Bug 1624554
Summary: | SELinux is preventing virtlogd from 'read' accesses on the chr_file random. | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Mikhail <mikhail.v.gavrilov> |
Component: | openssl | Assignee: | Tomas Mraz <tmraz> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | | |
Version: | 29 | CC: | agedosier, awilliam, berrange, bugzilla, clalancette, dwalsh, fedora, itamar, jforbes, jorton, laine, libvirt-maint, lslebodn, lvrabec, mattdm, mboddu, mgrepl, plautrba, pmoore, pwhalen, sgallagh, tmraz, veillard |
Target Milestone: | --- | Keywords: | Regression, Reopened |
Target Release: | --- | | |
Hardware: | x86_64 | | |
OS: | Unspecified | | |
Whiteboard: | abrt_hash:e402258f52bc7d35dec3e86445b84fa9d5707a922008cb4f2fe3ed568e80ec22;VARIANT_ID=workstation; AcceptedFreezeException | | |
Fixed In Version: | openssl-1.1.1-0.pre9.3.fc30 openssl-1.1.1-0.pre9.3.fc29 | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2018-09-12 03:00:49 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | | | |
Bug Blocks: | 1517012 | | |

Description
Mikhail
2018-09-01 10:49:34 UTC
Hi Libvirt, Guys, do you have any idea why virtlogd is trying to read /dev/random device? Thanks, Lukas.

I don't believe we do it explicitly, so my guess is it's caused from an ELF constructor from some 3rd party library we link to, e.g. gnutls.

Very trivial reproducer is to call "systemctl stop virtlogd" (assumption is that it is already running :-)

And previous assumption was quite good. But it happens in destructor.

```
(gdb) bt
#0  __libc_open64 (file=file@entry=0x7fc77c3251dd "/dev/random", oflag=oflag@entry=0) at ../sysdeps/unix/sysv/linux/open64.c:37
#1  0x00007fc77c27d334 in open (__oflag=0, __path=0x7fc77c3251dd "/dev/random") at /usr/include/bits/fcntl2.h:53
#2  get_random_device (n=1) at crypto/rand/rand_unix.c:349
#3  0x00007fc77c27d3d7 in open_random_devices () at crypto/rand/rand_unix.c:383
#4  rand_pool_init () at crypto/rand/rand_unix.c:392
#5  0x00007fc77c27c4b2 in do_rand_init () at crypto/rand/rand_lib.c:331
#6  do_rand_init_ossl_ () at crypto/rand/rand_lib.c:315
#7  0x00007fc77c823057 in __pthread_once_slow (once_control=0x7fc77c3aa888 <rand_init>, init_routine=0x7fc77c27c470 <do_rand_init_ossl_>) at pthread_once.c:116
#8  0x00007fc77c823115 in __GI___pthread_once (once_control=once_control@entry=0x7fc77c3aa888 <rand_init>, init_routine=init_routine@entry=0x7fc77c27c470 <do_rand_init_ossl_>) at pthread_once.c:143
#9  0x00007fc77c2baccd in CRYPTO_THREAD_run_once (once=once@entry=0x7fc77c3aa888 <rand_init>, init=init@entry=0x7fc77c27c470 <do_rand_init_ossl_>) at crypto/threads_pthread.c:113
#10 0x00007fc77c27cc9b in RAND_set_rand_method (meth=0x0) at crypto/rand/rand_lib.c:664
#11 0x00007fc77c27cd1b in rand_cleanup_int () at crypto/rand/rand_lib.c:356
#12 0x00007fc77c251975 in OPENSSL_cleanup () at crypto/init.c:555
#13 0x00007fc77c62b207 in __cxa_finalize (d=0x7fc77c37a820) at cxa_finalize.c:83
#14 0x00007fc77c14a177 in __do_global_dtors_aux () from /lib64/libcrypto.so.1.1
#15 0x00007fff86979b80 in ?? ()
#16 0x00007fc77ce2c0c6 in _dl_fini () at dl-fini.c:138
```

I assume bug is in openssl and not in libvirt. It does not happen with older pre-release of openssl

```
sh$ rpm -q openssl openssl-libs openssl-devel
openssl-1.1.1-0.pre8.4.fc29.x86_64
openssl-libs-1.1.1-0.pre8.4.fc29.x86_64
openssl-devel-1.1.1-0.pre8.4.fc29.x86_64
```

And was introduced in openssl-1:1.1.1-0.pre9.1.fc30.x86_64

Please try openssl-1.1.1-0.pre9.3.fc30. It should fix the issue.

(In reply to Tomas Mraz from comment #5)
> Please try openssl-1.1.1-0.pre9.3.fc30. It should fix the issue.

Thank you for quick fix. AVCs are gone

*** Bug 1624552 has been marked as a duplicate of this bug. ***

*** Bug 1626012 has been marked as a duplicate of this bug. ***

*** Bug 1626013 has been marked as a duplicate of this bug. ***

pre9.1 is currently in F29 stable, so it's still hitting this, I guess. Can we please get pre9.3 for F29?

Proposing as an FE issue - this bug causes AVCs which we would like not to see on the Beta lives.

openssl-1.1.1-0.pre9.3.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-8023936aab

Never mind, I did it myself. :) Karma on the update would be appreciated from anyone who can test.

+1 FE for beta

+1 FE

+1 FE

+ FE

That's +4, setting accepted.

openssl-1.1.1-0.pre9.3.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

*** Bug 1627937 has been marked as a duplicate of this bug. ***
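
The call chain in the backtrace (library cleanup at process exit forcing lazy RNG initialisation, which then opens /dev/random), modelled as an added example that is not part of this bug report and is not OpenSSL code. The function names, the single-threaded run-once helper and the guarded variant are assumptions for illustration; the guard is not the change shipped in pre9.3.

```c
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

static int open_attempts;   /* open() calls made on the random device */

/* Stand-in for rand_pool_init(): opening the device is a side effect of init. */
static void pool_init(void)
{
    int fd = open("/dev/random", O_RDONLY);
    open_attempts++;        /* count the attempt regardless of the result */
    if (fd >= 0)
        close(fd);
}

/* Single-threaded stand-in for CRYPTO_THREAD_run_once(). */
static void run_once(int *done, void (*init)(void))
{
    if (!*done) { *done = 1; init(); }
}

static int once_a, once_b;  /* one run-once flag per variant */

/* Variant A: cleanup resets the method through a setter that forces init first
 * (frames #12 to #0), so a process that never used the RNG opens the device on exit. */
int cleanup_unguarded(void)
{
    int before = open_attempts;
    run_once(&once_a, pool_init);   /* setter: lazy init, then reset the method */
    return open_attempts - before;
}

/* Variant B (assumed guard, not the actual OpenSSL patch): tear down only
 * state that was really initialised. */
void use_rng_b(void) { run_once(&once_b, pool_init); }

int cleanup_guarded(void)
{
    int before = open_attempts;
    if (once_b) { /* release the state created by pool_init() here */ }
    return open_attempts - before;
}

int main(void)
{
    printf("unguarded: %d open(s), guarded: %d open(s)\n", cleanup_unguarded(), cleanup_guarded());
    return 0;
}
```

In variant A the device open happens only at exit, which matches the reproducer in the thread: the access shows up on "systemctl stop virtlogd", not while the daemon runs.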