valentini
Modified:	2022-03-01 16:34 UTC (History)
CC List:	9 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2022-03-01 07:50:53 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Fabio Valentini 2022-02-28 11:24:52 UTC

Description of problem:
SELinux is preventing rngd from using the 'setgid' capabilities.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that rngd should have the setgid capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'rngd' --raw | audit2allow -M my-rngd
# semodule -X 300 -i my-rngd.pp

Additional Information:
Source Context                system_u:system_r:rngd_t:s0
Target Context                system_u:system_r:rngd_t:s0
Target Objects                Unknown [ capability ]
Source                        rngd
Source Path                   rngd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-35.15-1.fc35.noarch
Local Policy RPM              selinux-policy-targeted-35.15-1.fc35.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.16.11-200.fc35.x86_64 #1 SMP
                              PREEMPT Wed Feb 23 17:08:49 UTC 2022 x86_64 x86_64
Alert Count                   10
First Seen                    2022-02-28 12:19:34 CET
Last Seen                     2022-02-28 12:20:14 CET
Local ID                      517876c9-1106-49b8-96f8-cbd27c072506

Raw Audit Messages
type=AVC msg=audit(1646047214.689:206): avc:  denied  { setgid } for  pid=941 comm="rngd" capability=6  scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:system_r:rngd_t:s0 tclass=capability permissive=0


Hash: rngd,rngd_t,rngd_t,capability,setgid

Version-Release number of selected component:
selinux-policy-targeted-35.15-1.fc35.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.15.2
hashmarkername: setroubleshoot
kernel:         5.16.11-200.fc35.x86_64
type:           libreport

Potential duplicate: bug 2058914

Comment 1 Zdenek Pytela 2022-03-01 07:50:53 UTC


*** This bug has been marked as a duplicate of bug 2058914 ***

Comment 2 Vladis Dronov 2022-03-01 16:34:01 UTC

thanks a lot for your report, Fabio! indeed, rngd was updated with a code that drops privileges so rngd process
runs as non-root user. uid/gid/cap-changing syscalls are used for that. the selinux part indeed has issues with
that. we'll handle the fix in bz2058914. for now i can think of the following workarounds:

1) a workaround with audit2allow/semodule described in bz2058914.
2) remove "-D daemon:daemon" from /etc/sysconfig/rngd. this will make rngd to run as root as before.
3) downgrade to the previous v6.14 rng-tools. the update was unpushed so fedora repos should have the previous v6.14 version.

Note You need to log in before you can comment on or make changes to this bug.