Bug 593139 - Rsyslog-gnutls with selinux enabled fails
Summary: Rsyslog-gnutls with selinux enabled fails
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy   
Version: 5.5
Hardware: All Linux
Priority: low
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
Reported: 2010-05-17 22:46 UTC by Erinn Looney-Triggs
Modified: 2012-10-19 10:05 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
With SELinux running in the enforcing mode, an attempt to run the rsyslogd service with GnuTLS modules enabled could fail with the following error message:

  Starting system logger: Fatal: no entropy gathering module detected

With this update, relevant rules have been modified to resolve this issue, and rsyslogd no longer fails to run.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-01-13 21:49:45 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---




External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2011:0026 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2011-01-12 16:11:15 UTC

Description Erinn Looney-Triggs 2010-05-17 22:46:36 UTC
Description of problem:
Using rsyslog with the gnutls modules and selinux enabled in enforcing mode will fail with the following error: Starting system logger: Fatal: no entropy gathering module detected

And the following error is logged by auditd:
node=mohontariol.abaqis.com type=AVC msg=audit(1274135318.555:14563): avc:  denied  { read } for  pid=428 comm="rsyslogd" name="random" dev=tmpfs ino=2429 scontext=user_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file

I believe the info about gnutls in this bug is pertinent to the same issue: https://bugzilla.redhat.com/show_bug.cgi?id=552763

Version-Release number of selected component (if applicable):
rsyslog-gnutls-3.22.1-3.el5
rsyslog-3.22.1-3.el5

How reproducible:
Install rsyslog-gnutls
Enable selinux in enforcing mode

Add the following line to /etc/rsyslog.conf:
$DefaultNetstreamDriver gtls

Restart rsyslog, watch the fireworks

Additional info:

Comment 1 Erinn Looney-Triggs 2010-05-19 15:57:15 UTC
TE file in case anyone is too lazy to run audit2allow themselves against the denial:

module myrsyslog 1.0;

require {
        type syslogd_t;
        type random_device_t;
        class chr_file read;
}

#============= syslogd_t ==============
allow syslogd_t random_device_t:chr_file read;
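
For reference, the following is an added example (not part of this bug report or of audit2allow) that does the same thing the TE file above records: it parses the AVC denial quoted in the description and emits a module granting exactly the denied permission, so a policy reviewer can see that nothing broader than { read } on random_device_t is being allowed. The AVC text is a constructed copy of the line in the description; the module name and version mirror the one posted above.

```python
import re

# Constructed copy of the AVC denial quoted in this bug's description.
AVC_LINE = ('node=mohontariol.abaqis.com type=AVC msg=audit(1274135318.555:14563): '
            'avc:  denied  { read } for  pid=428 comm="rsyslogd" name="random" '
            'dev=tmpfs ino=2429 scontext=user_u:system_r:syslogd_t:s0 '
            'tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file')

# Pull the denied permissions, source/target contexts and object class out of an AVC record.
_AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\S+)')

def parse_avc(line):
    """Return (source type, target type, class, sorted perms) or None if not an AVC denial."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type:level; the policy rule only needs the type field.
    stype = m.group('scontext').split(':')[2]
    ttype = m.group('tcontext').split(':')[2]
    return stype, ttype, m.group('tclass'), sorted(m.group('perms').split())

def _perm_str(perms):
    """Single permission bare, several in braces, as the .te syntax expects."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'

def build_te_module(name, version, denials):
    """Emit a minimal .te module granting only what the given denials asked for."""
    rules = {}                     # (stype, ttype, tclass) -> set of permissions
    for line in denials:
        parsed = parse_avc(line)
        if parsed is None:
            continue               # unrelated audit records are ignored, not guessed at
        stype, ttype, tclass, perms = parsed
        rules.setdefault((stype, ttype, tclass), set()).update(perms)
    types = sorted({t for (s, tt, _c) in rules for t in (s, tt)})
    classes = {}
    for (_s, _t, c), p in rules.items():
        classes.setdefault(c, set()).update(p)
    out = [f'module {name} {version};', '', 'require {']
    out += [f'\ttype {t};' for t in types]
    out += [f'\tclass {c} {_perm_str(p)};' for c, p in sorted(classes.items())]
    out += ['}', '']
    for (s, t, c), p in sorted(rules.items()):
        out.append(f'allow {s} {t}:{c} {_perm_str(p)};')
    return '\n'.join(out) + '\n'

if __name__ == '__main__':
    print(build_te_module('myrsyslog', '1.0', [AVC_LINE]))
```

Each rule in the output should still be read against what the program actually needs (here, Comment 2 below notes that reading /dev/urandom would be preferable), rather than loaded unreviewed.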

Comment 2 Daniel Walsh 2010-06-25 19:35:25 UTC
I would prefer that the tool used /dev/urand, but Miroslav, I think we need to add this.

Comment 4 Erinn Looney-Triggs 2010-07-12 17:57:39 UTC
Created Service Request: 2039454

Comment 5 Miroslav Grepl 2010-07-22 09:24:38 UTC
Fixed in selinux-policy-2.4.6-281.el5.noarch

Comment 8 Jaromir Hradilek 2011-01-05 16:16:01 UTC
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
With SELinux running in the enforcing mode, an attempt to run the rsyslogd service with GnuTLS modules enabled could fail with the following error message:

  Starting system logger: Fatal: no entropy gathering module detected

With this update, relevant rules have been modified to resolve this issue, and rsyslogd no longer fails to run.

Comment 10 errata-xmlrpc 2011-01-13 21:49:45 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0026.html