Description of problem:
qpidd service started the recommended way (service qpidd <action>) reliably triggers the following RHEL 6.1 SELinux AVC:

type=AVC msg=audit(1301383207.124:38396): avc: denied { search } for pid=27642 comm="qpidd" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir

This case is observed on RHEL 6.1 beta i386 / x86_64 only.

Version-Release number of selected component (if applicable):
[root@mrg-qe-10 ~]# rpm -qa | grep -E '(qpid|qmf|sesame)'
ruby-qpid-0.7.946106-2.el6.x86_64
qpid-tests-0.10-1.el6.noarch
ruby-qpid-qmf-0.10-4.el6.x86_64
qpid-cpp-server-ssl-0.10-1.el6.x86_64
rh-qpid-cpp-tests-0.10-1.el6.x86_64
qpid-cpp-client-0.10-1.el6.x86_64
python-qpid-qmf-0.10-4.el6.x86_64
qpid-cpp-client-rdma-0.10-1.el6.x86_64
qpid-java-common-0.10-1.el6.noarch
qpid-qmf-devel-0.10-4.el6.x86_64
qpid-cpp-server-xml-0.10-1.el6.x86_64
qpid-cpp-server-store-0.10-1.el6.x86_64
qpid-qmf-0.10-4.el6.x86_64
qpid-java-client-0.10-1.el6.noarch
qpid-cpp-server-devel-0.10-1.el6.x86_64
qpid-cpp-server-cluster-0.10-1.el6.x86_64
qpid-cpp-client-devel-docs-0.10-1.el6.noarch
qpid-cpp-server-0.10-1.el6.x86_64
python-qpid-0.10-1.el6.noarch
qpid-cpp-server-rdma-0.10-1.el6.x86_64
qpid-cpp-client-ssl-0.10-1.el6.x86_64
qpid-cpp-client-devel-0.10-1.el6.x86_64
qpid-java-example-0.10-1.el6.noarch
qpid-tools-0.10-1.el6.noarch
sesame-0.10-1.el6.x86_64

How reproducible:
100%

Steps to Reproduce:
see bottom section for steps

Actual results:
qpidd broker daemon triggers SELinux AVCs.

Expected results:
qpidd broker daemon should not trigger SELinux AVCs.
Additional info (steps):

[root@mrg-qe-10 ~]# rm -f /var/log/audit/audit.log
[root@mrg-qe-10 ~]# service auditd restart
Stopping auditd: [ OK ]
Starting auditd: [ OK ]
[root@mrg-qe-10 ~]# grep AVC /var/log/audit/audit.log
[root@mrg-qe-10 ~]# service qpidd restart
Stopping Qpid AMQP daemon: [ OK ]
Starting Qpid AMQP daemon: [ OK ]
[root@mrg-qe-10 ~]# grep AVC /var/log/audit/audit.log
type=AVC msg=audit(1301383207.124:38396): avc: denied { search } for pid=27642 comm="qpidd" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
[root@mrg-qe-10 ~]# getenforce
Enforcing
[root@mrg-qe-10 ~]# rpm -qa | grep -E '(qpid|qmf|sesame)'
ruby-qpid-0.7.946106-2.el6.x86_64
qpid-tests-0.10-1.el6.noarch
ruby-qpid-qmf-0.10-4.el6.x86_64
qpid-cpp-server-ssl-0.10-1.el6.x86_64
rh-qpid-cpp-tests-0.10-1.el6.x86_64
qpid-cpp-client-0.10-1.el6.x86_64
python-qpid-qmf-0.10-4.el6.x86_64
qpid-cpp-client-rdma-0.10-1.el6.x86_64
qpid-java-common-0.10-1.el6.noarch
qpid-qmf-devel-0.10-4.el6.x86_64
qpid-cpp-server-xml-0.10-1.el6.x86_64
qpid-cpp-server-store-0.10-1.el6.x86_64
qpid-qmf-0.10-4.el6.x86_64
qpid-java-client-0.10-1.el6.noarch
qpid-cpp-server-devel-0.10-1.el6.x86_64
qpid-cpp-server-cluster-0.10-1.el6.x86_64
qpid-cpp-client-devel-docs-0.10-1.el6.noarch
qpid-cpp-server-0.10-1.el6.x86_64
python-qpid-0.10-1.el6.noarch
qpid-cpp-server-rdma-0.10-1.el6.x86_64
qpid-cpp-client-ssl-0.10-1.el6.x86_64
qpid-cpp-client-devel-0.10-1.el6.x86_64
qpid-java-example-0.10-1.el6.noarch
qpid-tools-0.10-1.el6.noarch
sesame-0.10-1.el6.x86_64
[root@mrg-qe-10 ~]# uname -a
Linux mrg-qe-10.lab.eng.brq.redhat.com 2.6.32-125.el6.x86_64 #1 SMP Mon Mar 21 10:06:08 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux
[root@mrg-qe-10 ~]# head -1 /etc/issue
Red Hat Enterprise Linux Server release 6.1 Beta (Santiago)
An update, issue pending on packages:

