Bug 1176611

Summary: HAProxy fails to read /dev/urandom
Product: Fedora
Component: selinux-policy
Version: 20
Hardware: x86_64
OS: Linux
Reporter: Brandon Perkins <bperkins>
Assignee: Lukas Vrabec <lvrabec>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dominick.grift, dwalsh, lvrabec, mgrepl, plautrba
Status: CLOSED ERRATA
Severity: high
Priority: unspecified
Type: Bug
Doc Type: Bug Fix
Clone Of: 1131188
Fixed In Version: selinux-policy-3.12.1-197.fc20
Last Closed: 2015-03-10 00:55:59 UTC

Attachments:
Output from 'ausearch -m avc' (flags: none)

Description Brandon Perkins 2014-12-22 15:12:46 UTC
Created attachment 972063
Output from 'ausearch -m avc'

When using haproxy with ssl support, haproxy will attempt to read /dev/urandom. Failure is fatal for haproxy and generates the following error message:

"OpenSSL random data generator initialization failed."

Current SELinux policy is denying haproxy access to /dev/urandom. Below are steps to reproduce.

# rpm -q haproxy
haproxy-1.5.9-1.fc20.x86_64

# rpm -q selinux-policy
selinux-policy-3.12.1-196.fc20.noarch

# setenforce 0
# systemctl start haproxy
# ausearch -m avc

Output of 'ausearch -m avc' is attached.
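As an added illustration, not part of the report or its attachment: a small parser for AVC records in the format that 'ausearch -m avc' prints, which groups denied permissions by source type, target type and object class and flags the haproxy-to-/dev/urandom denial this bug is about. The sample records are constructed (the real ones are in the attachment), and the type names haproxy_t, urandom_device_t and random_device_t are assumed Fedora policy labels.

```python
import re
from collections import defaultdict

# Constructed sample records (not the report's attachment) in the layout
# auditd uses for AVC messages; permissive=1 matches the 'setenforce 0' run.
# haproxy_t / urandom_device_t / random_device_t are assumed policy labels.
SAMPLE_AVC = """\
type=AVC msg=audit(1419261166.123:601): avc:  denied  { read } for  pid=2413 comm="haproxy" name="urandom" dev="devtmpfs" ino=1041 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1419261166.123:601): avc:  denied  { open } for  pid=2413 comm="haproxy" path="/dev/urandom" dev="devtmpfs" ino=1041 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1419261166.130:602): avc:  denied  { read } for  pid=2413 comm="haproxy" name="random" dev="devtmpfs" ino=1040 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file permissive=1
"""

# key=value pairs; quoted values (comm="haproxy") may contain spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# result and the permission set inside the braces: avc:  denied  { read open }
PERMS_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}")


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not one."""
    m = PERMS_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    # A context is user:role:type[:range]; the type sits at index 2.
    return {
        "result": m.group(1),
        "perms": set(m.group(2).split()),
        "comm": fields.get("comm", ""),
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "permissive": fields.get("permissive") == "1",
    }


def summarize(text):
    """Union of denied permissions per (source type, target type, class)."""
    summary = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            summary[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(summary)


def needs_urandom_fix(text):
    """True when haproxy_t was denied read on the /dev/urandom label."""
    perms = summarize(text).get(("haproxy_t", "urandom_device_t", "chr_file"), set())
    return "read" in perms


if __name__ == "__main__":
    for (s, t, c), perms in sorted(summarize(SAMPLE_AVC).items()):
        print(f"{s} -> {t} ({c}): {' '.join(sorted(perms))}")
    print("urandom read denial present:", needs_urandom_fix(SAMPLE_AVC))
```

Once the fixed policy is installed, the same summary run over a fresh 'ausearch -m avc' after restarting haproxy should no longer contain the haproxy_t -> urandom_device_t entry.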

Comment 1 Daniel Walsh 2014-12-23 16:17:30 UTC
499632967d0bf59858dd47a94756bbbdfb3b2ef8 allows this in git and F21.

Please backport to F20 and RHEL7, if it is not in there.

Comment 2 Brandon Perkins 2014-12-23 16:30:57 UTC
Sorry, should have provided that information as well. This is already working fine in RHEL6, F21, and Rawhide. This was fixed in RHEL 7 with Bug 1131188.

So, this request is purely for the back-port that Dan mentioned to land in F20.

Comment 3 Lukas Vrabec 2015-01-15 14:17:23 UTC
commit 18d855954bbc0986bbdf5f00d7f4b9ca86690a15
Author: Miroslav Grepl <mgrepl>
Date:   Tue Aug 19 15:34:27 2014 +0200

    Allow haproxy to read /dev/random and /dev/urandom.

Comment 4 Fedora Update System 2015-01-27 16:56:51 UTC
selinux-policy-3.12.1-197.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-197.fc20

Comment 5 Fedora Update System 2015-01-30 04:41:46 UTC
Package selinux-policy-3.12.1-197.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-197.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-1398/selinux-policy-3.12.1-197.fc20
then log in and leave karma (feedback).

Comment 6 Fedora Update System 2015-03-10 00:55:59 UTC
selinux-policy-3.12.1-197.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.