Mailing List Archive

Problems emerging apache
I get an error when trying to emerge apache:
.
.
.
checking for entropy source... configure: error: /dev/urandom not found
or
unreadable.

when looking at the avc messages I see:
.
.
.
audit(1095437044.773:0): avc: denied { read } for pid=11091
exe=/bin/cat
name=urandom dev=hda2 ino=164173 scontext=frja:sysadm_r:portage_t
tcontext=system_u:object_r:urandom_device_t tclass=chr_file
audit(1095437044.784:0): avc: denied { read } for pid=11097
exe=/bin/grep
name=urandom dev=hda2 ino=164173 scontext=frja:sysadm_r:portage_t
tcontext=system_u:object_r:urandom_device_t tclass=chr_file
audit(1095437044.794:0): avc: denied { read } for pid=11098
exe=/bin/sed
name=urandom dev=hda2 ino=164173 scontext=frja:sysadm_r:portage_t
tcontext=system_u:object_r:urandom_device_t tclass=chr_file
audit(1095437044.805:0): avc: denied { read } for pid=11099
exe=/bin/cat
name=urandom dev=hda2 ino=164173 scontext=frja:sysadm_r:portage_t
tcontext=system_u:object_r:urandom_device_t tclass=chr_file
audit(1095437044.813:0): avc: denied { read } for pid=11103
exe=/bin/sort
name=urandom dev=hda2 ino=164173 scontext=frja:sysadm_r:portage_t
tcontext=system_u:object_r:urandom_device_t tclass=chr_file
audit(1095437045.069:0): avc: denied { read } for pid=11279
exe=/bin/rm
name=urandom dev=hda2 ino=164173 scontext=frja:sysadm_r:portage_t
tcontext=system_u:object_r:urandom_device_t tclass=chr_file
audit(1095437045.076:0): avc: denied { read } for pid=11280
exe=/bin/rm
name=urandom dev=hda2 ino=164173 scontext=frja:sysadm_r:portage_t
tcontext=system_u:object_r:urandom_device_t tclass=chr_file

It seems like "emerge launched" apps can't read /dev/urandom. Do I have
to relabel emerge, sandbox, /dev/urandom... ?

Have a nice weekend!

Best regards
Fredrik Jansson


--
gentoo-hardened@gentoo.org mailing list
Re: Problems emerging apache [ In reply to ]
To fix this I did the following: first install apache 2.50, which worked
perfectly, and after that upgrade to the latest version. Sounds weird but it
worked for me (saw it upgrading with the world and was quite surprised
it worked this time).

Greetings

NoMiS


On Fri, 2004-09-17 at 16:09, Jansson Fredrik wrote:
> I get an error when trying to emerge apache:
> .
> .
> .
> checking for entropy source... configure: error: /dev/urandom not found
> or
> unreadable.
>
> when looking at the avc messages I see:
> .
> .
> .
> audit(1095437044.773:0): avc: denied { read } for pid=11091
> exe=/bin/cat
> name=urandom dev=hda2 ino=164173 scontext=frja:sysadm_r:portage_t
> tcontext=system_u:object_r:urandom_device_t tclass=chr_file
> audit(1095437044.784:0): avc: denied { read } for pid=11097
> exe=/bin/grep
> name=urandom dev=hda2 ino=164173 scontext=frja:sysadm_r:portage_t
> tcontext=system_u:object_r:urandom_device_t tclass=chr_file
> audit(1095437044.794:0): avc: denied { read } for pid=11098
> exe=/bin/sed
> name=urandom dev=hda2 ino=164173 scontext=frja:sysadm_r:portage_t
> tcontext=system_u:object_r:urandom_device_t tclass=chr_file
> audit(1095437044.805:0): avc: denied { read } for pid=11099
> exe=/bin/cat
> name=urandom dev=hda2 ino=164173 scontext=frja:sysadm_r:portage_t
> tcontext=system_u:object_r:urandom_device_t tclass=chr_file
> audit(1095437044.813:0): avc: denied { read } for pid=11103
> exe=/bin/sort
> name=urandom dev=hda2 ino=164173 scontext=frja:sysadm_r:portage_t
> tcontext=system_u:object_r:urandom_device_t tclass=chr_file
> audit(1095437045.069:0): avc: denied { read } for pid=11279
> exe=/bin/rm
> name=urandom dev=hda2 ino=164173 scontext=frja:sysadm_r:portage_t
> tcontext=system_u:object_r:urandom_device_t tclass=chr_file
> audit(1095437045.076:0): avc: denied { read } for pid=11280
> exe=/bin/rm
> name=urandom dev=hda2 ino=164173 scontext=frja:sysadm_r:portage_t
> tcontext=system_u:object_r:urandom_device_t tclass=chr_file
>
> It seems like "emerge launched" apps can't read /dev/urandom. Do I have
> to relabel emerge, sandbox, /dev/urandom... ?
>
> Have a nice weekend!
>
> Best regards
> Fredrik Jansson
>
>
> --
> gentoo-hardened@gentoo.org mailing list


--
gentoo-hardened@gentoo.org mailing list
Re: Problems emerging apache [ In reply to ]
Hi Jansson,

Jansson Fredrik wrote:
> I get an error when trying to emerge apache:
> .
> .
> .
> checking for entropy source... configure: error: /dev/urandom not found
> or
> unreadable.
>
> when looking at the avc messages I see:
> .
> .
> .
> audit(1095437044.773:0): avc: denied { read } for pid=11091
> exe=/bin/cat
> name=urandom dev=hda2 ino=164173 scontext=frja:sysadm_r:portage_t
> tcontext=system_u:object_r:urandom_device_t tclass=chr_file
[..]

you can create a temporary rule until this issue is fixed in the selinux-base-policy:

echo 'allow portage_t urandom_device_t:chr_file r_file_perms;' >> /etc/security/selinux/src/policy/domains/program/my.te
touch /etc/security/selinux/src/policy/file_contexts/program/my.fc
make -C /etc/security/selinux/src/policy reload

you will be able to emerge apache after this.

bye,
peter
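As an added illustration (not part of the thread or of any Gentoo tool), here is a small script that turns AVC denials like the ones quoted above into candidate `allow` rules, grouping by source domain, target type and class and collecting only the permissions actually denied. It assumes one denial per line (the archive wrapped them) and that the type is the third field of a context; the third sample line is constructed to show a second domain.

```python
import re
from collections import defaultdict

# Constructed sample: two denials from the thread (re-joined onto single lines)
# plus one constructed denial for a different source domain.
SAMPLE_AVC = """\
audit(1095437044.773:0): avc: denied { read } for pid=11091 exe=/bin/cat name=urandom dev=hda2 ino=164173 scontext=frja:sysadm_r:portage_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
audit(1095437044.784:0): avc: denied { read } for pid=11097 exe=/bin/grep name=urandom dev=hda2 ino=164173 scontext=frja:sysadm_r:portage_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
audit(1095437045.100:0): avc: denied { read write } for pid=11300 exe=/bin/example name=urandom dev=hda2 ino=164173 scontext=frja:sysadm_r:sysadm_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
"""

# Permissions inside the braces, then the two contexts and the object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    source_type = m.group("scontext").split(":")[2]  # user:role:type[:level]
    target_type = m.group("tcontext").split(":")[2]
    return source_type, target_type, m.group("tclass"), frozenset(m.group("perms").split())


def summarize(log_text):
    """Group denials by (source, target, class) and union the denied permissions."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_avc(line)
        if parsed:
            source_type, target_type, tclass, perms = parsed
            rules[(source_type, target_type, tclass)].update(perms)
    return dict(rules)


def to_te_rules(summary):
    """Render each group as a policy rule granting only the permissions seen denied."""
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(summary.items())
    ]


if __name__ == "__main__":
    for rule in to_te_rules(summarize(SAMPLE_AVC)):
        print(rule)
```

Compared with the `r_file_perms` macro used in the reply, the generated rule lists only the permissions that were actually denied, which makes it easy to see how much wider the macro is before deciding what to grant.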