[root@dhcp-26-228 examples]# rpm -qa | grep -E '(qpid|qmf|sesame)' | sort
libvirt-qpid-0.2.22-6.el6.i686
python-qpid-0.10-1.el6.noarch
python-qpid-qmf-0.10-10.el6.i686
qpid-cpp-client-0.10-6.el6.i686
qpid-cpp-client-devel-0.10-6.el6.i686
qpid-cpp-client-devel-docs-0.10-6.el6.noarch
qpid-cpp-client-rdma-0.10-6.el6.i686
qpid-cpp-client-ssl-0.10-6.el6.i686
qpid-cpp-debuginfo-0.10-6.el6.i686
qpid-cpp-server-0.10-6.el6.i686
qpid-cpp-server-cluster-0.10-6.el6.i686
qpid-cpp-server-devel-0.10-6.el6.i686
qpid-cpp-server-rdma-0.10-6.el6.i686
qpid-cpp-server-ssl-0.10-6.el6.i686
qpid-cpp-server-store-0.10-6.el6.i686
qpid-cpp-server-xml-0.10-6.el6.i686
qpid-java-client-0.10-6.el6.noarch
qpid-java-common-0.10-6.el6.noarch
qpid-java-example-0.10-6.el6.noarch
qpid-java-jca-0.10-6.el6.noarch
qpid-qmf-0.10-10.el6.i686
qpid-qmf-debuginfo-0.10-10.el6.i686
qpid-qmf-devel-0.10-10.el6.i686
qpid-tests-0.10-1.el6.noarch
qpid-tools-0.10-5.el6.noarch
rh-qpid-cpp-tests-0.10-6.el6.i686
ruby-qpid-0.7.946106-2.el6.i686
ruby-qpid-qmf-0.10-10.el6.i686
sesame-0.10-1.el6.i686
sesame-debuginfo-0.10-1.el6.i686

The AVC is detected after 'service qpidd start', as the transcript below shows:

[root@dhcp-26-228 examples]# grep -i AVC /var/log/audit/audit.log
type=AVC msg=audit(1307710727.291:785): avc: denied { search } for pid=30286 comm="qpidd" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
[root@dhcp-26-228 examples]# tail -5 /etc/qpidd.conf
# "qpidd --help" or "man qpidd" for more details.
cluster-mechanism=ANONYMOUS
auth=no
#cluster-name=X
[root@dhcp-26-228 examples]# service qpidd restart
Stopping Qpid AMQP daemon: [ OK ]
Starting Qpid AMQP daemon: [ OK ]
[root@dhcp-26-228 examples]# grep -i AVC /var/log/audit/audit.log
type=AVC msg=audit(1307710727.291:785): avc: denied { search } for pid=30286 comm="qpidd" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
type=AVC msg=audit(1307710825.207:798): avc: denied { search } for pid=30328 comm="qpidd" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
[root@dhcp-26-228 examples]# service qpidd stop
Stopping Qpid AMQP daemon: [ OK ]
[root@dhcp-26-228 examples]# grep -i AVC /var/log/audit/audit.log
type=AVC msg=audit(1307710727.291:785): avc: denied { search } for pid=30286 comm="qpidd" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
type=AVC msg=audit(1307710825.207:798): avc: denied { search } for pid=30328 comm="qpidd" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
[root@dhcp-26-228 examples]# service qpidd start
Starting Qpid AMQP daemon: [ OK ]
[root@dhcp-26-228 examples]# grep -i AVC /var/log/audit/audit.log
type=AVC msg=audit(1307710727.291:785): avc: denied { search } for pid=30286 comm="qpidd" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
type=AVC msg=audit(1307710825.207:798): avc: denied { search } for pid=30328 comm="qpidd" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
type=AVC msg=audit(1307710861.195:819): avc: denied { search } for pid=30384 comm="qpidd" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
[root@dhcp-26-228 examples]# ps auxZ | grep qpidd
unconfined_u:system_r:qpidd_t:s0 qpidd 30384 0.1 1.7 51916 6752 ? Ssl 15:01 0:00 /usr/sbin/qpidd --data-dir /var/lib/qpidd --daemon
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 30419 0.0 0.1 4328 740 pts/2 S+ 15:01 0:00 grep qpidd
[root@dhcp-26-228 examples]# uname -a
Linux dhcp-26-228... 2.6.32-131.0.15.el6.i686 #1 SMP Tue May 10 15:42:28 EDT 2011 i686 i686 i386 GNU/Linux
[root@dhcp-26-228 examples]# head -1 /etc/issue
Red Hat Enterprise Linux Server release 6.1 (Santiago)
The same problem here on both RHEL6 i386/x86_64, all packages updated from RHN to the latest version:

# grep AVC /var/log/audit/audit.log
# service qpidd restart
Stopping Qpid AMQP daemon: [FAILED]
Starting Qpid AMQP daemon: Daemon startup failed: Failed to initialize CPG.: library (2)
 [FAILED]
# grep AVC /var/log/audit/audit.log
type=AVC msg=audit(1317898912.634:26262): avc: denied { search } for pid=1886 comm="qpidd" name="/" dev=tmpfs ino=5531 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
# getenforce
Enforcing
# rpm -qa | grep -E '(qpid|qmf|sesame)' | sort
python-qpid-0.10-1.el6.noarch
python-qpid-qmf-0.10-10.el6.i686
qpid-cpp-client-0.10-6.el6.i686
qpid-cpp-client-devel-0.10-6.el6.i686
qpid-cpp-client-devel-docs-0.10-6.el6.noarch
qpid-cpp-client-rdma-0.10-6.el6.i686
qpid-cpp-client-ssl-0.10-6.el6.i686
qpid-cpp-debuginfo-0.10-6.el6.i686
qpid-cpp-server-0.10-6.el6.i686
qpid-cpp-server-cluster-0.10-6.el6.i686
qpid-cpp-server-devel-0.10-6.el6.i686
qpid-cpp-server-rdma-0.10-6.el6.i686
qpid-cpp-server-ssl-0.10-6.el6.i686
qpid-cpp-server-store-0.10-6.el6.i686
qpid-cpp-server-xml-0.10-6.el6.i686
qpid-java-client-0.10-9.el6.noarch
qpid-java-common-0.10-9.el6.noarch
qpid-java-example-0.10-9.el6.noarch
qpid-qmf-0.10-10.el6.i686
qpid-tools-0.10-5.el6.noarch
rh-qpid-cpp-tests-0.10-6.el6.i686
sesame-0.10-1.el6.i686
The issue is still pending on:
python-qpid-0.12-1.el6.noarch
python-qpid-qmf-0.12-6.el6.i686
qpid-cpp-*0.12-6.el6.i686
qpid-java-*0.10-11.el6.noarch
qpid-qmf-0.12-6.el6.i686
qpid-qmf-debuginfo-0.12-6.el6.i686
qpid-qmf-devel-0.12-6.el6.i686
qpid-tests-0.12-1.el6.noarch
qpid-tools-0.12-2.el6.noarch
rh-qpid-cpp-tests-0.12-6.el6.i686
ruby-qpid-0.7.946106-2.el6.i686
ruby-qpid-qmf-0.12-6.el6.i686
The issue is visible only if clustering is enabled by cluster-name=<name>, as the following transcript shows:

[root@dhcp-lab-231 ~]# setenforce 0
[root@dhcp-lab-231 ~]# htop
[root@dhcp-lab-231 ~]# service qpidd restart
Stopping Qpid AMQP daemon: [FAILED]
Starting Qpid AMQP daemon: [ OK ]
[root@dhcp-lab-231 ~]# setenforce 1
[root@dhcp-lab-231 ~]# service qpidd restart
Stopping Qpid AMQP daemon: [ OK ]
Starting Qpid AMQP daemon: Daemon startup failed: Failed to initialize CPG.: library (2)
 [FAILED]
[root@dhcp-lab-231 ~]# setenforce 0
[root@dhcp-lab-231 ~]# service qpidd restart
Stopping Qpid AMQP daemon: [FAILED]
Starting Qpid AMQP daemon: [ OK ]
[root@dhcp-lab-231 ~]# service qpidd stop
Stopping Qpid AMQP daemon: [ OK ]
[root@dhcp-lab-231 ~]# vi /etc/qpidd.conf
[root@dhcp-lab-231 ~]# service qpidd restart
Stopping Qpid AMQP daemon: [FAILED]
Starting Qpid AMQP daemon: [ OK ]
[root@dhcp-lab-231 ~]# qpid-stat -b
Brokers
  broker          cluster       uptime  conn  sess  exch  queue
  ===============================================================
  localhost:5672  <standalone>  10s        1     1     8     12

[root@dhcp-lab-231 ~]# setenforce 1
[root@dhcp-lab-231 ~]# service qpidd restart
Stopping Qpid AMQP daemon: [ OK ]
Starting Qpid AMQP daemon: [ OK ]
[root@dhcp-lab-231 ~]# getenforce
Enforcing
[root@dhcp-lab-231 ~]# qpid-stat -b
Brokers
  broker          cluster       uptime  conn  sess  exch  queue
  ===============================================================
  localhost:5672  <standalone>  15s        1     1     8     12

[root@dhcp-lab-231 ~]# getenforce
Enforcing
[root@dhcp-lab-231 ~]# service qpidd restart
Stopping Qpid AMQP daemon: [ OK ]
Starting Qpid AMQP daemon: [ OK ]
This is an SELinux policy issue. We have dev_read_sysfs(qpidd_t) in Fedora policy. We need to backport the qpidd policy from Fedora 16 to RHEL6.
Fixed in selinux-policy-3.10.0-58.fc16
I'm not clear whether the change was applied to selinux-policy-3.7.19-126.el6.noarch. But as the behavior slightly changed, it looks like it was.

The behavior of qpid 0.14 on RHEL 6.2 is slightly better but still producing AVCs, see the detailed list below...

-> ASSIGNED

# Installed packages
[root@dhcp-27-49 ~]# uname -a
Linux dhcp-27-49.brq.redhat.com 2.6.32-220.el6.i686 #1 SMP Wed Nov 9 08:02:18 EST 2011 i686 i686 i386 GNU/Linux
[root@dhcp-27-49 ~]# rpm -q selinux-policy
selinux-policy-3.7.19-126.el6.noarch
[root@dhcp-27-49 ~]# rpm -qa | egrep 'qpid|sesame|corosync' | sort
corosync-1.4.1-4.el6.i686
corosynclib-1.4.1-4.el6.i686
corosynclib-devel-1.4.1-4.el6.i686
python-qpid-0.14-1.el6.noarch
python-qpid-qmf-0.14-2.el6.i686
qpid-cpp-client-0.14-1.el6.i686
qpid-cpp-client-devel-0.14-1.el6.i686
qpid-cpp-client-rdma-0.14-1.el6.i686
qpid-cpp-client-ssl-0.14-1.el6.i686
qpid-cpp-debuginfo-0.14-1.el6.i686
qpid-cpp-server-0.14-1.el6.i686
qpid-cpp-server-cluster-0.14-1.el6.i686
qpid-cpp-server-devel-0.14-1.el6.i686
qpid-cpp-server-rdma-0.14-1.el6.i686
qpid-cpp-server-ssl-0.14-1.el6.i686
qpid-cpp-server-store-0.14-1.el6.i686
qpid-cpp-server-xml-0.14-1.el6.i686
qpid-java-client-0.14-1.el6.noarch
qpid-java-common-0.14-1.el6.noarch
qpid-java-example-0.14-1.el6.noarch
qpid-qmf-0.14-2.el6.i686
qpid-qmf-debuginfo-0.14-2.el6.i686
qpid-qmf-devel-0.14-2.el6.i686
qpid-tests-0.14-1.el6.noarch
qpid-tools-0.14-1.el6.noarch
rh-qpid-cpp-tests-0.14-1.el6.i686
ruby-qpid-qmf-0.14-2.el6.i686
sesame-1.0-2.el6.i686
sesame-debuginfo-1.0-2.el6.i686

