| Summary: | qpidd broker triggers SELinux AVCs avc: denied { search } for pid=27642 comm="qpidd" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise MRG | Reporter: | Frantisek Reznicek <freznice> | |
| Component: | qpid-cpp | Assignee: | Miroslav Grepl <mgrepl> | |
| Status: | CLOSED DUPLICATE | QA Contact: | Frantisek Reznicek <freznice> | |
| Severity: | high | Docs Contact: | ||
| Priority: | high | |||
| Version: | Development | CC: | dwalsh, esammons, iboverma, jneedle, jross, pmoravec, sgraf | |
| Target Milestone: | 2.1.2 | |||
| Target Release: | --- | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | selinux-policy-3.10.0-58.fc16 | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 769352 (view as bug list) | Environment: | ||
| Last Closed: | 2012-01-23 20:33:32 UTC | Type: | --- | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Bug Depends On: | ||||
| Bug Blocks: | 769352, 783492, 784337 | |||
An update: the issue is still pending on the following packages:
[root@dhcp-26-228 examples]# rpm -qa | grep -E '(qpid|qmf|sesame)' | sort
libvirt-qpid-0.2.22-6.el6.i686
python-qpid-0.10-1.el6.noarch
python-qpid-qmf-0.10-10.el6.i686
qpid-cpp-client-0.10-6.el6.i686
qpid-cpp-client-devel-0.10-6.el6.i686
qpid-cpp-client-devel-docs-0.10-6.el6.noarch
qpid-cpp-client-rdma-0.10-6.el6.i686
qpid-cpp-client-ssl-0.10-6.el6.i686
qpid-cpp-debuginfo-0.10-6.el6.i686
qpid-cpp-server-0.10-6.el6.i686
qpid-cpp-server-cluster-0.10-6.el6.i686
qpid-cpp-server-devel-0.10-6.el6.i686
qpid-cpp-server-rdma-0.10-6.el6.i686
qpid-cpp-server-ssl-0.10-6.el6.i686
qpid-cpp-server-store-0.10-6.el6.i686
qpid-cpp-server-xml-0.10-6.el6.i686
qpid-java-client-0.10-6.el6.noarch
qpid-java-common-0.10-6.el6.noarch
qpid-java-example-0.10-6.el6.noarch
qpid-java-jca-0.10-6.el6.noarch
qpid-qmf-0.10-10.el6.i686
qpid-qmf-debuginfo-0.10-10.el6.i686
qpid-qmf-devel-0.10-10.el6.i686
qpid-tests-0.10-1.el6.noarch
qpid-tools-0.10-5.el6.noarch
rh-qpid-cpp-tests-0.10-6.el6.i686
ruby-qpid-0.7.946106-2.el6.i686
ruby-qpid-qmf-0.10-10.el6.i686
sesame-0.10-1.el6.i686
sesame-debuginfo-0.10-1.el6.i686
The AVC is detected after 'service qpidd start', as the transcript below shows:
[root@dhcp-26-228 examples]# grep -i AVC /var/log/audit/audit.log
type=AVC msg=audit(1307710727.291:785): avc: denied { search } for pid=30286 comm="qpidd" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
[root@dhcp-26-228 examples]# tail -5 /etc/qpidd.conf
# "qpidd --help" or "man qpidd" for more details.
cluster-mechanism=ANONYMOUS
auth=no
#cluster-name=X
[root@dhcp-26-228 examples]# service qpidd restart
Stopping Qpid AMQP daemon: [ OK ]
Starting Qpid AMQP daemon: [ OK ]
[root@dhcp-26-228 examples]# grep -i AVC /var/log/audit/audit.log
type=AVC msg=audit(1307710727.291:785): avc: denied { search } for pid=30286 comm="qpidd" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
type=AVC msg=audit(1307710825.207:798): avc: denied { search } for pid=30328 comm="qpidd" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
[root@dhcp-26-228 examples]# service qpidd stop
Stopping Qpid AMQP daemon: [ OK ]
[root@dhcp-26-228 examples]# grep -i AVC /var/log/audit/audit.log
type=AVC msg=audit(1307710727.291:785): avc: denied { search } for pid=30286 comm="qpidd" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
type=AVC msg=audit(1307710825.207:798): avc: denied { search } for pid=30328 comm="qpidd" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
[root@dhcp-26-228 examples]# service qpidd start
Starting Qpid AMQP daemon: [ OK ]
[root@dhcp-26-228 examples]# grep -i AVC /var/log/audit/audit.log
type=AVC msg=audit(1307710727.291:785): avc: denied { search } for pid=30286 comm="qpidd" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
type=AVC msg=audit(1307710825.207:798): avc: denied { search } for pid=30328 comm="qpidd" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
type=AVC msg=audit(1307710861.195:819): avc: denied { search } for pid=30384 comm="qpidd" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
[root@dhcp-26-228 examples]# ps auxZ | grep qpidd
