Bug 1341738 - AVC: beam.smp tries to write in SSL certificate
Summary: AVC: beam.smp tries to write in SSL certificate
Keywords:
Status: CLOSED WORKSFORME
Alias: None
Product: RDO
Classification: Community
Component: openstack-selinux
Version: trunk
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: Milestone1
Target Release: trunk
Assignee: Ryan Hallisey
QA Contact: Udi Shkalim
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-06-01 16:14 UTC by Emilien Macchi
Modified: 2017-02-20 04:01 UTC
CC: 5 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-02-20 04:01:03 UTC



Description Emilien Macchi 2016-06-01 16:14:33 UTC
2016-06-01 14:24:47.771 | SELinux is preventing /usr/lib64/erlang/erts-7.3.1/bin/beam.smp from write access on the file centos-7-internap-nyj01-1338789.pem.
2016-06-01 14:24:47.771 | 
2016-06-01 14:24:47.771 | *****  Plugin catchall_labels (83.8 confidence) suggests   *******************
2016-06-01 14:24:47.771 | 
2016-06-01 14:24:47.771 | If you want to allow beam.smp to have write access on the centos-7-internap-nyj01-1338789.pem file
2016-06-01 14:24:47.771 | Then you need to change the label on centos-7-internap-nyj01-1338789.pem
2016-06-01 14:24:47.771 | Do
2016-06-01 14:24:47.771 | # semanage fcontext -a -t FILE_TYPE 'centos-7-internap-nyj01-1338789.pem'
2016-06-01 14:24:47.771 | where FILE_TYPE is one of the following: afs_cache_t, cluster_conf_t, cluster_tmp_t, cluster_var_lib_t, cluster_var_run_t, faillog_t, init_tmp_t, initrc_tmp_t, krb5_host_rcache_t, lastlog_t, puppet_tmp_t, rabbitmq_var_lib_t, rabbitmq_var_lock_t, rabbitmq_var_log_t, rabbitmq_var_run_t, security_t, user_cron_spool_t. 
2016-06-01 14:24:47.771 | Then execute: 
2016-06-01 14:24:47.771 | restorecon -v 'centos-7-internap-nyj01-1338789.pem'
2016-06-01 14:24:47.771 | 
2016-06-01 14:24:47.772 | 
2016-06-01 14:24:47.772 | *****  Plugin catchall (17.1 confidence) suggests   **************************
2016-06-01 14:24:47.772 | 
2016-06-01 14:24:47.772 | If you believe that beam.smp should be allowed write access on the centos-7-internap-nyj01-1338789.pem file by default.
2016-06-01 14:24:47.772 | Then you should report this as a bug.
2016-06-01 14:24:47.772 | You can generate a local policy module to allow this access.
2016-06-01 14:24:47.772 | Do
2016-06-01 14:24:47.772 | allow this access for now by executing:
2016-06-01 14:24:47.772 | # grep async_16 /var/log/audit/audit.log | audit2allow -M mypol
2016-06-01 14:24:47.772 | # semodule -i mypol.pp
2016-06-01 14:24:47.772 | 
2016-06-01 14:24:47.773 | 
2016-06-01 14:24:47.773 | Additional Information:
2016-06-01 14:24:47.773 | Source Context                system_u:system_r:rabbitmq_t:s0
2016-06-01 14:24:47.773 | Target Context                unconfined_u:object_r:etc_t:s0
2016-06-01 14:24:47.773 | Target Objects                centos-7-internap-nyj01-1338789.pem [ file ]
2016-06-01 14:24:47.773 | Source                        async_16
2016-06-01 14:24:47.773 | Source Path                   /usr/lib64/erlang/erts-7.3.1/bin/beam.smp
2016-06-01 14:24:47.773 | Port                          <Unknown>
2016-06-01 14:24:47.773 | Host                          <Unknown>
2016-06-01 14:24:47.773 | Source RPM Packages           erlang-erts-18.3.3-1.el7.x86_64
2016-06-01 14:24:47.773 | Target RPM Packages           
2016-06-01 14:24:47.773 | Policy RPM                    selinux-policy-3.13.1-60.el7_2.3.noarch
2016-06-01 14:24:47.774 | Selinux Enabled               True
2016-06-01 14:24:47.774 | Policy Type                   targeted
2016-06-01 14:24:47.774 | Enforcing Mode                Permissive
2016-06-01 14:24:47.774 | Host Name                     centos-7-internap-nyj01-1338789
2016-06-01 14:24:47.774 | Platform                      Linux centos-7-internap-nyj01-1338789
2016-06-01 14:24:47.774 |                               3.10.0-327.18.2.el7.x86_64 #1 SMP Thu May 12
2016-06-01 14:24:47.774 |                               11:03:55 UTC 2016 x86_64 x86_64
2016-06-01 14:24:47.774 | Alert Count                   12
2016-06-01 14:24:47.774 | First Seen                    2016-06-01 14:00:50 UTC
2016-06-01 14:24:47.774 | Last Seen                     2016-06-01 14:22:50 UTC
2016-06-01 14:24:47.774 | Local ID                      a2e20bec-0eed-4828-bb08-2dd492ab67d9
2016-06-01 14:24:47.775 | 
2016-06-01 14:24:47.775 | Raw Audit Messages
2016-06-01 14:24:47.775 | type=AVC msg=audit(1464790970.956:5132): avc:  denied  { write } for  pid=7758 comm="async_16" name="centos-7-internap-nyj01-1338789.pem" dev="vda1" ino=4702782 scontext=system_u:system_r:rabbitmq_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
2016-06-01 14:24:47.775 | 
2016-06-01 14:24:47.775 | 
2016-06-01 14:24:47.775 | type=SYSCALL msg=audit(1464790970.956:5132): arch=x86_64 syscall=access success=yes exit=0 a0=7f6d5b802e00 a1=2 a2=0 a3=0 items=0 ppid=1 pid=7758 auid=4294967295 uid=493 gid=491 euid=493 suid=493 fsuid=493 egid=491 sgid=491 fsgid=491 tty=(none) ses=4294967295 comm=async_16 exe=/usr/lib64/erlang/erts-7.3.1/bin/beam.smp subj=system_u:system_r:rabbitmq_t:s0 key=(null)
2016-06-01 14:24:47.775 | 
2016-06-01 14:24:47.775 | Hash: async_16,rabbitmq_t,etc_t,file,write

Comment 2 Ryan Hallisey 2016-06-01 17:20:57 UTC
Should rabbit be writing a cert?

The directory it's writing to is '/etc/pki'? It seems to be mislabeled.

restorecon -Rv /etc/pki
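A triage helper for denials of the kind pasted above, added here as an example; it is not code from the report, from the reporter, or from the openstack-selinux project. It parses the two raw audit records, pairs the AVC record with its SYSCALL record by audit serial, and recovers the source and target types. Two details of the SYSCALL record matter for the triage and the code surfaces both: syscall=access with a1=2 (W_OK) means beam.smp only asked whether the certificate was writable and did not write it, and success=yes next to a denied AVC is what permissive mode looks like. The expectation that files under /etc/pki carry cert_t, and the certificate-suffix heuristic that turns an etc_t denial into a "relabel" verdict, are assumptions of the example rather than statements in the report.

```python
"""Triage helper for SELinux AVC denials like the one in this report.

Added example, not code from the bug or from openstack-selinux. It parses
the raw audit records, joins the AVC record to its SYSCALL record by event
serial, and reports which domain was denied which permission on which label,
whether the syscall was a real write or only an access(2) probe, and whether
the denial looks like a mislabeled file rather than a policy gap.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: copies of the two audit records in the report.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1464790970.956:5132): avc:  denied  { write } for  pid=7758 comm="async_16" name="centos-7-internap-nyj01-1338789.pem" dev="vda1" ino=4702782 scontext=system_u:system_r:rabbitmq_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1464790970.956:5132): arch=x86_64 syscall=access success=yes exit=0 a0=7f6d5b802e00 a1=2 a2=0 a3=0 items=0 ppid=1 pid=7758 auid=4294967295 uid=493 gid=491 euid=493 suid=493 fsuid=493 egid=491 sgid=491 fsgid=491 tty=(none) ses=4294967295 comm=async_16 exe=/usr/lib64/erlang/erts-7.3.1/bin/beam.smp subj=system_u:system_r:rabbitmq_t:s0 key=(null)
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="quoted"
PERMS_RE = re.compile(r'\{\s*([^}]*?)\s*\}')         # { write } -> "write"
EVENT_RE = re.compile(r'msg=audit\([\d.]+:(\d+)\)')  # audit(ts:serial) -> serial

W_OK = 2  # access(2) mode bit for "may I write?" (unistd.h)

# Assumed heuristic, not something the report states: /etc/pki is labeled
# cert_t in the targeted policy, so a denial on an etc_t file with a
# certificate-like name points at a missed relabel, which is what the
# `restorecon -Rv /etc/pki` suggested in comment 2 repairs.
CERT_SUFFIXES = (".pem", ".crt", ".key")


@dataclass
class Denial:
    event_id: str
    source_type: str
    target_type: str
    tclass: str
    perms: List[str]
    name: str
    syscall: str = ""
    succeeded: Optional[bool] = None
    access_mode: Optional[int] = None

    def is_permission_probe(self) -> bool:
        # access(2) only asks whether the caller could open the file with
        # the given mode; it never modifies the file.
        return self.syscall == "access"

    def probed_write(self) -> bool:
        return self.access_mode is not None and bool(self.access_mode & W_OK)


def _type_of(context: str) -> str:
    """user:role:type:level -> type"""
    return context.split(":")[2]


def parse_denials(text: str) -> Dict[str, Denial]:
    records = []
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if m:
            fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
            records.append((m.group(1), fields, line))
    denials: Dict[str, Denial] = {}
    # Pass 1: AVC records (record order inside an event is not guaranteed).
    for event_id, f, line in records:
        if f.get("type") == "AVC":
            perms_m = PERMS_RE.search(line)
            denials[event_id] = Denial(
                event_id=event_id,
                source_type=_type_of(f["scontext"]),
                target_type=_type_of(f["tcontext"]),
                tclass=f["tclass"],
                perms=perms_m.group(1).split() if perms_m else [],
                name=f.get("name", ""),
            )
    # Pass 2: attach the SYSCALL record that belongs to each denial.
    for event_id, f, _ in records:
        d = denials.get(event_id)
        if d is None or f.get("type") != "SYSCALL":
            continue
        d.syscall = f.get("syscall", "")
        d.succeeded = f.get("success") == "yes"  # yes + denied AVC => permissive
        if d.syscall == "access":
            d.access_mode = int(f["a1"], 16)     # a1 is the mode argument (hex)
    return denials


def triage(d: Denial) -> str:
    if d.tclass == "file" and d.target_type == "etc_t" and d.name.endswith(CERT_SUFFIXES):
        return "relabel"      # fix the label; do not write an allow rule
    return "investigate"      # needs a look at the policy or the program


def summarize(d: Denial) -> str:
    if d.is_permission_probe() and d.probed_write():
        verb = "probed write access to"
    else:
        verb = "attempted " + ",".join(d.perms) + " on"
    mode = "permissive" if d.succeeded else "enforcing/unknown"
    return (f"event {d.event_id}: {d.source_type} {verb} {d.tclass} {d.name} "
            f"({d.target_type}); syscall={d.syscall}, mode={mode}, verdict={triage(d)}")


if __name__ == "__main__":
    for d in parse_denials(SAMPLE_AUDIT).values():
        print(summarize(d))
```

Run against the pasted records it reports that rabbitmq_t probed write access to an etc_t file under permissive mode and returns the verdict "relabel", which matches the fix in comment 2; only when a denial survives a correct label is a local policy module worth considering.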

Comment 3 Lon Hohberger 2017-02-17 15:25:07 UTC
If this is still an issue, please attach /var/log/audit/audit.log

Comment 4 Emilien Macchi 2017-02-20 04:01:03 UTC
Indeed, I don't see it anymore. I guess it was fixed, but I'm not able to tell when exactly, since I reported the bug a long time ago and didn't check until now.
Closing it for now.

