Bug 1242954 - SELinux prevents qpidd from starting after update MRGM 3.1 to MRGM 3.2
Summary: SELinux prevents qpidd from starting after update MRGM 3.1 to MRGM 3.2
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise MRG
Classification: Red Hat
Component: qpid-cpp
Version: Development
Hardware: Unspecified
OS: Linux
Priority: high
Severity: high
Target Milestone: 3.2
Target Release: ---
Assignee: Irina Boverman
QA Contact: Zdenek Kraus
URL:
Whiteboard:
Depends On: 1251584
Blocks:
Reported: 2015-07-14 13:22 UTC by Matej Lesko
Modified: 2015-11-04 15:51 UTC

Fixed In Version:
Doc Type: Known Issue
Doc Text:
.IMPORTANT: Customers should be aware that they need to upgrade to the latest version of Red Hat Enterprise Linux 6 (6.7.2) and the SELinux policy files shipped with it to get started with MRG-M 3.2. Any other version of RHEL/SELinux can produce `Permission denied` errors.
Clone Of:
: 1251584
Environment:
Last Closed: 2015-11-04 15:51:00 UTC
Target Upstream Version:
Embargoed:



Description Matej Lesko 2015-07-14 13:22:00 UTC
Description of problem:
After the update there is a problem with the manual upgrade of the linearstore EFP to the new partitioning structure. After changing the file owner and group of the created files in the qls directory, qpidd says that it has permission denied to access the migrated journal file. The problem is only solved by changing SELinux to permissive mode.

Version-Release number of selected component (if applicable):
RHEL 6.7, 7.1
qpid-cpp-0.34-1

How reproducible:
always

Steps to Reproduce:
1. Install MRGM 3.1
2. start qpidd
   service qpidd start
3. Create durable queue e.g.
   qpid-config add queue test-queue --durable
4. Send some messages
   qpid-send -a test-queue -b $server -m 150 --durable yes
5. stop qpidd
   service qpidd stop
6. update to MRGM 3.2 according to documentation
7. go to default store directory
   on RHEL6 /var/lib/qpidd/qls
   on RHEL7 /var/lib/qpidd/.qpidd/qls
8. upgrade linearstore EFP to the new partitioning structure according to documentation
9. start qpidd

Actual results:
qpidd won't start - Permission denied error will be printed

Expected results:
qpidd starts normally

Additional info:
On RHEL 6.6 SELinux works with this scenario as expected.

Comment 8 Zdenek Kraus 2015-09-14 09:44:21 UTC
MRG 3.2:
qpid-cpp-server-0.34-3

current:
selinux-policy-3.7.19-279.el6_7.5.noarch
.. FAIL
type=AVC msg=audit(1442222583.008:3089): avc:  denied  { read } for  pid=7515 comm="qpidd" name="q" dev=dm-0 ino=136060  context=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:qpidd_var_lib_t:s0 tclass=lnk_file

selinux-policy-3.13.1-23.el7_1.17.noarch
.. FAIL
type=AVC msg=audit(1442222868.693:361): avc:  denied  { read } for  pid=2583 comm="qpidd" name="psched" dev="proc" ino=4026531980 scontext=system_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1442222868.957:362): avc:  denied  { read } for  pid=2583 comm="qpidd" name="q" dev="dm-0" ino=34347348 scontext=system_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:qpidd_var_lib_t:s0 tclass=lnk_file



new packages:
selinux-policy-3.7.19-279.el6_7.6.noarch
.. PASS

selinux-policy-3.13.1-23.el7_1.18.noarch
.. FAIL
type=AVC msg=audit(1442222868.693:361): avc:  denied  { read } for  pid=2583 comm="qpidd" name="psched" dev="proc" ino=4026531980 scontext=system_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1442222868.957:362): avc:  denied  { read } for  pid=2583 comm="qpidd" name="q" dev="dm-0" ino=34347348 scontext=system_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:qpidd_var_lib_t:s0 tclass=lnk_file
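
Added example (not part of the original bug report): a Python script that reduces the AVC records pasted in Comment 8 to the distinct source type, target type, object class and permission combinations, which is the set to check against each candidate selinux-policy build. The function names are hypothetical, and treating `context=` as a synonym for `scontext=` is an assumption made so that the first record, as it appears on this page, still parses.

```python
import re
from collections import defaultdict

# AVC records copied from Comment 8 on this page. The first one carries
# "context=" where the others carry "scontext="; both are accepted (assumption).
SAMPLE = """\
type=AVC msg=audit(1442222583.008:3089): avc:  denied  { read } for  pid=7515 comm="qpidd" name="q" dev=dm-0 ino=136060  context=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:qpidd_var_lib_t:s0 tclass=lnk_file
type=AVC msg=audit(1442222868.693:361): avc:  denied  { read } for  pid=2583 comm="qpidd" name="psched" dev="proc" ino=4026531980 scontext=system_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1442222868.957:362): avc:  denied  { read } for  pid=2583 comm="qpidd" name="q" dev="dm-0" ino=34347348 scontext=system_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:qpidd_var_lib_t:s0 tclass=lnk_file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """Return the type field of a user:role:type[:level] context, or None."""
    parts = (context or "").split(":")
    return parts[2] if len(parts) >= 3 else None


def parse_avc(line):
    """Parse one AVC denial line; return None for anything else or malformed."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    src = selinux_type(fields.get("scontext") or fields.get("context"))
    tgt = selinux_type(fields.get("tcontext"))
    if not (src and tgt and "tclass" in fields):
        return None
    return {"perms": m.group("perms").split(), "source_type": src,
            "target_type": tgt, "tclass": fields["tclass"],
            "name": fields.get("name", "")}


def summarize(log_text):
    """Group denials by (source type, target type, class); merge perms and names."""
    summary = defaultdict(lambda: {"perms": set(), "names": set()})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (rec["source_type"], rec["target_type"], rec["tclass"])
            summary[key]["perms"].update(rec["perms"])
            summary[key]["names"].add(rec["name"])
    return dict(summary)


if __name__ == "__main__":
    for (src, tgt, cls), info in sorted(summarize(SAMPLE).items()):
        print(f"{src} -> {tgt}:{cls} perms={sorted(info['perms'])} names={sorted(info['names'])}")
```
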

Comment 11 Irina Boverman 2015-09-18 20:06:17 UTC
Fixed in selinux-policy-3.7.19-279.el6_7.6

Comment 14 Zdenek Kraus 2015-11-04 15:46:15 UTC
resolved by selinux-policy-3.13.1-23.el7_1.21.noarch

-> VERIFIED

Comment 15 Zdenek Kraus 2015-11-04 15:51:00 UTC
Above package is live, moving to close.

-> CLOSED ERRATA