unconfined_u:system_r:qpidd_t:s0 qpidd 30384 0.1 1.7 51916 6752 ? Ssl 15:01 0:00 /usr/sbin/qpidd --data-dir /var/lib/qpidd --daemon
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 30419 0.0 0.1 4328 740 pts/2 S+ 15:01 0:00 grep qpidd
[root@dhcp-26-228 examples]# uname -a
Linux dhcp-26-228... 2.6.32-131.0.15.el6.i686 #1 SMP Tue May 10 15:42:28 EDT 2011 i686 i686 i386 GNU/Linux
[root@dhcp-26-228 examples]# head -1 /etc/issue
Red Hat Enterprise Linux Server release 6.1 (Santiago)
The same problem occurs here on both RHEL 6 i386 and x86_64, with all packages updated from RHN to the latest version:
# grep AVC /var/log/audit/audit.log
# service qpidd restart
Stopping Qpid AMQP daemon: [FAILED]
Starting Qpid AMQP daemon: Daemon startup failed: Failed to initialize CPG.: library (2)
[FAILED]
# grep AVC /var/log/audit/audit.log
type=AVC msg=audit(1317898912.634:26262): avc: denied { search } for pid=1886 comm="qpidd" name="/" dev=tmpfs ino=5531 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
# getenforce
Enforcing
# rpm -qa | grep -E '(qpid|qmf|sesame)' | sort
python-qpid-0.10-1.el6.noarch
python-qpid-qmf-0.10-10.el6.i686
qpid-cpp-client-0.10-6.el6.i686
qpid-cpp-client-devel-0.10-6.el6.i686
qpid-cpp-client-devel-docs-0.10-6.el6.noarch
qpid-cpp-client-rdma-0.10-6.el6.i686
qpid-cpp-client-ssl-0.10-6.el6.i686
qpid-cpp-debuginfo-0.10-6.el6.i686
qpid-cpp-server-0.10-6.el6.i686
qpid-cpp-server-cluster-0.10-6.el6.i686
qpid-cpp-server-devel-0.10-6.el6.i686
qpid-cpp-server-rdma-0.10-6.el6.i686
qpid-cpp-server-ssl-0.10-6.el6.i686
qpid-cpp-server-store-0.10-6.el6.i686
qpid-cpp-server-xml-0.10-6.el6.i686
qpid-java-client-0.10-9.el6.noarch
qpid-java-common-0.10-9.el6.noarch
qpid-java-example-0.10-9.el6.noarch
qpid-qmf-0.10-10.el6.i686
qpid-tools-0.10-5.el6.noarch
rh-qpid-cpp-tests-0.10-6.el6.i686
sesame-0.10-1.el6.i686
The issue is still pending on python-qpid-0.12-1.el6.noarch python-qpid-qmf-0.12-6.el6.i686 qpid-cpp-*0.12-6.el6.i686 qpid-java-*0.10-11.el6.noarch qpid-qmf-0.12-6.el6.i686 qpid-qmf-debuginfo-0.12-6.el6.i686 qpid-qmf-devel-0.12-6.el6.i686 qpid-tests-0.12-1.el6.noarch qpid-tools-0.12-2.el6.noarch rh-qpid-cpp-tests-0.12-6.el6.i686 ruby-qpid-0.7.946106-2.el6.i686 ruby-qpid-qmf-0.12-6.el6.i686. The issue is visible only if clustering is enabled via cluster-name=<name>, as the following transcript shows:
[root@dhcp-lab-231 ~]# setenforce 0
[root@dhcp-lab-231 ~]# htop
[root@dhcp-lab-231 ~]# service qpidd restart
Stopping Qpid AMQP daemon: [FAILED]
Starting Qpid AMQP daemon: [ OK ]
[root@dhcp-lab-231 ~]# setenforce 1
[root@dhcp-lab-231 ~]# service qpidd restart
Stopping Qpid AMQP daemon: [ OK ]
Starting Qpid AMQP daemon: Daemon startup failed: Failed to initialize CPG.: library (2)
[FAILED]
[root@dhcp-lab-231 ~]# setenforce 0
[root@dhcp-lab-231 ~]# service qpidd restart
Stopping Qpid AMQP daemon: [FAILED]
Starting Qpid AMQP daemon: [ OK ]
[root@dhcp-lab-231 ~]# service qpidd stop
Stopping Qpid AMQP daemon: [ OK ]
[root@dhcp-lab-231 ~]# vi /etc/qpidd.conf
[root@dhcp-lab-231 ~]# service qpidd restart
Stopping Qpid AMQP daemon: [FAILED]
Starting Qpid AMQP daemon: [ OK ]
[root@dhcp-lab-231 ~]# qpid-stat -b
Brokers
broker cluster uptime conn sess exch queue
===============================================================
localhost:5672 <standalone> 10s 1 1 8 12
[root@dhcp-lab-231 ~]# setenforce 1
[root@dhcp-lab-231 ~]# service qpidd restart
Stopping Qpid AMQP daemon: [ OK ]
Starting Qpid AMQP daemon: [ OK ]
[root@dhcp-lab-231 ~]# getenforce
Enforcing
[root@dhcp-lab-231 ~]# qpid-stat -b
Brokers
broker cluster uptime conn sess exch queue
===============================================================
localhost:5672 <standalone> 15s 1 1 8 12
[root@dhcp-lab-231 ~]# getenforce
Enforcing
[root@dhcp-lab-231 ~]# service qpidd restart
Stopping Qpid AMQP daemon: [ OK ]
Starting Qpid AMQP daemon: [ OK ]
This is an SELinux policy issue. We have dev_read_sysfs(qpidd_t) in the Fedora policy. We need to backport the qpidd policy from Fedora 16 to RHEL 6. Fixed in selinux-policy-3.10.0-58.fc16. I'm not clear whether the change was applied to selinux-policy-3.7.19-126.el6.noarch.
