Bugzilla – Bug 1215002
SELinux denial in haveged
Last modified: 2023-09-07 09:55:38 UTC
On a fresh Leap Micro 5.4 VM, the haveged daemon fails to start in SELinux enforcing mode. In the AVC I see the following errors:

> funny-cow:~ # ausearch -ts boot -m avc
> ----
> time->Tue Sep 5 12:36:45 2023
> type=AVC msg=audit(1693917405.730:473): avc: denied { write } for pid=2800 comm="haveged" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:entropyd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1
> ----
> time->Tue Sep 5 12:36:45 2023
> type=AVC msg=audit(1693917405.730:474): avc: denied { add_name } for pid=2800 comm="haveged" name="Rjp9vV" scontext=system_u:system_r:entropyd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1
> ----
> time->Tue Sep 5 12:36:45 2023
> type=AVC msg=audit(1693917405.730:475): avc: denied { create } for pid=2800 comm="haveged" name="Rjp9vV" scontext=system_u:system_r:entropyd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
> ----
> time->Tue Sep 5 12:36:45 2023
> type=AVC msg=audit(1693917405.730:476): avc: denied { read write open } for pid=2800 comm="haveged" path="/dev/shm/Rjp9vV" dev="tmpfs" ino=4 scontext=system_u:system_r:entropyd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
> ----
> time->Tue Sep 5 12:36:45 2023
> type=AVC msg=audit(1693917405.730:477): avc: denied { link } for pid=2800 comm="haveged" name="Rjp9vV" dev="tmpfs" ino=4 scontext=system_u:system_r:entropyd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
> ----
> time->Tue Sep 5 12:36:45 2023
> type=AVC msg=audit(1693917405.730:478): avc: denied { getattr } for pid=2800 comm="haveged" path="/dev/shm/Rjp9vV" dev="tmpfs" ino=4 scontext=system_u:system_r:entropyd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
> ----
> time->Tue Sep 5 12:36:45 2023
> type=AVC msg=audit(1693917405.730:479): avc: denied { remove_name } for pid=2800 comm="haveged" name="Rjp9vV" dev="tmpfs" ino=4 scontext=system_u:system_r:entropyd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1
> ----
> time->Tue Sep 5 12:36:45 2023
> type=AVC msg=audit(1693917405.730:480): avc: denied { unlink } for pid=2800 comm="haveged" name="Rjp9vV" dev="tmpfs" ino=4 scontext=system_u:system_r:entropyd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1

In permissive mode, the daemon starts just fine. Weirdly, I cannot reproduce the issue in an older SLEM 5.4 VM, where the haveged daemon works fine even in enforcing mode.

I took the most recent Leap Micro 5.4 SelfInstall from get.opensuse.org: openSUSE-Leap-Micro.x86_64-Default-SelfInstall.iso
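As an added illustration (not part of this bug report, haveged, or the SELinux policy project), a small Python parser for AVC records of the shape pasted above: it extracts the source and target types, groups denials by (source type, target type, object class) the way audit2allow summarizes them, and reports whether the records were logged with permissive=1 (as all of the ones above were, so they document what the policy lacks rather than an actual block at capture time). The sample input reuses three of the records from this report.

```python
import re
from collections import defaultdict

# Sample input: three AVC records copied from the report above (ausearch format).
SAMPLE_AVC = """\
type=AVC msg=audit(1693917405.730:473): avc: denied { write } for pid=2800 comm="haveged" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:entropyd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1693917405.730:474): avc: denied { add_name } for pid=2800 comm="haveged" name="Rjp9vV" scontext=system_u:system_r:entropyd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1693917405.730:476): avc: denied { read write open } for pid=2800 comm="haveged" path="/dev/shm/Rjp9vV" dev="tmpfs" ino=4 scontext=system_u:system_r:entropyd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
"""

# Matches the permission set, both contexts, the object class and the optional
# permissive flag; \s+ tolerates the single or double spaces auditd emits.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+'
    r'tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?'
)

def type_of(context):
    """Return the type component (user:role:TYPE:level) of an SELinux context."""
    return context.split(":")[2]

def parse_avc(text):
    """Parse AVC denial records; returns one dict per record, skipping
    the 'time->' and '----' separator lines that ausearch prints."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        records.append({
            "perms": m["perms"].split(),
            "source": type_of(m["scontext"]),
            "target": type_of(m["tcontext"]),
            "tclass": m["tclass"],
            "permissive": m["permissive"] == "1",
        })
    return records

def summarize(records):
    """Merge permissions per (source type, target type, class) and render them
    as sorted allow rules, which is how audit2allow presents a denial set."""
    grouped = defaultdict(set)
    for r in records:
        grouped[(r["source"], r["target"], r["tclass"])].update(r["perms"])
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(grouped.items())]

def all_permissive(records):
    """True when every record carries permissive=1, i.e. the accesses were
    audited but not blocked when the log was captured."""
    return bool(records) and all(r["permissive"] for r in records)
```

Feeding the full ausearch output through parse_avc and summarize yields the dir and file rules for entropyd_t on tmpfs_t that the denials above imply; whether granting them is the right fix is a policy decision, which is what the referenced bsc entries settled.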
We fixed this bug for SLEM 5.5 (bsc#1213594). We didn't apply the fix to SLEM 5.4 because this issue does not happen there (haveged works fine, with no AVCs). Leap Micro 5.4 should be based on SLEM 5.4, right?
Btw, if you open these bugs using the template (see https://en.opensuse.org/openSUSE:Bugreport_SELinux) they will get assigned to us and we will see them right away.
(In reply to Filippo Bonazzi from comment #1)
> We fixed this bug for SLEM 5.5 (bsc#1213594). We didn't apply the fix to
> SLEM 5.4 because this issue does not happen there (haveged works fine, with
> no AVCs).
> Leap Micro 5.4 should be based on SLEM 5.4, right?

AFAIK yes.

(In reply to Filippo Bonazzi from comment #2)
> Btw, if you open these bugs using the template (see
> https://en.opensuse.org/openSUSE:Bugreport_SELinux) they will get assigned
> to us and we will see them right away.

Thanks for the hint, will do that in the future!
This issue has already been fixed in SLEM 5.4 in bsc#1211045. It is still present in the Leap Micro 5.4 install image because the image most likely has not been rebuilt since the fix was applied. For some reason the Leap Micro installer does not fetch updates during installation. The issue goes away as soon as Leap Micro is updated for the first time after installation.