Description of problem:
RabbitMQ listens on a tcp port for clustering communication. By default, this is the AMQP port + 20000, which is port 25672. Trying to name_bind on this port produces the following denial:

type=AVC msg=audit(1409320961.606:2704): avc: denied { name_bind } for pid=26070 comm="beam.smp" src=25672 scontext=system_u:system_r:rabbitmq_beam_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
type=SYSCALL msg=audit(1409320961.606:2704): arch=c000003e syscall=49 success=yes exit=0 a0=a a1=7f7d999fb9d0 a2=10 a3=1 items=0 ppid=26040 pid=26070 auid=4294967295 uid=994 gid=991 euid=994 suid=994 fsuid=994 egid=991 sgid=991 fsgid=991 tty=(none) ses=4294967295 comm="beam.smp" exe="/usr/lib64/erlang/erts-5.10.4/bin/beam.smp" subj=system_u:system_r:rabbitmq_beam_t:s0 key=(null)

I think it might make sense to add a new port type (rabbitmq_port_t?) and by default label 25672 with it. Port 5672 is covered by amqp_port_t. I've verified I can make the clustering port work with:

semanage port -a -t amqp_port_t -p tcp 25672

But really that port is not carrying AMQP traffic. It's the intercluster chatter. The clustering traffic should probably be a distinct type.

Version-Release number of selected component (if applicable):
rabbitmq-server-3.3.5-1.fc22.noarch
selinux-policy-3.13.1-76.fc22.noarch

How reproducible:
Always

Steps to Reproduce:
1. systemctl start rabbitmq-server.service

Actual results:
Service fails to start, denials in audit.log

Expected results:
Service starts
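An added example (not part of the bug report or the selinux-policy project) showing how to pull the relevant fields out of a name_bind AVC record like the one above and derive the port-labelling command; it uses the denial quoted in the report as constructed sample input and assumes the proposed type name rabbitmq_port_t.

```python
import re

# Constructed sample: the name_bind denial quoted in the bug description.
SAMPLE_AVC = (
    'type=AVC msg=audit(1409320961.606:2704): avc: denied { name_bind } '
    'for pid=26070 comm="beam.smp" src=25672 '
    'scontext=system_u:system_r:rabbitmq_beam_t:s0 '
    'tcontext=system_u:object_r:unreserved_port_t:s0 '
    'tclass=tcp_socket permissive=1'
)

# "avc: denied { perm ... } for key=value key=value ..."
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$'
)
# key=value pairs; values may be quoted (comm="beam.smp") or bare.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the denied permissions and key=value fields of one AVC record,
    or None if the line is not an AVC denial (e.g. the SYSCALL record)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    fields['perms'] = m.group('perms').split()
    return fields


def context_type(ctx):
    """Extract the type component (user:role:TYPE:level) of an SELinux context."""
    return ctx.split(':')[2]


def port_remediation(avc, port_type='rabbitmq_port_t'):
    """For a name_bind denial on a port still labelled unreserved_port_t,
    return the semanage command that gives the port a dedicated type.
    port_type defaults to the name proposed in the bug (an assumption: the
    type must exist in the loaded policy for semanage to accept it)."""
    if avc is None or 'name_bind' not in avc['perms']:
        return None
    if context_type(avc['tcontext']) != 'unreserved_port_t':
        return None  # port already has a specific label; a different fix applies
    proto = 'tcp' if avc.get('tclass') == 'tcp_socket' else 'udp'
    return f"semanage port -a -t {port_type} -p {proto} {avc['src']}"
```

Run it over the audit.log lines that audit2allow would otherwise turn into a blanket allow rule; a port-type assignment is the narrower fix.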
6f0e7414de1e6f28c3db475cb875a673edd74689 7383f728e1dabfcee26154cd105cd6373985934f Assign rabbitmq_port_t in git.
commit 6f0e7414de1e6f28c3db475cb875a673edd74689
Author: Dan Walsh <dwalsh>
Date: Sun Aug 31 06:53:15 2014 -0400

    Assign rabbitmq port. BZ#1135523

https://github.com/selinux-policy/selinux-policy/commit/6f0e7414de1e6f28c3db475cb875a673edd74689

commit 7383f728e1dabfcee26154cd105cd6373985934f
Author: Dan Walsh <dwalsh>
Date: Sun Aug 31 06:53:01 2014 -0400

    Assign rabbitmq port. BZ#1135523

https://github.com/selinux-policy/selinux-policy/commit/7383f728e1dabfcee26154cd105cd6373985934f
Lukas, is this what we want to have?

network_port(rabbitmq, tcp,25672,s0)

I would think about a different name because we want to re-write the rabbit policy which is completely wrong.
But no problem to keep this name for now until we get fixes.
Miroslav,

It's an unassigned port (http://www.speedguide.net/port.php?port=25672) so I don't have a problem with the name rabbitmq. Do you agree?
This bug appears to have been reported against 'rawhide' during the Fedora 22 development cycle. Changing version to '22'. More information and reason for this action is here: https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora22
selinux-policy-3.13.1-116.fc22 has been submitted as an update for Fedora 22. https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-116.fc22
Package selinux-policy-3.13.1-116.fc22:
* should fix your issue,
* was pushed to the Fedora 22 testing repository,
* should be available at your local mirror within two days.

Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-116.fc22'
as soon as you are able to.

Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-3508/selinux-policy-3.13.1-116.fc22
then log in and leave karma (feedback).
selinux-policy-3.13.1-116.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.