10:57 a.m.
https://bugzilla.redhat.com/show_bug.cgi?id=1424823
Bug ID: 1424823
Summary: ejabberd won't start with SELinux enforcing on Rawhide
Product: Fedora
Version: rawhide
Component: ejabberd
Severity: high
Assignee: lemenkov(a)gmail.com
Reporter: randy(a)electronsweatshop.com
QA Contact: extras-qa(a)fedoraproject.org
CC: erlang(a)lists.fedoraproject.org, jeremy(a)jcline.org,
lemenkov(a)gmail.com, martin(a)laptop.org,
randy(a)electronsweatshop.com
Description of problem:
ejabberd won't start with SELinux enforcing on Rawhide.
Version-Release number of selected component (if applicable):
ejabberd-17.01-1.fc26.x86_64
How reproducible:
Every time.
Steps to Reproduce:
1. sudo systemctl start ejabberd
2. ps aux | grep ejabberd
Actual results:
$ ps aux | grep ejab
ejabberd 10600 0.0 0.0 37184 260 ? S 11:52 0:00
/usr/lib64/erlang/erts-8.2.2/bin/epmd -daemon
rbarlow 10790 0.0 0.0 119424 968 pts/3 S+ 11:52 0:00 grep
--color=auto ejab
Expected results:
$ ps aux | grep ejab
ejabberd 11110 0.0 0.0 37184 264 ? S 11:53 0:00
/usr/lib64/erlang/erts-8.2.2/bin/epmd -daemon
ejabberd 11112 156 1.1 3189700 56260 ? Sl 11:53 0:03
/usr/lib64/erlang/erts-8.2.2/bin/beam.smp -K true -P250000 -- -root
/usr/lib64/erlang -progname erl -- -home /var/lib/ejabberd -- -sname
ejabberd@localhost -noshell -noinput -noshell -noinput -mnesia dir
"/var/lib/ejabberd" -ejabberd log_rate_limit 100 log_rotate_size 10485760
log_rotate_count 1 log_rotate_date "" -s ejabberd -smp auto start
ejabberd 11130 0.0 0.0 4392 716 ? Ss 11:53 0:00
erl_child_setup 16000
ejabberd 11176 0.0 0.0 11700 1060 ? Ss 11:53 0:00 inet_gethost 4
ejabberd 11177 0.0 0.0 18040 1764 ? S 11:53 0:00 inet_gethost 4
rbarlow 11179 0.0 0.0 119424 980 pts/3 S+ 11:53 0:00 grep
--color=auto ejab
Additional info:
This is a good opportunity to write an SELinux policy for ejabberd. If we do
this, we can stop running it with /usr/bin/bash in the systemd unit.
--
You are receiving this mail because:
You are on the CC list for the bug.
12:20 p.m.
New subject: [Bug 1424823] ejabberd won't start with SELinux enforcing on Rawhide
https://bugzilla.redhat.com/show_bug.cgi?id=1424823
Randy Barlow <randy(a)electronsweatshop.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |ASSIGNED
Assignee|lemenkov(a)gmail.com |randy(a)electronsweatshop.com
--
You are receiving this mail because:
You are on the CC list for the bug.
1:14 p.m.
New subject: [Bug 1424823] ejabberd won't start with SELinux enforcing on Rawhide
https://bugzilla.redhat.com/show_bug.cgi?id=1424823
--- Comment #2 from Randy Barlow <randy(a)electronsweatshop.com> ---
# audit2allow -b
#============= init_t ==============
allow init_t epmd_port_t:tcp_socket name_connect;
#!!!! WARNING: 'etc_t' is a base type.
allow init_t etc_t:file write;
allow init_t jabber_interserver_port_t:tcp_socket name_connect;
allow init_t mtrr_device_t:file mounton;
allow init_t rabbitmq_exec_t:file ioctl;
allow init_t rabbitmq_var_lib_t:dir { add_name read remove_name write };
allow init_t rabbitmq_var_lib_t:file { create getattr open read rename unlink
write };
allow init_t rabbitmq_var_log_t:dir { add_name read write };
allow init_t rabbitmq_var_log_t:file { append create getattr open read write };
--
You are receiving this mail because:
You are on the CC list for the bug.
