Bug 1156081 - Creating federation fails with AVC Deny
Summary: Creating federation fails with AVC Deny
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise MRG
Classification: Red Hat
Component: qpid-cpp
Version: 2.5
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
: ---
Assignee: messaging-bugs
QA Contact: Zdenek Kraus
URL:
Whiteboard:
Depends On:
Blocks: 1261805
 
Reported: 2014-10-23 14:15 UTC by Zdenek Kraus
Modified: 2019-07-11 08:17 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1261805 1264549 (view as bug list)
Environment:
Last Closed: 2015-11-04 15:51:08 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1148984 1 unspecified NEW qpid upgrade/downgrade selinux AVC message found 2024-01-19 19:11:17 UTC

Internal Links: 1148984

Description Zdenek Kraus 2014-10-23 14:15:04 UTC
Description of problem:
This is only related to RHEL 7

When creating a federation between brokers, it is refused by SELinux.

Version-Release number of selected component (if applicable):
qpid-cpp-0.18-25
qpid-cpp-0.18-35

How reproducible:
100%

Steps to Reproduce:
Let us have two brokers, mrg1 and mrg2.

1. setenforce 1
2. qpid-config -b mrg1 add queue q
3. qpid-route queue add mrg1 mrg2 amq.fanout q
4. qpid-route link list mrg1

Actual results:

Host            Port    Transport Durable  State             Last Error
=============================================================================
mrg2    5672    tcp          N     Waiting           Permission denied: mrg2:5672 (qpid/sys/posix/Socket.cpp:161)

# SElinux Audit
type=SERVICE_STOP msg=audit(1414072843.433:2004): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="qpidd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1414072843.433:2005): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="qpidd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1414072843.457:2006): avc:  denied  { read } for  pid=5765 comm="qpidd" name="psched" dev="proc" ino=4026531980 scontext=system_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=SYSCALL msg=audit(1414072843.457:2006): arch=c000003e syscall=2 success=no exit=-13 a0=7fff70add1a0 a1=0 a2=1b6 a3=fd items=0 ppid=1 pid=5765 auid=4294967295 uid=996 gid=996 euid=996 suid=996 fsuid=996 egid=996 sgid=996 fsgid=996 tty=(none) ses=4294967295 comm="qpidd" exe="/usr/sbin/qpidd" subj=system_u:system_r:qpidd_t:s0 key=(null)
type=AVC msg=audit(1414072944.590:2014): avc:  denied  { name_connect } for  pid=5770 comm="qpidd" dest=5672 scontext=system_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:amqp_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1414072944.590:2014): arch=c000003e syscall=42 success=no exit=-13 a0=17 a1=7fd138040ab0 a2=10 a3=7fd13feab730 items=0 ppid=1 pid=5770 auid=4294967295 uid=996 gid=996 euid=996 suid=996 fsuid=996 egid=996 sgid=996 fsgid=996 tty=(none) ses=4294967295 comm="qpidd" exe="/usr/sbin/qpidd" subj=system_u:system_r:qpidd_t:s0 key=(null)
type=AVC msg=audit(1414072946.590:2015): avc:  denied  { name_connect } for  pid=5769 comm="qpidd" dest=5672 scontext=system_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:amqp_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1414072946.590:2015): arch=c000003e syscall=42 success=no exit=-13 a0=16 a1=7fd130015930 a2=10 a3=0 items=0 ppid=1 pid=5769 auid=4294967295 uid=996 gid=996 euid=996 suid=996 fsuid=996 egid=996 sgid=996 fsgid=996 tty=(none) ses=4294967295 comm="qpidd" exe="/usr/sbin/qpidd" subj=system_u:system_r:qpidd_t:s0 key=(null)
type=AVC msg=audit(1414072950.590:2016): avc:  denied  { name_connect } for  pid=5769 comm="qpidd" dest=5672 scontext=system_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:amqp_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1414072950.590:2016): arch=c000003e syscall=42 success=no exit=-13 a0=16 a1=7fd130015810 a2=10 a3=0 items=0 ppid=1 pid=5769 auid=4294967295 uid=996 gid=996 euid=996 suid=996 fsuid=996 egid=996 sgid=996 fsgid=996 tty=(none) ses=4294967295 comm="qpidd" exe="/usr/sbin/qpidd" subj=system_u:system_r:qpidd_t:s0 key=(null)
type=AVC msg=audit(1414072958.590:2017): avc:  denied  { name_connect } for  pid=5769 comm="qpidd" dest=5672 scontext=system_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:amqp_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1414072958.590:2017): arch=c000003e syscall=42 success=no exit=-13 a0=17 a1=7fd1300114b0 a2=10 a3=0 items=0 ppid=1 pid=5769 auid=4294967295 uid=996 gid=996 euid=996 suid=996 fsuid=996 egid=996 sgid=996 fsgid=996 tty=(none) ses=4294967295 comm="qpidd" exe="/usr/sbin/qpidd" subj=system_u:system_r:qpidd_t:s0 key=(null)
type=AVC msg=audit(1414072974.590:2018): avc:  denied  { name_connect } for  pid=5769 comm="qpidd" dest=5672 scontext=system_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:amqp_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1414072974.590:2018): arch=c000003e syscall=42 success=no exit=-13 a0=16 a1=7fd130015320 a2=10 a3=0 items=0 ppid=1 pid=5769 auid=4294967295 uid=996 gid=996 euid=996 suid=996 fsuid=996 egid=996 sgid=996 fsgid=996 tty=(none) ses=4294967295 comm="qpidd" exe="/usr/sbin/qpidd" subj=system_u:system_r:qpidd_t:s0 key=(null)
type=AVC msg=audit(1414073006.590:2019): avc:  denied  { name_connect } for  pid=5769 comm="qpidd" dest=5672 scontext=system_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:amqp_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1414073006.590:2019): arch=c000003e syscall=42 success=no exit=-13 a0=16 a1=7fd130013e20 a2=10 a3=0 items=0 ppid=1 pid=5769 auid=4294967295 uid=996 gid=996 euid=996 suid=996 fsuid=996 egid=996 sgid=996 fsgid=996 tty=(none) ses=4294967295 comm="qpidd" exe="/usr/sbin/qpidd" subj=system_u:system_r:qpidd_t:s0 key=(null)
type=AVC msg=audit(1414073070.590:2020): avc:  denied  { name_connect } for  pid=5769 comm="qpidd" dest=5672 scontext=system_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:amqp_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1414073070.590:2020): arch=c000003e syscall=42 success=no exit=-13 a0=16 a1=7fd130013e20 a2=10 a3=0 items=0 ppid=1 pid=5769 auid=4294967295 uid=996 gid=996 euid=996 suid=996 fsuid=996 egid=996 sgid=996 fsgid=996 tty=(none) ses=4294967295 comm="qpidd" exe="/usr/sbin/qpidd" subj=system_u:system_r:qpidd_t:s0 key=(null)
type=AVC msg=audit(1414073134.590:2021): avc:  denied  { name_connect } for  pid=5769 comm="qpidd" dest=5672 scontext=system_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:amqp_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1414073134.590:2021): arch=c000003e syscall=42 success=no exit=-13 a0=16 a1=7fd13003d540 a2=10 a3=0 items=0 ppid=1 pid=5769 auid=4294967295 uid=996 gid=996 euid=996 suid=996 fsuid=996 egid=996 sgid=996 fsgid=996 tty=(none) ses=4294967295 comm="qpidd" exe="/usr/sbin/qpidd" subj=system_u:system_r:qpidd_t:s0 key=(null)

2014-10-23 16:02:38 [System] info Connecting: mrg2:5672
2014-10-23 16:02:38 [Broker] info Inter-broker link disconnected from mrg2:5672 Success
2014-10-23 16:02:38 [Broker] error Link connection to mrg2:5672 failed: Permission denied: mrg2:5672 (qpid/sys/posix/Socket.cpp:161)
2014-10-23 16:02:54 [System] info Connecting: mrg2:5672
2014-10-23 16:02:54 [Broker] info Inter-broker link disconnected from mrg2:5672 Success
2014-10-23 16:02:54 [Broker] error Link connection to mrg2:5672 failed: Permission denied: mrg2:5672 (qpid/sys/posix/Socket.cpp:161)
2014-10-23 16:03:26 [System] info Connecting: mrg2:5672
2014-10-23 16:03:26 [Broker] info Inter-broker link disconnected from mrg2:5672 Success
2014-10-23 16:03:26 [Broker] error Link connection to mrg2:5672 failed: Permission denied: mrg2:5672 (qpid/sys/posix/Socket.cpp:161)
2014-10-23 16:04:30 [System] info Connecting: mrg2:5672
2014-10-23 16:04:30 [Broker] info Inter-broker link disconnected from mrg2:5672 Success
2014-10-23 16:04:30 [Broker] error Link connection to mrg2:5672 failed: Permission denied: mrg2:5672 (qpid/sys/posix/Socket.cpp:161)
2014-10-23 16:05:34 [System] info Connecting: mrg2:5672
2014-10-23 16:05:34 [Broker] info Inter-broker link disconnected from mrg2:5672 Success
2014-10-23 16:05:34 [Broker] error Link connection to mrg2:5672 failed: Permission denied: mrg2:5672 (qpid/sys/posix/Socket.cpp:161)


Expected results:
creating federation is not blocked by SELinux and federation is successfully created.

Additional info:
Please note that IP addresses were substituted with the strings mrg1 and mrg2.

Comment 5 Milos Malik 2015-08-19 13:02:58 UTC
You're right, Simon. The qpid daemon is not allowed to connect to TCP port 5672 on RHEL-7.

# sesearch -s qpidd_t -t amqp_port_t -c tcp_socket -p name_connect -A -C

# sesearch -s qpidd_t -t amqp_port_t -c tcp_socket -p name_connect -D -C

#
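The two checks a responder does with a report like this one are the same every time: group the AVC records by source type, target type, object class and permission, and work out which allow rule the policy lacks (the sesearch query above, returning nothing for both -A and -D, is the manual form of the second step). The script below is an added example, not part of the bug report or of the qpid-cpp or selinux-policy projects; its input is a handful of AVC lines copied from the report plus one shortened SYSCALL line, embedded as a constructed sample so it runs offline. The output rule shape is the one audit2allow prints; whether such a rule belongs in the distribution policy is the policy maintainer's decision, as it was for this bug.

```python
import re
from collections import Counter

# Constructed sample: three AVC records copied from the bug report above plus a
# shortened SYSCALL record, so that non-AVC lines are exercised by the filter.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1414072843.457:2006): avc:  denied  { read } for  pid=5765 comm="qpidd" name="psched" dev="proc" ino=4026531980 scontext=system_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=SYSCALL msg=audit(1414072843.457:2006): arch=c000003e syscall=2 success=no exit=-13 comm="qpidd" exe="/usr/sbin/qpidd"
type=AVC msg=audit(1414072944.590:2014): avc:  denied  { name_connect } for  pid=5770 comm="qpidd" dest=5672 scontext=system_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:amqp_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1414072946.590:2015): avc:  denied  { name_connect } for  pid=5769 comm="qpidd" dest=5672 scontext=system_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:amqp_port_t:s0 tclass=tcp_socket
"""

# Header of an AVC record: timestamp, serial, result and the permission set.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$'
)
# key=value pairs after "for"; values may be quoted (comm="qpidd") or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None for any other audit record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {
        'timestamp': float(m.group('ts')),
        'serial': int(m.group('serial')),
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'scontext': fields.get('scontext'),
        'tcontext': fields.get('tcontext'),
        'tclass': fields.get('tclass'),
        'fields': fields,
    }


def selinux_type(context):
    """system_u:system_r:qpidd_t:s0 -> qpidd_t (the type field of a context)."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else context


def summarize_denials(log_text):
    """Count denials per (source type, target type, class, permission)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec['result'] != 'denied':
            continue
        for perm in rec['perms']:
            key = (selinux_type(rec['scontext']), selinux_type(rec['tcontext']),
                   rec['tclass'], perm)
            counts[key] += 1
    return counts


def allow_rules(counts):
    """One allow rule per distinct tuple, in the form audit2allow prints.
    A generated rule is a starting point for review, not a policy decision."""
    return sorted(f"allow {s} {t}:{c} {p};" for (s, t, c, p) in counts)


if __name__ == '__main__':
    summary = summarize_denials(SAMPLE_AUDIT_LOG)
    for (src, tgt, cls, perm), n in sorted(summary.items()):
        print(f"{n:3d}  {src} -> {tgt}  {cls}:{perm}")
    print()
    print("\n".join(allow_rules(summary)))
```

Run against a full audit.log the summary separates the connect denial that actually breaks federation (qpidd_t to amqp_port_t, tcp_socket name_connect, repeated once per reconnect attempt) from the unrelated one-off read of /proc/net/psched, which is the subject of the linked bug 1148984.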

Comment 16 Zdenek Kraus 2015-11-04 15:46:22 UTC
resolved by selinux-policy-3.13.1-23.el7_1.21.noarch

-> VERIFIED

Comment 17 Zdenek Kraus 2015-11-04 15:51:08 UTC
The above package is live, moving to close.

-> CLOSED ERRATA