But as the behavior has changed slightly, it looks like it was.
The behavior of qpid 0.14 on RHEL 6.2 is slightly better, but it still produces AVCs; see the detailed list below...
-> ASSIGNED
# Installed packages
[root@dhcp-27-49 ~]# uname -a
Linux dhcp-27-49.brq.redhat.com 2.6.32-220.el6.i686 #1 SMP Wed Nov 9 08:02:18 EST 2011 i686 i686 i386 GNU/Linux
[root@dhcp-27-49 ~]# rpm -q selinux-policy
selinux-policy-3.7.19-126.el6.noarch
[root@dhcp-27-49 ~]# rpm -qa | egrep 'qpid|sesame|corosync' | sort
corosync-1.4.1-4.el6.i686
corosynclib-1.4.1-4.el6.i686
corosynclib-devel-1.4.1-4.el6.i686
python-qpid-0.14-1.el6.noarch
python-qpid-qmf-0.14-2.el6.i686
qpid-cpp-client-0.14-1.el6.i686
qpid-cpp-client-devel-0.14-1.el6.i686
qpid-cpp-client-rdma-0.14-1.el6.i686
qpid-cpp-client-ssl-0.14-1.el6.i686
qpid-cpp-debuginfo-0.14-1.el6.i686
qpid-cpp-server-0.14-1.el6.i686
qpid-cpp-server-cluster-0.14-1.el6.i686
qpid-cpp-server-devel-0.14-1.el6.i686
qpid-cpp-server-rdma-0.14-1.el6.i686
qpid-cpp-server-ssl-0.14-1.el6.i686
qpid-cpp-server-store-0.14-1.el6.i686
qpid-cpp-server-xml-0.14-1.el6.i686
qpid-java-client-0.14-1.el6.noarch
qpid-java-common-0.14-1.el6.noarch
qpid-java-example-0.14-1.el6.noarch
qpid-qmf-0.14-2.el6.i686
qpid-qmf-debuginfo-0.14-2.el6.i686
qpid-qmf-devel-0.14-2.el6.i686
qpid-tests-0.14-1.el6.noarch
qpid-tools-0.14-1.el6.noarch
rh-qpid-cpp-tests-0.14-1.el6.i686
ruby-qpid-qmf-0.14-2.el6.i686
sesame-1.0-2.el6.i686
sesame-debuginfo-1.0-2.el6.i686
# iptables does not affect the tests
[root@dhcp-27-49 ~]# service iptables status
iptables: Firewall is not running.
# TEST qpidd without clustering
# Results: AVC detected, dependent on the SELinux mode...
[root@dhcp-27-49 ~]# service qpidd stop
Stopping Qpid AMQP daemon: [FAILED]
[root@dhcp-27-49 ~]# function foo () {
> setenforce $1
> getenforce
> rm -f /var/log/audit/audit.log
> service auditd restart
> grep AVC /var/log/audit/audit.log
> service qpidd restart
> grep AVC /var/log/audit/audit.log
> pidof qpidd
> netstat -nlp | grep qpidd
> }
[root@dhcp-27-49 ~]#
[root@dhcp-27-49 ~]#
[root@dhcp-27-49 ~]#
[root@dhcp-27-49 ~]#
[root@dhcp-27-49 ~]# cat /etc/qpidd.conf
log-enable=info+
mgmt-pub-interval=5
log-to-file=/var/lib/qpidd/qpidd.log
#cluster-name=mycluster
auth=no
[root@dhcp-27-49 ~]# foo 0
Permissive
Stopping auditd: [ OK ]
Starting auditd: [ OK ]
Stopping Qpid AMQP daemon: [FAILED]
Starting Qpid AMQP daemon: [ OK ]
2795
tcp 0 0 0.0.0.0:5672 0.0.0.0:* LISTEN 2795/qpidd
tcp 0 0 :::5672 :::* LISTEN 2795/qpidd
[root@dhcp-27-49 ~]# foo 0
Permissive
Stopping auditd: [ OK ]
Starting auditd: [ OK ]
Stopping Qpid AMQP daemon: [ OK ]
Starting Qpid AMQP daemon: [ OK ]
2875
tcp 0 0 0.0.0.0:5672 0.0.0.0:* LISTEN 2875/qpidd
tcp 0 0 :::5672 :::* LISTEN 2875/qpidd
[root@dhcp-27-49 ~]# foo 0
Permissive
Stopping auditd: [ OK ]
Starting auditd: [ OK ]
Stopping Qpid AMQP daemon: [ OK ]
Starting Qpid AMQP daemon: [ OK ]
2955
tcp 0 0 0.0.0.0:5672 0.0.0.0:* LISTEN 2955/qpidd
tcp 0 0 :::5672 :::* LISTEN 2955/qpidd
[root@dhcp-27-49 ~]# foo 0
Permissive
Stopping auditd: [ OK ]
Starting auditd: [ OK ]
Stopping Qpid AMQP daemon: [ OK ]
Starting Qpid AMQP daemon: [ OK ]
3035
tcp 0 0 0.0.0.0:5672 0.0.0.0:* LISTEN 3035/qpidd
tcp 0 0 :::5672 :::* LISTEN 3035/qpidd
[root@dhcp-27-49 ~]# foo 0
Permissive
Stopping auditd: [ OK ]
Starting auditd: [ OK ]
Stopping Qpid AMQP daemon: [ OK ]
Starting Qpid AMQP daemon: [ OK ]
3115
tcp 0 0 0.0.0.0:5672 0.0.0.0:* LISTEN 3115/qpidd
tcp 0 0 :::5672 :::* LISTEN 3115/qpidd
[root@dhcp-27-49 ~]# foo 0
Permissive
Stopping auditd: [ OK ]
Starting auditd: [ OK ]
Stopping Qpid AMQP daemon: [ OK ]
Starting Qpid AMQP daemon: [ OK ]
3195
tcp 0 0 0.0.0.0:5672 0.0.0.0:* LISTEN 3195/qpidd
tcp 0 0 :::5672 :::* LISTEN 3195/qpidd
[root@dhcp-27-49 ~]# foo 0
Permissive
Stopping auditd: [ OK ]
Starting auditd: [ OK ]
