Description of problem:
SELinux is preventing /usr/lib64/erlang/lib/couch-1.2.2/priv/couchjs from using the execmem access on a process.

Version-Release number of selected component (if applicable):
couchdb-1.3.1-1.fc19.x86_64
selinux-policy-3.12.1-74.4.fc19.noarch

How reproducible:
-

Steps to Reproduce:
SELinux is preventing /usr/lib64/erlang/lib/couch-1.2.2/priv/couchjs from using the execmem access on a process.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that couchjs should be allowed execmem access on processes labeled rabbitmq_beam_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep couchjs /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:rabbitmq_beam_t:s0
Target Context                system_u:system_r:rabbitmq_beam_t:s0
Target Objects                [ process ]
Source                        couchjs
Source Path                   /usr/lib64/erlang/lib/couch-1.2.2/priv/couchjs
Port                          <Unknown>
Host                          celcius
Source RPM Packages           couchdb-1.3.1-1.fc19.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.12.1-74.4.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     celcius
Platform                      Linux celcius 3.11.1-200.fc19.x86_64 #1 SMP Sat Sep 14 15:04:51 UTC 2013 x86_64 x86_64
Alert Count                   269
First Seen                    2013-07-10 09:22:52 CEST
Last Seen                     2013-09-29 18:01:44 CEST
Local ID                      e786642b-e7a3-47cd-9e34-e9702c981c4a

Raw Audit Messages
type=AVC msg=audit(1380470504.711:525): avc:  denied  { execmem } for  pid=3285 comm="couchjs" scontext=system_u:system_r:rabbitmq_beam_t:s0 tcontext=system_u:system_r:rabbitmq_beam_t:s0 tclass=process

type=SYSCALL msg=audit(1380470504.711:525): arch=x86_64 syscall=mmap success=yes exit=140466332749824 a0=0 a1=10000 a2=7 a3=22 items=0 ppid=3181 pid=3285 auid=4294967295 uid=988 gid=980 euid=988 suid=988 fsuid=988 egid=980 sgid=980 fsgid=980 ses=4294967295 tty=(none) comm=couchjs exe=/usr/lib64/erlang/lib/couch-1.3.1/priv/couchjs subj=system_u:system_r:rabbitmq_beam_t:s0 key=(null)

Hash: couchjs,rabbitmq_beam_t,rabbitmq_beam_t,process,execmem

Actual results:

Expected results:

Additional info:
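Added example (not part of the bug report, and not code from sealert, audit2allow or CouchDB): a small Python script that does by hand what the sealert summary above does. It parses raw AVC and SYSCALL records, builds the same "Hash:" key, counts hits, separates permissive hits (success=yes next to a denial) from enforcing ones (success=no), decodes the mmap arguments to show why the execmem check fired (a0..a3 are hex: a2=7 is PROT_READ|PROT_WRITE|PROT_EXEC, a3=22 is MAP_PRIVATE|MAP_ANONYMOUS), and emits the allow rule audit2allow would generate for it. The sample records are constructed: the first pair is the one quoted in the report, the second pair is a made-up repeat of the same denial as it would look in enforcing mode.

```python
"""Summarise SELinux AVC denials from raw audit records (added example)."""
import re
from collections import defaultdict

# Constructed sample input. Lines 1-2 are the records quoted in the bug report;
# lines 3-4 are an invented enforcing-mode repeat of the same denial (mmap fails
# with -13 = EACCES) so that permissive and enforcing hits can be told apart.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1380470504.711:525): avc:  denied  { execmem } for  pid=3285 comm="couchjs" scontext=system_u:system_r:rabbitmq_beam_t:s0 tcontext=system_u:system_r:rabbitmq_beam_t:s0 tclass=process
type=SYSCALL msg=audit(1380470504.711:525): arch=x86_64 syscall=mmap success=yes exit=140466332749824 a0=0 a1=10000 a2=7 a3=22 items=0 ppid=3181 pid=3285 auid=4294967295 uid=988 gid=980 euid=988 suid=988 fsuid=988 egid=980 sgid=980 fsgid=980 ses=4294967295 tty=(none) comm=couchjs exe=/usr/lib64/erlang/lib/couch-1.3.1/priv/couchjs subj=system_u:system_r:rabbitmq_beam_t:s0 key=(null)
type=AVC msg=audit(1380470600.123:530): avc:  denied  { execmem } for  pid=3290 comm="couchjs" scontext=system_u:system_r:rabbitmq_beam_t:s0 tcontext=system_u:system_r:rabbitmq_beam_t:s0 tclass=process
type=SYSCALL msg=audit(1380470600.123:530): arch=x86_64 syscall=mmap success=no exit=-13 a0=0 a1=10000 a2=7 a3=22 items=0 ppid=3181 pid=3290 auid=4294967295 uid=988 gid=980 euid=988 suid=988 fsuid=988 egid=980 sgid=980 fsgid=980 ses=4294967295 tty=(none) comm=couchjs exe=/usr/lib64/erlang/lib/couch-1.3.1/priv/couchjs subj=system_u:system_r:rabbitmq_beam_t:s0 key=(null)
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')        # key=value or key="value"
PERM_RE = re.compile(r"\{\s*([^}]*?)\s*\}")        # { execmem } in an AVC record
EVENT_RE = re.compile(r"audit\(([\d.]+:\d+)\)")    # audit(<time>:<serial>) links AVC to SYSCALL

PROT_BITS = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC"}
MAP_BITS = {0x01: "MAP_SHARED", 0x02: "MAP_PRIVATE", 0x10: "MAP_FIXED", 0x20: "MAP_ANONYMOUS"}


def parse_audit_records(text):
    """Return one dict per audit line: its key=value fields plus 'event' and, for AVC lines, 'perms'/'denied'."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        m = EVENT_RE.search(fields.get("msg", ""))
        fields["event"] = m.group(1) if m else None
        if fields.get("type") == "AVC":
            m = PERM_RE.search(line)
            fields["perms"] = m.group(1).split() if m else []
            fields["denied"] = " denied " in line
        records.append(fields)
    return records


def _type_of(context):
    """Pull the type field out of user:role:type:level."""
    return context.split(":")[2]


def sealert_hash(avc):
    """Same shape as sealert's 'Hash:' line: comm,source type,target type,class,perms."""
    return ",".join([avc["comm"], _type_of(avc["scontext"]), _type_of(avc["tcontext"]),
                     avc["tclass"], ",".join(avc["perms"])])


def _names(value, table):
    return [name for bit, name in sorted(table.items()) if value & bit]


def decode_mmap(syscall):
    """Decode mmap(addr, length, prot, flags) from the hex a0..a3 of a SYSCALL record."""
    length, prot, flags = (int(syscall[k], 16) for k in ("a1", "a2", "a3"))
    return {
        "length": length,
        "prot": _names(prot, PROT_BITS),
        "flags": _names(flags, MAP_BITS),
        # SELinux checks execmem when a process makes an anonymous mapping both
        # writable and executable (the JIT pattern); the private-file case is not
        # modelled here.
        "needs_execmem": bool(prot & 0x2 and prot & 0x4 and flags & 0x20),
    }


def summarize_denials(text):
    """Group denials by sealert hash; count permissive vs enforcing hits and decode the first mmap seen."""
    by_event = defaultdict(list)
    for r in parse_audit_records(text):
        by_event[r["event"]].append(r)
    summary = {}
    for recs in by_event.values():
        syscalls = [r for r in recs if r.get("type") == "SYSCALL"]
        for avc in (r for r in recs if r.get("type") == "AVC" and r.get("denied")):
            entry = summary.setdefault(sealert_hash(avc), {
                "count": 0, "permissive_hits": 0, "enforced_hits": 0, "mmap": None,
                "source_type": _type_of(avc["scontext"]), "target_type": _type_of(avc["tcontext"]),
                "tclass": avc["tclass"], "perms": list(avc["perms"])})
            entry["count"] += 1
            for sc in syscalls:
                # success=yes beside a denial means the host was permissive at the time.
                entry["permissive_hits" if sc.get("success") == "yes" else "enforced_hits"] += 1
                if sc.get("syscall") == "mmap" and entry["mmap"] is None:
                    entry["mmap"] = decode_mmap(sc)
    return summary


def allow_rules(summary):
    """The TE rule audit2allow would emit for each hash (target == source collapses to 'self')."""
    rules = []
    for e in summary.values():
        target = "self" if e["target_type"] == e["source_type"] else e["target_type"]
        rules.append(f"allow {e['source_type']} {target}:{e['tclass']} {{ {' '.join(e['perms'])} }};")
    return rules


if __name__ == "__main__":
    s = summarize_denials(SAMPLE_AUDIT_LOG)
    for h, e in s.items():
        print(h, e)
    print("\n".join(allow_rules(s)))
```

Two things the decoded output makes visible that the sealert text does not: the denial comes from a 64 KiB anonymous RWX mmap, which is why the check is execmem rather than execmod or execstack; and the rule audit2allow would write, allow rabbitmq_beam_t self:process execmem, grants writable-and-executable memory to every process running as rabbitmq_beam_t, not just couchjs. The later comments in this report show the denial gone after a policy update (selinux-policy-3.12.1-149.fc20), which is the better outcome than shipping the local module.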
Did you need to switch to permissive mode to make it work?
Sorry. I should have mentioned that. -> Yes, I am running in permissive mode at the moment.

$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
$
Hi Egon, is it working only in enforcing mode, or also in permissive mode?
Hi Lukas,

I have updated my machine from Fedora 19 to 20 in the meantime. This is one of the SELinux problems that occurred when I tried to start CouchDB with SELinux in enforcing mode. I think a serious test should be done to make SELinux & CouchDB work nicely:

1) service stop couchdb
2) setenforce 1
3) service start couchdb <and watch /var/log/messages for errors>

Following the above steps in Fedora 20 still does not result in a nice clean start of CouchDB.

kind regards,
Egon
Hi Egon, could you re-test it with the newest selinux-policy package for F20? If problems still persist, please attach your audit log or attach all your AVCs.
Hi Lukas,

I retested the problem with:
couchdb-1.5.0-1.fc20.x86_64
selinux-policy-3.12.1-149.fc20.noarch

# getenforce
Enforcing

The problem with execmem does not seem to occur any more. I see another problem with couchdb and selinux which mentions that Couchdb is trying to use 'df', but I'll register a separate bug for that.

-> I think this bug can be closed now.

kind regards,
Egon
Agree. Thank you for testing!