Bug 1242954

Summary: SELinux prevents qpidd from starting after update MRGM 3.1 to MRGM 3.2
Product: Red Hat Enterprise MRG
Reporter: Matej Lesko <mlesko>
Component: qpid-cpp
Assignee: Irina Boverman <iboverma>
Status: CLOSED ERRATA
QA Contact: Zdenek Kraus <zkraus>
Severity: high
Priority: high
Version: Development
CC: freznice, iboverma, jross, mlesko, rrajasek, smumford, zkraus
Target Milestone: 3.2
Keywords: Tracking
Target Release: ---
Hardware: Unspecified
OS: Linux
Doc Type: Known Issue
Doc Text:
.IMPORTANT: Customers should be aware that they need to upgrade to the latest version of Red Hat Enterprise Linux 6 (6.7.2) and the SELinux policy files shipped with it to get started with MRG-M 3.2. Any other version of RHEL/SELinux can produce `Permission denied` errors.
Clone Of:
: 1251584
Last Closed: 2015-11-04 15:51:00 UTC
Type: Bug
Bug Depends On: 1251584

Description Matej Lesko 2015-07-14 13:22:00 UTC
Description of problem:
After the update there is a problem with the manual upgrade of the linearstore EFP to the new partitioning structure. After changing the file owner and group of the created files in the qls directory, qpidd says that it has permission denied to access the migrated journal file. The problem is only solved by changing SELinux to permissive mode.

Version-Release number of selected component (if applicable):
RHEL 6.7, 7.1
qpid-cpp-0.34-1

How reproducible:
always

Steps to Reproduce:
1. Install MRGM 3.1
2. start qpidd
   service qpidd start
3. Create durable queue e.g.
   qpid-config add queue test-queue --durable
4. Send some messages
   qpid-send -a test-queue -b $server -m 150 --durable yes
5. stop qpidd
   service qpidd stop
6. update to MRGM 3.2 according to documentation
7. go to default store directory
   on RHEL6 /var/lib/qpidd/qls
   on RHEL7 /var/lib/qpidd/.qpidd/qls
8. upgrade linearstore EFP to the new partitioning structure according to documentation
9. start qpidd

Actual results:
qpidd won't start - Permission denied error will be printed

Expected results:
qpidd starts normally

Additional info:
On RHEL 6.6 SELinux works with this scenario as expected.

Comment 8 Zdenek Kraus 2015-09-14 09:44:21 UTC
MRG 3.2:
qpid-cpp-server-0.34-3

current:
selinux-policy-3.7.19-279.el6_7.5.noarch
.. FAIL
type=AVC msg=audit(1442222583.008:3089): avc:  denied  { read } for  pid=7515 comm="qpidd" name="q" dev=dm-0 ino=136060  context=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:qpidd_var_lib_t:s0 tclass=lnk_file

selinux-policy-3.13.1-23.el7_1.17.noarch
.. FAIL
type=AVC msg=audit(1442222868.693:361): avc:  denied  { read } for  pid=2583 comm="qpidd" name="psched" dev="proc" ino=4026531980 scontext=system_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1442222868.957:362): avc:  denied  { read } for  pid=2583 comm="qpidd" name="q" dev="dm-0" ino=34347348 scontext=system_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:qpidd_var_lib_t:s0 tclass=lnk_file



new packages:
selinux-policy-3.7.19-279.el6_7.6.noarch
.. PASS

selinux-policy-3.13.1-23.el7_1.18.noarch
.. FAIL
type=AVC msg=audit(1442222868.693:361): avc:  denied  { read } for  pid=2583 comm="qpidd" name="psched" dev="proc" ino=4026531980 scontext=system_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1442222868.957:362): avc:  denied  { read } for  pid=2583 comm="qpidd" name="q" dev="dm-0" ino=34347348 scontext=system_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:qpidd_var_lib_t:s0 tclass=lnk_file
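
To see which access the policy lacked, the denials quoted in comment 8 can be reduced to the allow-rule notation SELinux policy uses. The Python below is an added example, not part of the bug report or of any Red Hat tool; the function names are hypothetical and the sample input is the three distinct AVC records from that comment.

```python
import re
from collections import defaultdict

# The three distinct AVC records from comment 8 (one el6 line, two el7 lines).
SAMPLE_AVCS = [
    'type=AVC msg=audit(1442222583.008:3089): avc:  denied  { read } for  pid=7515 comm="qpidd" name="q" dev=dm-0 ino=136060  context=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:qpidd_var_lib_t:s0 tclass=lnk_file',
    'type=AVC msg=audit(1442222868.693:361): avc:  denied  { read } for  pid=2583 comm="qpidd" name="psched" dev="proc" ino=4026531980 scontext=system_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file',
    'type=AVC msg=audit(1442222868.957:362): avc:  denied  { read } for  pid=2583 comm="qpidd" name="q" dev="dm-0" ino=34347348 scontext=system_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:qpidd_var_lib_t:s0 tclass=lnk_file',
]

PERMS_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial, or None if the line is not a usable denial."""
    m = PERMS_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    # The el6 record on this page shows "context=" where "scontext=" is expected;
    # accept either spelling so the source domain is not lost.
    source = fields.get('scontext') or fields.get('context')
    if not source or 'tcontext' not in fields or 'tclass' not in fields:
        return None
    return {'perms': m.group(1).split(), 'tclass': fields['tclass'],
            'stype': source.split(':')[2], 'ttype': fields['tcontext'].split(':')[2]}


def summarize(lines):
    """Group denials as (source type, target type, class) -> sorted permissions."""
    rules = defaultdict(set)
    for rec in filter(None, map(parse_avc, lines)):
        rules[(rec['stype'], rec['ttype'], rec['tclass'])].update(rec['perms'])
    return {k: sorted(v) for k, v in sorted(rules.items())}


def as_rules(summary):
    """Render the summary in SELinux allow-rule notation, one string per rule."""
    out = []
    for (s, t, c), perms in summary.items():
        p = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
        out.append(f'allow {s} {t}:{c} {p};')
    return out


if __name__ == '__main__':
    for rule in as_rules(summarize(SAMPLE_AVCS)):
        print(rule)
```

The two resulting rules name the access qpidd_t was missing: read on a qpidd_var_lib_t symlink and read on a proc_net_t file. On this bug that access came from the updated selinux-policy packages named in comments 11 and 14.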

Comment 11 Irina Boverman 2015-09-18 20:06:17 UTC
Fixed in selinux-policy-3.7.19-279.el6_7.6

Comment 14 Zdenek Kraus 2015-11-04 15:46:15 UTC
resolved by selinux-policy-3.13.1-23.el7_1.21.noarch

-> VERIFIED

Comment 15 Zdenek Kraus 2015-11-04 15:51:00 UTC
The above package is live, moving to close.

-> CLOSED ERRATA