Bug 593139
| Summary: | Rsyslog-gnutls with selinux enabled fails | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 5 | Reporter: | Erinn Looney-Triggs <erinn.looneytriggs> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | ||
| Version: | 5.5 | CC: | dwalsh, mmalik, theinric |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: |
With SELinux running in the enforcing mode, an attempt to run the rsyslogd service with GnuTLS modules enabled could fail with the following error message:
Starting system logger: Fatal: no entropy gathering module detected
With this update, relevant rules have been modified to resolve this issue, and rsyslogd no longer fails to run.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2011-01-13 21:49:45 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
TE file in case anyone is too lazy to run audit2allow themselves against the denial:
module myrsyslog 1.0;
require {
type syslogd_t;
type random_device_t;
class chr_file read;
}
#============= syslogd_t ==============
allow syslogd_t random_device_t:chr_file read;
I would prefer that the tool used /dev/urand, but Miroslav, I think we need to add this. Created Service Request: 2039454 Fixed in selinux-policy-2.4.6-281.el5.noarch
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.
New Contents:
With SELinux running in the enforcing mode, an attempt to run the rsyslogd service with GnuTLS modules enabled could fail with the following error message:
Starting system logger: Fatal: no entropy gathering module detected
With this update, relevant rules have been modified to resolve this issue, and rsyslogd no longer fails to run.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2011-0026.html |
Description of problem: Using rsyslog with the gnutls modules and selinux enabled in enforcing mode will fail with the following error: Starting system logger: Fatal: no entropy gathering module detected And the following error is logged by auditd: node=mohontariol.abaqis.com type=AVC msg=audit(1274135318.555:14563): avc: denied { read } for pid=428 comm="rsyslogd" name="random" dev=tmpfs ino=2429 scontext=user_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file I believe the info about gnutls in this bug is pertinent to the same issue: https://bugzilla.redhat.com/show_bug.cgi?id=552763 Version-Release number of selected component (if applicable): rsyslog-gnutls-3.22.1-3.el5 rsyslog-3.22.1-3.el5 How reproducible: Install rsyslog-gnutls Enable selinux in enforcing mode Add the following line to /etc/rsyslog.conf: $DefaultNetstreamDriver gtls Restart rsyslog, watch the fireworks Additional info: