Bug 509275 - SELinux preventing mcelog from reading /dev/urandom
Summary: SELinux preventing mcelog from reading /dev/urandom
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 11
Hardware: x86_64
OS: Linux
low
low
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-07-02 00:37 UTC by Jeffrey Bonggren
Modified: 2010-03-04 08:29 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-03-04 08:29:10 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)
Output From setroubleshoot (2.12 KB, text/plain)
2009-07-02 00:37 UTC, Jeffrey Bonggren 		no flags Details
View All

Description Jeffrey Bonggren 2009-07-02 00:37:06 UTC 
Created attachment 350227 [details]
Output From setroubleshoot

Ever since I upgraded from Fedora 10 to Fedora 11 (via preupgrade), I have been getting setroubleshoot alerts stating that "SELinux prevented mcelog from reading the urandom device".

This hasn't really been a big problem, but it is annoying.  I figure something is going wrong here, either in mcelog or in the SELinux configuration.

I don't understand why the mcelog would even need /dev/urandom.  Why does a logging program need randomness?

I am attaching the output from setroubleshoot.
Comment 1 Daniel Walsh 2009-07-06 17:49:16 UTC 
Miroslav, upstream rejected the current policy for mcelog saying it is different from dmesg and asked for policy written specifically for it as a cron job.  Could you do that to fix this bug?

Jeffrey, 

for now you can add this allow rule using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Comment 2 Miroslav Grepl 2010-03-04 08:29:10 UTC 
The mcelog policy was added to the F12 selinux-policy.
Note You need to log in before you can comment on or make changes to this bug.