
Bug 1186072

Summary: SELinux is preventing /usr/sbin/upsmon from 'read' accesses on the chr_file random.
Product: [Fedora] Fedora
Reporter: Alexander Ploumistos <alex.ploumistos>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 21
CC: dominick.grift, dwalsh, lvrabec, mgrepl, plautrba
Target Milestone: ---
Target Release: ---
Hardware: x86_64
OS: Unspecified
Whiteboard: abrt_hash:1c734abcfeb625afd25bf8234580db4f33a3b6a6a20a4b41adc4c7165d67915b
Fixed In Version: selinux-policy-3.13.1-105.3.fc21
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2015-02-15 03:29:27 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Attachments: /var/log/audit/audit.log (flags: none)

Description Alexander Ploumistos 2015-01-27 00:20:21 UTC
Description of problem:
SELinux is preventing /usr/sbin/upsmon from 'read' accesses on the chr_file random.

*****  Plugin catchall_boolean (89.3 confidence) suggests   ******************

If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server
Then you must tell SELinux about this by enabling the 'authlogin_nsswitch_use_ldap' boolean.
You can read 'None' man page for more details.
Do
setsebool -P authlogin_nsswitch_use_ldap 1

*****  Plugin catchall (11.6 confidence) suggests   **************************

If you believe that upsmon should be allowed read access on the random chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep upsmon /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:nut_upsmon_t:s0
Target Context                system_u:object_r:random_device_t:s0
Target Objects                random [ chr_file ]
Source                        upsmon
Source Path                   /usr/sbin/upsmon
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    <Unknown>
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.18.3-201.fc21.x86_64 #1 SMP Mon
                              Jan 19 15:59:31 UTC 2015 x86_64 x86_64
Alert Count                   541
First Seen                    2014-06-18 20:20:20 EEST
Last Seen                     2015-01-26 23:16:33 EET
Local ID                      1dc293db-5080-4a78-a46c-9de6706f79c0

Raw Audit Messages
type=AVC msg=audit(1422306993.669:124): avc:  denied  { read } for  pid=1717 comm="upsmon" name="random" dev="devtmpfs" ino=1032 scontext=system_u:system_r:nut_upsmon_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file permissive=0


type=SYSCALL msg=audit(1422306993.669:124): arch=x86_64 syscall=open success=no exit=EACCES a0=7fb6eca72299 a1=900 a2=6b5 a3=11f items=0 ppid=1715 pid=1717 auid=4294967295 uid=57 gid=57 euid=57 suid=57 fsuid=57 egid=57 sgid=57 fsgid=57 tty=(none) ses=4294967295 comm=upsmon exe=/usr/sbin/upsmon subj=system_u:system_r:nut_upsmon_t:s0 key=(null)

Hash: upsmon,nut_upsmon_t,random_device_t,chr_file,read

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.18.3-201.fc21.x86_64
type:           libreport

Comment 1 Lukas Vrabec 2015-02-02 12:20:40 UTC
commit ca4fb28741fdf9b47418bef9953f73e19fa064f3
Author: Lukas Vrabec <lvrabec>
Date:   Wed Jan 28 16:01:15 2015 +0100

    Allow nut_upsmon_t to read random_device_t. BZ(1186072)

Comment 2 Alexander Ploumistos 2015-02-02 12:47:20 UTC
Is it in

http://pkgs.fedoraproject.org/cgit/selinux-policy.git/

or someplace else? Because I cannot find that commit.

Comment 3 Lukas Vrabec 2015-02-02 13:16:30 UTC
It's here:
https://github.com/selinux-policy/selinux-policy/commit/ca4fb28741fdf9b47418bef9953f73e19fa064f3

Package will be available soon.

Comment 4 Alexander Ploumistos 2015-02-02 13:18:32 UTC
Thank you very much!

Comment 5 Alexander Ploumistos 2015-02-02 20:36:08 UTC
I installed the packages (3.13.1-105.2) from koji, rebooted the machine, but I'm still seeing these:

Feb  2 22:21:38 localhost sedispatch: AVC Message for setroubleshoot, dropping message
Feb  2 22:21:38 localhost sedispatch: AVC Message for setroubleshoot, dropping message
Feb  2 22:21:38 localhost sedispatch: AVC Message for setroubleshoot, dropping message
Feb  2 22:21:38 localhost sedispatch: AVC Message for setroubleshoot, dropping message
Feb  2 22:21:38 localhost sedispatch: AVC Message for setroubleshoot, dropping message
Feb  2 22:21:38 localhost sedispatch: AVC Message for setroubleshoot, dropping message
Feb  2 22:21:38 localhost sedispatch: AVC Message for setroubleshoot, dropping message
Feb  2 22:21:38 localhost sedispatch: AVC Message for setroubleshoot, dropping message
Feb  2 22:21:38 localhost setroubleshoot: Plugin Exception restorecon_source
Feb  2 22:21:38 localhost setroubleshoot: SELinux is preventing /usr/sbin/upsmon from read access on the chr_file urandom. For complete SELinux messages. run sealert -l 9c298592-7379-45e4-855e-a73dda984104
Feb  2 22:21:38 localhost python: SELinux is preventing /usr/sbin/upsmon from read access on the chr_file urandom.

*****  Plugin catchall_boolean (47.5 confidence) suggests   ******************

If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server
Then you must tell SELinux about this by enabling the 'authlogin_nsswitch_use_ldap' boolean.
You can read 'None' man page for more details.
Do
setsebool -P authlogin_nsswitch_use_ldap 1

*****  Plugin catchall_boolean (47.5 confidence) suggests   ******************

If you want to enable reading of urandom for all domains.
Then you must tell SELinux about this by enabling the 'global_ssp' boolean.
You can read 'None' man page for more details.
Do
setsebool -P global_ssp 1

*****  Plugin catchall (6.38 confidence) suggests   **************************

If you believe that upsmon should be allowed read access on the urandom chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep upsmon /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Do I need to relabel the system or something?
One interesting side-effect, after installing the update, my dropbox tray icon is visible again. It used to be a horizontal, black line, see
https://alexpl.fedorapeople.org/screenshots/gnome_message_tray.png
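The two denials in this thread (the random AVC in the description and the urandom one reported in this comment) contain everything needed to derive the policy change: source type, target type, object class and permission. As an added illustration, not code from the report or from the selinux-policy project, this Python parser reconstructs the `allow` rules the way audit2allow does; the first record is the report's raw AVC line, the second is constructed to mirror the urandom denial above and assumes /dev/urandom is labelled urandom_device_t.

```python
import re
from dataclasses import dataclass

# AVC record copied from the report's "Raw Audit Messages" section.
AVC_RANDOM = (
    'type=AVC msg=audit(1422306993.669:124): avc:  denied  { read } for  pid=1717 comm="upsmon" '
    'name="random" dev="devtmpfs" ino=1032 scontext=system_u:system_r:nut_upsmon_t:s0 '
    'tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file permissive=0'
)
# Constructed sample (not in the report) modelled on the urandom denial of comment 5; assumes /dev/urandom is urandom_device_t.
AVC_URANDOM = (
    'type=AVC msg=audit(1422915698.000:200): avc:  denied  { read open } for  pid=1700 comm="upsmon" '
    'name="urandom" dev="devtmpfs" ino=1033 scontext=system_u:system_r:nut_upsmon_t:s0 '
    'tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file permissive=0'
)

_AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
    r'(?:\s+permissive=(?P<perm>[01]))?'
)

@dataclass(frozen=True)
class Denial:
    source_type: str   # type field of scontext (the process domain)
    target_type: str   # type field of tcontext (the object's label)
    tclass: str        # object class, e.g. chr_file
    perms: frozenset   # permissions denied in this record
    enforced: bool     # permissive=0 means the access really was blocked

def parse_avc(line):
    """Return a Denial for an AVC 'denied' record, None for any other audit line."""
    m = _AVC_RE.search(line)
    if m is None:
        return None
    return Denial(m['scon'].split(':')[2], m['tcon'].split(':')[2], m['tclass'],
                  frozenset(m['perms'].split()), m['perm'] != '1')

def te_rules(lines):
    """Merge denials into TE allow rules the way audit2allow does: one rule per
    (source type, target type, class) carrying the union of denied permissions."""
    merged = {}
    for d in filter(None, map(parse_avc, lines)):
        merged.setdefault((d.source_type, d.target_type, d.tclass), set()).update(d.perms)
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {perm_str};')
    return rules
```

The derived rules are scoped to nut_upsmon_t alone, which is narrower than the global_ssp boolean suggested above (reading of urandom for all domains) and matches what the commits in comments 1 and 9 add.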

Comment 6 Lukas Vrabec 2015-02-03 09:53:56 UTC
Hi,

I need to see the AVC related to this issue.
Could you attach the /var/log/audit.log file?

Thank you!

Comment 7 Alexander Ploumistos 2015-02-03 12:19:35 UTC
Created attachment 987537 [details]
/var/log/audit/audit.log

While "SELinux is preventing /usr/sbin/upsmon from read access on the chr_file urandom" happens every time the system starts, SELinux Troubleshooter pops up only at nights. Is there a setting for this behavior, or is it a bug as well?

Comment 8 Lukas Vrabec 2015-02-03 13:39:39 UTC
OK, upsmon also needs to read the urandom device. I'll add a fix ASAP.

Comment 9 Lukas Vrabec 2015-02-03 14:38:20 UTC
commit 6ed17a9861381497615030b03dfe15f18e9afa02
Author: Lukas Vrabec <lvrabec>
Date:   Tue Feb 3 15:37:25 2015 +0100

    Allow upsmon_t to read urandom device.

Comment 10 Fedora Update System 2015-02-05 13:15:26 UTC
selinux-policy-3.13.1-105.3.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-105.3.fc21

Comment 11 Alexander Ploumistos 2015-02-05 14:34:31 UTC
All is well now, thanks again!


P.S.: Do I need to file another report for this, or is it WIP upstream?

Feb  5 16:18:50 localhost kernel: SELinux:  Permission audit_read in class capability2 not defined in policy.
Feb  5 16:18:50 localhost kernel: SELinux: the above unknown classes and permissions will be allowed

Comment 12 Fedora Update System 2015-02-06 04:04:01 UTC
Package selinux-policy-3.13.1-105.3.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-105.3.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-1768/selinux-policy-3.13.1-105.3.fc21
then log in and leave karma (feedback).

Comment 13 Fedora Update System 2015-02-15 03:29:27 UTC
selinux-policy-3.13.1-105.3.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.