Created attachment 432014
configuration files

Description of problem:
SELinux denies QPID access to openais when launching first aisexec and then qpidd as service.

cat qpidd.log
2010-07-15 05:26:47 info Registered replication exchange
2010-07-15 05:26:47 notice Initializing CPG
2010-07-15 05:27:07 critical Unexpected error: Timed out waiting for daemon (If store recovery is in progress, use longer wait time)

Version-Release number of selected component (if applicable):
rpm -qa | grep -P '(ais|qpid)' | sort -u
openais-0.80.6-16.el5_5.2
openais-devel-0.80.6-16.el5_5.2
python-qpid-0.7.946106-4.el5
qpid-cpp-client-0.7.946106-6.el5
qpid-cpp-client-devel-0.7.946106-6.el5
qpid-cpp-client-devel-docs-0.7.946106-6.el5
qpid-cpp-client-ssl-0.7.946106-6.el5
qpid-cpp-mrg-debuginfo-0.7.946106-6.el5
qpid-cpp-server-0.7.946106-6.el5
qpid-cpp-server-cluster-0.7.946106-6.el5
qpid-cpp-server-devel-0.7.946106-6.el5
qpid-cpp-server-ssl-0.7.946106-6.el5
qpid-cpp-server-store-0.7.946106-6.el5
qpid-cpp-server-xml-0.7.946106-6.el5
qpid-java-client-0.7.946106-5.el5
qpid-java-common-0.7.946106-5.el5
qpid-tests-0.7.946106-1.el5
qpid-tools-0.7.946106-6.el5

Steps to Reproduce:
[configure /etc/qpidd.conf && /etc/ais/openais.conf && /etc/sasl2/qpidd.conf]
service qpidd stop
kill -9 $(pidof qpidd)
>/tmp/qpidd.log;>/tmp/openais.log
rm -rf /var/lib/qpidd/cluster/ /var/lib/qpidd/_cluster* /var/lib/qpidd/rhm
service openais restart
logger qpidd
service qpidd start
Starting Qpid AMQP daemon: Timed out waiting for daemon (If store recovery is in progress, use longer wait time)
[FAILED]

#/var/log/messages
=snip
Jul 15 04:46:13 ibm-ls21-03 setroubleshoot: SELinux is preventing aisexec (aisexec_t) "ipc_owner" to <Unknown> (aisexec_t). For complete SELinux messages. run sealert -l 124f263e-8df8-4144-ad83-2dbc6cf5b6ee
=cut

# sealert -l 124f263e-8df8-4144-ad83-2dbc6cf5b6ee
Summary:
SELinux is preventing aisexec (aisexec_t) "ipc_owner" to <Unknown> (aisexec_t).

Detailed Description:
SELinux denied access requested by aisexec. It is not expected that this access is required by aisexec and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:
Source Context                root:system_r:aisexec_t
Target Context                root:system_r:aisexec_t
Target Objects                None [ capability ]
Source                        aisexec
Source Path                   /usr/sbin/aisexec
Port                          <Unknown>
Host                          ibm-ls21-03.rhts.eng.bos.redhat.com
Source RPM Packages           openais-0.80.6-16.el5
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-279.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     ibm-ls21-03.rhts.eng.bos.redhat.com
Platform                      Linux ibm-ls21-03.rhts.eng.bos.redhat.com 2.6.18-194.el5 #1 SMP Tue Mar 16 21:52:39 EDT 2010 x86_64 x86_64
Alert Count                   826
First Seen                    Mon Jul 12 11:14:48 2010
Last Seen                     Thu Jul 15 04:46:13 2010
Local ID                      124f263e-8df8-4144-ad83-2dbc6cf5b6ee
Line Numbers

Raw Audit Messages
host=ibm-ls21-03.rhts.eng.bos.redhat.com type=AVC msg=audit(1279183573.736:9822): avc: denied { ipc_owner } for pid=9264 comm="aisexec" capability=15 scontext=root:system_r:aisexec_t:s0 tcontext=root:system_r:aisexec_t:s0 tclass=capability

host=ibm-ls21-03.rhts.eng.bos.redhat.com type=SYSCALL msg=audit(1279183573.736:9822): arch=c000003e syscall=64 success=no exit=-13 a0=5c207a80 a1=3 a2=180 a3=100 items=0 ppid=1 pid=9264 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=492 comm="aisexec" exe="/usr/sbin/aisexec" subj=root:system_r:aisexec_t:s0 key=(null)

Actual results:
qpidd fails to join cluster

Expected results:
qpidd should join cluster when selinux mode is Enforcing
Fixed in selinux-policy-2.4.6-280.el5
You guys will have to add this to your module.
An updated qpidd.pp was sent to mcressmean to be included in the RPM. The source qpidd.te was checked in upstream: http://svn.apache.org/viewvc/qpid/trunk/qpid/cpp/etc/selinux/qpidd.te?revision=964551&view=markup&sortby=date
The verification was pretty straightforward. qpidd service starts? Things are fine. Doesn't start? Things are broken.

Install openais and qpid-cpp-server on a system in Enforcing mode
Configure the cluster and add clustery stuff to /etc/qpidd.conf:
cluster-mechanism=PLAIN
cluster-username=guest
cluster-password=guest
cluster-name=qpid-test-cluster

service openais start
service qpidd start

If the service starts, everything is likely (check for AVCs anyway). If there is a timeout trying to communicate with openais and AVCs are getting generated, that's a failure.

Affects RHEL5 only (RHEL4 does not support cluster, RHEL6 has qpidd policy), and normally we catch this stuff early on in testing since if it's broken, the service doesn't start and AVCs are generated.
Milos, what process is running as initrc_t?

# ps -eZ | grep initrc
Here is the culprit:

root:system_r:initrc_t:s0 24456 ?        00:00:00 qpidd
From the test machine, which Milos set up:

# rpm -qf /usr/share/selinux/packages/qpidd.pp
qpidd-0.5.752581-42.el5

So the following
http://svn.apache.org/viewvc/qpid/trunk/qpid/cpp/etc/selinux/qpidd.te?revision=964551&view=markup&sortby=date
should be added to qpidd.te.

I am switching this bug back to Modified since

msg=audit(1279183573.736:9822): avc: denied { ipc_owner } for pid=9264 comm="aisexec" capability=15 scontext=root:system_r:aisexec_t:s0 tcontext=root:system_r:aisexec_t:s0 tclass=capability

is fixed in the policy.
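An added illustration, not part of the bug report, of how the raw audit messages quoted above are triaged: the AVC and SYSCALL records are grouped by audit event id, the numeric capability and syscall are decoded, and the allow rule a policy fix for this denial needs is derived. The input is a copy of the two records from this report; the capability and syscall tables are assumed subsets (from linux/capability.h and the x86_64 syscall table) covering only what this event uses.

```python
import re
from collections import defaultdict

# Assumed lookup tables, limited to the entries this event needs.
CAPABILITIES = {14: "ipc_lock", 15: "ipc_owner", 16: "sys_module"}
SYSCALLS_X86_64 = {62: "kill", 64: "semget", 65: "semop", 66: "semctl"}
ERRNO = {-13: "EACCES"}

# Copy of the two raw audit records quoted in this bug report.
RAW_AUDIT = """\
host=ibm-ls21-03.rhts.eng.bos.redhat.com type=AVC msg=audit(1279183573.736:9822): avc: denied { ipc_owner } for pid=9264 comm="aisexec" capability=15 scontext=root:system_r:aisexec_t:s0 tcontext=root:system_r:aisexec_t:s0 tclass=capability
host=ibm-ls21-03.rhts.eng.bos.redhat.com type=SYSCALL msg=audit(1279183573.736:9822): arch=c000003e syscall=64 success=no exit=-13 a0=5c207a80 a1=3 a2=180 a3=100 items=0 ppid=1 pid=9264 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=492 comm="aisexec" exe="/usr/sbin/aisexec" subj=root:system_r:aisexec_t:s0 key=(null)
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT_RE = re.compile(r'msg=audit\(([\d.]+:\d+)\)')
PERMS_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')


def parse_records(text):
    """Group audit records by event id: {event_id: {record_type: fields}}."""
    events = defaultdict(dict)
    for line in text.splitlines():
        ev = EVENT_RE.search(line)
        if not ev:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        perms = PERMS_RE.search(line)
        if perms:
            fields["perms"] = perms.group(1).split()
        events[ev.group(1)][fields["type"]] = fields
    return events


def domain(ctx):
    return ctx.split(":")[2]  # root:system_r:aisexec_t:s0 -> aisexec_t


def triage(event):
    """Summarise one denial: who, which capability, which syscall, and the needed rule."""
    avc, sc = event["AVC"], event.get("SYSCALL", {})
    src, tgt = domain(avc["scontext"]), domain(avc["tcontext"])
    x86_64 = sc.get("arch") == "c000003e"
    return {
        "comm": avc["comm"],
        "capability": CAPABILITIES.get(int(avc.get("capability", -1)), "?"),
        "syscall": SYSCALLS_X86_64.get(int(sc.get("syscall", -1)), "?") if x86_64 else "?",
        "errno": ERRNO.get(int(sc.get("exit", 0)), "?"),
        # Same-domain target becomes "self", as audit2allow writes it; this belongs in the domain's .te.
        "allow_rule": f"allow {src} {'self' if src == tgt else tgt}:{avc['tclass']} {' '.join(avc['perms'])};",
    }
```

Running triage over the event from this report yields the rule "allow aisexec_t self:capability ipc_owner;" and shows the failing call was semget returning EACCES, which matches the cluster join timeout seen in qpidd.log.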
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
With SELinux running in the enforcing mode, an attempt to start the qpidd service when the aisexec was already running failed, and the following error message was written to the qpidd.log:

Unexpected error: Timed out waiting for daemon (If store recovery is in progress, use longer wait time)

This was caused by SELinux incorrectly denying qpidd the access to OpenAIS. This update corrects the SELinux policy, resolving this issue.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0026.html