Bug 1205217

Summary: Do not access /dev/random in the selftest and use /dev/urandom instead of /dev/random if unavailable
Product: Red Hat Enterprise Linux 7
Reporter: Tomas Mraz <tmraz>
Component: libgcrypt
Assignee: Tomas Mraz <tmraz>
Status: CLOSED CURRENTRELEASE
QA Contact: Stanislav Zidek <szidek>
Severity: medium
Docs Contact:
Priority: high
Version: 7.1
CC: arubin, jherrman, mmalik, szidek, tmraz
Target Milestone: rc
Keywords: ZStream
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: libgcrypt-1.5.3-13.el7
Doc Type: Bug Fix
Doc Text:
Previously, when the dracut-fips package was installed, the libgcrypt library accessed the /dev/random device unnecessarily. This caused SELinux to produce audit events for confined applications that link to the libgcrypt library, and the random number generator did not initialize properly. With this update, libgcrypt no longer accesses /dev/random during the startup self-test, and if /dev/random is not accessible, libgcrypt uses /dev/urandom instead. As a result, SELinux no longer produces spurious audit events for applications linked to libgcrypt, and the random number generator is initialized properly.
Story Points: ---
Clone Of:
Clones: 1210636 1285779
Environment:
Last Closed: 2015-11-20 10:22:59 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 717789, 1210636

Description Tomas Mraz 2015-03-24 13:07:43 UTC
SELinux blocks many confined domains from accessing /dev/random, which is correct, as pulling from it drains system entropy. libgcrypt should not try to access it, and it should also gracefully fall back to /dev/urandom instead of aborting.
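The fallback described in the doc text above (use /dev/urandom when /dev/random cannot be opened, and fail cleanly rather than abort when neither can), as an added C example; this is not libgcrypt's code. The device paths are function parameters so the behaviour can be exercised with constructed, nonexistent paths instead of touching /dev/random.

```c
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <unistd.h>

/* Which device was used; RNG_NONE means neither could be opened. */
enum rng_source { RNG_NONE = -1, RNG_PRIMARY = 0, RNG_FALLBACK = 1 };

/* Try `primary` (normally /dev/random), then `fallback` (/dev/urandom).
 * Any open() failure on the primary, including EACCES from an SELinux
 * denial, counts as "unavailable"; the descriptor is returned via *fd. */
static enum rng_source open_random_device(const char *primary,
                                          const char *fallback, int *fd)
{
    *fd = open(primary, O_RDONLY);
    if (*fd >= 0) return RNG_PRIMARY;
    *fd = open(fallback, O_RDONLY);
    return *fd >= 0 ? RNG_FALLBACK : RNG_NONE;
}

/* Read exactly `len` bytes; short reads and EINTR are normal for devices. */
static int read_full(int fd, unsigned char *buf, size_t len)
{
    for (size_t got = 0; got < len; ) {
        ssize_t n = read(fd, buf + got, len - got);
        if (n < 0 && errno == EINTR)
            continue;   /* interrupted by a signal: retry */
        if (n <= 0)
            return -1;  /* error, or an EOF a random device never gives */
        got += (size_t)n;
    }
    return 0;
}

/* Fill `buf` from the first usable device. Never aborts: on failure the
 * buffer is zeroed and RNG_NONE returned so the caller can refuse to
 * derive a key or nonce rather than use uninitialised bytes. */
static enum rng_source get_random_bytes(const char *primary, const char *fallback,
                                        unsigned char *buf, size_t len)
{
    int fd;
    enum rng_source src = open_random_device(primary, fallback, &fd);
    if (src != RNG_NONE && read_full(fd, buf, len) != 0)
        src = RNG_NONE;
    if (fd >= 0) close(fd);
    if (src == RNG_NONE)
        memset(buf, 0, len);
    return src;
}
```

This only opens a device when bytes are actually requested; a startup self-test that needs no entropy should not call it at all, which is the other half of the fix.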

Comment 1 Tomas Mraz 2015-04-09 15:50:46 UTC
*** Bug 1189448 has been marked as a duplicate of this bug. ***

Comment 5 Jan Kurik 2015-11-20 10:22:59 UTC
This bug has been closed as CURRENTRELEASE due to delivery of the fix in a z-stream. As the component is not on ACL, the fix is currently included in y-stream as well.

For more information please see the zstream process documentation:
* https://engineering.redhat.com/trac/ZStream/attachment/wiki/WikiStart/Z-Stream_process_update_4.odp