Stopping Qpid AMQP daemon: [ OK ]
Starting Qpid AMQP daemon: [ OK ]
3275
tcp 0 0 0.0.0.0:5672 0.0.0.0:* LISTEN 3275/qpidd
tcp 0 0 :::5672 :::* LISTEN 3275/qpidd
[root@dhcp-27-49 ~]# foo 0
Permissive
Stopping auditd: [ OK ]
Starting auditd: [ OK ]
Stopping Qpid AMQP daemon: [ OK ]
Starting Qpid AMQP daemon: [ OK ]
3355
tcp 0 0 0.0.0.0:5672 0.0.0.0:* LISTEN 3355/qpidd
tcp 0 0 :::5672 :::* LISTEN 3355/qpidd
[root@dhcp-27-49 ~]# foo 0
Permissive
Stopping auditd: [ OK ]
Starting auditd: [ OK ]
Stopping Qpid AMQP daemon: [ OK ]
Starting Qpid AMQP daemon: [ OK ]
3435
tcp 0 0 0.0.0.0:5672 0.0.0.0:* LISTEN 3435/qpidd
tcp 0 0 :::5672 :::* LISTEN 3435/qpidd
[root@dhcp-27-49 ~]# foo 0
Permissive
Stopping auditd: [ OK ]
Starting auditd: [ OK ]
Stopping Qpid AMQP daemon: [ OK ]
Starting Qpid AMQP daemon: [ OK ]
3515
tcp 0 0 0.0.0.0:5672 0.0.0.0:* LISTEN 3515/qpidd
tcp 0 0 :::5672 :::* LISTEN 3515/qpidd
[root@dhcp-27-49 ~]# foo 0
Permissive
Stopping auditd: [ OK ]
Starting auditd: [ OK ]
Stopping Qpid AMQP daemon: [ OK ]
Starting Qpid AMQP daemon: [ OK ]
3595
tcp 0 0 0.0.0.0:5672 0.0.0.0:* LISTEN 3595/qpidd
tcp 0 0 :::5672 :::* LISTEN 3595/qpidd
[root@dhcp-27-49 ~]# foo 1
Enforcing
Stopping auditd: [ OK ]
Starting auditd: [ OK ]
Stopping Qpid AMQP daemon: [ OK ]
Starting Qpid AMQP daemon: [ OK ]
type=AVC msg=audit(1324377039.684:490): avc: denied { search } for pid=3675 comm="qpidd" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
3675
tcp 0 0 0.0.0.0:5672 0.0.0.0:* LISTEN 3675/qpidd
tcp 0 0 :::5672 :::* LISTEN 3675/qpidd
[root@dhcp-27-49 ~]#
[root@dhcp-27-49 ~]# foo 1
Enforcing
Stopping auditd: [ OK ]
Starting auditd: [ OK ]
Stopping Qpid AMQP daemon: [ OK ]
Starting Qpid AMQP daemon: [ OK ]
type=AVC msg=audit(1324377060.632:506): avc: denied { search } for pid=3755 comm="qpidd" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
3755
tcp 0 0 0.0.0.0:5672 0.0.0.0:* LISTEN 3755/qpidd
tcp 0 0 :::5672 :::* LISTEN 3755/qpidd
[root@dhcp-27-49 ~]# foo 0
Permissive
Stopping auditd: [ OK ]
Starting auditd: [ OK ]
Stopping Qpid AMQP daemon: [ OK ]
Starting Qpid AMQP daemon: [ OK ]
type=AVC msg=audit(1324377064.806:523): avc: denied { search } for pid=3835 comm="qpidd" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
3835
tcp 0 0 0.0.0.0:5672 0.0.0.0:* LISTEN 3835/qpidd
tcp 0 0 :::5672 :::* LISTEN 3835/qpidd
[root@dhcp-27-49 ~]# foo 0
Permissive
Stopping auditd: [ OK ]
Starting auditd: [ OK ]
Stopping Qpid AMQP daemon: [ OK ]
Starting Qpid AMQP daemon: [ OK ]
3915
tcp 0 0 0.0.0.0:5672 0.0.0.0:* LISTEN 3915/qpidd
tcp 0 0 :::5672 :::* LISTEN 3915/qpidd
[root@dhcp-27-49 ~]# foo 1
Enforcing
Stopping auditd: [ OK ]
Starting auditd: [ OK ]
Stopping Qpid AMQP daemon: [ OK ]
Starting Qpid AMQP daemon: [ OK ]
type=AVC msg=audit(1324377072.234:555): avc: denied { search } for pid=3995 comm="qpidd" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
3995
tcp 0 0 0.0.0.0:5672 0.0.0.0:* LISTEN 3995/qpidd
tcp 0 0 :::5672 :::* LISTEN 3995/qpidd
[root@dhcp-27-49 ~]# foo 0
Permissive
Stopping auditd: [ OK ]
Starting auditd: [ OK ]
Stopping Qpid AMQP daemon: [ OK ]
Starting Qpid AMQP daemon: [ OK ]
type=AVC msg=audit(1324377075.718:572): avc: denied { search } for pid=4075 comm="qpidd" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
4075
tcp 0 0 0.0.0.0:5672 0.0.0.0:* LISTEN 4075/qpidd
tcp 0 0 :::5672 :::* LISTEN 4075/qpidd
[root@dhcp-27-49 ~]#
[root@dhcp-27-49 ~]#
[root@dhcp-27-49 ~]# foo 0
Permissive
Stopping auditd: [ OK ]
Starting auditd: [ OK ]
Stopping Qpid AMQP daemon: [ OK ]
Starting Qpid AMQP daemon: [ OK ]
4155
tcp 0 0 0.0.0.0:5672 0.0.0.0:* LISTEN 4155/qpidd
tcp 0 0 :::5672 :::* LISTEN 4155/qpidd
[root@dhcp-27-49 ~]#
# TEST qpidd with clustering (corosync)
# Results: AVC detected, dependent on the SELinux mode...
# Special set of AVCs detected during first cluster node start
# Note: just one cluster member
[root@dhcp-27-49 ~]# vi /etc/qpidd.conf
