Bug 694418

Summary: qpidd does not start if log-to-file parameter specified in the config file due to SELinux 'avc: denied { write } for pid=31622 comm="qpidd" name="tmp" ...'
Product: Red Hat Enterprise MRG
Reporter: Frantisek Reznicek <freznice>
Component: qpid-cpp
Assignee: messaging-bugs <messaging-bugs>
Status: CLOSED NOTABUG
QA Contact: MRG Quality Engineering <mrgqe-bugs>
Severity: urgent
Priority: urgent
Version: Development
CC: aconway, esammons, iboverma
Hardware: Unspecified
OS: Linux
Doc Type: Bug Fix
Last Closed: 2011-11-07 13:26:45 UTC

Description Frantisek Reznicek 2011-04-07 10:07:13 UTC
Description of problem:

Qpidd broker refuses to start if the user sets the log-to-file parameter in the config file /etc/qpidd.conf:
[root@mrg-qe-10 ~]# service qpidd restart
Stopping Qpid AMQP daemon:                                 [  OK  ]
Starting Qpid AMQP daemon: Unexpected error: Can't open log file: /tmp/qpidd.log
                                                           [FAILED]

Looking at audit.log I was able to see the reason:

type=AVC msg=audit(1302170230.481:48522): avc:  denied  { write } for  pid=31622 comm="qpidd" name="tmp" dev=dm-0 ino=1441793 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir

It is understandable that the broker cannot start if it is not able to write a file due to permissions.

In this case (file does not exist) qpidd should be able to create the log file and set the correct SELinux context.


Version-Release number of selected component (if applicable):
python-qpid-0.10-1.el6.noarch
python-qpid-qmf-0.10-6.el6.x86_64
qpid-cpp-client-0.10-3.el6.x86_64
qpid-cpp-client-devel-0.10-3.el6.x86_64
qpid-cpp-client-devel-docs-0.10-3.el6.noarch
qpid-cpp-client-rdma-0.10-3.el6.x86_64
qpid-cpp-client-ssl-0.10-3.el6.x86_64
qpid-cpp-debuginfo-0.10-3.el6.x86_64
qpid-cpp-server-0.10-3.el6.x86_64
qpid-cpp-server-cluster-0.10-3.el6.x86_64
qpid-cpp-server-devel-0.10-3.el6.x86_64
qpid-cpp-server-rdma-0.10-3.el6.x86_64
qpid-cpp-server-ssl-0.10-3.el6.x86_64
qpid-cpp-server-store-0.10-3.el6.x86_64
qpid-cpp-server-xml-0.10-3.el6.x86_64
qpid-java-client-0.10-1.el6.noarch
qpid-java-common-0.10-1.el6.noarch
qpid-java-example-0.10-1.el6.noarch
qpid-java-jca-0.10-1.el6.noarch
qpid-qmf-0.10-6.el6.x86_64
qpid-qmf-debuginfo-0.10-6.el6.x86_64
qpid-qmf-devel-0.10-6.el6.x86_64
qpid-tests-0.10-1.el6.noarch
qpid-tools-0.10-2.el6.noarch
rh-qpid-cpp-tests-0.10-3.el6.x86_64
ruby-qpid-0.7.946106-2.el6.x86_64
ruby-qpid-qmf-0.10-6.el6.x86_64


How reproducible:
100%

Steps to Reproduce:
1. install messaging
2. echo "log-to-file=/tmp/qpidd.log" >> /etc/qpidd.conf
3. service qpidd [re]start ; echo $?
  
Actual results:
Qpidd broker fails to start.

Expected results:
Qpidd broker should start well if specified log file does not exist.

Additional info:
  [root@mrg-qe-10 ~]# getenforce
  Enforcing
  [root@mrg-qe-10 ~]# :>/var/log/audit/audit.log
  [root@mrg-qe-10 ~]# service qpidd start
  Starting Qpid AMQP daemon:                                 [  OK  ]
  [root@mrg-qe-10 ~]# grep type=AVC /var/log/audit/audit.log
  type=AVC msg=audit(1302170138.617:48509): avc:  denied  { search } for  pid=31539 comm="qpidd" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
  [root@mrg-qe-10 ~]# echo "log-to-file=/tmp/qpidd.log" >> /etc/qpidd.conf
  [root@mrg-qe-10 ~]# tail /etc/qpidd.conf
  #
  # Configuration file for qpidd. Entries are of the form:
  #   name=value
  #
  # (Note: no spaces on either side of '='). Using default settings:
  # "qpidd --help" or "man qpidd" for more details.
  cluster-mechanism=ANONYMOUS
  #auth=yes
  auth=no
  log-to-file=/tmp/qpidd.log
  [root@mrg-qe-10 ~]# ll /tmp/qpidd.log
  -rw-r--r--. 1 root root 88773674 Apr  6 02:48 /tmp/qpidd.log
  [root@mrg-qe-10 ~]# rm -f /tmp/qpidd.log
  [root@mrg-qe-10 ~]# ll /tmp/qpidd.log
  ls: cannot access /tmp/qpidd.log: No such file or directory
  [root@mrg-qe-10 ~]# service qpidd restart
  Stopping Qpid AMQP daemon:                                 [  OK  ]
  Starting Qpid AMQP daemon: Unexpected error: Can't open log file: /tmp/qpidd.log
                                                            [FAILED]
  [root@mrg-qe-10 ~]# grep type=AVC /var/log/audit/audit.log
  type=AVC msg=audit(1302170138.617:48509): avc:  denied  { search } for  pid=31539 comm="qpidd" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
  type=AVC msg=audit(1302170230.481:48522): avc:  denied  { write } for  pid=31622 comm="qpidd" name="tmp" dev=dm-0 ino=1441793 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir

Comment 1 Alan Conway 2011-07-21 12:52:01 UTC
I can't reproduce the problem; qpidd restarts correctly:

[root@mrg32 etc]# getenforce
Enforcing
[root@mrg32 etc]# cat /etc/qpidd.conf
cluster-mechanism=ANONYMOUS
auth=no
log-to-file=/tmp/qpidd.log
[root@mrg32 etc]# service qpidd stop
Stopping Qpid AMQP daemon:                                 [  OK  ]
[root@mrg32 etc]# rm -f /tmp/qpidd.log
[root@mrg32 etc]# service qpidd start
Starting Qpid AMQP daemon:                                 [  OK  ]
[root@mrg32 etc]# tail /tmp/qpidd.log
2011-07-21 08:49:56 notice Journal "TplStore": Created
2011-07-21 08:49:56 notice Store module initialized; store-dir=/var/lib/qpidd
2011-07-21 08:49:56 notice SASL disabled: No Authentication Performed
2011-07-21 08:49:56 notice Listening on TCP port 5672
2011-07-21 08:49:56 notice Broker running
[root@mrg32 etc]# service qpidd restart
Stopping Qpid AMQP daemon:                                 [  OK  ]
Starting Qpid AMQP daemon:                                 [  OK  ]
[root@mrg32 etc]# service qpidd restart
Stopping Qpid AMQP daemon:                                 [  OK  ]
Starting Qpid AMQP daemon:                                 [  OK  ]
[root@mrg32 etc]# rpm -q qpid-cpp-server
qpid-cpp-server-0.10-8.el5
[root@mrg32 etc]# uname -a
Linux mrg32.lab.bos.redhat.com 2.6.18-238.12.1.el5 #1 SMP Sat May 7 20:18:50 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux
[root@mrg32 etc]#

Comment 2 Frantisek Reznicek 2011-07-27 09:42:51 UTC
ad a]
  The behavior was seen on RHEL6 only (unique-mrg-rhel-6-bug+).
  Comment 1 is from RHEL5.

ad b]
  The behavior is correct: the RHEL6 qpidd SELinux policy is enhanced and does not allow storing log files in the /tmp directory (as for most daemons).

The transcript below shows that storing the log at /var/lib/qpidd/qpidd.log is just fine, and thus I believe this behavior should be closed as not-a-bug.

Raising NEEDINFO to confirm that point b] above is correct.

Transcript:
  [root@dhcp-26-168 ~]# vi /etc/qpidd.conf
  [root@dhcp-26-168 ~]# :> /var/log/audit/audit.log
  [root@dhcp-26-168 ~]# grep type=AVC /var/log/audit/audit.log
  [root@dhcp-26-168 ~]# service qpidd restart
  Stopping Qpid AMQP daemon:                                 [  OK  ]
  Starting Qpid AMQP daemon: Unexpected error: Can't open log file: /tmp/qpidd.log
                                                            [FAILED]
  [root@dhcp-26-168 ~]# tail -6 /etc/qpidd.conf
  cluster-mechanism=ANONYMOUS
  #auth=no
  log-enable=debug+
  log-to-file=/tmp/qpidd.log
  #cluster-name=X
  
  [root@dhcp-26-168 ~]# vi /etc/qpidd.conf
  [root@dhcp-26-168 ~]# tail -6 /etc/qpidd.conf
  cluster-mechanism=ANONYMOUS
  #auth=no
  log-enable=debug+
  log-to-file=/var/lib/qpidd/qpidd.log
  #cluster-name=X
  
  [root@dhcp-26-168 ~]# grep type=AVC /var/log/audit/audit.log
  type=AVC msg=audit(1311758935.153:17730): avc:  denied  { write } for  pid=1703 comm="qpidd" name="tmp" dev=dm-0 ino=130824 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
  [root@dhcp-26-168 ~]# service qpidd restart
  Stopping Qpid AMQP daemon:                                 [FAILED]
  Starting Qpid AMQP daemon:                                 [  OK  ]
  [root@dhcp-26-168 ~]# grep type=AVC /var/log/audit/audit.log
  type=AVC msg=audit(1311758935.153:17730): avc:  denied  { write } for  pid=1703 comm="qpidd" name="tmp" dev=dm-0 ino=130824 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
  type=AVC msg=audit(1311758976.579:17739): avc:  denied  { search } for  pid=1732 comm="qpidd" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
  [root@dhcp-26-168 ~]# service qpidd restart
  Stopping Qpid AMQP daemon:                                 [  OK  ]
  Starting Qpid AMQP daemon:                                 [  OK  ]
  [root@dhcp-26-168 ~]# grep type=AVC /var/log/audit/audit.log
  type=AVC msg=audit(1311758935.153:17730): avc:  denied  { write } for  pid=1703 comm="qpidd" name="tmp" dev=dm-0 ino=130824 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
  type=AVC msg=audit(1311758976.579:17739): avc:  denied  { search } for  pid=1732 comm="qpidd" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
  type=AVC msg=audit(1311758984.022:17752): avc:  denied  { search } for  pid=1775 comm="qpidd" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir


Please note that the last of the AVCs is raised as separate bug 691654.
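The AVC records quoted in this bug are easiest to triage when reduced to (source type, permission, target type, class). The following is an added example, not part of the bug report or of qpidd: a small parser for audit.log AVC lines, run over constructed sample lines of the kind shown above, that counts denials per process so the tmp_t write denial and the sysfs_t search denial show up as separate items.

```python
import re
from collections import Counter

# Constructed sample (not a real capture): two AVC records of the kinds quoted
# in this bug plus one non-AVC record that must be ignored.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1302170230.481:48522): avc:  denied  { write } for  pid=31622 comm="qpidd" name="tmp" dev=dm-0 ino=1441793 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1302170138.617:48509): avc:  denied  { search } for  pid=31539 comm="qpidd" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1302170230.481:48522): arch=c000003e syscall=2 success=no exit=-13
"""

# Fields of an AVC record: decision, permission set, process name, contexts, class.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+)'
    r'.*?tcontext=(?P<tcontext>\S+)'
    r'.*?tclass=(?P<tclass>\S+)'
)

def selinux_type(context):
    """Return the type component (user:role:TYPE:level) of an SELinux context."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context

def parse_avc(line):
    """Parse one audit line; return None for non-AVC or malformed lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "decision": m.group("decision"),
        "perms": m.group("perms").split(),
        "comm": m.group("comm"),
        "stype": selinux_type(m.group("scontext")),
        "ttype": selinux_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }

def summarize_denials(text, comm=None):
    """Count denials keyed by (source type, permission, target type, class),
    optionally restricted to one process name (comm)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied":
            continue
        if comm is not None and rec["comm"] != comm:
            continue
        for perm in rec["perms"]:  # a record may list several permissions
            counts[(rec["stype"], perm, rec["ttype"], rec["tclass"])] += 1
    return counts

if __name__ == "__main__":
    for key, n in sorted(summarize_denials(SAMPLE_AUDIT_LOG, comm="qpidd").items()):
        print(n, "x", key)
```

On a real host the same function can be fed `/var/log/audit/audit.log` after `getenforce` reports Enforcing to see which types a confined daemon is being refused.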

Comment 3 Alan Conway 2011-07-27 15:09:46 UTC
Comment 2 point b] sounds correct to me.

Comment 4 Frantisek Reznicek 2011-11-07 13:26:45 UTC
Behavior discussed, with the not-a-bug consensus.

-> CLOSED / NOTABUG