selinux-policy-targeted-3.12.1-171.fc20.noarch

serefpolicy-contrib-3.12.1/rabbitmq.fc:
/usr/lib/erlang/erts.*/bin/beam.* -- gen_context(system_u:object_r:rabbitmq_beam_exec_t,s0)
/usr/lib/erlang/erts.*/bin/epmd -- gen_context(system_u:object_r:rabbitmq_epmd_exec_t,s0)

beam.* is Erlang's virtual machine. All Erlang programs run it, so it is not appropriate to apply its restrictions to all Erlang programs. epmd is similarly used by many Erlang programs. Are there other examples of generic interpreters or VMs used by many services?
tfirg said: /usr/lib64/erlang/erts-5.10.4/bin/erl needs to be bin_t. It is currently lib_t, which is wrong.

/usr/lib64/erlang/erts-5.10.4/bin/beam
/usr/lib64/erlang/erts-5.10.4/bin/beam.smp
/usr/lib64/erlang/erts-5.10.4/bin/erl

These must be bin_t.
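The two rabbitmq.fc entries quoted in the report, and the lib64 paths in the follow-up, can be checked against each other with a small emulation of file_contexts matching. This is an added example, not code from selinux-policy or libselinux: the catch-all lib_t entry in the table is constructed to stand in for the base policy's generic library rule, and the precedence logic (anchored regex, file-type flag must agree, longest literal prefix wins) is a simplification of what matchpathcon(3) and setfiles actually do.

```python
import re

# Constructed file_contexts table. The two rabbitmq entries are the ones
# quoted from serefpolicy-contrib-3.12.1/rabbitmq.fc above; the lib_t
# catch-all is an assumption standing in for the base policy's generic rule.
# Tuple layout: (regex, file-type flag, security context).
# "--" restricts an entry to regular files; None means any file type.
FILE_CONTEXTS = [
    (r"/usr/lib(64)?(/.*)?", None,
     "system_u:object_r:lib_t:s0"),                      # constructed catch-all
    (r"/usr/lib/erlang/erts.*/bin/beam.*", "--",
     "system_u:object_r:rabbitmq_beam_exec_t:s0"),       # quoted from rabbitmq.fc
    (r"/usr/lib/erlang/erts.*/bin/epmd", "--",
     "system_u:object_r:rabbitmq_epmd_exec_t:s0"),       # quoted from rabbitmq.fc
]

FTYPE_FLAGS = {"--": "file", "-d": "dir", "-l": "symlink"}

# Regex metacharacters; everything before the first one is the literal stem.
_META = re.compile(r"[.*?+\[\](){}|\\^$]")


def literal_stem(regex):
    """Literal prefix of a file_contexts regex, used as the specificity measure."""
    return _META.split(regex, maxsplit=1)[0]


def match_context(path, ftype="file", table=FILE_CONTEXTS):
    """Return the context the table assigns to path, or None if nothing matches.

    Simplified emulation of matchpathcon: each regex is anchored at both ends,
    the file-type flag must agree with ftype, and among matching entries the one
    with the longest literal stem wins (later entries break ties).
    """
    best = None
    for regex, flag, context in table:
        if flag is not None and FTYPE_FLAGS[flag] != ftype:
            continue
        if re.fullmatch(regex, path) is None:
            continue
        score = len(literal_stem(regex))
        if best is None or score >= best[0]:
            best = (score, context)
    return None if best is None else best[1]


def type_of(context):
    """Extract the type field from user:role:type:level, or None."""
    return None if context is None else context.split(":")[2]


if __name__ == "__main__":
    for p in ("/usr/lib/erlang/erts-5.10.4/bin/beam.smp",
              "/usr/lib/erlang/erts-5.10.4/bin/epmd",
              "/usr/lib64/erlang/erts-5.10.4/bin/beam.smp",
              "/usr/lib64/erlang/erts-5.10.4/bin/erl"):
        print(p, "->", type_of(match_context(p)))
```

Under these entries the /usr/lib path for the VM gets rabbitmq_beam_exec_t (the specific entry out-ranks the catch-all), while every /usr/lib64 path falls through to the catch-all and gets lib_t, which is the situation the follow-up comment describes. Fixing that in a real policy means a bin_t entry whose stem is at least as specific as the erts pattern; on a live system the authoritative check is `matchpathcon /usr/lib64/erlang/erts-5.10.4/bin/erl` against `ls -Z` on the file.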
https://github.com/wtogami/refpolicy-contrib/commits/couchdb

Modified the upstream refpolicy-contrib:
* Switched back from init_daemon_pid_file to init_daemon_run_dir because Fedora's policy does not yet have https://github.com/TresysTechnology/refpolicy/commit/d64826b60609afab013c4972a5f53ad4e67430ed
* Added Fedora's path to couchjs to solve Bug #1096274.

It still has some problems ...

type=AVC msg=audit(1404632007.715:5116): avc: denied { write } for pid=4274 comm="beam.smp" name="self.ini" dev="dm-0" ino=666198 scontext=system_u:system_r:couchdb_t:s0 tcontext=system_u:object_r:couchdb_conf_t:s0 tclass=file

beam.smp can't write to the .ini file.

type=AVC msg=audit(1404632007.556:5115): avc: denied { getattr } for pid=4286 comm="df" path="/sys/kernel/config" dev="configfs" ino=1514 scontext=system_u:system_r:couchdb_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=dir

The dontaudit rules seem to not work?
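The two AVC records in the comment above map directly onto type-enforcement rules, and reading them that way is how one decides whether a denial needs an allow rule (beam.smp writing its .ini) or a dontaudit (df stat'ing configfs). The parser below is an added example, not audit2allow and not code from the bug or from selinux-policy; the first two log lines are the ones quoted above and the third is constructed only to show how denials sharing a source type, target type and object class merge into one rule.

```python
import re
from collections import defaultdict

# Sample audit lines. The first two are the AVC records quoted in the comment
# above; the third is CONSTRUCTED for this example and is not from the report.
SAMPLE_AVC = [
    'type=AVC msg=audit(1404632007.715:5116): avc: denied { write } for pid=4274 '
    'comm="beam.smp" name="self.ini" dev="dm-0" ino=666198 '
    'scontext=system_u:system_r:couchdb_t:s0 '
    'tcontext=system_u:object_r:couchdb_conf_t:s0 tclass=file',
    'type=AVC msg=audit(1404632007.556:5115): avc: denied { getattr } for pid=4286 '
    'comm="df" path="/sys/kernel/config" dev="configfs" ino=1514 '
    'scontext=system_u:system_r:couchdb_t:s0 '
    'tcontext=system_u:object_r:configfs_t:s0 tclass=dir',
    # constructed record (not from the bug report):
    'type=AVC msg=audit(1404632007.716:5117): avc: denied { read } for pid=4274 '
    'comm="beam.smp" name="self.ini" dev="dm-0" ino=666198 '
    'scontext=system_u:system_r:couchdb_t:s0 '
    'tcontext=system_u:object_r:couchdb_conf_t:s0 tclass=file',
]

# Pull the permission set and the three fields a TE rule needs out of one record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r"\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)


def parse_avc(line):
    """Return {perms, stype, ttype, tclass} for an AVC denial, or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        "perms": set(m.group("perms").split()),
        # contexts are user:role:type:level; TE rules are written on the type
        "stype": m.group("scontext").split(":")[2],
        "ttype": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
    }


def suggest_rules(lines, kind="allow"):
    """Merge denials per (source, target, class) and render them as TE rules.

    kind is "allow" or "dontaudit"; the rule text follows the policy language,
    with braces only when more than one permission is listed.
    """
    merged = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d is not None:
            merged[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    rules = []
    for (s, t, c), perms in sorted(merged.items()):
        p = " ".join(sorted(perms))
        if len(perms) > 1:
            p = "{ " + p + " }"
        rules.append(f"{kind} {s} {t}:{c} {p};")
    return rules


if __name__ == "__main__":
    for rule in suggest_rules(SAMPLE_AVC):
        print(rule)
```

The configfs getattr from df is the kind of noise a policy normally covers with a dontaudit rule rather than an allow, so seeing it in the log is worth a check before adding anything: `semodule -DB` disables all dontaudit rules (and `semodule -B` re-enables them), and `sesearch --dontaudit -s couchdb_t -t configfs_t` shows whether the loaded policy actually contains the rule, which matters here because the thread notes the couchdb module was not being applied at all under systemd.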
Running /usr/bin/erl directly from systemd failed to run with the couchdb_t context. couchdb-1.6.0-7+ added /usr/libexec/couchdb as a wrapper for erl which does run as couchdb_t.
http://wtogami.blogspot.com/2014/07/selinux-problems-with-erlang-on.html Please see my blog entry on the multiple things in selinux-policy that must be fixed. I have fixed the couchdb semodule and erlang for general use. rabbitmq, riak and other erlang services may need developers familiar with them to ensure their policies actually work. Note that on distros with systemd (Fedora and RHEL 7) none of these services were actually using their respective semodules. This means the many bug reports on selinux-policy or these packages are only adding to the confusion.
https://github.com/wtogami/refpolicy-contrib/commits/couchdb Fixed couchdb semodule Part of this must go into the core policy.
It's fixed in selinux-policy-3.12.1-185.fc20 Thank you for your report.
selinux-policy-3.12.1-186.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-186.fc20
Package selinux-policy-3.12.1-186.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-186.fc20'
as soon as you are able to.
Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2014-11479/selinux-policy-3.12.1-186.fc20 then log in and leave karma (feedback).
selinux-policy-3.12.1-187.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-187.fc20
https://bugzilla.redhat.com/show_bug.cgi?id=1096274#c7 This is still very broken.
selinux-policy-3.12.1-188.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-188.fc20
Package selinux-policy-3.12.1-188.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-188.fc20'
as soon as you are able to.
Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2014-11932/selinux-policy-3.12.1-188.fc20 then log in and leave karma (feedback).
I'd installed selinux-policy-3.12.1-192.fc20 and it resolved my Erlang issues. Note that my CouchDB instance is not a "stock" one but is running in a user home folder, i.e. its couchdb.database_dir, couchdb.view_index_dir and log.file are in the user's home folder, and it runs under that user's uid.
This message is a reminder that Fedora 20 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 20. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '20'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 20 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to this bug being closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.