Description of problem: systemd failed to start couchdb because couchdb could not exec an erlang binary Once again couchdb update has broken selinux or vice versa. On my 64bit system, erlang binaries are now in /usr/lib64 which invalidates the existing rabbitmq filecontexts that were in place: /usr/lib/erlang/erts.*/bin/beam.* -- gen_context(system_u:object_r:rabbitmq_beam_exec_t,s0) /usr/lib/erlang/erts.*/bin/epmd -- gen_context(system_u:object_r:rabbitmq_epmd_exec_t,s0) There is apparently a new couchdb specific file context: 'couchdb_exec_t' The binaries in the new lib64 location have a default context, I had to change them with these commands: sudo chcon -v -t couchdb_exec_t /usr/lib64/erlang/erts-5.10.4/bin/beam.* sudo chcon -v -t couchdb_exec_t /usr/lib64/erlang/erts-5.10.4/bin/epmd SELinux is preventing /usr/lib64/erlang/erts-5.10.4/bin/erlexec from 'execute' accesses on the file . ***** Plugin catchall (100. confidence) suggests ************************** If you believe that erlexec should be allowed execute access on the file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep erlexec /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:couchdb_t:s0 Target Context system_u:object_r:unlabeled_t:s0 Target Objects [ file ] Source erlexec Source Path /usr/lib64/erlang/erts-5.10.4/bin/erlexec Port <Unknown> Host (removed) Source RPM Packages erlang-erts-R16B-03.7.fc20.x86_64 Target RPM Packages Policy RPM selinux-policy-3.12.1-189.fc20.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 3.16.6-200.fc20.x86_64 #1 SMP Wed Oct 15 13:06:51 UTC 2014 x86_64 x86_64 Alert Count 10 First Seen 2014-10-18 15:37:43 EDT Last Seen 2014-10-18 15:42:19 EDT Local ID 089e139e-65d6-4ddc-a257-f9f98d8f96de Raw Audit Messages type=AVC msg=audit(1413661339.786:705): avc: denied { execute } for pid=25205 comm="erlexec" name="beam.smp" dev="dm-2" ino=921800 scontext=system_u:system_r:couchdb_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 type=SYSCALL msg=audit(1413661339.786:705): arch=x86_64 syscall=execve success=no exit=EACCES a0=a03050 a1=a032f0 a2=7fff76d51dc8 a3=7fff76d51850 items=0 ppid=1 pid=25205 auid=4294967295 uid=989 gid=986 euid=989 suid=989 fsuid=989 egid=986 sgid=986 fsgid=986 tty=(none) ses=4294967295 comm=erlexec exe=/usr/lib64/erlang/erts-5.10.4/bin/erlexec subj=system_u:system_r:couchdb_t:s0 key=(null) Hash: erlexec,couchdb_t,unlabeled_t,file,execute Additional info: reporter: libreport-2.2.3 hashmarkername: setroubleshoot kernel: 3.16.6-200.fc20.x86_64 type: libreport
And now I see a difference denial regarding the 'df' tool, so perhaps my quick fix was not comprehensive: SELinux is preventing /usr/bin/df from search access on the directory . ***** Plugin catchall (100. confidence) suggests ************************** If you believe that df should be allowed search access on the directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep df /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:couchdb_t:s0 Target Context system_u:object_r:sysctl_fs_t:s0 Target Objects [ dir ] Source df Source Path /usr/bin/df Port <Unknown> Host (removed) Source RPM Packages coreutils-8.21-21.fc20.x86_64 Target RPM Packages Policy RPM selinux-policy-3.12.1-189.fc20.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 3.16.6-200.fc20.x86_64 #1 SMP Wed Oct 15 13:06:51 UTC 2014 x86_64 x86_64 Alert Count 6 First Seen 2014-10-18 15:59:48 EDT Last Seen 2014-10-18 16:59:48 EDT Local ID 71555f05-7390-47d1-a2cd-85111f6d9c43 Raw Audit Messages type=AVC msg=audit(1413665988.725:837): avc: denied { search } for pid=30601 comm="df" name="fs" dev="proc" ino=9937 scontext=system_u:system_r:couchdb_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=dir permissive=0 type=SYSCALL msg=audit(1413665988.725:837): arch=x86_64 syscall=statfs success=no exit=EACCES a0=a3a840 a1=7fff0f97c5d0 a2=7fff0f97c8f0 a3=0 items=0 ppid=27467 pid=30601 auid=4294967295 uid=989 gid=986 euid=989 suid=989 fsuid=989 egid=986 sgid=986 fsgid=986 tty=(none) ses=4294967295 comm=df exe=/usr/bin/df subj=system_u:system_r:couchdb_t:s0 key=(null) Hash: df,couchdb_t,sysctl_fs_t,dir,search
The subsequent denials of '/usr/bin/df' seem related to this issue: https://bugzilla.redhat.com/show_bug.cgi?id=969757 couchdb (erlang) is trying to run df for some reason.
commit 0df8aeee19de7bc3534516a12c41c3a6edecf563 Author: Lukas Vrabec <lvrabec> Date: Tue Oct 21 12:49:47 2014 +0200 Allow couchdb read sysctl_fs_t files. BZ(1154327) fixed in rawhide,F21,F20
Excellent, thanks so much Lukas!
No problem :)
selinux-policy-3.12.1-192.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-192.fc20
Package selinux-policy-3.12.1-192.fc20: * should fix your issue, * was pushed to the Fedora 20 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-192.fc20' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2014-13495/selinux-policy-3.12.1-192.fc20 then log in and leave karma (feedback).
selinux-policy-3.12.1-192.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.