Bug 593139 - Rsyslog-gnutls with selinux enabled fails
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.5
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: rc
Assigned To: Miroslav Grepl
QA Contact: Milos Malik
Reported: 2010-05-17 18:46 EDT by Erinn Looney-Triggs
Modified: 2012-10-19 06:05 EDT (History)

Doc Type: Bug Fix
Doc Text:
With SELinux running in the enforcing mode, an attempt to run the rsyslogd service with GnuTLS modules enabled could fail with the following error message:

  Starting system logger: Fatal: no entropy gathering module detected

With this update, relevant rules have been modified to resolve this issue, and rsyslogd no longer fails to run.
Last Closed: 2011-01-13 16:49:45 EST
Description Erinn Looney-Triggs 2010-05-17 18:46:36 EDT
Description of problem:
Using rsyslog with the gnutls modules and selinux enabled in enforcing mode will fail with the following error:

  Starting system logger: Fatal: no entropy gathering module detected

And the following error is logged by auditd:
node=mohontariol.abaqis.com type=AVC msg=audit(1274135318.555:14563): avc:  denied  { read } for  pid=428 comm="rsyslogd" name="random" dev=tmpfs ino=2429 scontext=user_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file

I believe the info about gnutls in this bug is pertinent to the same issue: https://bugzilla.redhat.com/show_bug.cgi?id=552763

Version-Release number of selected component (if applicable):
rsyslog-gnutls-3.22.1-3.el5
rsyslog-3.22.1-3.el5

How reproducible:
Install rsyslog-gnutls
Enable selinux in enforcing mode

Add the following line to /etc/rsyslog.conf:
$DefaultNetstreamDriver gtls

Restart rsyslog, watch the fireworks

Additional info:
Comment 1 Erinn Looney-Triggs 2010-05-19 11:57:15 EDT
TE file in case anyone is too lazy to run audit2allow themselves against the denial:

module myrsyslog 1.0;

require {
        type syslogd_t;
        type random_device_t;
        class chr_file read;
}

#============= syslogd_t ==============
allow syslogd_t random_device_t:chr_file read;
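Added example, not part of the bug report or of the selinux-policy package: a small POSIX shell/awk routine that does what Comment 1 says audit2allow did, turning an AVC line of the shape shown in the description into the corresponding allow rule, plus a check for the exact syslogd_t/random_device_t denial so the condition can be spotted in an audit log before deciding whether a local module is wanted. The sample line, its host name and the function names are constructed for this example.

```shell
#!/bin/sh
# Constructed sample AVC line, shaped like the denial in the bug description.
SAMPLE_AVC='node=host.example.com type=AVC msg=audit(1274135318.555:14563): avc:  denied  { read } for  pid=428 comm="rsyslogd" name="random" dev=tmpfs ino=2429 scontext=user_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file'

# avc_to_allow: read AVC denial lines on stdin, print one TE "allow" rule per
# denial. Only the type (third colon-separated field of each context) is used,
# which is the same reduction audit2allow performs for a type-enforcement rule.
avc_to_allow() {
  awk '
    /type=AVC/ && /denied/ {
      perms = $0
      sub(/.*denied +[{] */, "", perms)   # keep text after "denied {"
      sub(/ *[}].*/, "", perms)           # drop everything from "}" on
      src = ""; tgt = ""; cls = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); src = a[3] }
        if ($i ~ /^tcontext=/) { split(substr($i, 10), b, ":"); tgt = b[3] }
        if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
      }
      if (src != "" && tgt != "" && cls != "")
        printf "allow %s %s:%s { %s };\n", src, tgt, cls, perms
    }'
}

# is_syslog_random_denial: exit 0 when stdin contains the denial this bug is
# about (the syslog domain refused read access to the random device), else 1.
is_syslog_random_denial() {
  avc_to_allow | grep -q '^allow syslogd_t random_device_t:chr_file { read };$'
}

# Stand-alone run: show the rule derived from the constructed sample.
printf '%s\n' "$SAMPLE_AVC" | avc_to_allow
```

On a live system the same functions can be fed with `ausearch -m avc -ts recent` or `grep AVC /var/log/audit/audit.log`; the generated rule is a starting point to review against the policy update named in Comment 5, not something to load unread.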
Comment 2 Daniel Walsh 2010-06-25 15:35:25 EDT
I would prefer that the tool used /dev/urand, but Miroslav, I think we need to add this.
Comment 4 Erinn Looney-Triggs 2010-07-12 13:57:39 EDT
Created Service Request: 2039454
Comment 5 Miroslav Grepl 2010-07-22 05:24:38 EDT
Fixed in selinux-policy-2.4.6-281.el5.noarch
Comment 8 Jaromir Hradilek 2011-01-05 11:16:01 EST
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
With SELinux running in the enforcing mode, an attempt to run the rsyslogd service with GnuTLS modules enabled could fail with the following error message:

  Starting system logger: Fatal: no entropy gathering module detected

With this update, relevant rules have been modified to resolve this issue, and rsyslogd no longer fails to run.
Comment 10 errata-xmlrpc 2011-01-13 16:49:45 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0026.html