[root@dhcp-27-49 ~]# cat /etc/qpidd.conf
log-enable=info+
mgmt-pub-interval=5
log-to-file=/var/lib/qpidd/qpidd.log
cluster-name=mycluster
auth=no
[root@dhcp-27-49 ~]# rm -rf /var/lib/qpidd/*cluster* /var/lib/qpidd/rhm/ /var/lib/qpidd/.qpidd/ /var/lib/qpidd/lock
[root@dhcp-27-49 ~]# service qpidd stop
Stopping Qpid AMQP daemon: [FAILED]
[root@dhcp-27-49 ~]# function foo () {
> setenforce $1
> getenforce
> rm -f /var/log/audit/audit.log
> service auditd restart
> grep AVC /var/log/audit/audit.log
>
> if [ -n "$2" ]; then
> service corosync restart
> grep AVC /var/log/audit/audit.log
> fi
>
> service qpidd restart
> grep AVC /var/log/audit/audit.log
> pidof qpidd
> netstat -nlp | grep qpidd
> }
[root@dhcp-27-49 ~]#
[root@dhcp-27-49 ~]# foo 0 1
Permissive
Stopping auditd: [ OK ]
Starting auditd: [ OK ]
Signaling Corosync Cluster Engine (corosync) to terminate: [ OK ]
Waiting for corosync services to unload:. [ OK ]
Starting Corosync Cluster Engine (corosync): [ OK ]
Stopping Qpid AMQP daemon: [FAILED]
Starting Qpid AMQP daemon: [ OK ]
type=AVC msg=audit(1324377453.392:690): avc: denied { search } for pid=4717 comm="qpidd" name="/" dev=tmpfs ino=5384 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1324377453.392:690): avc: denied { write } for pid=4717 comm="qpidd" name="/" dev=tmpfs ino=5384 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1324377453.392:690): avc: denied { add_name } for pid=4717 comm="qpidd" name="control_buffer-ZHFGex" scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1324377453.392:690): avc: denied { create } for pid=4717 comm="qpidd" name="control_buffer-ZHFGex" scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=unconfined_u:object_r:tmpfs_t:s0 tclass=file
type=AVC msg=audit(1324377453.392:690): avc: denied { read write open } for pid=4717 comm="qpidd" name="control_buffer-ZHFGex" dev=tmpfs ino=21998 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=unconfined_u:object_r:tmpfs_t:s0 tclass=file
type=AVC msg=audit(1324377453.405:691): avc: denied { search } for pid=4717 comm="qpidd" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
4717
tcp 0 0 0.0.0.0:5672 0.0.0.0:* LISTEN 4717/qpidd
tcp 0 0 :::5672 :::* LISTEN 4717/qpidd
[root@dhcp-27-49 ~]# foo 0 1
Permissive
Stopping auditd: [ OK ]
Starting auditd: [ OK ]
Signaling Corosync Cluster Engine (corosync) to terminate: [ OK ]
Waiting for corosync services to unload:. [ OK ]
Starting Corosync Cluster Engine (corosync): [ OK ]
Stopping Qpid AMQP daemon: [FAILED]
Starting Qpid AMQP daemon: [ OK ]
4827
tcp 0 0 0.0.0.0:5672 0.0.0.0:* LISTEN 4827/qpidd
tcp 0 0 :::5672 :::* LISTEN 4827/qpidd
[root@dhcp-27-49 ~]#
[root@dhcp-27-49 ~]# foo 0 1
Permissive
Stopping auditd: [ OK ]
Starting auditd: [ OK ]
Signaling Corosync Cluster Engine (corosync) to terminate: [ OK ]
Waiting for corosync services to unload:. [ OK ]
Starting Corosync Cluster Engine (corosync): [ OK ]
Stopping Qpid AMQP daemon: [FAILED]
Starting Qpid AMQP daemon: [ OK ]
4937
tcp 0 0 0.0.0.0:5672 0.0.0.0:* LISTEN 4937/qpidd
tcp 0 0 :::5672 :::* LISTEN 4937/qpidd
[root@dhcp-27-49 ~]# foo 1 1
Enforcing
Stopping auditd: [ OK ]
Starting auditd: [ OK ]
Signaling Corosync Cluster Engine (corosync) to terminate: [ OK ]
Waiting for corosync services to unload:. [ OK ]
Starting Corosync Cluster Engine (corosync): [ OK ]
Stopping Qpid AMQP daemon: [FAILED]
Starting Qpid AMQP daemon: Daemon startup failed: Failed to initialize CPG.: library (2)
2011-12-20 11:38:07 critical Unexpected error: Daemon startup failed: Failed to initialize CPG.: library (2)
[FAILED]
type=AVC msg=audit(1324377487.007:738): avc: denied { search } for pid=5047 comm="qpidd" name="/" dev=tmpfs ino=5384 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
Similar results are seen on RHEL 6.2 x86_64.