1:22 p.m.
New subject: [Bug 1424823] ejabberd won't start with SELinux enforcing on Rawhide
https://bugzilla.redhat.com/show_bug.cgi?id=1424823
Randy Barlow <randy(a)electronsweatshop.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Depends On| |1429126
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1429126
[Bug 1429126] The SELinux policy is matching ejabberdctl as rabbitmq_t and
doesn't work
--
You are receiving this mail because:
You are on the CC list for the bug.
9:09 a.m.
New subject: [Bug 1424823] ejabberd won't start with SELinux enforcing on Rawhide
https://bugzilla.redhat.com/show_bug.cgi?id=1424823
--- Comment #3 from Randy Barlow <randy(a)electronsweatshop.com> ---
As noted in https://bugzilla.redhat.com/show_bug.cgi?id=1429126, I have written
a new SELinux policy and submitted it to the fedora selinux-policy-contrib
module:
https://github.com/fedora-selinux/selinux-policy-contrib/pull/8
https://github.com/fedora-selinux/selinux-policy-contrib/pull/7
Once that is accepted, merged, and released into Fedora 26+, we will also need
to adjust a few things on the ejabberd side to be compliant.
For one, I wasn't able to get ejabberd working with policykit and SELinux
enforcing, so I may drop the policy kit patch. It would fail with this error
message:
ejabberdctl[22397]: Refusing to render service to dead parents.
Secondly, we no longer need to use /bin/bash to launch ejabberdctl in the unit
file, and we also cannot use PrivateDevices=true because that will prevent the
domain transition from being allowed.
Because we have to wait on the pull requests, I'm going to attach a git diff of
what I have in my checkout right now here. This git diff isn't quite what we'll
want, because it makes an ejabberd-selinux subpackage (which I used for testing
purposes while developing the policy), but it has some of the changes we'll
need.
--
You are receiving this mail because:
You are on the CC list for the bug.
9:11 a.m.
New subject: [Bug 1424823] ejabberd won't start with SELinux enforcing on Rawhide
https://bugzilla.redhat.com/show_bug.cgi?id=1424823
--- Comment #4 from Randy Barlow <randy(a)electronsweatshop.com> ---
Created attachment 1268991
--> https://bugzilla.redhat.com/attachment.cgi?id=1268991&action=edit
selinux.patch
--
You are receiving this mail because:
You are on the CC list for the bug.
9:25 a.m.
New subject: [Bug 1424823] ejabberd won't start with SELinux enforcing on Rawhide
https://bugzilla.redhat.com/show_bug.cgi?id=1424823
--- Comment #5 from Jonas Sell <redhat(a)johnassel.de> ---
Is this still a thing or is this fixed?
I'm still getting this in my audit.log when trying to start ejabberd:
type=AVC msg=audit(1505917132.313:368): avc: denied { read } for pid=2567
comm="async_2" name="ejabberd" dev="sda3" ino=3147866
scontext=system_u:system_r:init_t:s0
tcontext=system_u:object_r:ejabberd_var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1505917132.315:369): avc: denied { write } for pid=2567
comm="async_2" name="ejabberd" dev="sda3" ino=3147866
scontext=system_u:system_r:init_t:s0
tcontext=system_u:object_r:ejabberd_var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1505917132.417:370): avc: denied { read } for pid=2567
comm="async_7" name=".erlang.cookie" dev="sda3" ino=3146320
scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:admin_home_t:s0
tclass=file permissive=0
type=AVC msg=audit(1505917132.419:371): avc: denied { read } for pid=2567
comm="async_8" name=".erlang.cookie" dev="sda3" ino=3146320
scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:admin_home_t:s0
tclass=file permissive=0
type=AVC msg=audit(1505917132.935:372): avc: denied { write } for pid=2567
comm="1_scheduler" name="ejabberd" dev="sda3" ino=4982432
scontext=system_u:system_r:init_t:s0
tcontext=system_u:object_r:ejabberd_var_log_t:s0 tclass=dir permissive=0
Is this a problem of this bug or something else? Then I'll open another bug.
