* Tue Feb 22 2022 Vladis Dronov <vdronov@redhat.com> - 6.15-1
- Update to the upstream v6.15 + tip of origin/master @ 3009fdd5
- Allow rngd process to drop privileges
This update has been submitted for testing by vladis.
This update's test gating status has been changed to 'ignored'.
This update has been pushed to testing.
Works great! LGTM! =)
Had a new SELinux denial after upgrade, which boils down to:
require {
    type rngd_t;
    class capability setgid;
}
#============= rngd_t ==============
allow rngd_t self:capability setgid;
And the service failed.
Bodhi is disabling automatic push to stable due to negative karma. The maintainer may push manually if they determine that the issue is not severe.
Sorry about that formatting, here is the raw message instead:
type=AVC msg=audit(1645958659.545:1156): avc: denied { setgid } for pid=21282 comm="rngd" capability=6 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:system_r:rngd_t:s0 tclass=capability permissive=0
Yeah, I'm getting SELinux denials for rngd after upgrading to this version too.
bojan, decathorpe, thanks for the info, the update was unpushed. Indeed, the SELinux part has issues. A note: https://bugzilla.redhat.com/show_bug.cgi?id=2058914
This update has been unpushed.
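The AVC record quoted in the thread, worked through as an added example (not part of the original comments and not audit2allow's own code): a small parser that extracts the fields of the denial and derives the type-level rule it corresponds to. The function names `parse_avc` and `allow_rule` are hypothetical.

```python
import re
from datetime import datetime, timezone

# The raw record exactly as quoted in the thread above.
SAMPLE = ('type=AVC msg=audit(1645958659.545:1156): avc: denied { setgid } for '
          'pid=21282 comm="rngd" capability=6 '
          'scontext=system_u:system_r:rngd_t:s0 '
          'tcontext=system_u:system_r:rngd_t:s0 tclass=capability permissive=0')

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')

def parse_avc(line):
    """Split one AVC audit record into a dict of its fields."""
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError("not an AVC record")
    rec = {
        "time": datetime.fromtimestamp(float(m["ts"]), tz=timezone.utc),
        "serial": int(m["serial"]),
        "verdict": m["verdict"],
        "perms": m["perms"].split(),
    }
    # Remaining fields are key=value pairs; values may be double-quoted.
    for key, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', m["rest"]):
        rec[key] = quoted or bare
    # A context is user:role:type:level; policy rules are written on the type.
    rec["source_type"] = rec["scontext"].split(":")[2]
    rec["target_type"] = rec["tcontext"].split(":")[2]
    # permissive=0 means the denial was enforced, not just logged.
    rec["enforced"] = rec.get("permissive") == "0"
    return rec

def allow_rule(rec):
    """Render the type-enforcement rule that matches the denied access."""
    same = rec["source_type"] == rec["target_type"]
    target = "self" if same else rec["target_type"]
    perms = rec["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {rec['source_type']} {target}:{rec['tclass']} {perm_str};"

if __name__ == "__main__":
    record = parse_avc(SAMPLE)
    print(record["time"].isoformat(), record["comm"], "enforced:", record["enforced"])
    print(allow_rule(record))
```

The derived rule matches the one posted in the comment, and `enforced` being true is consistent with the service failing rather than only logging the denial.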