https://bugzilla.redhat.com/show_bug.cgi?id=1036280
Bug ID: 1036280
Summary: selinux alerts about rabbitmq server ("access on the tcp_socket")
Product: Fedora
Version: 20
Component: rabbitmq-server
Assignee: hubert.plociniczak@gmail.com
Reporter: pavel.nedr@gmail.com
QA Contact: extras-qa@fedoraproject.org
CC: erlang@lists.fedoraproject.org, hubert.plociniczak@gmail.com, lemenkov@gmail.com
Description of problem: I've seen a flood in journalctl from SEalert about that error.
It begins at startup of the system (rabbitmq is enabled in systemctl).
There are a lot of error messages. They cause the "audispd[643]: queue is full - dropping event" error :)
rabbitmq-server noarch 3.1.5 1.fc20
$ sudo sealert -l 82db9030-74db-4e60-97ab-6aef447e582d
SELinux is preventing /usr/lib64/erlang/erts-5.10.3/bin/beam.smp from name_bind access on the tcp_socket .
***** Plugin bind_ports (92.2 confidence) suggests ************************
If you want to allow /usr/lib64/erlang/erts-5.10.3/bin/beam.smp to bind to network port 10097 Then you need to modify the port type. Do # semanage port -a -t PORT_TYPE -p tcp 10097 где PORT_TYPE может принимать значения: amqp_port_t, couchdb_port_t, jabber_client_port_t, jabber_interserver_port_t.
***** Plugin catchall_boolean (7.83 confidence) suggests ******************
If вы хотите выполнить следующее: разрешить NIS Then you must tell SELinux about this by enabling the 'nis_enabled' boolean. Дополнительная документация на 'None' ман странице. Do setsebool -P nis_enabled 1
***** Plugin catchall (1.41 confidence) suggests **************************
If вы считаете, что beam.smp следует разрешить доступ name_bind к tcp_socket по умолчанию. Then рекомендуется создать отчет об ошибке. Чтобы разрешить доступ, можно создать локальный модуль политики. Do чтобы разрешить доступ, выполните: # grep beam.smp /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp
Additional Information:
Source Context: system_u:system_r:rabbitmq_beam_t:s0
Target Context: system_u:object_r:unreserved_port_t:s0
Target Objects: [ tcp_socket ]
Source: beam.smp
Source Path: /usr/lib64/erlang/erts-5.10.3/bin/beam.smp
Port: 10097
Host: bb.lan
Source RPM Packages: erlang-erts-R16B-02.7.fc20.x86_64
Target RPM Packages:
Policy RPM: selinux-policy-3.12.1-105.fc20.noarch
Selinux Enabled: True
Policy Type: targeted
Enforcing Mode: Enforcing
Host Name: bb.lan
Platform: Linux bb.lan 3.11.9-300.fc20.x86_64 #1 SMP Wed Nov 20 22:23:25 UTC 2013 x86_64 x86_64
Alert Count: 85
First Seen: 2013-11-29 23:40:14 MSK
Last Seen: 2013-11-30 15:01:23 MSK
Local ID: 82db9030-74db-4e60-97ab-6aef447e582d
Raw Audit Messages type=AVC msg=audit(1385809283.320:612): avc: denied { name_bind } for pid=1897 comm="beam.smp" src=10097 scontext=system_u:system_r:rabbitmq_beam_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1385809283.320:612): arch=x86_64 syscall=bind success=no exit=EACCES a0=12 a1=7fac88cfb900 a2=1c a3=a items=0 ppid=1 pid=1897 auid=4294967295 uid=989 gid=984 euid=989 suid=989 fsuid=989 egid=984 sgid=984 fsgid=984 ses=4294967295 tty=(none) comm=beam.smp exe=/usr/lib64/erlang/erts-5.10.3/bin/beam.smp subj=system_u:system_r:rabbitmq_beam_t:s0 key=(null)
Hash: beam.smp,rabbitmq_beam_t,unreserved_port_t,tcp_socket,name_bind
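As an added example (not part of the bug report), a small shell helper that reads the raw AVC record quoted above and derives the narrowest fix: label only the denied port rather than building an audit2allow module that would grant rabbitmq_beam_t name_bind on every unreserved port. The PORT_TYPE amqp_port_t is an assumption taken from the sealert candidate list; the AVC line is the one from the report, embedded here as a constructed sample.

```shell
#!/bin/sh
# Constructed sample: the AVC record from the sealert output above (one event).
AVC_SAMPLE='type=AVC msg=audit(1385809283.320:612): avc: denied { name_bind } for pid=1897 comm="beam.smp" src=10097 scontext=system_u:system_r:rabbitmq_beam_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket'

# Print the value of one key=value field of an audit record ($1 = record, $2 = key).
# Values may be double-quoted (comm="beam.smp") or bare (src=10097).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# Print the SELinux type (third field) of a user:role:type:level context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Decide the least-privilege remedy for one AVC record.
# A name_bind denial on a tcp_socket whose target is unreserved_port_t is a port
# labelling problem: relabel that single port to the service's port type
# ($2, assumed amqp_port_t by default) instead of widening the domain's policy.
# Anything else is reported for manual review (audit2allow -w explains the denial).
suggest_fix() {
    rec=$1
    port_type=${2:-amqp_port_t}
    perm=$(printf '%s\n' "$rec" | sed -n 's/.*denied { \([a-z_]*\) }.*/\1/p')
    tclass=$(avc_field "$rec" tclass)
    port=$(avc_field "$rec" src)
    ttype=$(ctx_type "$(avc_field "$rec" tcontext)")
    if [ "$perm" = name_bind ] && [ "$tclass" = tcp_socket ] && [ "$ttype" = unreserved_port_t ]; then
        printf 'semanage port -a -t %s -p tcp %s\n' "$port_type" "$port"
    else
        printf 'no port-label fix: %s on %s (%s); review with audit2allow -w\n' "$perm" "$tclass" "$ttype"
    fi
}

suggest_fix "$AVC_SAMPLE"
```

Run it against `grep beam.smp /var/log/audit/audit.log` line by line to see which denials are port-label problems before reaching for audit2allow.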
Fedora Admin XMLRPC Client fedora-admin-xmlrpc@redhat.com changed:
What | Removed | Added
Assignee | hubert.plociniczak@gmail.com | lemenkov@gmail.com
--- Comment #1 from Fedora Admin XMLRPC Client fedora-admin-xmlrpc@redhat.com --- This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.
John Eckersberg jeckersb@redhat.com changed:
What | Removed | Added
Status | NEW | CLOSED
CC | | jeckersb@redhat.com
Resolution | --- | DUPLICATE
Last Closed | | 2014-11-05 14:10:09
--- Comment #2 from John Eckersberg jeckersb@redhat.com ---
*** This bug has been marked as a duplicate of bug 998682 ***