--
You are receiving this mail because:
You are on the CC list for the bug.
10:16 a.m.
New subject: [Bug 1424823] ejabberd won't start with SELinux enforcing on Rawhide
https://bugzilla.redhat.com/show_bug.cgi?id=1424823
--- Comment #6 from Randy Barlow <randy(a)electronsweatshop.com> ---
Hi Jonas!
I don't know a way to know if my pull requests have made it into Fedora 26 yet,
but I suppose we can try to do the remaining work that is needed now. A patch
for the ejabberd package is needed so that it runs as ejabberd_t instead of as
init_t. I assume you are on F26, F27, or F28? F25 didn't have any SELinux
issues I am aware of, since init_t was more permissive in that release (unless
that has changed - I run my ejabberd server on F26 so that is the one I'm most
familiar with).
--
You are receiving this mail because:
You are on the CC list for the bug.
10:19 a.m.
New subject: [Bug 1424823] ejabberd won't start with SELinux enforcing on Rawhide
https://bugzilla.redhat.com/show_bug.cgi?id=1424823
--- Comment #7 from Jonas Sell <redhat(a)johnassel.de> ---
Yes, it is F26. On F25 it worked here, too. How did you get it working on F26
without disabling SELinux?
--
You are receiving this mail because:
You are on the CC list for the bug.
10:33 a.m.
New subject: [Bug 1424823] ejabberd won't start with SELinux enforcing on Rawhide
https://bugzilla.redhat.com/show_bug.cgi?id=1424823
--- Comment #8 from Randy Barlow <randy(a)electronsweatshop.com> ---
I've got my server manually patched with parts of the patch I attached[0] on
this ticket, as well as a manually installed version of the selinux policies.
Assuming my selinux patches have been released to F26 (which again, I don't
know how to verify other than just trying it?), there are two things you can do
manually that I think will get you running:
0) Edit the service file (/usr/lib/systemd/system/ejabberd.service) to do what
I did in the patch[0]. This will get ejabberd to run as ejabberd_t instead of
init_t, since it won't launch as bash anymore.
1) Unapply the policykit patch to /usr/bin/ejabberdctl, which basically means
changing the shebang line back to /usr/bin/bash. I wasn't able to get ejabberd
working with polkit *and* SELinux. I am on the fence about the value of
policykit for ejabberd anyway, when you can use sudo to grant access to users.
Hopefully I will find some non-dayjob time soon to do the above to the real
package so we can be back in business. I also need to finish updating ejabberd
to the newer release in rawhide...
[0] https://bugzilla.redhat.com/attachment.cgi?id=1268991&action=diff
[1]
https://src.fedoraproject.org/rpms/ejabberd/blob/master/f/ejabberd-0002-E...
--
You are receiving this mail because:
You are on the CC list for the bug.
10:44 a.m.
New subject: [Bug 1424823] ejabberd won't start with SELinux enforcing on Rawhide
https://bugzilla.redhat.com/show_bug.cgi?id=1424823
--- Comment #9 from Jonas Sell <redhat(a)johnassel.de> ---
It doesn't seem as if the patches are included - I tried the two steps you
described and ejabberd still doesn't start here, messages in audit.log are the
same. When I've time I might try to manually install SELinux policies.
--
You are receiving this mail because:
You are on the CC list for the bug.
12:38 p.m.
New subject: [Bug 1424823] ejabberd won't start with SELinux enforcing on Rawhide
https://bugzilla.redhat.com/show_bug.cgi?id=1424823
--- Comment #10 from Randy Barlow <randy(a)electronsweatshop.com> ---
That's disappointing news. I actually did think of a good test you can try to
be sure. If you have the policy I wrote, you should see something like this:
$ sudo semodule -l | grep ejabberd
ejabberd
If you don't see any output, we need to see if we can get the selinux-policy
maintainers to release my patches for F26. I've also considered pulling those
policies out of the selinux package and providing my own package, but the
problem is that ejabberd gets matched by the rabbitmq policy unless my patch is
in there so I can't do that on my own either.
