Bug 757055

Summary: qpidd broker triggers SELinux AVCs avc: denied { name_connect } for pid=2088 comm="qpidd" dest=5672 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:amqp_port_t:s0 tclass=tcp_socket
Product: Red Hat Enterprise MRG
Reporter: Stanislav Graf <sgraf>
Component: qpid-cpp
Assignee: Kim van der Riet <kim.vdriet>
Status: CLOSED WORKSFORME
QA Contact: Frantisek Reznicek <freznice>
Severity: medium
Priority: unspecified
Version: 2.1
CC: dwalsh, esammons, freznice, iboverma, jross, mgrepl, ppecka
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2012-03-15 19:10:37 UTC

Description Stanislav Graf 2011-11-25 11:23:58 UTC
Description of problem:
Use the scenario from Bug 691654 on RHEL6 and you get the following entry in audit.log:
type=AVC msg=audit(1322219322.363:157): avc:  denied  { name_connect } for  pid=2088 comm="qpidd" dest=5672 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:amqp_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1322219322.363:157): arch=c000003e syscall=42 success=no exit=-13 a0=20 a1=7f7014011b80 a2=10 a3=ff00 items=0 ppid=1 pid=2088 auid=0 uid=496 gid=496 euid=496 suid=496 fsuid=496 egid=496 sgid=496 fsgid=496 tty=(none) ses=2 comm="qpidd" exe="/usr/sbin/qpidd" subj=unconfined_u:system_r:qpidd_t:s0 key=(null)

# ps -eLf | grep 2088
qpidd     2087     1  2088  0    4 11:27 ?        00:00:06 /usr/sbin/qpidd --data-dir /var/lib/qpidd --daemon


Cumin web shows for the broker link:
State: Waiting
Last error: Permission denied: localhost:5672 (qpid/sys/posix/Socket.cpp:173)

There is a similar (?) SELinux bug: Bug 691654

Version-Release number of selected component (if applicable):
only RHEL6

MRG 2.0, RHEL 6.0
cumin-0.1.4916-1.el6.noarch
qpid-cpp-server-0.10-8.el6_1.x86_64
selinux-policy-3.7.19-93.el6_1.7.noarch

MRG 2.1, RHEL 6.1
cumin-0.1.5098-2.el6.noarch
qpid-cpp-server-0.12-6.el6.i686
selinux-policy-3.7.19-124.el6.noarch


How reproducible:
100%

Steps to Reproduce:
1. Bug 691654
2. See audit.log
Actual results:
SELinux blocks the connection from cumin to qpidd

Expected results:
SELinux allows the connection from cumin to qpidd

Additional info:

Comment 1 Stanislav Graf 2011-11-25 11:25:44 UTC
The steps to reproduce are from Bug 756939. I mistyped.

Comment 3 Stanislav Graf 2011-12-06 09:31:40 UTC
I was able to reproduce this one using qpid-route:

<dest-broker># qpid-route link add <dest-broker> <src-broker>
[10:29:22] ecode=0

<dest-broker># cat /var/log/audit/audit.log | grep type=AVC 
type=AVC msg=audit(1323163763.507:42319): avc:  denied  { name_connect } for  pid=1719 comm="qpidd" dest=5672 scontext=system_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:amqp_port_t:s0 tclass=tcp_socket

Comment 4 Stanislav Graf 2012-01-31 13:41:02 UTC
# sealert -l bc54ba02-f12b-455b-886c-2c21d0a346ef
SELinux is preventing qpidd from name_connect access on the tcp_socket port 5672.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that qpidd should be allowed name_connect access on the port 5672 tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep qpidd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
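The sealert advice above pipes everything mentioning qpidd through audit2allow, which is a catch-all: any other denial for that domain in the log ends up in the same module. The script below is an added example, not part of this bug or of the audit2allow tool. It parses the two AVC records quoted in this report (copied inline so it runs offline), reduces them to (source type, target type, class, permissions) tuples, and emits a module in the same plain `module`/`require`/`allow` form that `audit2allow -M` produces, so the reviewer can see exactly which single rule would be loaded. The module name `qpidd_amqp` is an assumption; the SYSCALL record is deliberately ignored because only the AVC record carries the contexts.

```python
import re
from collections import defaultdict

# Constructed sample input: the AVC and SYSCALL records quoted in this bug
# (description and comment 3). Both denials come from the same qpidd_t domain,
# one with an unconfined_u user and one with system_u; the type is what matters.
AUDIT_LINES = """\
type=AVC msg=audit(1322219322.363:157): avc:  denied  { name_connect } for  pid=2088 comm="qpidd" dest=5672 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:amqp_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1322219322.363:157): arch=c000003e syscall=42 success=no exit=-13 a0=20 a1=7f7014011b80 a2=10 a3=ff00 items=0 ppid=1 pid=2088 auid=0 uid=496 gid=496 euid=496 suid=496 fsuid=496 egid=496 sgid=496 fsgid=496 tty=(none) ses=2 comm="qpidd" exe="/usr/sbin/qpidd" subj=unconfined_u:system_r:qpidd_t:s0 key=(null)
type=AVC msg=audit(1323163763.507:42319): avc:  denied  { name_connect } for  pid=1719 comm="qpidd" dest=5672 scontext=system_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:amqp_port_t:s0 tclass=tcp_socket
"""

# Matches only AVC records; granted/denied, the permission set, and both contexts.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \}'
    r'.*?scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """user:role:type:level -> type (the third colon-separated field)."""
    return ctx.split(':')[2]


def parse_avc(lines):
    """Yield one dict per *denied* AVC record; SYSCALL and granted records are skipped."""
    for line in lines.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group('result') != 'denied':
            continue
        yield {
            'perms': m.group('perms').split(),
            'stype': context_type(m.group('scontext')),
            'ttype': context_type(m.group('tcontext')),
            'tclass': m.group('tclass'),
        }


def build_module(name, lines):
    """Collapse denials into allow rules and render a loadable .te module."""
    rules = defaultdict(set)  # (stype, ttype, tclass) -> set of permissions
    for rec in parse_avc(lines):
        rules[(rec['stype'], rec['ttype'], rec['tclass'])].update(rec['perms'])

    types, classes = set(), defaultdict(set)
    for (s, t, c), perms in rules.items():
        types.update((s, t))
        classes[c].update(perms)

    out = [f'module {name} 1.0;', '', 'require {']
    out += [f'    type {t};' for t in sorted(types)]
    out += [f'    class {c} {{ {" ".join(sorted(p))} }};' for c, p in sorted(classes.items())]
    out += ['}', '']
    for (s, t, c), perms in sorted(rules.items()):
        out.append(f'allow {s} {t}:{c} {{ {" ".join(sorted(perms))} }};')
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    # Write the result to qpidd_amqp.te, then on the target host:
    #   checkmodule -M -m -o qpidd_amqp.mod qpidd_amqp.te
    #   semodule_package -o qpidd_amqp.pp -m qpidd_amqp.mod
    #   semodule -i qpidd_amqp.pp
    print(build_module('qpidd_amqp', AUDIT_LINES), end='')
```

Both records reduce to one rule, `allow qpidd_t amqp_port_t:tcp_socket { name_connect };`. Before loading it, check whether the installed policy already grants it (`sesearch --allow -s qpidd_t -t amqp_port_t -c tcp_socket -p name_connect`); if it does, the denial is coming from something else and a local module will not help. A local module of this kind is a stopgap for one host; the durable fix is an updated selinux-policy package that carries the rule, which is how this report was eventually closed.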

Comment 13 Frantisek Reznicek 2012-03-12 13:00:59 UTC
The issue has been resolved.
See bug 791294 comment 8 and bug 786467 comment 15.

-> VERIFIED