https://bugzilla.redhat.com/show_bug.cgi?id=1036280
Bug ID: 1036280
Summary: selinux alerts about rabbitmq server ("access on the
tcp_socket")
Product: Fedora
Version: 20
Component: rabbitmq-server
Assignee: hubert.plociniczak(a)gmail.com
Reporter: pavel.nedr(a)gmail.com
QA Contact: extras-qa(a)fedoraproject.org
CC: erlang(a)lists.fedoraproject.org,
hubert.plociniczak(a)gmail.com, lemenkov(a)gmail.com
Description of problem:
I've seen a flood in journalctl from SEalert about that error.
It begins from startup of the system (rabbitmq is enabled in systemctl).
There are a lot of error messages. They cause the "audispd[643]: queue is full -
dropping event" error :)
rabbitmq-server-3.1.5-1.fc20.noarch
$ sudo sealert -l 82db9030-74db-4e60-97ab-6aef447e582d
SELinux is preventing /usr/lib64/erlang/erts-5.10.3/bin/beam.smp from name_bind
access on the tcp_socket .
***** Plugin bind_ports (92.2 confidence) suggests ************************
If you want to allow /usr/lib64/erlang/erts-5.10.3/bin/beam.smp to bind to
network port 10097
Then you need to modify the port type.
Do
# semanage port -a -t PORT_TYPE -p tcp 10097
where PORT_TYPE is one of: amqp_port_t, couchdb_port_t,
jabber_client_port_t, jabber_interserver_port_t.
***** Plugin catchall_boolean (7.83 confidence) suggests ******************
If you want to allow NIS
Then you must tell SELinux about this by enabling the 'nis_enabled' boolean.
Additional documentation is on the 'None' man page.
Do
setsebool -P nis_enabled 1
***** Plugin catchall (1.41 confidence) suggests **************************
If you believe that beam.smp should be allowed name_bind access to tcp_socket
by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
to allow this access, run:
# grep beam.smp /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:rabbitmq_beam_t:s0
Target Context system_u:object_r:unreserved_port_t:s0
Target Objects [ tcp_socket ]
Source beam.smp
Source Path /usr/lib64/erlang/erts-5.10.3/bin/beam.smp
Port 10097
Host bb.lan
Source RPM Packages erlang-erts-R16B-02.7.fc20.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.12.1-105.fc20.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name bb.lan
Platform Linux bb.lan 3.11.9-300.fc20.x86_64 #1 SMP Wed Nov 20 22:23:25 UTC 2013 x86_64 x86_64
Alert Count 85
First Seen 2013-11-29 23:40:14 MSK
Last Seen 2013-11-30 15:01:23 MSK
Local ID 82db9030-74db-4e60-97ab-6aef447e582d
Raw Audit Messages
type=AVC msg=audit(1385809283.320:612): avc: denied { name_bind } for
pid=1897 comm="beam.smp" src=10097
scontext=system_u:system_r:rabbitmq_beam_t:s0
tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1385809283.320:612): arch=x86_64 syscall=bind success=no
exit=EACCES a0=12 a1=7fac88cfb900 a2=1c a3=a items=0 ppid=1 pid=1897
auid=4294967295 uid=989 gid=984 euid=989 suid=989 fsuid=989 egid=984 sgid=984
fsgid=984 ses=4294967295 tty=(none) comm=beam.smp
exe=/usr/lib64/erlang/erts-5.10.3/bin/beam.smp
subj=system_u:system_r:rabbitmq_beam_t:s0 key=(null)
Hash: beam.smp,rabbitmq_beam_t,unreserved_port_t,tcp_socket,name_bind
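The two fixes the sealert plugins offer differ in scope. The bind_ports suggestion labels one port (10097) with a type rabbitmq_beam_t may already bind, whereas the catchall's `grep beam.smp | audit2allow` turns every logged denial into an allow rule; given the tcontext in the raw AVC above, that rule would grant name_bind on the whole unreserved_port_t range, not just this port. The script below is an added example, not part of the bug report or of the rabbitmq-server package: it parses AVC name_bind denials from audit-log lines, groups them by SELinux source domain, and emits the per-port `semanage port` commands for one chosen domain and port type. The three audit lines are constructed for the example (the first is modelled on the AVC in this report; the other two, a second beam.smp port and an sshd denial, are assumptions added to show filtering); amqp_port_t is taken from the plugin suggestion above.

```shell
#!/bin/sh
# Added example: turn AVC name_bind denials into scoped semanage commands.

# Constructed sample audit lines (not from the reporter's system).
avc_sample() {
  cat <<'EOF'
type=AVC msg=audit(1385809283.320:612): avc: denied { name_bind } for pid=1897 comm="beam.smp" src=10097 scontext=system_u:system_r:rabbitmq_beam_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1385809290.100:620): avc: denied { name_bind } for pid=1897 comm="beam.smp" src=10098 scontext=system_u:system_r:rabbitmq_beam_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1385809300.000:630): avc: denied { name_bind } for pid=2000 comm="sshd" src=2222 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
EOF
}

# Read audit lines on stdin; print "domain port proto" for every name_bind
# denial, deduplicated. The domain is the type field of scontext.
name_bind_denials() {
  awk '/avc: denied/ && /name_bind/ {
      port = ""; dom = ""; cls = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^src=/)      port = substr($i, 5)
        if ($i ~ /^scontext=/) { split(substr($i, 10), c, ":"); dom = c[3] }
        if ($i ~ /^tclass=/)   cls = substr($i, 8)
      }
      proto = (cls == "udp_socket") ? "udp" : "tcp"
      print dom, port, proto
  }' | sort -u
}

# Emit the bind_ports-style fix for ONE source domain only, so a denial from
# some other process (sshd in the sample) never ends up in the command list.
# Usage: semanage_commands <source_domain> <port_type> < audit.log
semanage_commands() {
  domain="$1"; port_type="$2"
  name_bind_denials | awk -v d="$domain" -v t="$port_type" '$1 == d {
      printf "semanage port -a -t %s -p %s %s\n", t, $3, $2 }'
}

# Stand-alone run: review the output before executing any of it as root.
avc_sample | semanage_commands rabbitmq_beam_t amqp_port_t
```

Run against the real log with `semanage_commands rabbitmq_beam_t amqp_port_t < /var/log/audit/audit.log` and execute the printed lines as root only after checking that every port belongs to RabbitMQ; `semanage port -l | grep amqp` afterwards confirms the labels took. If a new port shows up on every restart, per-port labelling will not converge and the domain's policy itself (the catchall's "report a bug" path) is the right fix.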