RDO tickets are now tracked in Jira https://issues.redhat.com/projects/RDO/issues/
Bug 1360165 - Add a rule to allow a non-ephemeral cluster port for rabbitmq
Summary: Add a rule to allow a non-ephemeral cluster port for rabbitmq
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: RDO
Classification: Community
Component: openstack-selinux
Version: trunk
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
: trunk
Assignee: Lon Hohberger
QA Contact: Ofer Blaut
URL:
Whiteboard:
Depends On:
Blocks: 1357522
TreeView+ depends on / blocked
 
Reported: 2016-07-26 06:59 UTC by Michele Baldessari
Modified: 2017-02-17 15:39 UTC (History)
1 user (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2017-02-17 15:39:35 UTC
Embargoed:

Attachments (Terms of Use)

Description Michele Baldessari 2016-07-26 06:59:39 UTC 
Description of problem:
Currently rabbitmq uses port 35672 for cluster communications which is in the 
ephemeral range.

Ephemeral ports are the ports kernel assigns to application if it doesn't specify which port to open. So there is a small chance that this application being started before RabbitMQ itself could grab this port. Unfortunately we've just seen this in the wild.

Via BZ https://bugzilla.redhat.com/show_bug.cgi?id=1357522 we would like
to move rabbit's cluster port outside of this range, to 25672.

This is all ready in https://review.openstack.org/345851, but I'd like to make
sure that we explicitely allow this port in the selinux policy.

Could we add this port to the allowed ports to bind and connect to?
Comment 1 Michele Baldessari 2016-09-15 07:58:05 UTC 
I think we are actually already good to go:
rabbitmq_port_t tcp 25672
corenet_tcp_bind_rabbitmq_port(rabbitmq_t)
corenet_tcp_connect_rabbitmq_port(rabbitmq_t)
Comment 2 Lon Hohberger 2017-02-17 15:39:35 UTC 
[root@localhost ~]# semanage port -l | grep rabbit
rabbitmq_port_t                tcp      25672

0.7.13 has this
Note You need to log in before you can comment on or make changes to this bug.