The data below show that the SELinux policy is not reliably fixed (see the 3rd run).
# Installed packages
[root@dhcp-27-50 ~]# rpm -q selinux-policy
selinux-policy-3.7.19-126.el6.noarch
[root@dhcp-27-50 ~]# rpm -qa | egrep 'qpid|sesame|corosync' | sort
corosync-1.4.1-4.el6.x86_64
corosynclib-1.4.1-4.el6.x86_64
python-qpid-0.14-1.el6.noarch
python-qpid-qmf-0.14-2.el6.x86_64
qpid-cpp-client-0.14-1.el6.x86_64
qpid-cpp-client-devel-0.14-1.el6.x86_64
qpid-cpp-client-rdma-0.14-1.el6.x86_64
qpid-cpp-client-ssl-0.14-1.el6.x86_64
qpid-cpp-debuginfo-0.14-1.el6.x86_64
qpid-cpp-server-0.14-1.el6.x86_64
qpid-cpp-server-cluster-0.14-1.el6.x86_64
qpid-cpp-server-devel-0.14-1.el6.x86_64
qpid-cpp-server-rdma-0.14-1.el6.x86_64
qpid-cpp-server-ssl-0.14-1.el6.x86_64
qpid-cpp-server-store-0.14-1.el6.x86_64
qpid-cpp-server-xml-0.14-1.el6.x86_64
qpid-java-client-0.14-1.el6.noarch
qpid-java-common-0.14-1.el6.noarch
qpid-java-example-0.14-1.el6.noarch
qpid-java-jca-0.10-11.el6.noarch
qpid-java-jca-zip-0.10-11.el6.noarch
qpid-qmf-0.14-2.el6.x86_64
qpid-qmf-debuginfo-0.14-2.el6.x86_64
qpid-qmf-devel-0.14-2.el6.x86_64
qpid-tests-0.14-1.el6.noarch
qpid-tools-0.14-1.el6.noarch
rh-qpid-cpp-tests-0.14-1.el6.x86_64
ruby-qpid-qmf-0.14-2.el6.x86_64
sesame-1.0-2.el6.x86_64
sesame-debuginfo-1.0-2.el6.x86_64
[root@dhcp-27-50 ~]# uname -a
Linux dhcp-27-50.brq.redhat.com 2.6.32-220.el6.x86_64 #1 SMP Wed Nov 9 08:03:13 EST 2011 x86_64 x86_64 x86_64 GNU/Linux