# IPTABLES does not affect tests
[root@dhcp-27-49 ~]# service iptables status
iptables: Firewall is not running.

# TEST qpidd without clustering
# Results: AVC detected and dependent on Selinux mode...

[root@dhcp-27-49 ~]# service qpidd stop
Stopping Qpid AMQP daemon: [FAILED]
[root@dhcp-27-49 ~]# function foo () {
> setenforce $1
> getenforce
> rm -f /var/log/audit/audit.log
> service auditd restart
> grep AVC /var/log/audit/audit.log
> service qpidd restart
> grep AVC /var/log/audit/audit.log
> pidof qpidd
> netstat -nlp | grep qpidd
> }
[root@dhcp-27-49 ~]#
[root@dhcp-27-49 ~]#
[root@dhcp-27-49 ~]#
[root@dhcp-27-49 ~]#
[root@dhcp-27-49 ~]# cat /etc/qpidd.conf
log-enable=info+
mgmt-pub-interval=5
log-to-file=/var/lib/qpidd/qpidd.log
#cluster-name=mycluster
auth=no
[root@dhcp-27-49 ~]# foo 0
Permissive
Stopping auditd: [ OK ]
Starting auditd: [ OK ]
Stopping Qpid AMQP daemon: [FAILED]
Starting Qpid AMQP daemon: [ OK ]
2795
tcp 0 0 0.0.0.0:5672 0.0.0.0:* LISTEN 2795/qpidd
tcp 0 0 :::5672 :::* LISTEN 2795/qpidd
[root@dhcp-27-49 ~]# foo 0
Permissive
Stopping auditd: [ OK ]
Starting auditd: [ OK ]
Stopping Qpid AMQP daemon: [ OK ]
Starting Qpid AMQP daemon: [ OK ]
2875
tcp 0 0 0.0.0.0:5672 0.0.0.0:* LISTEN 2875/qpidd
tcp 0 0 :::5672 :::* LISTEN 2875/qpidd
[root@dhcp-27-49 ~]# foo 0
Permissive
Stopping auditd: [ OK ]
Starting auditd: [ OK ]
Stopping Qpid AMQP daemon: [ OK ]
Starting Qpid AMQP daemon: [ OK ]
2955
tcp 0 0 0.0.0.0:5672 0.0.0.0:* LISTEN 2955/qpidd
tcp 0 0 :::5672 :::* LISTEN 2955/qpidd
[root@dhcp-27-49 ~]# foo 0
Permissive
Stopping auditd: [ OK ]
Starting auditd: [ OK ]
Stopping Qpid AMQP daemon: [ OK ]
Starting Qpid AMQP daemon: [ OK ]
3035
tcp 0 0 0.0.0.0:5672 0.0.0.0:* LISTEN 3035/qpidd
tcp 0 0 :::5672 :::* LISTEN 3035/qpidd
[root@dhcp-27-49 ~]# foo 0
Permissive
Stopping auditd: [ OK ]
Starting auditd: [ OK ]
Stopping Qpid AMQP daemon: [ OK ]
Starting Qpid AMQP daemon: [ OK ]
3115
tcp 0 0 0.0.0.0:5672 0.0.0.0:* LISTEN 3115/qpidd
tcp 0 0 :::5672 :::* LISTEN 3115/qpidd
[root@dhcp-27-49 ~]# foo 0
Permissive
Stopping auditd: [ OK ]
Starting auditd: [ OK ]
Stopping Qpid AMQP daemon: [ OK ]
Starting Qpid AMQP daemon: [ OK ]
