[Bug 1036280] New: selinux alerts about rabbitmq server ("access on the tcp_socket")
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1036280
Bug ID: 1036280
Summary: selinux alerts about rabbitmq server ("access on the
tcp_socket")
Product: Fedora
Version: 20
Component: rabbitmq-server
Assignee: hubert.plociniczak(a)gmail.com
Reporter: pavel.nedr(a)gmail.com
QA Contact: extras-qa(a)fedoraproject.org
CC: erlang(a)lists.fedoraproject.org,
hubert.plociniczak(a)gmail.com, lemenkov(a)gmail.com
Description of problem:
I've seen a flood in journalctl from SEalert about that error.
It begins at startup of the system (rabbitmq is enabled in systemctl).
There are a lot of error messages. They cause the "audispd[643]: queue is full - dropping event" error :)
rabbitmq-server noarch 3.1.5 1.fc20
$ sudo sealert -l 82db9030-74db-4e60-97ab-6aef447e582d
SELinux is preventing /usr/lib64/erlang/erts-5.10.3/bin/beam.smp from name_bind
access on the tcp_socket .
***** Plugin bind_ports (92.2 confidence) suggests ************************
If you want to allow /usr/lib64/erlang/erts-5.10.3/bin/beam.smp to bind to
network port 10097
Then you need to modify the port type.
Do
# semanage port -a -t PORT_TYPE -p tcp 10097
где PORT_TYPE может принимать значения: amqp_port_t, couchdb_port_t,
jabber_client_port_t, jabber_interserver_port_t.
***** Plugin catchall_boolean (7.83 confidence) suggests ******************
If вы хотите выполнить следующее: разрешить NIS
Then you must tell SELinux about this by enabling the 'nis_enabled' boolean.
Дополнительная документация на 'None' ман странице.
Do
setsebool -P nis_enabled 1
***** Plugin catchall (1.41 confidence) suggests **************************
If вы считаете, что beam.smp следует разрешить доступ name_bind к tcp_socket
по умолчанию.
Then рекомендуется создать отчет об ошибке.
Чтобы разрешить доступ, можно создать локальный модуль политики.
Do
чтобы разрешить доступ, выполните:
# grep beam.smp /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:rabbitmq_beam_t:s0
Target Context system_u:object_r:unreserved_port_t:s0
Target Objects [ tcp_socket ]
Source beam.smp
Source Path /usr/lib64/erlang/erts-5.10.3/bin/beam.smp
Port 10097
Host bb.lan
Source RPM Packages erlang-erts-R16B-02.7.fc20.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.12.1-105.fc20.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name bb.lan
Platform Linux bb.lan 3.11.9-300.fc20.x86_64 #1 SMP Wed Nov 20 22:23:25 UTC 2013 x86_64 x86_64
Alert Count 85
First Seen 2013-11-29 23:40:14 MSK
Last Seen 2013-11-30 15:01:23 MSK
Local ID 82db9030-74db-4e60-97ab-6aef447e582d
Raw Audit Messages
type=AVC msg=audit(1385809283.320:612): avc: denied { name_bind } for
pid=1897 comm="beam.smp" src=10097
scontext=system_u:system_r:rabbitmq_beam_t:s0
tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1385809283.320:612): arch=x86_64 syscall=bind success=no
exit=EACCES a0=12 a1=7fac88cfb900 a2=1c a3=a items=0 ppid=1 pid=1897
auid=4294967295 uid=989 gid=984 euid=989 suid=989 fsuid=989 egid=984 sgid=984
fsgid=984 ses=4294967295 tty=(none) comm=beam.smp
exe=/usr/lib64/erlang/erts-5.10.3/bin/beam.smp
subj=system_u:system_r:rabbitmq_beam_t:s0 key=(null)
Hash: beam.smp,rabbitmq_beam_t,unreserved_port_t,tcp_socket,name_bind
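For triaging a flood of denials like the one reported above, the following added example (not part of the bug report or of any project's code) groups AVC records by the same fields shown in the report's "Hash:" line and lists the distinct ports per group, which shows whether a single `semanage port` entry would cover them. The function names, the sample log (the report's record joined onto one line plus constructed variants) and the handling of multi-permission records are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC record from the report joined onto one line,
# plus constructed variants (a second port, an unrelated denial, a SYSCALL).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1385809283.320:612): avc: denied { name_bind } for pid=1897 comm="beam.smp" src=10097 scontext=system_u:system_r:rabbitmq_beam_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1385809283.320:612): arch=x86_64 syscall=bind success=no exit=EACCES pid=1897 comm=beam.smp
type=AVC msg=audit(1385809284.101:613): avc: denied { name_bind } for pid=1897 comm="beam.smp" src=10098 scontext=system_u:system_r:rabbitmq_beam_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1385809290.555:620): avc: denied { read } for pid=2001 comm="httpd" name="x" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
"""

AVC_RE = re.compile(r"^type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if not {"comm", "scontext", "tcontext", "tclass"} <= fields.keys():
        return None  # incomplete record, nothing to group on
    fields["perms"] = m.group("perms").split()
    return fields

def denial_key(f):
    """Build comm,source_type,target_type,class,perm as in the 'Hash:' line."""
    # Contexts are user:role:type:level; the type is the third component.
    stype = f["scontext"].split(":")[2]
    ttype = f["tcontext"].split(":")[2]
    # Assumption: several permissions in one record are sorted and joined.
    return ",".join([f["comm"], stype, ttype, f["tclass"], *sorted(f["perms"])])

def summarize(log_text):
    """Group denials by key and collect the distinct src ports of each group."""
    groups = defaultdict(lambda: {"count": 0, "ports": set()})
    for line in log_text.splitlines():
        f = parse_avc(line)
        if f is None:
            continue
        g = groups[denial_key(f)]
        g["count"] += 1
        if f.get("src", "").isdigit():
            g["ports"].add(int(f["src"]))
    return {k: {"count": v["count"], "ports": sorted(v["ports"])} for k, v in groups.items()}

if __name__ == "__main__":
    for key, info in summarize(SAMPLE_AUDIT_LOG).items():
        print(info["count"], key, info["ports"])
```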
[rabbitmq-server] New upstream release - 3.4.1
by John Eckersberg
commit 7fd5ce1a66623dc8136161cd10431bdc827461c9
Author: John Eckersberg <jeckersb(a)redhat.com>
Date: Wed Oct 29 10:45:45 2014 -0400
New upstream release - 3.4.1
.gitignore | 1 +
rabbitmq-server.spec | 5 ++++-
sources | 2 +-
3 files changed, 6 insertions(+), 2 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index 3beb6d4..e9a0b32 100644
--- a/.gitignore
+++ b/.gitignore
@@ -14,3 +14,4 @@ rabbitmq-server-1.8.0.tar.gz
/rabbitmq-server-3.1.5.tar.gz
/rabbitmq-server-3.3.5.tar.gz
/rabbitmq-server-3.4.0.tar.gz
+/rabbitmq-server-3.4.1.tar.gz
diff --git a/rabbitmq-server.spec b/rabbitmq-server.spec
index 7c5c8b7..340dfc1 100644
--- a/rabbitmq-server.spec
+++ b/rabbitmq-server.spec
@@ -2,7 +2,7 @@
Name: rabbitmq-server
-Version: 3.4.0
+Version: 3.4.1
Release: 1%{?dist}
License: MPLv1.1
Group: Development/Libraries
@@ -207,6 +207,9 @@ done
rm -rf %{buildroot}
%changelog
+* Wed Oct 29 2014 John Eckersberg <eck(a)redhat.com> - 3.4.1-1
+- New upstream release - 3.4.1
+
* Wed Oct 22 2014 John Eckersberg <eck(a)redhat.com> - 3.4.0-1
- New upstream release - 3.4.0
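Review bot: The added %changelog entry says only "New upstream release - 3.4.1", so someone reading the package changelog cannot tell whether this bump carries security or bug fixes. Consider adding a line that summarises the relevant upstream changes or points to the upstream release notes. The entry is also signed eck(a)redhat.com while the commit Author is jeckersb(a)redhat.com; it matches the previous entry, but it is worth confirming which address is intended.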
diff --git a/sources b/sources
index f9760af..12aec60 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-eb095bf222a3a2361b92e36894795b42 rabbitmq-server-3.4.0.tar.gz
+c8209152c9dacec5eee5d1f05e322d7a rabbitmq-server-3.4.1.tar.gz
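Review bot: On the `+` line, rabbitmq-server-3.4.1.tar.gz is pinned only by a 32-hex-digit digest (MD5 length), and nothing in the commit records that the tarball was checked against an upstream signature or a stronger hash. MD5 does not resist deliberate collisions, so I would verify the download against upstream's published signature or a SHA-256 before uploading it and note that check in the commit message.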