--
You are receiving this mail because:
You are on the CC list for the bug.
12:01 a.m.
New subject: [Bug 1424823] ejabberd won't start with SELinux enforcing on Rawhide
https://bugzilla.redhat.com/show_bug.cgi?id=1424823
--- Comment #11 from Jonas Sell <redhat(a)johnassel.de> ---
Strange. When issuing the command I get the correct output. Is it possible to
see which rules are applied in the ejabbered policy? Or maybe I'm facing an
other problem eg. wrong labeled filesystem. It was an upgrade from F25 where
everything went fine.
--
You are receiving this mail because:
You are on the CC list for the bug.
12:25 p.m.
New subject: [Bug 1424823] ejabberd won't start with SELinux enforcing on Rawhide
https://bugzilla.redhat.com/show_bug.cgi?id=1424823
--- Comment #12 from Randy Barlow <randy(a)electronsweatshop.com> ---
Jonas,
I forgot to tell you a step that would matter - after you edit the systemd unit
file, you need to tell systemd to reload the daemon:
$ sudo systemctl daemon-reload
Alternatively, you can reboot.
If you do that, does it help?
--
You are receiving this mail because:
You are on the CC list for the bug.
2:59 p.m.
New subject: [Bug 1424823] ejabberd won't start with SELinux enforcing on Rawhide
https://bugzilla.redhat.com/show_bug.cgi?id=1424823
--- Comment #13 from Jonas Sell <redhat(a)johnassel.de> ---
Yes, I did that. That was the first thing systemd suggested after editing the
files. Unfortunately it didn't help.
--
You are receiving this mail because:
You are on the CC list for the bug.
3:32 p.m.
New subject: [Bug 1424823] ejabberd won't start with SELinux enforcing on Rawhide
https://bugzilla.redhat.com/show_bug.cgi?id=1424823
--- Comment #14 from Jonas Sell <redhat(a)johnassel.de> ---
Now I got it running! The problem was the ejabberd_http module which is still
blocked by SELinux (by preventing opening port 5281). This showed up in
ejabberd's crash. log:
@ejabberd_listener:socket_error:580 Failed to open socket:
{5281,ejabberd_http,[inet,{ip,{0,0,0,0}}]}
Reason: permission denied
After disabling ejabberd_http in ejabberd.yml ejabberd started again. Ok, maybe
I can get a workaround for this tomorrow.
--
You are receiving this mail because:
You are on the CC list for the bug.
4:07 p.m.
New subject: [Bug 1424823] ejabberd won't start with SELinux enforcing on Rawhide
https://bugzilla.redhat.com/show_bug.cgi?id=1424823
--- Comment #15 from Randy Barlow <randy(a)electronsweatshop.com> ---
Oh fantastic! Perhaps we just need the policy to allow port 5281.
--
You are receiving this mail because:
You are on the CC list for the bug.
12:24 a.m.
New subject: [Bug 1424823] ejabberd won't start with SELinux enforcing on Rawhide
https://bugzilla.redhat.com/show_bug.cgi?id=1424823
--- Comment #16 from Jonas Sell <redhat(a)johnassel.de> ---
Yes, we need that. I added it manually with
semanage port -a -t jabber_client_port_t -p tcp 5281
After that ejabberd works with ejabberd_http! Not sure how to create a rule for
selinux-policy though.
--
You are receiving this mail because:
You are on the CC list for the bug.
12:13 p.m.
New subject: [Bug 1424823] ejabberd won't start with SELinux enforcing on Rawhide
https://bugzilla.redhat.com/show_bug.cgi?id=1424823
--- Comment #17 from Randy Barlow <randy(a)electronsweatshop.com> ---
Hi Jonas!
