https://bugzilla.redhat.com/show_bug.cgi?id=1036280
Bug ID: 1036280
Summary: selinux alerts about rabbitmq server ("access on the
tcp_socket")
Product: Fedora
Version: 20
Component: rabbitmq-server
Assignee: hubert.plociniczak(a)gmail.com
Reporter: pavel.nedr(a)gmail.com
QA Contact: extras-qa(a)fedoraproject.org
CC: erlang(a)lists.fedoraproject.org,
hubert.plociniczak(a)gmail.com, lemenkov(a)gmail.com
Description of problem:
I've seen flood in journalctl from SEalert about that error.
It begins from startup of the system (rabbitmq is enabled in systemctl)
There is a lot of error messages. They causes "audispd[643]: queue is full -
dropping event" error :)
rabbitmq-server
noarch
3.1.5
1.fc20
$ sudo sealert -l 82db9030-74db-4e60-97ab-6aef447e582d
SELinux is preventing /usr/lib64/erlang/erts-5.10.3/bin/beam.smp from name_bind
access on the tcp_socket .
***** Plugin bind_ports (92.2 confidence) suggests ************************
If you want to allow /usr/lib64/erlang/erts-5.10.3/bin/beam.smp to bind to
network port 10097
Then you need to modify the port type.
Do
# semanage port -a -t PORT_TYPE -p tcp 10097
где PORT_TYPE может принимать значения: amqp_port_t, couchdb_port_t,
jabber_client_port_t, jabber_interserver_port_t.
***** Plugin catchall_boolean (7.83 confidence) suggests ******************
If вы хотите выполнить следующее: разрешить NIS
Then you must tell SELinux about this by enabling the 'nis_enabled' boolean.
Дополнительная документация на 'None' ман странице.
Do
setsebool -P nis_enabled 1
***** Plugin catchall (1.41 confidence) suggests **************************
If вы считаете, что beam.smp следует разрешить доступ name_bind к tcp_socket
по умолчанию.
Then рекомендуется создать отчет об ошибке.
Чтобы разрешить доступ, можно создать локальный модуль политики.
Do
чтобы разрешить доступ, выполните:
# grep beam.smp /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:rabbitmq_beam_t:s0
Target Context system_u:object_r:unreserved_port_t:s0
Target Objects [ tcp_socket ]
Source beam.smp
Source Path /usr/lib64/erlang/erts-5.10.3/bin/beam.smp
Port 10097
Host bb.lan
Source RPM Packages erlang-erts-R16B-02.7.fc20.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.12.1-105.fc20.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name bb.lan
Platform Linux bb.lan 3.11.9-300.fc20.x86_64 #1 SMP Wed
Nov
20 22:23:25 UTC 2013 x86_64 x86_64
Alert Count 85
First Seen 2013-11-29 23:40:14 MSK
Last Seen 2013-11-30 15:01:23 MSK
Local ID 82db9030-74db-4e60-97ab-6aef447e582d
Raw Audit Messages
type=AVC msg=audit(1385809283.320:612): avc: denied { name_bind } for
pid=1897 comm="beam.smp" src=10097
scontext=system_u:system_r:rabbitmq_beam_t:s0
tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1385809283.320:612): arch=x86_64 syscall=bind success=no
exit=EACCES a0=12 a1=7fac88cfb900 a2=1c a3=a items=0 ppid=1 pid=1897
auid=4294967295 uid=989 gid=984 euid=989 suid=989 fsuid=989 egid=984 sgid=984
fsgid=984 ses=4294967295 tty=(none) comm=beam.smp
exe=/usr/lib64/erlang/erts-5.10.3/bin/beam.smp
subj=system_u:system_r:rabbitmq_beam_t:s0 key=(null)
Hash: beam.smp,rabbitmq_beam_t,unreserved_port_t,tcp_socket,name_bind
--
You are receiving this mail because:
You are on the CC list for the bug.