Description of problem: ejabberd won't start, due to SELinux denials, after upgrade from F31 to F33. Version-Release number of selected component (if applicable): ejabberd-20.07-1.fc33.noarch How reproducible: Every time Steps to Reproduce: 1. Upgrade system with ejabberd from F31 to F33 (I don't know if this is a required step) 2. Attempt to start ejabberd Actual results: `journalctl -u ejabberd`: Nov 24 14:58:57 host.example.com systemd[1]: Starting A distributed, fault-tolerant Jabber/XMPP server... Nov 24 15:00:27 host.example.com systemd[1]: ejabberd.service: start operation timed out. Terminating. Nov 24 15:00:29 host.example.com systemd[1]: ejabberd.service: Failed with result 'timeout'. Nov 24 15:00:29 host.example.com systemd[1]: Failed to start A distributed, fault-tolerant Jabber/XMPP server. SELinux denials (in permissive mode): Nov 23 16:34:19 host.example.com audit[139545]: AVC avc: denied { search } for pid=139545 comm="beam.smp" name="/" dev="cgroup2" ino=1 scontext=system_u:system_r:ejabberd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=1 Nov 23 16:34:19 host.example.com audit[139545]: AVC avc: denied { read } for pid=139545 comm="beam.smp" name="cgroup.controllers" dev="cgroup2" ino=4 scontext=system_u:system_r:ejabberd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=1 Nov 23 16:34:19 host.example.com audit[139545]: AVC avc: denied { open } for pid=139545 comm="beam.smp" path="/sys/fs/cgroup/cgroup.controllers" dev="cgroup2" ino=4 scontext=system_u:system_r:ejabberd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=1 Nov 23 16:34:20 host.example.com audit[139545]: AVC avc: denied { name_bind } for pid=139545 comm="2_scheduler" src=3478 scontext=system_u:system_r:ejabberd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=1 Expected results: ejabberd starts Additional info: See also bug 1577363 and bug 1809085.
I can confirm this. After upgrading my server from Fedora 32 to Fedora 33 and updating the configuration, ejabberd didn't start anymore. This seems to be due to the new STUN service that's present in the default configuration: > - > port: 3478 > ip: "::" > transport: udp > module: ejabberd_stun > use_turn: true > ## The server's public IPv4 address: > # turn_ipv4_address: "203.0.113.3" > ## The server's public IPv6 address: > # turn_ipv6_address: "2001:db8::3" If I comment this out, ejabberd starts again. The name_bind denial seems to be the only one preventing ejabberd from starting.
I think you can turn a boolean on to allow ejabberd to do that name bind, like this: $ sudo semanage boolean --on nis_enabled
FEDORA-2021-f8d7785a5d has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-f8d7785a5d
I believe I have a fix for the SELinux policy in the builds associated with this ticket (should be fixed in F33-F36), and with the fixed build you should not need to enable the nis_enabled bool that I mentioned in Comment 2.
F33 update: https://bodhi.fedoraproject.org/updates/FEDORA-2021-fd910a2e59
FEDORA-2021-fd910a2e59 has been pushed to the Fedora 33 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-fd910a2e59` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-fd910a2e59 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2021-f8d7785a5d has been pushed to the Fedora 34 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-f8d7785a5d` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-f8d7785a5d See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2021-f8d7785a5d has been pushed to the Fedora 34 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2021-fd910a2e59 has been pushed to the Fedora 33 stable repository. If problem still persists, please make note of it in this bug report.