Bug 1780824 - rabbitmq_server is denied write to etc
Summary: rabbitmq_server is denied write to etc
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 31
Hardware: Unspecified
OS: Unspecified
low
low
Target Milestone: ---
Assignee: Richard Fiľo
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-12-07 11:15 UTC by drago01
Modified: 2022-06-09 18:27 UTC (History)
6 users (show)

Fixed In Version: selinux-policy-3.14.4-44.fc31
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-01-21 01:38:39 UTC
Type: Bug


Attachments (Terms of Use)

Description drago01 2019-12-07 11:15:01 UTC
Description of problem:
type=AVC msg=audit(1575717011.282:874): avc:  denied  { write } for  pid=11029 comm="7_dirty_io_sche" name="rabbitmq.config" dev="nvme1n1p4" ino=7077995 scontext=system_u:system_r:rabbitmq_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.


Version-Release number of selected component (if applicable):
selinux-policy-3.14.4-40.fc31.noarch


How reproducible:

Install rabbitmq-server and start it

Steps to Reproduce:
1. Install rabbitmq-server
2. Start
3. Observe logs

Actual results:

AVC denied error


Expected results:

No AVC denied error

Additional info:

audit2allow output

#============= rabbitmq_t ==============
allow rabbitmq_t etc_t:file write;

Comment 1 Richard Fiľo 2019-12-17 16:53:29 UTC
It will be fixed in the selinux-policy packages.

RP: https://github.com/fedora-selinux/selinux-policy-contrib/pull/179

Comment 2 Lukas Vrabec 2019-12-17 16:54:34 UTC
commit 43e2de656ea04a4309c98039a1fcddf416ef6dba (HEAD -> rawhide, origin/rawhide, origin/HEAD)
Author: Richard Filo <rfilo>
Date:   Tue Dec 17 16:13:53 2019 +0100

    Add new file context rabbitmq_conf_t.
    
    The rabbitmq_conf_t is context for configuration files.
    Allow rabbitmq_t domain to manage files and dirs labled rabbitmq_conf_t.
    
    Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1780824

Comment 3 Fedora Update System 2020-01-14 01:43:29 UTC
selinux-policy-3.14.4-44.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-397eea28b7

Comment 4 Fedora Update System 2020-01-21 01:38:39 UTC
selinux-policy-3.14.4-44.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.