I'm going to use this ticket to track the work I need to do to get ejabberd
running under the correct SELinux context. I've filed a new issue for you about
port 5281, against the selinux-policy-targeted package:
https://bugzilla.redhat.com/show_bug.cgi?id=1494854
--
You are receiving this mail because:
You are on the CC list for the bug.
12:17 p.m.
New subject: [Bug 1424823] ejabberd won't start with SELinux enforcing on Rawhide
https://bugzilla.redhat.com/show_bug.cgi?id=1424823
Randy Barlow <randy(a)electronsweatshop.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|ASSIGNED |MODIFIED
Fixed In Version| |ejabberd-17.01-5.fc28
--
You are receiving this mail because:
You are on the CC list for the bug.
12:17 p.m.
New subject: [Bug 1424823] ejabberd won't start with SELinux enforcing on Rawhide
https://bugzilla.redhat.com/show_bug.cgi?id=1424823
--- Comment #18 from Fedora Update System <updates(a)fedoraproject.org> ---
ejabberd-17.01-3.fc26 has been submitted as an update to Fedora 26.
https://bodhi.fedoraproject.org/updates/FEDORA-2017-55b5527f23
--
You are receiving this mail because:
You are on the CC list for the bug.
12:19 p.m.
New subject: [Bug 1424823] ejabberd won't start with SELinux enforcing on Rawhide
https://bugzilla.redhat.com/show_bug.cgi?id=1424823
--- Comment #19 from Fedora Update System <updates(a)fedoraproject.org> ---
ejabberd-17.01-5.fc27 has been submitted as an update to Fedora 27.
https://bodhi.fedoraproject.org/updates/FEDORA-2017-213b09d56d
--
You are receiving this mail because:
You are on the CC list for the bug.
3:04 p.m.
New subject: [Bug 1424823] ejabberd won't start with SELinux enforcing on F26+
https://bugzilla.redhat.com/show_bug.cgi?id=1424823
Randy Barlow <randy(a)electronsweatshop.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Summary|ejabberd won't start with |ejabberd won't start with
|SELinux enforcing on |SELinux enforcing on F26+
|Rawhide |
--
You are receiving this mail because:
You are on the CC list for the bug.
6:50 p.m.
New subject: [Bug 1424823] ejabberd won't start with SELinux enforcing on F26+
https://bugzilla.redhat.com/show_bug.cgi?id=1424823
Jason Spangler <jasons(a)wumple.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |jasons(a)wumple.com
--- Comment #20 from Jason Spangler <jasons(a)wumple.com> ---
Possibly related to this issue, even though I have SELinux disabled: ejabberd
can't do PAM auth when PrivateDevices=true is present in ejabberd.service.
ejabberd runs epam as ejabberd user instead of root user when
PrivateDevices=true is present, so epam can't access /etc/shadow, etc files to
do auth. Disabling PrivateDevices=true and making epam setuid root was the
only workaround I found that worked.
--
You are receiving this mail because:
You are on the CC list for the bug.
6:53 p.m.
New subject: [Bug 1424823] ejabberd won't start with SELinux enforcing on F26+
https://bugzilla.redhat.com/show_bug.cgi?id=1424823
--- Comment #21 from Jason Spangler <jasons(a)wumple.com> ---
I should've included my versions in comment 20 :
[jasons@linus ~]$ cat /etc/fedora-release
Fedora release 26 (Twenty Six)
[jasons@linus ~]$ rpm -q ejabberd erlang-p1_pam
ejabberd-17.01-2.fc26.x86_64
erlang-p1_pam-1.0.0-3.fc26.x86_64
--
You are receiving this mail because:
You are on the CC list for the bug.
6:55 p.m.
New subject: [Bug 1424823] ejabberd won't start with SELinux enforcing on F26+
https://bugzilla.redhat.com/show_bug.cgi?id=1424823
--- Comment #22 from Jason Spangler <jasons(a)wumple.com> ---
Related to comment 20 , I tried the Rawhide fc27 packages and had the same
result:
ejabberd-17.01-4.fc27.x86_64.rpm
erlang-p1_pam-1.0.3-3.fc27.x86_64.rpm
--
You are receiving this mail because:
You are on the CC list for the bug.
