Bug 1360165

Summary: Add a rule to allow a non-ephemeral cluster port for rabbitmq
Product: [Community] RDO
Reporter: Michele Baldessari <michele>
Component: openstack-selinux
Assignee: Lon Hohberger <lhh>
Status: CLOSED CURRENTRELEASE
QA Contact: Ofer Blaut <oblaut>
Severity: medium
Priority: medium
Version: trunk
CC: srevivo
Target Milestone: ---
Target Release: trunk
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2017-02-17 15:39:35 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 1357522

Description Michele Baldessari 2016-07-26 06:59:39 UTC
Description of problem:
Currently rabbitmq uses port 35672 for cluster communications, which is in the
ephemeral range.

Ephemeral ports are the ports the kernel assigns to an application if it doesn't specify which port to open. So there is a small chance that an application started before RabbitMQ itself could grab this port. Unfortunately we've just seen this in the wild.

Via BZ https://bugzilla.redhat.com/show_bug.cgi?id=1357522 we would like
to move rabbit's cluster port outside of this range, to 25672.

This is already in https://review.openstack.org/345851, but I'd like to make
sure that we explicitly allow this port in the selinux policy.

Could we add this port to the allowed ports to bind and connect to?

Comment 1 Michele Baldessari 2016-09-15 07:58:05 UTC
I think we are actually already good to go:
rabbitmq_port_t tcp 25672
corenet_tcp_bind_rabbitmq_port(rabbitmq_t)
corenet_tcp_connect_rabbitmq_port(rabbitmq_t)

Comment 2 Lon Hohberger 2017-02-17 15:39:35 UTC
[root@localhost ~]# semanage port -l | grep rabbit
rabbitmq_port_t                tcp      25672

0.7.13 has this
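An added check, not part of this bug report, that covers the two conditions discussed above: the fixed cluster port must lie outside the kernel's ephemeral range (the collision risk in the description), and it must carry the rabbitmq_port_t label so corenet_tcp_bind_rabbitmq_port(rabbitmq_t) applies (Comment 1 and Comment 2). The port range and semanage output are constructed samples passed in as strings so the script runs offline; on a live host feed it /proc/sys/net/ipv4/ip_local_port_range and `semanage port -l` instead.

```shell
#!/bin/sh
# Added example, not from the bug report: verify that a service's fixed port
# (RabbitMQ's cluster port here) is non-ephemeral and SELinux-labeled.

# Constructed sample of /proc/sys/net/ipv4/ip_local_port_range (RHEL 7 default).
SAMPLE_RANGE="32768 60999"
# Constructed sample of `semanage port -l` output (first line as in Comment 2).
SAMPLE_SEMANAGE="rabbitmq_port_t                tcp      25672
amqp_port_t                    tcp      5671-5672, 15672"

# in_ephemeral_range PORT "LOW HIGH": succeeds if the kernel may hand PORT out
# as an ephemeral port, i.e. another process could grab it before the service.
in_ephemeral_range() {
    _low=$(printf '%s\n' "$2" | awk '{print $1}')
    _high=$(printf '%s\n' "$2" | awk '{print $2}')
    [ "$1" -ge "$_low" ] && [ "$1" -le "$_high" ]
}

# port_labeled TYPE PROTO PORT SEMANAGE_OUTPUT: succeeds if a line for TYPE/PROTO
# lists PORT, either as a single value or inside a LOW-HIGH range.
port_labeled() {
    printf '%s\n' "$4" | awk -v type="$1" -v proto="$2" -v port="$3" '
        $1 == type && $2 == proto {
            for (i = 3; i <= NF; i++) {
                f = $i; sub(/,$/, "", f)
                n = split(f, r, "-")
                if (n == 1 && f + 0 == port + 0) found = 1
                if (n == 2 && port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) found = 1
            }
        }
        END { exit found ? 0 : 1 }'
}

# check_cluster_port PORT RANGE SEMANAGE_OUTPUT: succeeds only if PORT is both
# non-ephemeral and labeled rabbitmq_port_t for tcp; prints the verdict.
check_cluster_port() {
    if in_ephemeral_range "$1" "$2"; then
        echo "port $1: inside ephemeral range ($2), another process may grab it first"
        return 1
    fi
    if ! port_labeled rabbitmq_port_t tcp "$1" "$3"; then
        echo "port $1: not labeled rabbitmq_port_t/tcp, the rabbitmq_t bind rule does not cover it"
        return 1
    fi
    echo "port $1: non-ephemeral and labeled rabbitmq_port_t/tcp"
}

check_cluster_port 35672 "$SAMPLE_RANGE" "$SAMPLE_SEMANAGE" || :   # old port: fails
check_cluster_port 25672 "$SAMPLE_RANGE" "$SAMPLE_SEMANAGE" || :   # new port: passes
```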