https://bugzilla.redhat.com/show_bug.cgi?id=1357510
Bug ID: 1357510
Summary: Erlang Port Mapper Daemon Activation Socket fails to start
Product: Fedora
Version: 24
Component: erlang
Assignee: lemenkov@gmail.com
Reporter: zboszor@pr.hu
QA Contact: extras-qa@fedoraproject.org
CC: erlang@lists.fedoraproject.org, jeckersb@redhat.com, lemenkov@gmail.com, rhbugs@n-dimensional.de, s@shk.io
External Bug ID: Red Hat Bugzilla 1293128

Description of problem:
I was trying to enable SSL in rabbitmq-server but it requires epmd to run. SELinux prevents epmd from starting.
Version-Release number of selected component (if applicable):
erlang-18.3.4-1.fc24.x86_64
erlang-erts-18.3.4-1.fc24.x86_64
selinux-policy-targeted-3.13.1-191.fc24.3.noarch
How reproducible:
Always.
Steps to Reproduce:
1. dnf install rabbitmq-server
2. systemctl enable epmd.socket epmd.service rabbitmq-server
3. configure SSL options in /etc/rabbitmq/rabbitmq.config
4. reboot
Actual results:
epmd.service has a dependency on epmd.socket but it cannot be activated:
audit[1]: AVC avc: denied { create } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=tcp_socket permissive=0
There is no setsebool toggle to allow systemd to open TCP sockets.
Expected results:
EPMD daemon should be able to start without socket activation.
Additional info:
After changing epmd.service to not require systemd socket activation with the patch below, #1293128 occurs:
audit[7686]: AVC avc: denied { name_connect } for pid=7686 comm="epmd" dest=4369 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:epmd_port_t:s0 tclass=tcp_socket permissive=0
The patch is:
--- epmd.service.orig 2016-07-18 13:55:26.584086294 +0200 +++ epmd.service 2016-07-18 13:57:40.336416375 +0200 @@ -1,11 +1,11 @@ [Unit] Description=Erlang Port Mapper Daemon After=network.target -Requires=epmd.socket +#Requires=epmd.socket
[Service] -ExecStart=/usr/bin/epmd -systemd -#ExecStop=/usr/bin/epmd -kill +ExecStart=/usr/bin/epmd -daemon +ExecStop=/usr/bin/epmd -kill Type=notify StandardOutput=journal StandardError=journal
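Review bot: Type=notify is left unchanged in [Service] while ExecStart switches from "epmd -systemd" to "epmd -daemon". With Type=notify, systemd waits for a readiness notification from the service, and -daemon makes epmd detach into the background, so please confirm that epmd still sends that notification in this mode; if it does not, Type=forking matches the new ExecStart. In [Unit], "Requires=epmd.socket" is commented out rather than removed; if the unit is meant to run without socket activation, delete the line or add a comment saying why it is disabled, since epmd.socket can still be enabled separately and would then compete with the daemon for port 4369.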