Bug 2157891
| Summary: | SELinux prevents the prosody service from creating the /run/prosody/prosody.sock socket | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Milos Malik <mmalik> |
| Component: | selinux-policy | Assignee: | Nikola Knazekova <nknazeko> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Priority: | unspecified |
| Version: | 9.2 | CC: | lvrabec, mmalik, zpytela |
| Target Milestone: | rc | Keywords: | AutoVerified, Triaged |
| Hardware: | x86_64 | Flags: | pm-rhel: mirror+ |
| OS: | Linux | Type: | Bug |
| Fixed In Version: | selinux-policy-38.1.4-1.el9 | Doc Type: | No Doc Update |
| Last Closed: | 2023-05-09 08:17:04 UTC | Bug Blocks: | 2157902 |

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2483

Description of problem:
* the prosody service starts and runs successfully, but the SELinux denial is triggered

Version-Release number of selected component (if applicable):
prosody-0.12.2-1.el9.x86_64
selinux-policy-38.1.3-1.el9.noarch
selinux-policy-targeted-38.1.3-1.el9.noarch

How reproducible:
* always

Steps to Reproduce:
1. get a RHEL-9.2 machine (targeted policy is active)
2. install the prosody package (comes from the EPEL repository)
3. start the prosody service
4. search for SELinux denials

Actual results (enforcing mode):
----
type=PROCTITLE msg=audit(01/03/2023 08:00:07.165:332) : proctitle=/usr/bin/lua /usr/bin/prosody -F
type=PATH msg=audit(01/03/2023 08:00:07.165:332) : item=1 name=/run/prosody/prosody.sock nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(01/03/2023 08:00:07.165:332) : item=0 name=/run/prosody/ inode=1013 dev=00:19 mode=dir,755 ouid=prosody ogid=prosody rdev=00:00 obj=system_u:object_r:prosody_var_run_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(01/03/2023 08:00:07.165:332) : cwd=/var/lib/prosody
type=SOCKADDR msg=audit(01/03/2023 08:00:07.165:332) : saddr={ saddr_fam=local path=/run/prosody/prosody.sock }
type=SYSCALL msg=audit(01/03/2023 08:00:07.165:332) : arch=x86_64 syscall=bind success=no exit=EACCES(Permission denied) a0=0xb a1=0x7ffcd551b950 a2=0x1b a3=0x564633519a70 items=2 ppid=1 pid=4532 auid=unset uid=prosody gid=prosody euid=prosody suid=prosody fsuid=prosody egid=prosody sgid=prosody fsgid=prosody tty=(none) ses=unset comm=prosody exe=/usr/bin/lua subj=system_u:system_r:prosody_t:s0 key=(null)
type=AVC msg=audit(01/03/2023 08:00:07.165:332) : avc: denied { create } for pid=4532 comm=prosody name=prosody.sock scontext=system_u:system_r:prosody_t:s0 tcontext=system_u:object_r:prosody_var_run_t:s0 tclass=sock_file permissive=0
----

Expected results:
* no SELinux denials

Additional info:
the only SELinux denial that appears in permissive mode is
----
type=PROCTITLE msg=audit(01/03/2023 08:08:15.106:336) : proctitle=/usr/bin/lua /usr/bin/prosody -F
type=PATH msg=audit(01/03/2023 08:08:15.106:336) : item=1 name=/run/prosody/prosody.sock inode=1042 dev=00:19 mode=socket,750 ouid=prosody ogid=prosody rdev=00:00 obj=system_u:object_r:prosody_var_run_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(01/03/2023 08:08:15.106:336) : item=0 name=/run/prosody/ inode=1013 dev=00:19 mode=dir,755 ouid=prosody ogid=prosody rdev=00:00 obj=system_u:object_r:prosody_var_run_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(01/03/2023 08:08:15.106:336) : cwd=/var/lib/prosody
type=SOCKADDR msg=audit(01/03/2023 08:08:15.106:336) : saddr={ saddr_fam=local path=/run/prosody/prosody.sock }
type=SYSCALL msg=audit(01/03/2023 08:08:15.106:336) : arch=x86_64 syscall=bind success=yes exit=0 a0=0x7 a1=0x7ffd175eaa50 a2=0x1b a3=0x560929632310 items=2 ppid=1 pid=4576 auid=unset uid=prosody gid=prosody euid=prosody suid=prosody fsuid=prosody egid=prosody sgid=prosody fsgid=prosody tty=(none) ses=unset comm=prosody exe=/usr/bin/lua subj=system_u:system_r:prosody_t:s0 key=(null)
type=AVC msg=audit(01/03/2023 08:08:15.106:336) : avc: denied { create } for pid=4576 comm=prosody name=prosody.sock scontext=system_u:system_r:prosody_t:s0 tcontext=system_u:object_r:prosody_var_run_t:s0 tclass=sock_file permissive=1
----
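
Added example, not part of the original report and not the selinux-policy project's code: a Python triage helper that pairs each AVC record with the SYSCALL record of the same audit event serial, reports whether the `bind` was actually blocked, and prints the type-enforcement rule the denial implies. The records are abridged from the report (fields the parser does not read are removed), the function names are hypothetical, and the printed rule is only what the denial asks for, not necessarily the change shipped in selinux-policy-38.1.4-1.el9.

```python
import re
from collections import defaultdict

# Abridged from the two events in the report (fields the parser ignores removed).
SAMPLE = """\
type=SYSCALL msg=audit(01/03/2023 08:00:07.165:332) : arch=x86_64 syscall=bind success=no exit=EACCES(Permission denied) comm=prosody exe=/usr/bin/lua subj=system_u:system_r:prosody_t:s0
type=AVC msg=audit(01/03/2023 08:00:07.165:332) : avc: denied { create } for pid=4532 comm=prosody name=prosody.sock scontext=system_u:system_r:prosody_t:s0 tcontext=system_u:object_r:prosody_var_run_t:s0 tclass=sock_file permissive=0
type=SYSCALL msg=audit(01/03/2023 08:08:15.106:336) : arch=x86_64 syscall=bind success=yes exit=0 comm=prosody exe=/usr/bin/lua subj=system_u:system_r:prosody_t:s0
type=AVC msg=audit(01/03/2023 08:08:15.106:336) : avc: denied { create } for pid=4576 comm=prosody name=prosody.sock scontext=system_u:system_r:prosody_t:s0 tcontext=system_u:object_r:prosody_var_run_t:s0 tclass=sock_file permissive=1
"""

HEAD = re.compile(r"type=(\w+) msg=audit\((.*?):(\d+)\) : (.*)")
AVC = re.compile(r"avc:\s+denied\s+\{ ([^}]*)\} for .*?scontext=(\S+) "
                 r"tcontext=(\S+) tclass=(\S+) permissive=([01])")
SYSCALL = re.compile(r"syscall=(\S+) success=(\w+)")

def sel_type(context):
    """Return the type field of a user:role:type:level SELinux context."""
    return context.split(":")[2]

def summarize(log_text):
    """Group records by audit event serial and describe each AVC denial."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = HEAD.match(line)
        if m:
            rtype, _stamp, serial, body = m.groups()
            events[serial][rtype] = body
    results = []
    for serial, recs in events.items():
        avc = AVC.search(recs.get("AVC", ""))
        if not avc:
            continue  # event carries no denial
        perms, scon, tcon, tclass, permissive = avc.groups()
        call = SYSCALL.search(recs.get("SYSCALL", ""))
        results.append({
            "serial": serial,
            "syscall": call.group(1) if call else None,
            "blocked": permissive == "0",  # permissive=1 logs but does not deny
            "syscall_ok": call.group(2) == "yes" if call else None,
            "rule": "allow %s %s:%s { %s };" % (
                sel_type(scon), sel_type(tcon), tclass, " ".join(perms.split())),
        })
    return results

if __name__ == "__main__":
    for event in summarize(SAMPLE):
        print(event)
```

Both events yield the same implied rule; only event 332 (`permissive=0`) has the `bind` fail with EACCES, while event 336 logs the denial and lets the socket be created.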