# TEST qpidd with clustering (corosync)
# Results: AVC detected, dependent on the SELinux mode...
# Special set of AVCs detected during first cluster node start
# Different behavior across repeated runs of foo 0 1 (i.e. permissive mode with a corosync restart)
# Note: just one cluster member
[root@dhcp-27-50 ~]# cat /etc/qpidd.conf
log-enable=info+
mgmt-pub-interval=5
log-to-file=/var/lib/qpidd/qpidd.log
cluster-name=mycluster
auth=no
[root@dhcp-27-50 ~]# function foo () {
> setenforce $1
> getenforce
> rm -f /var/log/audit/audit.log
> service auditd restart
> grep AVC /var/log/audit/audit.log
>
> if [ -n "$2" ]; then
> service corosync restart
> grep AVC /var/log/audit/audit.log
> fi
>
> service qpidd restart
> grep AVC /var/log/audit/audit.log
> pidof qpidd
> netstat -nlp | grep qpidd
> }
[root@dhcp-27-50 ~]# rm -rf /var/lib/qpidd/*cluster* /var/lib/qpidd/rhm/ /var/lib/qpidd/.qpidd/ /var/lib/qpidd/lock
[root@dhcp-27-50 ~]# foo 0 1
Permissive
Stopping auditd: [ OK ]
Starting auditd: [ OK ]
Signaling Corosync Cluster Engine (corosync) to terminate: [ OK ]
Waiting for corosync services to unload: [ OK ]
Starting Corosync Cluster Engine (corosync): [ OK ]
Stopping Qpid AMQP daemon: [FAILED]
Starting Qpid AMQP daemon: [ OK ]
type=AVC msg=audit(1324378256.380:111): avc: denied { search } for pid=1731 comm="qpidd" name="/" dev=tmpfs ino=5271 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1324378256.380:111): avc: denied { write } for pid=1731 comm="qpidd" name="/" dev=tmpfs ino=5271 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1324378256.380:111): avc: denied { add_name } for pid=1731 comm="qpidd" name="control_buffer-VK2uPX" scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1324378256.380:111): avc: denied { create } for pid=1731 comm="qpidd" name="control_buffer-VK2uPX" scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=unconfined_u:object_r:tmpfs_t:s0 tclass=file
type=AVC msg=audit(1324378256.380:111): avc: denied { read write open } for pid=1731 comm="qpidd" name="control_buffer-VK2uPX" dev=tmpfs ino=13288 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=unconfined_u:object_r:tmpfs_t:s0 tclass=file
1731
tcp 0 0 0.0.0.0:5672 0.0.0.0:* LISTEN 1731/qpidd
tcp 0 0 :::5672 :::* LISTEN 1731/qpidd
[root@dhcp-27-50 ~]#
[root@dhcp-27-50 ~]# foo 0 1
Permissive
Stopping auditd: [ OK ]
Starting auditd: [ OK ]
Signaling Corosync Cluster Engine (corosync) to terminate: [ OK ]
Waiting for corosync services to unload: [ OK ]
Starting Corosync Cluster Engine (corosync): [ OK ]
Stopping Qpid AMQP daemon: [FAILED]
Starting Qpid AMQP daemon: [ OK ]
1839
tcp 0 0 0.0.0.0:5672 0.0.0.0:* LISTEN 1839/qpidd
tcp 0 0 :::5672 :::* LISTEN 1839/qpidd
[root@dhcp-27-50 ~]# foo 0 1
Permissive
Stopping auditd: [ OK ]
Starting auditd: [ OK ]
Signaling Corosync Cluster Engine (corosync) to terminate: [ OK ]
Waiting for corosync services to unload: [ OK ]
Starting Corosync Cluster Engine (corosync): [ OK ]
Stopping Qpid AMQP daemon: [FAILED]
Starting Qpid AMQP daemon: [ OK ]
type=AVC msg=audit(1324378269.450:142): avc: denied { search } for pid=1947 comm="qpidd" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
1947
tcp 0 0 0.0.0.0:5672 0.0.0.0:* LISTEN 1947/qpidd
tcp 0 0 :::5672 :::* LISTEN 1947/qpidd
[root@dhcp-27-50 ~]# foo 0 1
Permissive
Stopping auditd: [ OK ]
Starting auditd: [ OK ]
Signaling Corosync Cluster Engine (corosync) to terminate: [ OK ]
Waiting for corosync services to unload: [ OK ]
Starting Corosync Cluster Engine (corosync): [ OK ]
Stopping Qpid AMQP daemon: [FAILED]
Starting Qpid AMQP daemon: [ OK ]
2055
tcp 0 0 0.0.0.0:5672 0.0.0.0:* LISTEN 2055/qpidd
tcp 0 0 :::5672 :::* LISTEN 2055/qpidd
[root@dhcp-27-50 ~]# foo 0 1
Permissive
Stopping auditd: [ OK ]
Starting auditd: [ OK ]
Signaling Corosync Cluster Engine (corosync) to terminate: [ OK ]
Waiting for corosync services to unload: [ OK ]
Starting Corosync Cluster Engine (corosync): [ OK ]
Stopping Qpid AMQP daemon: [FAILED]
Starting Qpid AMQP daemon: [ OK ]
2163
tcp 0 0 0.0.0.0:5672 0.0.0.0:* LISTEN 2163/qpidd
tcp 0 0 :::5672 :::* LISTEN 2163/qpidd
[root@dhcp-27-50 ~]# foo 0 1
Permissive
Stopping auditd: [ OK ]
Starting auditd: [ OK ]
Signaling Corosync Cluster Engine (corosync) to terminate: [ OK ]
Waiting for corosync services to unload: [ OK ]
Starting Corosync Cluster Engine (corosync): [ OK ]
Stopping Qpid AMQP daemon: [FAILED]
Starting Qpid AMQP daemon: [ OK ]
2271
tcp 0 0 0.0.0.0:5672 0.0.0.0:* LISTEN 2271/qpidd
tcp 0 0 :::5672 :::* LISTEN 2271/qpidd
[root@dhcp-27-50 ~]# foo 1 1
Enforcing
Stopping auditd: [ OK ]
Starting auditd: [ OK ]
Signaling Corosync Cluster Engine (corosync) to terminate: [ OK ]
Waiting for corosync services to unload:. [ OK ]
Starting Corosync Cluster Engine (corosync): [ OK ]
Stopping Qpid AMQP daemon: [FAILED]
Starting Qpid AMQP daemon: Daemon startup failed: Failed to initialize CPG.: library (2)
2011-12-20 11:51:41 critical Unexpected error: Daemon startup failed: Failed to initialize CPG.: library (2)
[FAILED]
type=AVC msg=audit(1324378301.934:204): avc: denied { search } for pid=2380 comm="qpidd" name="/" dev=tmpfs ino=5271 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
Could you clone this on the selinux-policy component? (In reply to comment #11) > Could you clone this on the selinux-policy component? Cloned as bug 769352.