12:52 a.m.
New subject: [Bug 1424823] ejabberd won't start with SELinux enforcing on F26+
https://bugzilla.redhat.com/show_bug.cgi?id=1424823
Fedora Update System <updates(a)fedoraproject.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|MODIFIED |ON_QA
--- Comment #23 from Fedora Update System <updates(a)fedoraproject.org> ---
ejabberd-17.01-3.fc26 has been pushed to the Fedora 26 testing repository. If
problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here:
https://bodhi.fedoraproject.org/updates/FEDORA-2017-55b5527f23
--
You are receiving this mail because:
You are on the CC list for the bug.
11:45 a.m.
New subject: [Bug 1424823] ejabberd won't start with SELinux enforcing on F26+
https://bugzilla.redhat.com/show_bug.cgi?id=1424823
--- Comment #25 from Fedora Update System <updates(a)fedoraproject.org> ---
ejabberd-17.01-5.fc27 has been pushed to the Fedora 27 testing repository. If
problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here:
https://bodhi.fedoraproject.org/updates/FEDORA-2017-213b09d56d
--
You are receiving this mail because:
You are on the CC list for the bug.
11:45 a.m.
New subject: [Bug 1424823] ejabberd won't start with SELinux enforcing on F26+
https://bugzilla.redhat.com/show_bug.cgi?id=1424823
--- Comment #24 from Randy Barlow <randy(a)electronsweatshop.com> ---
Hi Jason,
As part of the change I made to get ejabberd to run confined, I also found it
necessary to remove PrivateDevices=true. Please try out the new versions linked
by the Fedora Update System here and report back karma!
--
You are receiving this mail because:
You are on the CC list for the bug.
1:18 p.m.
New subject: [Bug 1424823] ejabberd won't start with SELinux enforcing on F26+
https://bugzilla.redhat.com/show_bug.cgi?id=1424823
Fedora Update System <updates(a)fedoraproject.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|ON_QA |CLOSED
Fixed In Version|ejabberd-17.01-5.fc28 |ejabberd-17.01-5.fc28
| |ejabberd-17.01-5.fc27
Resolution|--- |ERRATA
Last Closed| |2017-10-01 14:18:06
--- Comment #26 from Fedora Update System <updates(a)fedoraproject.org> ---
ejabberd-17.01-5.fc27 has been pushed to the Fedora 27 stable repository. If
problems still persist, please make note of it in this bug report.
--
You are receiving this mail because:
You are on the CC list for the bug.
11:21 a.m.
New subject: [Bug 1424823] ejabberd won't start with SELinux enforcing on F26+
https://bugzilla.redhat.com/show_bug.cgi?id=1424823
Fedora Update System <updates(a)fedoraproject.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Fixed In Version|ejabberd-17.01-5.fc28 |ejabberd-17.01-5.fc28
|ejabberd-17.01-5.fc27 |ejabberd-17.01-5.fc27
| |ejabberd-17.01-3.fc26
--- Comment #27 from Fedora Update System <updates(a)fedoraproject.org> ---
ejabberd-17.01-3.fc26 has been pushed to the Fedora 26 stable repository. If
problems still persist, please make note of it in this bug report.
--
You are receiving this mail because:
You are on the CC list for the bug.
4:34 p.m.
New subject: [Bug 1424823] ejabberd won't start with SELinux enforcing on F26+
https://bugzilla.redhat.com/show_bug.cgi?id=1424823
Bug 1424823 depends on bug 1429126, which changed state.
Bug 1429126 Summary: The SELinux policy is matching ejabberdctl as rabbitmq_t and
doesn't work
https://bugzilla.redhat.com/show_bug.cgi?id=1429126
What |Removed |Added
----------------------------------------------------------------------------
Status|ASSIGNED |CLOSED
Resolution|--- |EOL
--
You are receiving this mail because:
You are on the CC list for the bug.
820
days inactive
1469
days old
erlang@lists.fedoraproject.org
31 comments
1 participants
participants (1)
-
bugzilla@redhat.com