From ef6857944dd0dcdf7eccc27ff2708e907e5dbd75 Mon Sep 17 00:00:00 2001 From: Dave Sugar Date: Wed, 23 Nov 2022 08:17:41 -0500 Subject: [PATCH] rng-tools updated to 6.15 (on RHEL9) seeing the following denials: node=localhost type=AVC msg=audit(1669206851.792:438): avc: denied { getattr } for pid=1008 comm="rngd" path="/usr/share/crypto-policies/FIPS/opensslcnf.txt" dev="dm-0" ino=401368 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1 node=localhost type=AVC msg=audit(1669206851.792:439): avc: denied { read } for pid=1008 comm="rngd" name="opensslcnf.config" dev="dm-0" ino=401368 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1 node=localhost type=AVC msg=audit(1669206851.792:439): avc: denied { open } for pid=1008 comm="rngd" path="/usr/share/crypto-policies/FIPS/opensslcnf.txt" dev="dm-0" ino=401368 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1 rngd now drops privlidges rather than having user/group set in .service file: node=localhost type=AVC msg=audit(1669206851.856:440): avc: denied { setgid } for pid=1008 comm="rngd" capability=6 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:system_r:rngd_t:s0 tclass=capability permissive=1 node=localhost type=AVC msg=audit(1669206851.881:441): avc: denied { setuid } for pid=1008 comm="rngd" capability=7 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:system_r:rngd_t:s0 tclass=capability permissive=1 node=localhost type=AVC msg=audit(1669206851.910:442): avc: denied { setcap } for pid=1008 comm="rngd" scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:system_r:rngd_t:s0 tclass=process permissive=1 Signed-off-by: Dave Sugar --- policy/modules/services/rngd.te | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/policy/modules/services/rngd.te b/policy/modules/services/rngd.te index f33d6a401..d317520ee 100644 --- a/policy/modules/services/rngd.te +++ b/policy/modules/services/rngd.te @@ -20,8 +20,8 @@ files_runtime_file(rngd_runtime_t) # Local policy # -allow rngd_t self:capability { ipc_lock sys_admin }; -allow rngd_t self:process { setsched getsched signal }; +allow rngd_t self:capability { ipc_lock setgid setuid sys_admin }; +allow rngd_t self:process { getsched setcap setsched signal }; allow rngd_t self:fifo_file rw_fifo_file_perms; allow rngd_t self:unix_stream_socket { accept listen }; @@ -37,6 +37,7 @@ dev_rw_tpm(rngd_t) dev_write_rand(rngd_t) files_read_etc_files(rngd_t) +files_read_usr_files(rngd_t) logging_send_syslog_msg(rngd_t)