Description of problem:
Attempted to start RabbitMQ service
SELinux is preventing /usr/lib64/erlang/erts-5.10.4/bin/epmd from 'write' accesses on the file /var/log/rabbitmq/startup_log.

*****  Plugin leaks (86.2 confidence) suggests  *****************************

If you want to ignore epmd trying to write access the startup_log file, because you believe it should not need this access.
Then you should report this as a bug.
You can generate a local policy module to dontaudit this access.
Do
# grep /usr/lib64/erlang/erts-5.10.4/bin/epmd /var/log/audit/audit.log | audit2allow -D -M mypol
# semodule -i mypol.pp

*****  Plugin catchall (14.7 confidence) suggests  **************************

If you believe that epmd should be allowed write access on the startup_log file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep epmd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:rabbitmq_epmd_t:s0
Target Context                system_u:object_r:rabbitmq_var_log_t:s0
Target Objects                /var/log/rabbitmq/startup_log [ file ]
Source                        epmd
Source Path                   /usr/lib64/erlang/erts-5.10.4/bin/epmd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           erlang-erts-R16B-03.1.fc20.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.12.1-119.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.12.9-301.fc20.x86_64 #1 SMP Wed Jan 29 15:56:22 UTC 2014 x86_64 x86_64
Alert Count                   21
First Seen                    2014-01-28 10:34:26 EST
Last Seen                     2014-02-03 11:22:11 EST
Local ID                      bd20d28b-49a8-4827-aa71-2aa5ba5059ea

Raw Audit Messages
type=AVC msg=audit(1391444531.803:509): avc: denied { write } for pid=2832 comm="epmd" path="/var/log/rabbitmq/startup_log" dev="sda3" ino=223889 scontext=system_u:system_r:rabbitmq_epmd_t:s0 tcontext=system_u:object_r:rabbitmq_var_log_t:s0 tclass=file

type=AVC msg=audit(1391444531.803:509): avc: denied { write } for pid=2832 comm="epmd" path="/var/log/rabbitmq/startup_err" dev="sda3" ino=223890 scontext=system_u:system_r:rabbitmq_epmd_t:s0 tcontext=system_u:object_r:rabbitmq_var_log_t:s0 tclass=file

type=SYSCALL msg=audit(1391444531.803:509): arch=x86_64 syscall=execve success=yes exit=0 a0=1fd74c0 a1=1fd7450 a2=1fd62b0 a3=8 items=0 ppid=2731 pid=2832 auid=4294967295 uid=986 gid=983 euid=986 suid=986 fsuid=986 egid=983 sgid=983 fsgid=983 ses=4294967295 tty=(none) comm=epmd exe=/usr/lib64/erlang/erts-5.10.4/bin/epmd subj=system_u:system_r:rabbitmq_epmd_t:s0 key=(null)

Hash: epmd,rabbitmq_epmd_t,rabbitmq_var_log_t,file,write

Additional info:
reporter:       libreport-2.1.11
hashmarkername: setroubleshoot
kernel:         3.12.9-301.fc20.x86_64
type:           libreport
Description of problem:
Attempted to start RabbitMQ service

Additional info:
reporter:       libreport-2.1.11
hashmarkername: setroubleshoot
kernel:         3.12.9-301.fc20.x86_64
type:           libreport
commit eaa7fa0ffc53a790738c67405998a8ba1460e337
Author: Miroslav Grepl <mgrepl>
Date:   Tue Feb 4 11:15:32 2014 +0100

    Allow epmd to manage /var/log/rabbitmq/startup_err file
selinux-policy-3.12.1-126.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-126.fc20
Package selinux-policy-3.12.1-126.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-126.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-2801/selinux-policy-3.12.1-126.fc20
then log in and leave karma (feedback).
Description of problem:
Error occurred in trying to start RabbitMQ

Additional info:
reporter:       libreport-2.1.12
hashmarkername: setroubleshoot
kernel:         3.13.4-200.fc20.x86_64
type:           libreport
Description of problem:
Error occurred when stopping RabbitMQ service

Additional info:
reporter:       libreport-2.1.12
hashmarkername: setroubleshoot
kernel:         3.13.4-200.fc20.x86_64
type:           libreport
Description of problem:
Starting RabbitMQ service

Additional info:
reporter:       libreport-2.1.12
hashmarkername: setroubleshoot
kernel:         3.13.4-200.fc20.x86_64
type:           libreport
Package selinux-policy-3.12.1-127.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-127.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-2801/selinux-policy-3.12.1-127.fc20
then log in and leave karma (feedback).
Description of problem:
Started RabbitMQ server

Additional info:
reporter:       libreport-2.1.12
hashmarkername: setroubleshoot
kernel:         3.13.5-200.fc20.x86_64
type:           libreport
selinux-policy-3.12.1-127.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
The fix in version 3.12.1-127.fc20 helps and the software appears to function. However, more SELinux alerts continue to arise.
Could you attach them?
I continue to use the SELinux troubleshooting tool to report the bugs here, and they are apparently either appended as comments or not appended as duplicates of existing comments. These are strange in that they don't specify /which/ file is being prevented, unlike the first set of bug reports. I don't know if the SELinux tool is a little broken or . . . I'm happy to follow instructions to provide more data.
It looks like the SELinux troubleshooter won't add more comments here when this bug is in CLOSED state. It /did/ just add a comment to #1060809. Would it probably help if I tried the screencast option?
Daniel, I wrote to you in a different thread. I think it will be better for us to store AVCs related to rabbitmq in one thread. Thank you!