Bug 1221291 - Add protocol support for MQTT to selinux policies
Summary: Add protocol support for MQTT to selinux policies
Keywords:
Status: CLOSED DEFERRED
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: IoT
 
Reported: 2015-05-13 15:45 UTC by Peter Robinson
Modified: 2024-09-02 07:38 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2024-09-02 07:38:18 UTC
Type: Bug
Embargoed:



Description Peter Robinson 2015-05-13 15:45:22 UTC
It would be useful to have a selinux policy for MQTT (MQ Telemetry Transport) to enable running an MQTT server/broker in enforcing mode.

From the broker side there are currently 3 message brokers that can support MQTT: ActiveMQ, RabbitMQ and mosquitto.

mqtt ports are as follows:
1883/tcp for non encrypted mqtt traffic
8883/tcp for mqtt over SSL/TLS

http://mqtt.org/faq

At least with mosquitto, in testing it doesn't work in enforcing mode; I couldn't find the port details. Possibly file system changes are needed too, but I'm not sure what I need to supply there, and presumably that is broker/server specific, unlike the port?

Comment 1 Jan Kurik 2015-07-15 14:09:57 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 23 development cycle.
Changing version to '23'.

(As we did not run this process for some time, it could also affect pre-Fedora 23 development
cycle bugs. We are very sorry. It will help us with cleanup during Fedora 23 End Of Life. Thank you.)

More information and reason for this action is here:
https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora23

Comment 2 Jan Kurik 2016-02-24 13:24:07 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 24 development cycle.
Changing version to '24'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora24#Rawhide_Rebase

Comment 3 Fedora Admin XMLRPC Client 2016-09-27 15:04:33 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 4 Peter Robinson 2017-04-23 09:53:58 UTC
Any update?

Comment 5 Lukas Vrabec 2019-07-10 07:32:29 UTC
Hi All, 

Is this still actual? 

Thanks,
Lukas.

Comment 6 Peter Robinson 2019-07-10 12:12:03 UTC
> Is this still actual? 

What do you mean by actual? If you mean if it's still a requirement, yes.

Comment 7 Peter Robinson 2019-11-01 12:41:04 UTC
Why did you remove tracking?

Comment 8 Zdenek Pytela 2019-11-07 07:18:29 UTC
Peter,

This is how Tracking is described in bugzilla:

This bug is a tracking bug. That means that this bug is only used as a placeholder for a particular set of changes which are split over a number of different bugs. All those bugs can be set to block this Tracking bug, so we have an easy way to query the status of a larger project based on the dependency tree of the Tracking bug. Tracking bugs do not require a release flag or acks.

Did you really mean it this way?

Comment 9 Peter Robinson 2019-11-09 11:17:26 UTC
(In reply to Zdenek Pytela from comment #8)
> Peter,
> 
> This is how Tracking is described in bugzilla:
> 
> This bug is a tracking bug. That means that this bug is only used as a
> placeholder for a particular set of changes which are split over a number of
> different bugs. All those bugs can be set to block this Tracking bug, so we
> have an easy way to query the status of a larger project based on the
> dependency tree of the Tracking bug. Tracking bugs do not require a release
> flag or acks.
> 
> Did you really mean it this way?

It also means it's not closed or moved to a specific release when it hasn't been fixed, and it's an RFE, so yes, I meant to have it on tracking so it doesn't get closed and I don't have to keep moving it until it's implemented.

Comment 10 Fedora Admin XMLRPC Client 2020-01-23 16:23:53 UTC
This package has changed maintainer in Fedora.
Reassigning to the new maintainer of this component.

Comment 11 Nikola Knazekova 2022-09-06 08:38:28 UTC
Hi Peter,

Can you please reproduce it again and attach AVC messages?


Also, before reproducing, it is useful to have full auditing enabled:

Open /etc/audit/rules.d/audit.rules file in an editor.

 1. Remove the following line if it exists:

-a task,never

 2. Add the following line at the end of the file:

-w /etc/shadow -p w

 3. Restart the audit daemon:

 # service auditd restart

Thank you

Nikola
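
The three steps above as an added example script (not part of this bug report or of the selinux-policy project): it applies the rule edits to a rules file given as an argument, idempotently, so it can be tried on a copy before touching /etc/audit/rules.d/audit.rules. It assumes one rule per line; the auditd restart (step 3) is left to the caller because the script may run unprivileged. The sample rules file it builds is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the bug report or the selinux-policy project: apply
# the three steps from comment 11 to an audit rules file given as argument.
# The edit is idempotent (safe to run twice) and works on a copy for testing
# before touching /etc/audit/rules.d/audit.rules.
# Assumption: one rule per line. Restarting auditd (step 3) is left to the
# caller, since this may run unprivileged:  service auditd restart

enable_full_auditing() {
    rules="$1"
    tmp="$rules.tmp.$$"
    # Step 1: drop an exact "-a task,never" line, which would suppress all
    # task-related records and hide what the reporter is asked to capture.
    grep -v -F -x -- '-a task,never' "$rules" > "$tmp" || true
    # Step 2: append the /etc/shadow write watch once, at the end of the file.
    if ! grep -q -F -x -- '-w /etc/shadow -p w' "$tmp"; then
        printf '%s\n' '-w /etc/shadow -p w' >> "$tmp"
    fi
    mv "$tmp" "$rules"
}

# Count exact occurrences of a rule line; never fails, so it is safe under set -e.
count_rule() {
    grep -c -F -x -- "$2" "$1" || true
}

# Constructed sample rules file (not from the report) containing the line to remove.
make_sample_rules() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
-D
-b 8192
-a task,never
-f 1
EOF
    printf '%s\n' "$f"
}

# Demo on the sample. Against the real file, as root:
#   enable_full_auditing /etc/audit/rules.d/audit.rules && service auditd restart
sample=$(make_sample_rules)
enable_full_auditing "$sample"
cat "$sample"
rm -f "$sample"
```

The watch is matched as a whole line, so a file that already has it is left unchanged, and the temporary file is renamed over the original only after both edits succeed.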

Comment 12 Milos Malik 2022-09-06 08:47:37 UTC
# rpm -qa selinux\* mosquitto\* | sort
mosquitto-2.0.15-1.fc36.x86_64
selinux-policy-36.14-1.fc36.noarch
selinux-policy-devel-36.14-1.fc36.noarch
selinux-policy-targeted-36.14-1.fc36.noarch
# rpm -V mosquitto
# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
# service mosquitto status
Redirecting to /bin/systemctl status mosquitto.service
● mosquitto.service - Mosquitto MQTT Broker
     Loaded: loaded (/usr/lib/systemd/system/mosquitto.service; disabled; vendor preset: disabled)
     Active: active (running) since Tue 2022-09-06 10:34:46 CEST; 9min ago
       Docs: man:mosquitto.conf(5)
             man:mosquitto(8)
    Process: 1800 ExecStartPre=/bin/mkdir -m 740 -p /var/log/mosquitto (code=exited, status=0/SUCCESS)
    Process: 1801 ExecStartPre=/bin/chown mosquitto:mosquitto /var/log/mosquitto (code=exited, status=0/SUCCESS)
    Process: 1802 ExecStartPre=/bin/mkdir -m 740 -p /run/mosquitto (code=exited, status=0/SUCCESS)
    Process: 1803 ExecStartPre=/bin/chown mosquitto:mosquitto /run/mosquitto (code=exited, status=0/SUCCESS)
   Main PID: 1804 (mosquitto)
      Tasks: 1 (limit: 2317)
     Memory: 1.1M
        CPU: 357ms
     CGroup: /system.slice/mosquitto.service
             └─ 1804 /usr/sbin/mosquitto -c /etc/mosquitto/mosquitto.conf

Sep 06 10:34:46 fedora systemd[1]: Starting mosquitto.service - Mosquitto MQTT Broker...
Sep 06 10:34:46 fedora mosquitto[1804]: 1662453286: mosquitto version 2.0.15 starting
Sep 06 10:34:46 fedora mosquitto[1804]: 1662453286: Config loaded from /etc/mosquitto/mosquitto.conf.
Sep 06 10:34:46 fedora mosquitto[1804]: 1662453286: Starting in local only mode. Connections will only be possible from clients running on this machine.
Sep 06 10:34:46 fedora mosquitto[1804]: 1662453286: Create a configuration file which defines a listener to allow remote access.
Sep 06 10:34:46 fedora mosquitto[1804]: 1662453286: For more details see https://mosquitto.org/documentation/authentication-methods/
Sep 06 10:34:46 fedora mosquitto[1804]: 1662453286: Opening ipv4 listen socket on port 1883.
Sep 06 10:34:46 fedora mosquitto[1804]: 1662453286: Opening ipv6 listen socket on port 1883.
Sep 06 10:34:46 fedora mosquitto[1804]: 1662453286: mosquitto version 2.0.15 running
Sep 06 10:34:46 fedora systemd[1]: Started mosquitto.service - Mosquitto MQTT Broker.
# ps -efZ | grep mosq
system_u:system_r:unconfined_service_t:s0 mosquit+ 1804 1  0 10:34 ?       00:00:00 /usr/sbin/mosquitto -c /etc/mosquitto/mosquitto.conf
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 1971 1901  0 10:44 pts/0 00:00:00 grep --color=auto mosq
# ls -lZ /usr/sbin/mosquitto 
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 294008 Aug 17 17:15 /usr/sbin/mosquitto
# ausearch -m avc -m user_avc -m selinux_err -i -ts today
<no matches>
#

The mosquitto service seems to run successfully on my Fedora 36 VM. No configuration changes made.
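
The checks run in comment 12 as an added example script (not from the report or the selinux-policy project). The point it makes explicit is the caveat a practitioner would draw from that session: the broker's process context is unconfined_service_t and /usr/sbin/mosquitto is labelled bin_t, so the daemon is not confined by the targeted policy at all; an empty `ausearch -m avc` therefore shows that nothing was denied, not that a mosquitto policy works in enforcing mode, which is what the RFE asks for. The `ps -efZ` sample below reuses the two lines from the report plus one constructed sshd line; the helper names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the bug report: turn the checks from comment 12
# into small functions. A clean "ausearch -m avc" is only meaningful when the
# service actually runs in a confined domain; a process in unconfined_service_t
# is not restricted by the targeted policy, so enforcing mode cannot produce
# denials for it. On a live host feed `ps -efZ` and `ls -Z` output instead of
# the constructed sample below.

# Extract the SELinux type (third colon-separated field) from a context, e.g.
# system_u:system_r:unconfined_service_t:s0 -> unconfined_service_t
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Print "confined" or "unconfined" for a process context. unconfined_service_t
# is where systemd-started daemons land when no domain transition exists for
# their executable; unconfined_t is the interactive unconfined user domain.
domain_status() {
    case "$(selinux_type "$1")" in
        unconfined_service_t|unconfined_t) echo unconfined ;;
        *) echo confined ;;
    esac
}

# A confined daemon needs its executable labelled with an entrypoint type
# (conventionally *_exec_t); bin_t is the generic label and gives systemd
# nothing to transition to.
exec_label_status() {
    t=$(selinux_type "$1")
    case "$t" in
        *_exec_t) echo "entrypoint:$t" ;;
        *) echo "generic:$t" ;;
    esac
}

# Read `ps -efZ` output on stdin and print "<pid> <domain> <command>" for each
# service running in unconfined_service_t (interactive unconfined_t sessions
# such as the grep itself are not services and are skipped).
unconfined_processes() {
    awk '$1 ~ /^[a-z_]+:[a-z_]+:/ {
        split($1, c, ":");
        if (c[3] == "unconfined_service_t") print $3, c[3], $9
    }'
}

# Constructed sample: the mosquitto and grep lines from the report plus one
# made-up confined sshd line for contrast.
SAMPLE_PS='LABEL                           UID          PID    PPID  C STIME TTY          TIME CMD
system_u:system_r:unconfined_service_t:s0 mosquit+ 1804 1  0 10:34 ?       00:00:00 /usr/sbin/mosquitto -c /etc/mosquitto/mosquitto.conf
system_u:system_r:sshd_t:s0-s0:c0.c1023 root 900 1  0 10:30 ?       00:00:00 /usr/sbin/sshd -D
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 1971 1901  0 10:44 pts/0 00:00:00 grep --color=auto mosq'

# Demo: list unconfined services and classify the binary label from the report.
printf '%s\n' "$SAMPLE_PS" | unconfined_processes
exec_label_status 'system_u:object_r:bin_t:s0'
```

On a real host, `ps -efZ | unconfined_processes` lists every daemon the policy does not confine, and `semanage port -l` shows whether 1883 and 8883 carry a dedicated port type; both are prerequisites for the port and file-context questions raised in the description.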

Comment 13 Peter Robinson 2024-09-02 07:38:18 UTC
Closing until I can revisit.

