Bug 1242954 - SELinux prevents qpidd from starting after update MRGM 3.1 to MRGM 3.2
Status: CLOSED ERRATA
Product: Red Hat Enterprise MRG
Classification: Red Hat
Component: qpid-cpp
Development
Unspecified Linux
high Severity high
: 3.2
Assigned To: Irina Boverman
Zdenek Kraus
: Tracking
Depends On: 1251584
Reported: 2015-07-14 09:22 EDT by Matej Lesko
Modified: 2015-11-04 10:51 EST
Doc Type: Known Issue
Doc Text:
.IMPORTANT: Customers should be aware that they need to upgrade to the latest version of Red Hat Enterprise Linux 6 (6.7.2) and the SELinux policy files shipped with it to get started with MRG-M 3.2. Any other version of RHEL/SELinux can produce `Permission denied` errors.
: 1251584
Last Closed: 2015-11-04 10:51:00 EST
Type: Bug
Description Matej Lesko 2015-07-14 09:22:00 EDT
Description of problem:
After the update, there is a problem with the manual upgrade of the linearstore EFP to the new partitioning structure. After changing the file owner and group of the created files in the qls directory, qpidd says that it has permission denied to access the migrated journal file. The problem is only solved by changing SELinux to permissive mode.

Version-Release number of selected component (if applicable):
RHEL 6.7, 7.1
qpid-cpp-0.34-1

How reproducible:
always

Steps to Reproduce:
1. Install MRGM 3.1
2. Start qpidd
   service qpidd start
3. Create a durable queue, e.g.
   qpid-config add queue test-queue --durable
4. Send some messages
   qpid-send -a test-queue -b $server -m 150 --durable yes
5. Stop qpidd
   service qpidd stop
6. Update to MRGM 3.2 according to the documentation
7. Go to the default store directory
   on RHEL6 /var/lib/qpidd/qls
   on RHEL7 /var/lib/qpidd/.qpidd/qls
8. Upgrade the linearstore EFP to the new partitioning structure according to the documentation
9. Start qpidd

Actual results:
qpidd won't start - Permission denied error will be printed

Expected results:
qpidd starts normally

Additional info:
On RHEL 6.6 SELinux works with this scenario as expected.
Comment 8 Zdenek Kraus 2015-09-14 05:44:21 EDT
MRG 3.2:
qpid-cpp-server-0.34-3

current:
selinux-policy-3.7.19-279.el6_7.5.noarch
.. FAIL
type=AVC msg=audit(1442222583.008:3089): avc:  denied  { read } for  pid=7515 comm="qpidd" name="q" dev=dm-0 ino=136060  context=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:qpidd_var_lib_t:s0 tclass=lnk_file

selinux-policy-3.13.1-23.el7_1.17.noarch
.. FAIL
type=AVC msg=audit(1442222868.693:361): avc:  denied  { read } for  pid=2583 comm="qpidd" name="psched" dev="proc" ino=4026531980 scontext=system_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1442222868.957:362): avc:  denied  { read } for  pid=2583 comm="qpidd" name="q" dev="dm-0" ino=34347348 scontext=system_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:qpidd_var_lib_t:s0 tclass=lnk_file



new packages:
selinux-policy-3.7.19-279.el6_7.6.noarch
.. PASS

selinux-policy-3.13.1-23.el7_1.18.noarch
.. FAIL
type=AVC msg=audit(1442222868.693:361): avc:  denied  { read } for  pid=2583 comm="qpidd" name="psched" dev="proc" ino=4026531980 scontext=system_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1442222868.957:362): avc:  denied  { read } for  pid=2583 comm="qpidd" name="q" dev="dm-0" ino=34347348 scontext=system_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:qpidd_var_lib_t:s0 tclass=lnk_file
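
Added example, not part of Comment 8 or of the qpid or selinux-policy projects: a small triage script that reduces the AVC records quoted above to the (source type, target type, class, permission) tuples the loaded policy is missing. The function names are hypothetical; the sample records are copied from Comment 8.

```python
import re
from collections import defaultdict

# AVC records copied from Comment 8 on this page. The RHEL 6 record, as pasted
# there, has "context=" where AVC records normally carry "scontext=".
SAMPLE_AVC = """\
type=AVC msg=audit(1442222583.008:3089): avc:  denied  { read } for  pid=7515 comm="qpidd" name="q" dev=dm-0 ino=136060  context=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:qpidd_var_lib_t:s0 tclass=lnk_file
type=AVC msg=audit(1442222868.693:361): avc:  denied  { read } for  pid=2583 comm="qpidd" name="psched" dev="proc" ino=4026531980 scontext=system_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1442222868.957:362): avc:  denied  { read } for  pid=2583 comm="qpidd" name="q" dev="dm-0" ino=34347348 scontext=system_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:qpidd_var_lib_t:s0 tclass=lnk_file
"""

DENIED = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    """Return the type from user:role:type[:level], or None if malformed."""
    parts = (context or "").split(":")
    return parts[2] if len(parts) >= 3 else None

def parse_avc(line):
    """Return (source_type, target_type, tclass, perms, name) or None."""
    m = DENIED.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in FIELD.findall(m.group(2))}
    src = selinux_type(f.get("scontext") or f.get("context"))
    tgt = selinux_type(f.get("tcontext"))
    if not (src and tgt and f.get("tclass")):
        return None
    return src, tgt, f["tclass"], m.group(1).split(), f.get("name", "")

def missing_rules(log_text):
    """Map each denied (source, target, class) to rule text and object names."""
    groups = defaultdict(lambda: (set(), set()))
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            perms, names = groups[rec[:3]]
            perms.update(rec[3])
            names.add(rec[4])
    out = {}
    for (src, tgt, tclass), (perms, names) in sorted(groups.items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out[f"allow {src} {tgt}:{tclass} {perm_text};"] = sorted(names)
    return out

if __name__ == "__main__":
    for rule, names in missing_rules(SAMPLE_AVC).items():
        print(rule, "# objects:", ", ".join(names))
```

The rule text only names the permission that was denied; in this bug the denials were resolved by updated selinux-policy packages, as the later comments record.
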
Comment 11 Irina Boverman 2015-09-18 16:06:17 EDT
Fixed in selinux-policy-3.7.19-279.el6_7.6
Comment 14 Zdenek Kraus 2015-11-04 10:46:15 EST
resolved by selinux-policy-3.13.1-23.el7_1.21.noarch

-> VERIFIED
Comment 15 Zdenek Kraus 2015-11-04 10:51:00 EST
The above package is live; moving to close.

-> CLOSED ERRATA
