Description of problem:
Since version 1.1 CouchDB supports normal HTTP connections on port 5984 and SSL connections on port 6984. SELinux does not allow CouchDB to listen on the extra 6984 port.

Version-Release number of selected component (if applicable):
couchdb-1.3.1-3.fc19.x86_64
selinux-policy-targeted-3.12.1-74.13.fc19.noarch

How reproducible:
Always.

Steps to Reproduce:
1. yum install couchdb
2. setenforce 1
3. service couchdb start

Actual results:

Expected results:
CouchDB to listen for SSL connections on port 6984

Additional info:
# sealert -l ac0155e6-f90e-47ab-87f7-c9f9546fbc0b
SELinux is preventing /usr/lib64/erlang/erts-5.10.3/bin/beam from name_bind access on the tcp_socket .

*****  Plugin bind_ports (92.2 confidence) suggests  *************************

If you want to allow /usr/lib64/erlang/erts-5.10.3/bin/beam to bind to network port 6984
Then you need to modify the port type.
Do
# semanage port -a -t PORT_TYPE -p tcp 6984
    where PORT_TYPE is one of the following: amqp_port_t, couchdb_port_t, jabber_client_port_t, jabber_interserver_port_t.

*****  Plugin catchall_boolean (7.83 confidence) suggests  *******************

If you want to allow nis to enabled
Then you must tell SELinux about this by enabling the 'nis_enabled' boolean.
You can read 'None' man page for more details.
Do
setsebool -P nis_enabled 1

*****  Plugin catchall (1.41 confidence) suggests  ***************************

If you believe that beam should be allowed name_bind access on the tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep beam /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:rabbitmq_beam_t:s0
Target Context                system_u:object_r:unreserved_port_t:s0
Target Objects                [ tcp_socket ]
Source                        beam
Source Path                   /usr/lib64/erlang/erts-5.10.3/bin/beam
Port                          6984
Host                          myhost.iginet.local
Source RPM Packages           erlang-erts-R16B-02.3.fc19.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.12.1-74.13.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     myhost.iginet.local
Platform                      Linux myhost.iginet.local 3.11.7-200.fc19.x86_64 #1 SMP Mon Nov 4 14:09:03 UTC 2013 x86_64 x86_64
Alert Count                   1
First Seen                    2013-12-01 08:56:59 CET
Last Seen                     2013-12-01 08:56:59 CET
Local ID                      ac0155e6-f90e-47ab-87f7-c9f9546fbc0b

Raw Audit Messages
type=AVC msg=audit(1385884619.787:4241): avc:  denied  { name_bind } for  pid=9961 comm="beam" src=6984 scontext=system_u:system_r:rabbitmq_beam_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket

type=SYSCALL msg=audit(1385884619.787:4241): arch=x86_64 syscall=bind success=yes exit=0 a0=13 a1=7fff15ebe030 a2=10 a3=1 items=0 ppid=1 pid=9961 auid=4294967295 uid=996 gid=995 euid=996 suid=996 fsuid=996 egid=995 sgid=995 fsgid=995 ses=4294967295 tty=(none) comm=beam exe=/usr/lib64/erlang/erts-5.10.3/bin/beam subj=system_u:system_r:rabbitmq_beam_t:s0 key=(null)

Hash: beam,rabbitmq_beam_t,unreserved_port_t,tcp_socket,name_bind
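The AVC above is a port-label problem, not a missing allow rule: beam runs as rabbitmq_beam_t and tries to name_bind 6984, which the policy only knows as unreserved_port_t (and the syscall shows success=yes only because the host was in Permissive mode). The sealert bind_ports plugin lists couchdb_port_t among the types that domain may bind, so the narrow workaround while waiting for a policy update is to give 6984 that label rather than running with setenforce 0. The script below is an added example and not part of the bug report or of the selinux-policy package: it parses the output format of `semanage port -l`, works out which port type currently covers a port, and prints the one `semanage port` command needed (`-a` for a port that only has the default unreserved label, `-m` for a port that is already defined under another type, nothing if it is already correct). The port listing it reads is a constructed, abridged sample, and the default-label rule for unlisted ports (reserved below 512, hi_reserved below 1024, unreserved above) is the reference-policy convention as I understand it, stated here as an assumption.

```shell
#!/bin/sh
# Added example (not the bug report's or the selinux-policy project's code).
# Decide which `semanage port` command labels PORT with the wanted type,
# given the text that `semanage port -l` prints. Nothing here calls semanage
# itself, so it can be read, tested and reviewed before anything is changed.

# Constructed, abridged sample of `semanage port -l` output. A real listing
# is much longer; 6984 is deliberately absent, mirroring the report.
SAMPLE_PORT_LIST='SELinux Port Type              Proto    Port Number

amqp_port_t                    tcp      15672, 5671-5672
couchdb_port_t                 tcp      5984
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
rabbitmq_port_t                tcp      25672'

# port_label LIST PROTO PORT
# Prints the port type that covers PORT/PROTO in LIST. Ports not listed fall
# back to the policy's default label (assumption: reference-policy defaults).
port_label() {
    list=$1; proto=$2; port=$3
    printf '%s\n' "$list" | awk -v proto="$proto" -v port="$port" '
        $1 ~ /_port_t$/ && $2 == proto {
            # Fields 3..NF are a comma-separated list of ports and lo-hi ranges.
            for (i = 3; i <= NF; i++) {
                item = $i; sub(/,$/, "", item)
                n = split(item, r, "-")
                lo = r[1] + 0
                hi = (n == 2) ? r[2] + 0 : lo
                if (port + 0 >= lo && port + 0 <= hi) { print $1; found = 1; exit }
            }
        }
        END {
            if (!found) {
                if (port + 0 < 512)       print "reserved_port_t"
                else if (port + 0 < 1024) print "hi_reserved_port_t"
                else                      print "unreserved_port_t"
            }
        }'
}

# plan_port_change LIST PROTO PORT WANTED_TYPE
# Prints the semanage command that would give PORT the WANTED_TYPE label,
# or a "nothing to do" line if it already has it.
plan_port_change() {
    list=$1; proto=$2; port=$3; want=$4
    current=$(port_label "$list" "$proto" "$port")
    case $current in
        "$want")
            echo "nothing to do: $proto/$port is already $want" ;;
        reserved_port_t|hi_reserved_port_t|unreserved_port_t)
            # Only the default label applies: add a new local port definition.
            echo "semanage port -a -t $want -p $proto $port" ;;
        *)
            # Already defined under another type: modify it instead of adding,
            # which is what `semanage port -a` would refuse with "already defined".
            echo "semanage port -m -t $want -p $proto $port" ;;
    esac
}

# Usage for the case in this report: the 6984 SSL port is unlabelled, so the
# planner prints `semanage port -a -t couchdb_port_t -p tcp 6984`.
plan_port_change "$SAMPLE_PORT_LIST" tcp 6984 couchdb_port_t
```

On a live host, replace the constructed sample with `"$(semanage port -l)"` and run the printed command as root; `semanage port -l | grep couchdb` afterwards should show both 5984 and 6984 under couchdb_port_t, and the change survives reboots and policy updates because it is a local customization. Remove it with `semanage port -d -t couchdb_port_t -p tcp 6984` once the fixed selinux-policy ships the port in the base policy, so the local definition does not collide with it.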
Bumped the version from Fedora 19 to Fedora 20.

libselinux-2.2.1-6.fc20.x86_64
selinux-policy-3.12.1-122.fc20.noarch
couchdb-1.5.0-1.fc20.x86_64

Workaround: setenforce 0
commit e7ff27ee05314fec9434a934e12ad5c31a830c25 fixes this in git.
selinux-policy-3.12.1-149.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-149.fc20
Package selinux-policy-3.12.1-149.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-149.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-4604/selinux-policy-3.12.1-149.fc20
then log in and leave karma (feedback).
selinux-policy-3.12.1-149.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.