Description of problem:
Using rsyslog with the gnutls modules and selinux enabled in enforcing mode will fail with the following error:

Starting system logger: Fatal: no entropy gathering module detected

And the following error is logged by auditd:

node=mohontariol.abaqis.com type=AVC msg=audit(1274135318.555:14563): avc: denied { read } for pid=428 comm="rsyslogd" name="random" dev=tmpfs ino=2429 scontext=user_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file

I believe the info about gnutls in this bug is pertinent to the same issue:
https://bugzilla.redhat.com/show_bug.cgi?id=552763

Version-Release number of selected component (if applicable):
rsyslog-gnutls-3.22.1-3.el5
rsyslog-3.22.1-3.el5

How reproducible:
Install rsyslog-gnutls
Enable selinux in enforcing mode
Add the following line to /etc/rsyslog.conf:
$DefaultNetstreamDriver gtls
Restart rsyslog, watch the fireworks

Additional info:
TE file in case anyone is too lazy to run audit2allow themselves against the denial:

module myrsyslog 1.0;

require {
    type syslogd_t;
    type random_device_t;
    class chr_file read;
}

#============= syslogd_t ==============
allow syslogd_t random_device_t:chr_file read;
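As an added illustration of what audit2allow does with the denial above (example code written for this page, not part of the report or of the audit2allow tool): parse the AVC record into its permission set, security contexts and object class, then render the same allow rule and module skeleton. The sample record is a copy of the one quoted in the bug; the function and type names are my own.

```python
import re
from collections import namedtuple
# Constructed sample input: the AVC record quoted in this report.
SAMPLE_AVC = (
    'node=mohontariol.abaqis.com type=AVC msg=audit(1274135318.555:14563): '
    'avc: denied { read } for pid=428 comm="rsyslogd" name="random" dev=tmpfs '
    'ino=2429 scontext=user_u:system_r:syslogd_t:s0 '
    'tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file'
)
# Permission set, both security contexts and the object class of an AVC denial.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?scontext=(?P<scontext>\S+)'
    r'\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)
# source/target hold the type field of the context (user:role:type:level).
Denial = namedtuple('Denial', 'perms source target tclass')

def parse_avc(line):
    """Return a Denial for an 'avc: denied' record, None for any other line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return Denial(tuple(m.group('perms').split()),
                  m.group('scontext').split(':')[2],
                  m.group('tcontext').split(':')[2],
                  m.group('tclass'))

def perm_set(perms):
    """TE syntax: a single permission is bare, several go in braces."""
    return perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(sorted(perms))

def allow_rule(d):
    """The allow rule that would permit this denial (what audit2allow emits)."""
    return 'allow %s %s:%s %s;' % (d.source, d.target, d.tclass, perm_set(d.perms))

def te_module(name, version, denials):
    """Render a complete policy module source in the shape of the file above."""
    types = sorted({t for d in denials for t in (d.source, d.target)})
    classes = {}
    for d in denials:
        classes.setdefault(d.tclass, set()).update(d.perms)
    lines = ['module %s %s;' % (name, version), '', 'require {']
    lines += ['\ttype %s;' % t for t in types]
    lines += ['\tclass %s %s;' % (c, perm_set(tuple(p))) for c, p in sorted(classes.items())]
    lines += ['}', ''] + [allow_rule(d) for d in denials]
    return '\n'.join(lines) + '\n'

if __name__ == '__main__':
    print(te_module('myrsyslog', '1.0', [parse_avc(SAMPLE_AVC)]))
```

Read the generated rule before loading it: it is keyed on types, so it grants syslogd_t read on every chr_file labelled random_device_t, not only on the one device named in the denial.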
I would prefer that the tool used /dev/urand, but Miroslav, I think we need to add this.
Created Service Request: 2039454
Fixed in selinux-policy-2.4.6-281.el5.noarch
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
With SELinux running in the enforcing mode, an attempt to run the rsyslogd service with GnuTLS modules enabled could fail with the following error message:

Starting system logger: Fatal: no entropy gathering module detected

With this update, relevant rules have been modified to resolve this issue, and rsyslogd no longer fails to run.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.
http://rhn.redhat.com/errata/RHBA-2011-0026.html