Description of problem:
This is only related to RHEL 7. When creating a federation between brokers, it is refused by SELinux.

Version-Release number of selected component (if applicable):
qpid-cpp-0.18-25
qpid-cpp-0.18-35

How reproducible:
100%

Steps to Reproduce:
Let's have two brokers, mrg1 and mrg2.
1. setenforce 1
2. qpid-config -b mrg1 add queue q
3. qpid-route queue add mrg1 mrg2 amq.fanout q
4. qpid-route link list mrg1

Actual results:

Host  Port  Transport  Durable  State    Last Error
=============================================================================
mrg2  5672  tcp        N        Waiting  Permission denied: mrg2:5672 (qpid/sys/posix/Socket.cpp:161)

# SELinux Audit
type=SERVICE_STOP msg=audit(1414072843.433:2004): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="qpidd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1414072843.433:2005): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="qpidd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1414072843.457:2006): avc: denied { read } for pid=5765 comm="qpidd" name="psched" dev="proc" ino=4026531980 scontext=system_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=SYSCALL msg=audit(1414072843.457:2006): arch=c000003e syscall=2 success=no exit=-13 a0=7fff70add1a0 a1=0 a2=1b6 a3=fd items=0 ppid=1 pid=5765 auid=4294967295 uid=996 gid=996 euid=996 suid=996 fsuid=996 egid=996 sgid=996 fsgid=996 tty=(none) ses=4294967295 comm="qpidd" exe="/usr/sbin/qpidd" subj=system_u:system_r:qpidd_t:s0 key=(null)
type=AVC msg=audit(1414072944.590:2014): avc: denied { name_connect } for pid=5770 comm="qpidd" dest=5672 scontext=system_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:amqp_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1414072944.590:2014): arch=c000003e syscall=42 success=no exit=-13 a0=17 a1=7fd138040ab0 a2=10 a3=7fd13feab730 items=0 ppid=1 pid=5770 auid=4294967295 uid=996 gid=996 euid=996 suid=996 fsuid=996 egid=996 sgid=996 fsgid=996 tty=(none) ses=4294967295 comm="qpidd" exe="/usr/sbin/qpidd" subj=system_u:system_r:qpidd_t:s0 key=(null)
type=AVC msg=audit(1414072946.590:2015): avc: denied { name_connect } for pid=5769 comm="qpidd" dest=5672 scontext=system_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:amqp_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1414072946.590:2015): arch=c000003e syscall=42 success=no exit=-13 a0=16 a1=7fd130015930 a2=10 a3=0 items=0 ppid=1 pid=5769 auid=4294967295 uid=996 gid=996 euid=996 suid=996 fsuid=996 egid=996 sgid=996 fsgid=996 tty=(none) ses=4294967295 comm="qpidd" exe="/usr/sbin/qpidd" subj=system_u:system_r:qpidd_t:s0 key=(null)
type=AVC msg=audit(1414072950.590:2016): avc: denied { name_connect } for pid=5769 comm="qpidd" dest=5672 scontext=system_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:amqp_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1414072950.590:2016): arch=c000003e syscall=42 success=no exit=-13 a0=16 a1=7fd130015810 a2=10 a3=0 items=0 ppid=1 pid=5769 auid=4294967295 uid=996 gid=996 euid=996 suid=996 fsuid=996 egid=996 sgid=996 fsgid=996 tty=(none) ses=4294967295 comm="qpidd" exe="/usr/sbin/qpidd" subj=system_u:system_r:qpidd_t:s0 key=(null)
type=AVC msg=audit(1414072958.590:2017): avc: denied { name_connect } for pid=5769 comm="qpidd" dest=5672 scontext=system_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:amqp_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1414072958.590:2017): arch=c000003e syscall=42 success=no exit=-13 a0=17 a1=7fd1300114b0 a2=10 a3=0 items=0 ppid=1 pid=5769 auid=4294967295 uid=996 gid=996 euid=996 suid=996 fsuid=996 egid=996 sgid=996 fsgid=996 tty=(none) ses=4294967295 comm="qpidd" exe="/usr/sbin/qpidd" subj=system_u:system_r:qpidd_t:s0 key=(null)
type=AVC msg=audit(1414072974.590:2018): avc: denied { name_connect } for pid=5769 comm="qpidd" dest=5672 scontext=system_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:amqp_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1414072974.590:2018): arch=c000003e syscall=42 success=no exit=-13 a0=16 a1=7fd130015320 a2=10 a3=0 items=0 ppid=1 pid=5769 auid=4294967295 uid=996 gid=996 euid=996 suid=996 fsuid=996 egid=996 sgid=996 fsgid=996 tty=(none) ses=4294967295 comm="qpidd" exe="/usr/sbin/qpidd" subj=system_u:system_r:qpidd_t:s0 key=(null)
type=AVC msg=audit(1414073006.590:2019): avc: denied { name_connect } for pid=5769 comm="qpidd" dest=5672 scontext=system_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:amqp_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1414073006.590:2019): arch=c000003e syscall=42 success=no exit=-13 a0=16 a1=7fd130013e20 a2=10 a3=0 items=0 ppid=1 pid=5769 auid=4294967295 uid=996 gid=996 euid=996 suid=996 fsuid=996 egid=996 sgid=996 fsgid=996 tty=(none) ses=4294967295 comm="qpidd" exe="/usr/sbin/qpidd" subj=system_u:system_r:qpidd_t:s0 key=(null)
type=AVC msg=audit(1414073070.590:2020): avc: denied { name_connect } for pid=5769 comm="qpidd" dest=5672 scontext=system_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:amqp_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1414073070.590:2020): arch=c000003e syscall=42 success=no exit=-13 a0=16 a1=7fd130013e20 a2=10 a3=0 items=0 ppid=1 pid=5769 auid=4294967295 uid=996 gid=996 euid=996 suid=996 fsuid=996 egid=996 sgid=996 fsgid=996 tty=(none) ses=4294967295 comm="qpidd" exe="/usr/sbin/qpidd" subj=system_u:system_r:qpidd_t:s0 key=(null)
type=AVC msg=audit(1414073134.590:2021): avc: denied { name_connect } for pid=5769 comm="qpidd" dest=5672 scontext=system_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:amqp_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1414073134.590:2021): arch=c000003e syscall=42 success=no exit=-13 a0=16 a1=7fd13003d540 a2=10 a3=0 items=0 ppid=1 pid=5769 auid=4294967295 uid=996 gid=996 euid=996 suid=996 fsuid=996 egid=996 sgid=996 fsgid=996 tty=(none) ses=4294967295 comm="qpidd" exe="/usr/sbin/qpidd" subj=system_u:system_r:qpidd_t:s0 key=(null)

2014-10-23 16:02:38 [System] info Connecting: mrg2:5672
2014-10-23 16:02:38 [Broker] info Inter-broker link disconnected from mrg2:5672 Success
2014-10-23 16:02:38 [Broker] error Link connection to mrg2:5672 failed: Permission denied: mrg2:5672 (qpid/sys/posix/Socket.cpp:161)
2014-10-23 16:02:54 [System] info Connecting: mrg2:5672
2014-10-23 16:02:54 [Broker] info Inter-broker link disconnected from mrg2:5672 Success
2014-10-23 16:02:54 [Broker] error Link connection to mrg2:5672 failed: Permission denied: mrg2:5672 (qpid/sys/posix/Socket.cpp:161)
2014-10-23 16:03:26 [System] info Connecting: mrg2:5672
2014-10-23 16:03:26 [Broker] info Inter-broker link disconnected from mrg2:5672 Success
2014-10-23 16:03:26 [Broker] error Link connection to mrg2:5672 failed: Permission denied: mrg2:5672 (qpid/sys/posix/Socket.cpp:161)
2014-10-23 16:04:30 [System] info Connecting: mrg2:5672
2014-10-23 16:04:30 [Broker] info Inter-broker link disconnected from mrg2:5672 Success
2014-10-23 16:04:30 [Broker] error Link connection to mrg2:5672 failed: Permission denied: mrg2:5672 (qpid/sys/posix/Socket.cpp:161)
2014-10-23 16:05:34 [System] info Connecting: mrg2:5672
2014-10-23 16:05:34 [Broker] info Inter-broker link disconnected from mrg2:5672 Success
2014-10-23 16:05:34 [Broker] error Link connection to mrg2:5672 failed: Permission denied: mrg2:5672 (qpid/sys/posix/Socket.cpp:161)

Expected results:
Creating a federation is not blocked by SELinux and the federation is successfully created.

Additional info:
Please note that IP addresses were substituted with the mrg1 and mrg2 strings.
You're right, Simon. The qpid daemon is not allowed to connect to TCP port 5672 on RHEL-7.

# sesearch -s qpidd_t -t amqp_port_t -c tcp_socket -p name_connect -A -C
# sesearch -s qpidd_t -t amqp_port_t -c tcp_socket -p name_connect -D -C
#
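The triage step above (audit log to sesearch lookup) can be scripted; the following is an added example, not part of the original report or of any Red Hat tooling. It collapses the repeated AVC records into distinct denials and builds the allow-rule query used in the comment above for each one. The sample records are constructed by shortening lines from the report, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: AVC/SYSCALL records shortened from the report's audit log.
SAMPLE = """\
type=AVC msg=audit(1414072843.457:2006): avc: denied { read } for pid=5765 comm="qpidd" name="psched" dev="proc" ino=4026531980 scontext=system_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=SYSCALL msg=audit(1414072843.457:2006): arch=c000003e syscall=2 success=no exit=-13 comm="qpidd" exe="/usr/sbin/qpidd"
type=AVC msg=audit(1414072944.590:2014): avc: denied { name_connect } for pid=5770 comm="qpidd" dest=5672 scontext=system_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:amqp_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1414072946.590:2015): avc: denied { name_connect } for pid=5769 comm="qpidd" dest=5672 scontext=system_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:amqp_port_t:s0 tclass=tcp_socket
"""

# Permission set, then source context, target context and object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def summarize_denials(text):
    """Count denials per (source type, target type, class, permission)."""
    counts = Counter()
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, SERVICE_START and other record types
        src = context_type(m["scontext"])
        tgt = context_type(m["tcontext"])
        for perm in m["perms"].split():
            counts[(src, tgt, m["tclass"], perm)] += 1
    return counts


def sesearch_query(key):
    """Build the allow-rule lookup (flags as used in the thread) for one denial."""
    src, tgt, tclass, perm = key
    return f"sesearch -s {src} -t {tgt} -c {tclass} -p {perm} -A -C"


if __name__ == "__main__":
    for key, n in summarize_denials(SAMPLE).most_common():
        print(f"{n:3d}x {' '.join(key)}\n     {sesearch_query(key)}")
```

An empty result from the generated query, as in the comment above, means the loaded policy has no matching allow rule for that denial.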
resolved by selinux-policy-3.13.1-23.el7_1.21.noarch -> VERIFIED
Above package is live, moving to close -> CLOSED ERRATA