Created attachment 972063
Output from 'ausearch -m avc'

When using haproxy with ssl support, haproxy will attempt to read /dev/urandom. Failure is fatal for haproxy and generates the following error message:

"OpenSSL random data generator initialization failed."

Current SELinux policy is denying haproxy access to /dev/urandom. Below are steps to reproduce.

# rpm -q haproxy
haproxy-1.5.9-1.fc20.x86_64
# rpm -q selinux-policy
selinux-policy-3.12.1-196.fc20.noarch
# setenforce 0
# systemctl start haproxy
# ausearch -m avc

Output of 'ausearch -m avc' is attached.
499632967d0bf59858dd47a94756bbbdfb3b2ef8 allows this in git and F21. Please back port to F20 and RHEL7, if it is not in there.
Sorry, should have provided that information as well. This is already working fine in RHEL6, F21, and Rawhide. This was fixed in RHEL 7 with Bug 1131188.

So, this request is purely for the back-port, that Dan mentioned, to land in F20.
commit 18d855954bbc0986bbdf5f00d7f4b9ca86690a15
Author: Miroslav Grepl <mgrepl>
Date: Tue Aug 19 15:34:27 2014 +0200

    Allow haproxy to read /dev/random and /dev/urandom.
selinux-policy-3.12.1-197.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-197.fc20
Package selinux-policy-3.12.1-197.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.

Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-197.fc20'
as soon as you are able to.

Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-1398/selinux-policy-3.12.1-197.fc20
then log in and leave karma (feedback).
selinux-policy-3.12.1-197.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
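
Added example, not part of the original bug report or the Fedora policy sources: a Python sketch that groups the denials printed by 'ausearch -m avc' by source type, target type and object class, so the haproxy accesses to /dev/urandom described in the report can be compared against what a policy update allows. The sample records are constructed for illustration (the bug's attachment is not reproduced here), and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample records in the format printed by `ausearch -m avc`;
# they are NOT the contents of the attachment on this bug.
SAMPLE = """\
type=AVC msg=audit(1420070400.101:301): avc:  denied  { read } for  pid=2101 comm="haproxy" name="urandom" dev="devtmpfs" ino=1033 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC msg=audit(1420070400.101:302): avc:  denied  { open } for  pid=2101 comm="haproxy" path="/dev/urandom" dev="devtmpfs" ino=1033 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC msg=audit(1420070401.007:310): avc:  denied  { name_bind } for  pid=2200 comm="httpd" src=10443 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1420070400.101:301): arch=c000003e syscall=2 success=yes exit=4 comm="haproxy"
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+"
    r"tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    # A context is user:role:type:level; the type is the third field.
    return context.split(":")[2]

def summarize_denials(text):
    """Group denied permissions by (source type, target type, class)."""
    summary = defaultdict(set)
    for line in text.splitlines():
        if not line.startswith("type=AVC"):
            continue  # skip SYSCALL records, separators and timestamps
        m = AVC_RE.search(line)
        if m:
            key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
            summary[key].update(m["perms"].split())
    return dict(summary)

def format_rules(summary):
    """Render each group as the allow rule it corresponds to, for review."""
    return [
        "allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(sorted(perms)))
        for (src, tgt, cls), perms in sorted(summary.items())
    ]

if __name__ == "__main__":
    for rule in format_rules(summarize_denials(SAMPLE)):
        print(rule)
```

The rendered lines are a reading aid for reviewing denials, not a policy module to load as-is.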