Description of problem: The qpidd service, started the recommended way (service qpidd <action>), reliably triggers the following RHEL 6.1 SELinux AVC: type=AVC msg=audit(1301383207.124:38396): avc: denied { search } for pid=27642 comm="qpidd" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir This case is observed on RHEL 6.1 beta i386 / x86_64 only.
Version-Release number of selected component (if applicable):
[root@mrg-qe-10 ~]# rpm -qa | grep -E '(qpid|qmf|sesame)'
ruby-qpid-0.7.946106-2.el6.x86_64
qpid-tests-0.10-1.el6.noarch
ruby-qpid-qmf-0.10-4.el6.x86_64
qpid-cpp-server-ssl-0.10-1.el6.x86_64
rh-qpid-cpp-tests-0.10-1.el6.x86_64
qpid-cpp-client-0.10-1.el6.x86_64
python-qpid-qmf-0.10-4.el6.x86_64
qpid-cpp-client-rdma-0.10-1.el6.x86_64
qpid-java-common-0.10-1.el6.noarch
qpid-qmf-devel-0.10-4.el6.x86_64
qpid-cpp-server-xml-0.10-1.el6.x86_64
qpid-cpp-server-store-0.10-1.el6.x86_64
qpid-qmf-0.10-4.el6.x86_64
qpid-java-client-0.10-1.el6.noarch
qpid-cpp-server-devel-0.10-1.el6.x86_64
qpid-cpp-server-cluster-0.10-1.el6.x86_64
qpid-cpp-client-devel-docs-0.10-1.el6.noarch
qpid-cpp-server-0.10-1.el6.x86_64
python-qpid-0.10-1.el6.noarch
qpid-cpp-server-rdma-0.10-1.el6.x86_64
qpid-cpp-client-ssl-0.10-1.el6.x86_64
qpid-cpp-client-devel-0.10-1.el6.x86_64
qpid-java-example-0.10-1.el6.noarch
qpid-tools-0.10-1.el6.noarch
sesame-0.10-1.el6.x86_64
How reproducible: 100%
Steps to Reproduce: see the bottom section for steps
Actual results: The qpidd broker daemon triggers SELinux AVCs.
Expected results: The qpidd broker daemon should not trigger SELinux AVCs.
Additional info (steps):
[root@mrg-qe-10 ~]# rm -f /var/log/audit/audit.log
[root@mrg-qe-10 ~]# service auditd restart
Stopping auditd: [ OK ]
Starting auditd: [ OK ]
[root@mrg-qe-10 ~]# grep AVC /var/log/audit/audit.log
[root@mrg-qe-10 ~]# service qpidd restart
Stopping Qpid AMQP daemon: [ OK ]
Starting Qpid AMQP daemon: [ OK ]
[root@mrg-qe-10 ~]# grep AVC /var/log/audit/audit.log
type=AVC msg=audit(1301383207.124:38396): avc: denied { search } for pid=27642 comm="qpidd" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
[root@mrg-qe-10 ~]# getenforce
Enforcing
[root@mrg-qe-10 ~]# rpm -qa | grep -E '(qpid|qmf|sesame)'
ruby-qpid-0.7.946106-2.el6.x86_64
qpid-tests-0.10-1.el6.noarch
ruby-qpid-qmf-0.10-4.el6.x86_64
qpid-cpp-server-ssl-0.10-1.el6.x86_64
rh-qpid-cpp-tests-0.10-1.el6.x86_64
qpid-cpp-client-0.10-1.el6.x86_64
python-qpid-qmf-0.10-4.el6.x86_64
qpid-cpp-client-rdma-0.10-1.el6.x86_64
qpid-java-common-0.10-1.el6.noarch
qpid-qmf-devel-0.10-4.el6.x86_64
qpid-cpp-server-xml-0.10-1.el6.x86_64
qpid-cpp-server-store-0.10-1.el6.x86_64
qpid-qmf-0.10-4.el6.x86_64
qpid-java-client-0.10-1.el6.noarch
qpid-cpp-server-devel-0.10-1.el6.x86_64
qpid-cpp-server-cluster-0.10-1.el6.x86_64
qpid-cpp-client-devel-docs-0.10-1.el6.noarch
qpid-cpp-server-0.10-1.el6.x86_64
python-qpid-0.10-1.el6.noarch
qpid-cpp-server-rdma-0.10-1.el6.x86_64
qpid-cpp-client-ssl-0.10-1.el6.x86_64
qpid-cpp-client-devel-0.10-1.el6.x86_64
qpid-java-example-0.10-1.el6.noarch
qpid-tools-0.10-1.el6.noarch
sesame-0.10-1.el6.x86_64
[root@mrg-qe-10 ~]# uname -a
Linux mrg-qe-10.lab.eng.brq.redhat.com 2.6.32-125.el6.x86_64 #1 SMP Mon Mar 21 10:06:08 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux
[root@mrg-qe-10 ~]# head -1 /etc/issue
Red Hat Enterprise Linux Server release 6.1 Beta (Santiago)