Bug 786467

Summary: SELinux prevents clustered qpidd (qpidd_t) from name_connect (tcp_socket, amqp_port_t)
Product: Red Hat Enterprise Linux 6
Reporter: Frantisek Reznicek <freznice>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Frantisek Reznicek <freznice>
Severity: urgent
Docs Contact:
Priority: unspecified
Version: 6.3
CC: dwalsh, esammons, mmalik, msvoboda
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: selinux-policy-3.7.19-138.el6
Doc Type: Bug Fix
Doc Text:
An incorrect SELinux policy prevented the qpidd service from connecting to the AMQP (Advanced Message Queuing Protocol) port when the qpidd daemon was configured with Corosync clustering. These selinux-policy packages contain updated SELinux rules, which allow the qpidd service to be started correctly.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-06-20 12:30:50 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 791294
Attachments:
  New reproducer for both qpidd and matahari-broker (flags: none)

Description Frantisek Reznicek 2012-02-01 14:16:19 UTC
Description of problem:


The qpidd service, started the recommended way (service qpidd <action>) and configured with corosync clustering, reliably triggers the following SELinux AVC on RHEL6.3-20120201.n.0:

    type=AVC msg=audit(1328104969.329:127240): avc:  denied  { name_connect } for  pid=14033 comm="qpidd" dest=5672 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:amqp_port_t:s0 tclass=tcp_socket


This case was observed on RHEL6.3-20120201.n.0 x86_64 arch only.


Version-Release number of selected component (if applicable):
RHEL6.3-20120201.n.0
  corosync-1.4.1-5.el6.x86_64
  corosynclib-1.4.1-5.el6.x86_64
  libselinux-2.0.94-5.2.el6.x86_64
  libselinux-devel-2.0.94-5.2.el6.x86_64
  libselinux-utils-2.0.94-5.2.el6.x86_64
  python-qpid-0.14-2.el6.noarch
  python-qpid-qmf-0.14-3.el6.x86_64
  qpid-cpp-client-0.14-1.el6.x86_64
  qpid-cpp-client-devel-0.14-1.el6.x86_64
  qpid-cpp-client-devel-docs-0.14-1.el6.noarch
  qpid-cpp-client-rdma-0.14-1.el6.x86_64
  qpid-cpp-client-ssl-0.14-1.el6.x86_64
  qpid-cpp-debuginfo-0.14-1.el6.x86_64
  qpid-cpp-server-0.14-1.el6.x86_64
  qpid-cpp-server-cluster-0.14-1.el6.x86_64
  qpid-cpp-server-devel-0.14-1.el6.x86_64
  qpid-cpp-server-rdma-0.14-1.el6.x86_64
  qpid-cpp-server-ssl-0.14-1.el6.x86_64
  qpid-cpp-server-store-0.14-1.el6.x86_64
  qpid-cpp-server-xml-0.14-1.el6.x86_64
  qpid-java-client-0.14-1.el6.noarch
  qpid-java-common-0.14-1.el6.noarch
  qpid-java-example-0.14-1.el6.noarch
  qpid-qmf-0.14-3.el6.x86_64
  qpid-qmf-debuginfo-0.14-3.el6.x86_64
  qpid-qmf-devel-0.14-3.el6.x86_64
  qpid-tests-0.14-1.el6.noarch
  qpid-tools-0.14-1.el6.noarch
  rh-qpid-cpp-tests-0.14-1.el6.x86_64
  ruby-qpid-qmf-0.14-3.el6.x86_64
  selinux-policy-3.7.19-136.el6.noarch
  selinux-policy-targeted-3.7.19-136.el6.noarch
  sesame-1.0-2.el6.x86_64
  sesame-debuginfo-1.0-2.el6.x86_64


How reproducible:
100%

Steps to Reproduce:
1. ./bz769352.sh
2. echo $?
  
Actual results:
SELinux AVCs present during qpidd service restart.

Expected results:
No SELinux AVCs present.

Additional info:

Comment 2 Daniel Walsh 2012-02-01 20:46:58 UTC
Should it be allowed to connect to the matahari ports also? 49000?

Comment 9 Miroslav Grepl 2012-02-21 20:22:01 UTC
Fixed in selinux-policy-3.7.19-137.el6

Comment 11 Frantisek Reznicek 2012-02-23 12:56:54 UTC
Package selinux-policy-3.7.19-137.el6 reliably fixes the original reported issue (tested on RHEL6.3-20120222.n.0 i686 / x86_64 / ppc64 / s390x).

When extending the tests to matahari-broker as well, I'm still able to trigger a similar AVC for the matahari broker's port 49000.

The services qpidd and matahari-broker launch separate brokers, by default listening on 5672 (qpidd) and 49000 (matahari-broker).

I expect that selinux-policy-3.7.19-137.el6 should not deny matahari-broker from name_connect (to port 49000):

  ...
  [root@hp-bl460cg7-01 bz786467_769352]# service matahari-broker restart
  
  [root@hp-bl460cg7-01 bz786467_769352]# grep  'AVC' /var/log/audit/audit.log
  [root@hp-bl460cg7-01 bz786467_769352]# qpid-route link add $(hostname):49000 hp-bl495cg5-01:49000
  [root@hp-bl460cg7-01 bz786467_769352]# service qpidd status
  qpidd (pid  13898) is running...
  [root@hp-bl460cg7-01 bz786467_769352]# service matahari-broker status
  qpidd (pid  14181) is running...
  [root@hp-bl460cg7-01 bz786467_769352]# netstat -nlp | grep -E '(matahari|qpidd)'
  tcp        0      0 0.0.0.0:49000               0.0.0.0:*                   LISTEN      14181/matahari-brok 
  tcp        0      0 0.0.0.0:5672                0.0.0.0:*                   LISTEN      13898/qpidd         
  tcp        0      0 :::49000                    :::*                        LISTEN      14181/matahari-brok 
  tcp        0      0 :::5672                     :::*                        LISTEN      13898/qpidd         
  [root@hp-bl460cg7-01 bz786467_769352]# grep  'AVC' /var/log/audit/audit.log|tail -1 
  type=AVC msg=audit(1330001026.984:148354): avc:  denied  { name_connect } for  pid=14182 comm="qpidd" dest=49000 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:matahari_port_t:s0 tclass=tcp_socket


I'm seeing the fix included in selinux-policy-3.7.19-137.el6 as incomplete, pointing to Dan's comment 2.


-> ASSIGNED


P.S. Let me know if you want to track matahari's ACL in separate BZ.

Comment 12 Frantisek Reznicek 2012-02-23 13:36:19 UTC
Created attachment 565304 [details]
New reproducer for both qpidd and matahari-broker

New reproducers.

Please update hosts:
  run_matahari-broker.sh:29
  run_qpidd.sh:30

At least one remote broker has to be running while the test process runs.

Comment 13 Miroslav Grepl 2012-02-23 14:05:56 UTC
So we also need to add

corenet_tcp_connect_matahari_port(qpidd_t)
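
The AVC records quoted in the description and in comment 11, and the interface call named in comment 13, as an added example that is not part of the bug report or of selinux-policy: a small Python parser that turns audit.log AVC denials into the raw allow rule audit2allow would print and the matching corenet interface call. The sample log lines are constructed from the two denials on this page, and the general <name>_port_t to corenet_tcp_connect_<name>_port mapping is an assumption generalised from comment 13.

```python
import re

# Constructed audit.log excerpt: the two AVC records quoted in the bug
# (Description and comment 11) plus one unrelated record to show filtering.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1328104969.329:127240): avc:  denied  { name_connect } for  pid=14033 comm="qpidd" dest=5672 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:amqp_port_t:s0 tclass=tcp_socket
type=SERVICE_START msg=audit(1328104969.331:127241): pid=1 uid=0 msg='unit=qpidd'
type=AVC msg=audit(1330001026.984:148354): avc:  denied  { name_connect } for  pid=14182 comm="qpidd" dest=49000 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:matahari_port_t:s0 tclass=tcp_socket
"""
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"
PERMS_RE = re.compile(r'\{ ([^}]+) \}')       # the { perm perm ... } set

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record."""
    if not line.startswith("type=AVC") or " denied " not in line:
        return None
    perms = PERMS_RE.search(line)
    if perms is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    # A context is user:role:type:level; only the type matters for the rule.
    return {
        "comm": fields.get("comm"), "dest": fields.get("dest"),
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"], "perms": perms.group(1).split(),
    }

def allow_rule(d):
    """Raw allow rule that would silence this denial (what audit2allow prints)."""
    perms = d["perms"][0] if len(d["perms"]) == 1 else "{ %s }" % " ".join(d["perms"])
    return "allow %s %s:%s %s;" % (d["stype"], d["ttype"], d["tclass"], perms)

def corenet_interface(d):
    """Refpolicy interface named as in comment 13 (corenet_tcp_connect_matahari_port);
    the general <name>_port_t -> corenet_tcp_connect_<name>_port mapping is assumed."""
    if d["tclass"] != "tcp_socket" or "name_connect" not in d["perms"] \
            or not d["ttype"].endswith("_port_t"):
        return None
    name = d["ttype"][: -len("_port_t")]
    return "corenet_tcp_connect_%s_port(%s)" % (name, d["stype"])

def summarize(log_text):
    """Unique (allow rule, interface) pairs for every AVC denial in the log."""
    seen = {}
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is not None:
            seen.setdefault(allow_rule(d), corenet_interface(d))
    return list(seen.items())
```

Running summarize(SAMPLE_AUDIT_LOG) yields the amqp_port_t and matahari_port_t rules, i.e. both interface calls the -137 and -138 builds of the policy needed for qpidd_t.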

Comment 15 Frantisek Reznicek 2012-03-01 12:11:19 UTC
The issue has been reliably fixed for both daemons (qpidd, matahari-broker) in selinux-policy-3.7.19-138.el6.noarch.

Tested on RHEL6.3-20120222.n.0 and RHEL6.3-20120229.n.2 (selinux-policy-3.7.19-138.el6) i686 / x86_64 / s390x / ppc64.


-> VERIFIED

Comment 16 Miroslav Svoboda 2012-03-02 14:23:11 UTC
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
An incorrect SELinux policy prevented the qpidd service from connecting to the AMQP (Advanced Message Queuing Protocol) port when the qpidd daemon was configured with Corosync clustering. These selinux-policy packages contain updated SELinux rules, which allow the qpidd service to be started correctly.

Comment 17 errata-xmlrpc 2012-06-20 12:30:50 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0780.html