Bug 1341738

Summary: AVC: beam.smp tries to write in SSL certificate
Product: [Community] RDO
Reporter: Emilien Macchi <emacchi>
Component: openstack-selinux
Assignee: Ryan Hallisey <rhallise>
Status: CLOSED WORKSFORME
QA Contact: Udi Shkalim <ushkalim>
Severity: unspecified
Priority: unspecified
Version: trunk
CC: apevec, emacchi, lhh, mgrepl, srevivo
Target Milestone: Milestone1
Keywords: ZStream
Target Release: trunk
Hardware: Unspecified
OS: Unspecified
Story Points: ---
Last Closed: 2017-02-20 04:01:03 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Emilien Macchi 2016-06-01 16:14:33 UTC
2016-06-01 14:24:47.771 | SELinux is preventing /usr/lib64/erlang/erts-7.3.1/bin/beam.smp from write access on the file centos-7-internap-nyj01-1338789.pem.
2016-06-01 14:24:47.771 | 
2016-06-01 14:24:47.771 | *****  Plugin catchall_labels (83.8 confidence) suggests   *******************
2016-06-01 14:24:47.771 | 
2016-06-01 14:24:47.771 | If you want to allow beam.smp to have write access on the centos-7-internap-nyj01-1338789.pem file
2016-06-01 14:24:47.771 | Then you need to change the label on centos-7-internap-nyj01-1338789.pem
2016-06-01 14:24:47.771 | Do
2016-06-01 14:24:47.771 | # semanage fcontext -a -t FILE_TYPE 'centos-7-internap-nyj01-1338789.pem'
2016-06-01 14:24:47.771 | where FILE_TYPE is one of the following: afs_cache_t, cluster_conf_t, cluster_tmp_t, cluster_var_lib_t, cluster_var_run_t, faillog_t, init_tmp_t, initrc_tmp_t, krb5_host_rcache_t, lastlog_t, puppet_tmp_t, rabbitmq_var_lib_t, rabbitmq_var_lock_t, rabbitmq_var_log_t, rabbitmq_var_run_t, security_t, user_cron_spool_t. 
2016-06-01 14:24:47.771 | Then execute: 
2016-06-01 14:24:47.771 | restorecon -v 'centos-7-internap-nyj01-1338789.pem'
2016-06-01 14:24:47.771 | 
2016-06-01 14:24:47.772 | 
2016-06-01 14:24:47.772 | *****  Plugin catchall (17.1 confidence) suggests   **************************
2016-06-01 14:24:47.772 | 
2016-06-01 14:24:47.772 | If you believe that beam.smp should be allowed write access on the centos-7-internap-nyj01-1338789.pem file by default.
2016-06-01 14:24:47.772 | Then you should report this as a bug.
2016-06-01 14:24:47.772 | You can generate a local policy module to allow this access.
2016-06-01 14:24:47.772 | Do
2016-06-01 14:24:47.772 | allow this access for now by executing:
2016-06-01 14:24:47.772 | # grep async_16 /var/log/audit/audit.log | audit2allow -M mypol
2016-06-01 14:24:47.772 | # semodule -i mypol.pp
2016-06-01 14:24:47.772 | 
2016-06-01 14:24:47.773 | 
2016-06-01 14:24:47.773 | Additional Information:
2016-06-01 14:24:47.773 | Source Context                system_u:system_r:rabbitmq_t:s0
2016-06-01 14:24:47.773 | Target Context                unconfined_u:object_r:etc_t:s0
2016-06-01 14:24:47.773 | Target Objects                centos-7-internap-nyj01-1338789.pem [ file ]
2016-06-01 14:24:47.773 | Source                        async_16
2016-06-01 14:24:47.773 | Source Path                   /usr/lib64/erlang/erts-7.3.1/bin/beam.smp
2016-06-01 14:24:47.773 | Port                          <Unknown>
2016-06-01 14:24:47.773 | Host                          <Unknown>
2016-06-01 14:24:47.773 | Source RPM Packages           erlang-erts-18.3.3-1.el7.x86_64
2016-06-01 14:24:47.773 | Target RPM Packages           
2016-06-01 14:24:47.773 | Policy RPM                    selinux-policy-3.13.1-60.el7_2.3.noarch
2016-06-01 14:24:47.774 | Selinux Enabled               True
2016-06-01 14:24:47.774 | Policy Type                   targeted
2016-06-01 14:24:47.774 | Enforcing Mode                Permissive
2016-06-01 14:24:47.774 | Host Name                     centos-7-internap-nyj01-1338789
2016-06-01 14:24:47.774 | Platform                      Linux centos-7-internap-nyj01-1338789
2016-06-01 14:24:47.774 |                               3.10.0-327.18.2.el7.x86_64 #1 SMP Thu May 12
2016-06-01 14:24:47.774 |                               11:03:55 UTC 2016 x86_64 x86_64
2016-06-01 14:24:47.774 | Alert Count                   12
2016-06-01 14:24:47.774 | First Seen                    2016-06-01 14:00:50 UTC
2016-06-01 14:24:47.774 | Last Seen                     2016-06-01 14:22:50 UTC
2016-06-01 14:24:47.774 | Local ID                      a2e20bec-0eed-4828-bb08-2dd492ab67d9
2016-06-01 14:24:47.775 | 
2016-06-01 14:24:47.775 | Raw Audit Messages
2016-06-01 14:24:47.775 | type=AVC msg=audit(1464790970.956:5132): avc:  denied  { write } for  pid=7758 comm="async_16" name="centos-7-internap-nyj01-1338789.pem" dev="vda1" ino=4702782 scontext=system_u:system_r:rabbitmq_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
2016-06-01 14:24:47.775 | 
2016-06-01 14:24:47.775 | 
2016-06-01 14:24:47.775 | type=SYSCALL msg=audit(1464790970.956:5132): arch=x86_64 syscall=access success=yes exit=0 a0=7f6d5b802e00 a1=2 a2=0 a3=0 items=0 ppid=1 pid=7758 auid=4294967295 uid=493 gid=491 euid=493 suid=493 fsuid=493 egid=491 sgid=491 fsgid=491 tty=(none) ses=4294967295 comm=async_16 exe=/usr/lib64/erlang/erts-7.3.1/bin/beam.smp subj=system_u:system_r:rabbitmq_t:s0 key=(null)
2016-06-01 14:24:47.775 | 
2016-06-01 14:24:47.775 | Hash: async_16,rabbitmq_t,etc_t,file,write
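An added triage example, not part of the bug report or of openstack-selinux: it parses the AVC and SYSCALL records pasted above (embedded as a constructed sample with the CI timestamp prefix removed), pairs them by audit serial, decodes the access(2) mode argument to show that the "write" AVC came from a W_OK permission probe rather than an actual write, reads success=yes as permissive mode, and flags the generic etc_t label on a .pem file. The cert_t expectation for files under /etc/pki is an assumption taken from the targeted policy's file contexts.

```python
import re

# Constructed sample: the AVC and SYSCALL records from the bug report, as they
# would appear in /var/log/audit/audit.log (CI timestamp prefix removed).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1464790970.956:5132): avc:  denied  { write } for  pid=7758 comm="async_16" name="centos-7-internap-nyj01-1338789.pem" dev="vda1" ino=4702782 scontext=system_u:system_r:rabbitmq_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1464790970.956:5132): arch=x86_64 syscall=access success=yes exit=0 a0=7f6d5b802e00 a1=2 a2=0 a3=0 items=0 ppid=1 pid=7758 auid=4294967295 uid=493 gid=491 euid=493 suid=493 fsuid=493 egid=491 sgid=491 fsgid=491 tty=(none) ses=4294967295 comm=async_16 exe=/usr/lib64/erlang/erts-7.3.1/bin/beam.smp subj=system_u:system_r:rabbitmq_t:s0 key=(null)
"""

ACCESS_MODE_BITS = {4: "R_OK", 2: "W_OK", 1: "X_OK"}  # access(2) mode flags; F_OK is 0

def parse_record(line):
    """Turn one audit record into a dict of key=value fields plus perms and serial."""
    rec = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    rec["serial"] = re.search(r':(\d+)\)', rec["msg"]).group(1)
    perms = re.search(r'\{ ([^}]*) \}', line)
    rec["perms"] = perms.group(1).split() if perms else []
    return rec

def selinux_type(context):
    """user:role:type:level -> type"""
    return context.split(":")[2]

def triage(audit_text):
    """Pair AVC with SYSCALL records by serial and describe what was actually attempted."""
    by_serial = {}
    for line in audit_text.splitlines():
        rec = parse_record(line)
        by_serial.setdefault(rec["serial"], {})[rec["type"]] = rec
    findings = []
    for serial, recs in by_serial.items():
        avc, sc = recs.get("AVC"), recs.get("SYSCALL", {})
        if avc is None:
            continue
        f = {"serial": serial, "source_type": selinux_type(avc["scontext"]),
             "target_type": selinux_type(avc["tcontext"]), "tclass": avc["tclass"],
             "perms": avc["perms"], "name": avc.get("name"), "syscall": sc.get("syscall")}
        # success=yes on a denied AVC means the kernel only logged it: permissive mode.
        f["enforced"] = sc.get("success") == "no"
        # For access(2) the requested mode is the second argument (hex); W_OK is a
        # permission probe, not a write, which explains a "write" AVC with no data change.
        if f["syscall"] == "access":
            mode = int(sc["a1"], 16)
            f["access_mode"] = [n for bit, n in ACCESS_MODE_BITS.items() if mode & bit] or ["F_OK"]
        # Assumption from the targeted policy: files under /etc/pki should be cert_t,
        # so a .pem carrying the generic etc_t label points at a mislabeled directory.
        f["likely_mislabel"] = (f["name"] or "").endswith(".pem") and f["target_type"] == "etc_t"
        findings.append(f)
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_AUDIT):
        print(finding)
```

Run against a real audit.log the same way; a finding with likely_mislabel set points at restorecon on the parent directory rather than at an audit2allow module.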

Comment 2 Ryan Hallisey 2016-06-01 17:20:57 UTC
Should rabbit be writing a cert?

The directory it's writing to is '/etc/pki'? It seems to be mislabeled.

restorecon -Rv /etc/pki

Comment 3 Lon Hohberger 2017-02-17 15:25:07 UTC
If this is still an issue, please attach /var/log/audit/audit.log

Comment 4 Emilien Macchi 2017-02-20 04:01:03 UTC
Indeed, I don't see it anymore. I guess it was fixed, but I'm not able to tell when exactly, since I reported the bug a long time ago and didn't check until now.
Closing it for now.