Bug 967186

Summary: Selinux crashes epm/beam for ejabberd
Product: [Fedora] Fedora
Component: selinux-policy
Version: 19
Status: CLOSED ERRATA
Severity: high
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Reporter: Grosswiler Roger <roger>
Assignee: Miroslav Grepl <mgrepl>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dominick.grift, dwalsh, mgrepl
Fixed In Version: selinux-policy-3.12.1-47.fc19
Doc Type: Bug Fix
Type: Bug
Last Closed: 2013-05-30 03:34:20 UTC
Bug Blocks: 968158

Description Grosswiler Roger 2013-05-25 10:17:12 UTC
Description of problem:
Ejabberd won't start if selinux is in enforcing mode. Works in permissive.


Version-Release number of selected component (if applicable):
guile-5:1.8.8-5.fc18.2

How reproducible:
Always. Have above policy installed in enforcing and boot


Steps to Reproduce:
1. Set selinux to enforcing
2. Start ejabberd.service
3. Get just beam working, but not ejabberd

Actual results:
Ejabberd not working


Expected results:
Ejabberd working


Additional info:

Excerpt from audit.log:

 setenforce notice (enforcing=1)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1369476952.154:534): avc:  denied  { write } for  pid=1896 comm="epmd" path="/run/lock/ejabberdctl/ejabberdctl-1" dev="tmpfs" ino=19001 scontext=system_u:system_r:rabbitmq_epmd_t:s0 tcontext=system_u:object_r:lvm_lock_t:s0 tclass=file
type=SYSCALL msg=audit(1369476952.154:534): arch=c000003e syscall=59 success=yes exit=0 a0=ac6be0 a1=ac6b70 a2=ac55d0 a3=7ffffdaf2380 items=0 ppid=1892 pid=1896 auid=4294967295 uid=989 gid=987 euid=989 suid=989 fsuid=989 egid=987 sgid=987 fsgid=987 ses=4294967295 tty=(none) comm="epmd" exe="/usr/lib64/erlang/erts-5.10.1/bin/epmd" subj=system_u:system_r:rabbitmq_epmd_t:s0 key=(null)
type=AVC msg=audit(1369476952.164:535): avc:  denied  { write } for  pid=1892 comm="beam.smp" path="/run/lock/ejabberdctl/ejabberdctl-1" dev="tmpfs" ino=19001 scontext=system_u:system_r:rabbitmq_beam_t:s0 tcontext=system_u:object_r:lvm_lock_t:s0 tclass=file
type=SYSCALL msg=audit(1369476952.164:535): arch=c000003e syscall=59 success=yes exit=0 a0=f5c050 a1=f5c2c0 a2=7fffac5e6ce0 a3=7fffac5e68e0 items=0 ppid=1890 pid=1892 auid=4294967295 uid=989 gid=987 euid=989 suid=989 fsuid=989 egid=987 sgid=987 fsgid=987 ses=4294967295 tty=(none) comm="beam.smp" exe="/usr/lib64/erlang/erts-5.10.1/bin/beam.smp" subj=system_u:system_r:rabbitmq_beam_t:s0 key=(null)
type=AVC msg=audit(1369476952.298:536): avc:  denied  { node_bind } for  pid=1915 comm="beam.smp" scontext=system_u:system_r:rabbitmq_beam_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1369476952.298:536): arch=c000003e syscall=49 success=no exit=-13 a0=7 a1=7f534e74cab0 a2=10 a3=7f534e74c500 items=0 ppid=1890 pid=1915 auid=4294967295 uid=989 gid=987 euid=989 suid=989 fsuid=989 egid=987 sgid=987 fsgid=987 ses=4294967295 tty=(none) comm="beam.smp" exe="/usr/lib64/erlang/erts-5.10.1/bin/beam.smp" subj=system_u:system_r:rabbitmq_beam_t:s0 key=(null)
type=AVC msg=audit(1369476952.362:537): avc:  denied  { getattr } for  pid=1905 comm="beam.smp" path="/var/lib/ejabberd/spool/.erlang.cookie" dev="vda4" ino=3381 scontext=system_u:system_r:rabbitmq_beam_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1369476952.362:537): arch=c000003e syscall=4 success=no exit=-13 a0=7f5350600808 a1=7f534fc7dd90 a2=7f534fc7dd90 a3=0 items=0 ppid=1890 pid=1905 auid=4294967295 uid=989 gid=987 euid=989 suid=989 fsuid=989 egid=987 sgid=987 fsgid=987 ses=4294967295 tty=(none) comm="beam.smp" exe="/usr/lib64/erlang/erts-5.10.1/bin/beam.smp" subj=system_u:system_r:rabbitmq_beam_t:s0 key=(null)
type=AVC msg=audit(1369476952.896:538): avc:  denied  { write } for  pid=1915 comm="beam.smp" name="ejabberd" dev="vda4" ino=3229 scontext=system_u:system_r:rabbitmq_beam_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1369476952.896:538): arch=c000003e syscall=2 success=no exit=-13 a0=7f534e74dbc0 a1=241 a2=1a0 a3=323530333130325f items=0 ppid=1890 pid=1915 auid=4294967295 uid=989 gid=987 euid=989 suid=989 fsuid=989 egid=987 sgid=987 fsgid=987 ses=4294967295 tty=(none) comm="beam.smp" exe="/usr/lib64/erlang/erts-5.10.1/bin/beam.smp" subj=system_u:system_r:rabbitmq_beam_t:s0 key=(null)
type=SERVICE_STOP msg=audit(1369476952.932:539): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="ejabberd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
type=AVC msg=audit(1369476953.140:540): avc:  denied  { node_bind } for  pid=1956 comm="beam.smp" scontext=system_u:system_r:rabbitmq_beam_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1369476953.140:540): arch=c000003e syscall=49 success=no exit=-13 a0=7 a1=7f9bf7b2eab0 a2=10 a3=7f9bf7b2e500 items=0 ppid=1933 pid=1956 auid=4294967295 uid=989 gid=987 euid=989 suid=989 fsuid=989 egid=987 sgid=987 fsgid=987 ses=4294967295 tty=(none) comm="beam.smp" exe="/usr/lib64/erlang/erts-5.10.1/bin/beam.smp" subj=system_u:system_r:rabbitmq_beam_t:s0 key=(null)
type=AVC msg=audit(1369476953.206:541): avc:  denied  { getattr } for  pid=1950 comm="beam.smp" path="/var/lib/ejabberd/spool/.erlang.cookie" dev="vda4" ino=3381 scontext=system_u:system_r:rabbitmq_beam_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1369476953.206:541): arch=c000003e syscall=4 success=no exit=-13 a0=7f9bf99c0808 a1=7f9bf83b9d90 a2=7f9bf83b9d90 a3=0 items=0 ppid=1933 pid=1950 auid=4294967295 uid=989 gid=987 euid=989 suid=989 fsuid=989 egid=987 sgid=987 fsgid=987 ses=4294967295 tty=(none) comm="beam.smp" exe="/usr/lib64/erlang/erts-5.10.1/bin/beam.smp" subj=system_u:system_r:rabbitmq_beam_t:s0 key=(null)
type=AVC msg=audit(1369476953.730:542): avc:  denied  { write } for  pid=1956 comm="beam.smp" name="ejabberd" dev="vda4" ino=3229 scontext=system_u:system_r:rabbitmq_beam_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1369476953.730:542): arch=c000003e syscall=2 success=no exit=-13 a0=7f9bf7b2fbc0 a1=241 a2=1a0 a3=323530333130325f items=0 ppid=1933 pid=1956 auid=4294967295 uid=989 gid=987 euid=989 suid=989 fsuid=989 egid=987 sgid=987 fsgid=987 ses=4294967295 tty=(none) comm="beam.smp" exe="/usr/lib64/erlang/erts-5.10.1/bin/beam.smp" subj=system_u:system_r:rabbitmq_beam_t:s0 key=(null)
type=SERVICE_START msg=audit(1369476953.774:543): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="ejabberd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1369476953.904:544): avc:  denied  { node_bind } for  pid=1981 comm="beam.smp" scontext=system_u:system_r:rabbitmq_beam_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1369476953.904:544): arch=c000003e syscall=49 success=no exit=-13 a0=8 a1=7fceb7c8cab0 a2=10 a3=7fceb7c8c500 items=0 ppid=1 pid=1981 auid=4294967295 uid=989 gid=987 euid=989 suid=989 fsuid=989 egid=987 sgid=987 fsgid=987 ses=4294967295 tty=(none) comm="beam.smp" exe="/usr/lib64/erlang/erts-5.10.1/bin/beam.smp" subj=system_u:system_r:rabbitmq_beam_t:s0 key=(null)
type=AVC msg=audit(1369476953.965:545): avc:  denied  { getattr } for  pid=1975 comm="beam.smp" path="/var/lib/ejabberd/spool/.erlang.cookie" dev="vda4" ino=3381 scontext=system_u:system_r:rabbitmq_beam_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1369476953.965:545): arch=c000003e syscall=4 success=no exit=-13 a0=7fceb9b40808 a1=7fceb8517d90 a2=7fceb8517d90 a3=0 items=0 ppid=1 pid=1975 auid=4294967295 uid=989 gid=987 euid=989 suid=989 fsuid=989 egid=987 sgid=987 fsgid=987 ses=4294967295 tty=(none) comm="beam.smp" exe="/usr/lib64/erlang/erts-5.10.1/bin/beam.smp" subj=system_u:system_r:rabbitmq_beam_t:s0 key=(null)
type=AVC msg=audit(1369476954.488:546): avc:  denied  { write } for  pid=1981 comm="beam.smp" name="ejabberd" dev="vda4" ino=3229 scontext=system_u:system_r:rabbitmq_beam_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1369476954.488:546): arch=c000003e syscall=2 success=no exit=-13 a0=7fceb7c8dbc0 a1=241 a2=1a0 a3=323530333130325f items=0 ppid=1 pid=1981 auid=4294967295 uid=989 gid=987 euid=989 suid=989 fsuid=989 egid=987 sgid=987 fsgid=987 ses=4294967295 tty=(none) comm="beam.smp" exe="/usr/lib64/erlang/erts-5.10.1/bin/beam.smp" subj=system_u:system_r:rabbitmq_beam_t:s0 key=(null)
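
The denials in the excerpt above repeat several times; grouping them by source type, target type, object class and permission shows the distinct accesses that were blocked. This is an added example, not part of the original report: the records in SAMPLE are abridged from the excerpt, and the function names are illustrative.

```python
import re
from collections import Counter
# Records abridged from the audit.log excerpt in this report: dev= and ino=
# dropped from AVC lines, the SYSCALL and SERVICE_STOP lines cut short.
SAMPLE = """\
type=AVC msg=audit(1369476952.154:534): avc:  denied  { write } for  pid=1896 comm="epmd" path="/run/lock/ejabberdctl/ejabberdctl-1" scontext=system_u:system_r:rabbitmq_epmd_t:s0 tcontext=system_u:object_r:lvm_lock_t:s0 tclass=file
type=AVC msg=audit(1369476952.164:535): avc:  denied  { write } for  pid=1892 comm="beam.smp" path="/run/lock/ejabberdctl/ejabberdctl-1" scontext=system_u:system_r:rabbitmq_beam_t:s0 tcontext=system_u:object_r:lvm_lock_t:s0 tclass=file
type=AVC msg=audit(1369476952.298:536): avc:  denied  { node_bind } for  pid=1915 comm="beam.smp" scontext=system_u:system_r:rabbitmq_beam_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1369476952.298:536): arch=c000003e syscall=49 success=no exit=-13 comm="beam.smp" exe="/usr/lib64/erlang/erts-5.10.1/bin/beam.smp" subj=system_u:system_r:rabbitmq_beam_t:s0
type=AVC msg=audit(1369476952.362:537): avc:  denied  { getattr } for  pid=1905 comm="beam.smp" path="/var/lib/ejabberd/spool/.erlang.cookie" scontext=system_u:system_r:rabbitmq_beam_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1369476952.896:538): avc:  denied  { write } for  pid=1915 comm="beam.smp" name="ejabberd" scontext=system_u:system_r:rabbitmq_beam_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=SERVICE_STOP msg=audit(1369476952.932:539): pid=1 uid=0 msg=' comm="ejabberd" exe="/usr/lib/systemd/systemd" res=failed'
type=AVC msg=audit(1369476953.140:540): avc:  denied  { node_bind } for  pid=1956 comm="beam.smp" scontext=system_u:system_r:rabbitmq_beam_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=udp_socket
type=AVC msg=audit(1369476953.206:541): avc:  denied  { getattr } for  pid=1950 comm="beam.smp" path="/var/lib/ejabberd/spool/.erlang.cookie" scontext=system_u:system_r:rabbitmq_beam_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
"""

AVC_RE = re.compile(r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return one denial as a dict, or None for non-AVC records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    return {
        'source': f['scontext'].split(':')[2],  # SELinux type of the process
        'target': f['tcontext'].split(':')[2],  # SELinux type of the object
        'tclass': f['tclass'],
        'perms': tuple(m.group('perms').split()),
        'object': f.get('path') or f.get('name') or '-',
    }

def summarize(text):
    """Count denials per (source type, target type, class, perms)."""
    counts, objects = Counter(), {}
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec['source'], rec['target'], rec['tclass'], rec['perms'])
        counts[key] += 1
        objects.setdefault(key, set()).add(rec['object'])
    return counts, objects

if __name__ == '__main__':
    counts, objects = summarize(SAMPLE)
    for key, n in sorted(counts.items()):
        print(f"{n}x", *key, sorted(objects[key]))
```

On the sample, seven denials collapse to five distinct accesses, all from the rabbitmq_epmd_t and rabbitmq_beam_t domains.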

Comment 1 Miroslav Grepl 2013-05-28 08:11:53 UTC
We need to add a policy for ejabberd.service

Comment 2 Miroslav Grepl 2013-05-29 06:48:21 UTC
I added support for ejabberd for F19.

Comment 3 Fedora Update System 2013-05-29 14:20:22 UTC
selinux-policy-3.12.1-47.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-47.fc19

Comment 4 Fedora Update System 2013-05-29 17:47:19 UTC
Package selinux-policy-3.12.1-47.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-47.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-9565/selinux-policy-3.12.1-47.fc19
then log in and leave karma (feedback).

Comment 5 Fedora Update System 2013-05-30 03:34:20 UTC
selinux-policy-3.12.1-47.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.