3195
tcp 0 0 0.0.0.0:5672 0.0.0.0:* LISTEN 3195/qpidd
tcp 0 0 :::5672 :::* LISTEN 3195/qpidd
[root@dhcp-27-49 ~]# foo 0
Permissive
Stopping auditd: [ OK ]
Starting auditd: [ OK ]
Stopping Qpid AMQP daemon: [ OK ]
Starting Qpid AMQP daemon: [ OK ]
3275
tcp 0 0 0.0.0.0:5672 0.0.0.0:* LISTEN 3275/qpidd
tcp 0 0 :::5672 :::* LISTEN 3275/qpidd
[root@dhcp-27-49 ~]# foo 0
Permissive
Stopping auditd: [ OK ]
Starting auditd: [ OK ]
Stopping Qpid AMQP daemon: [ OK ]
Starting Qpid AMQP daemon: [ OK ]
3355
tcp 0 0 0.0.0.0:5672 0.0.0.0:* LISTEN 3355/qpidd
tcp 0 0 :::5672 :::* LISTEN 3355/qpidd
[root@dhcp-27-49 ~]# foo 0
Permissive
Stopping auditd: [ OK ]
Starting auditd: [ OK ]
Stopping Qpid AMQP daemon: [ OK ]
Starting Qpid AMQP daemon: [ OK ]
3435
tcp 0 0 0.0.0.0:5672 0.0.0.0:* LISTEN 3435/qpidd
tcp 0 0 :::5672 :::* LISTEN 3435/qpidd
[root@dhcp-27-49 ~]# foo 0
Permissive
Stopping auditd: [ OK ]
Starting auditd: [ OK ]
Stopping Qpid AMQP daemon: [ OK ]
Starting Qpid AMQP daemon: [ OK ]
3515
tcp 0 0 0.0.0.0:5672 0.0.0.0:* LISTEN 3515/qpidd
tcp 0 0 :::5672 :::* LISTEN 3515/qpidd
[root@dhcp-27-49 ~]# foo 0
Permissive
Stopping auditd: [ OK ]
Starting auditd: [ OK ]
Stopping Qpid AMQP daemon: [ OK ]
Starting Qpid AMQP daemon: [ OK ]
3595
tcp 0 0 0.0.0.0:5672 0.0.0.0:* LISTEN 3595/qpidd
tcp 0 0 :::5672 :::* LISTEN 3595/qpidd
[root@dhcp-27-49 ~]# foo 1
Enforcing
Stopping auditd: [ OK ]
Starting auditd: [ OK ]
Stopping Qpid AMQP daemon: [ OK ]
Starting Qpid AMQP daemon: [ OK ]
type=AVC msg=audit(1324377039.684:490): avc: denied { search } for pid=3675 comm="qpidd" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
3675
tcp 0 0 0.0.0.0:5672 0.0.0.0:* LISTEN 3675/qpidd
tcp 0 0 :::5672 :::* LISTEN 3675/qpidd
[root@dhcp-27-49 ~]#
[root@dhcp-27-49 ~]# foo 1
Enforcing
Stopping auditd: [ OK ]
Starting auditd: [ OK ]
Stopping Qpid AMQP daemon: [ OK ]
Starting Qpid AMQP daemon: [ OK ]
type=AVC msg=audit(1324377060.632:506): avc: denied { search } for pid=3755 comm="qpidd" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
3755
tcp 0 0 0.0.0.0:5672 0.0.0.0:* LISTEN 3755/qpidd
tcp 0 0 :::5672 :::* LISTEN 3755/qpidd
[root@dhcp-27-49 ~]# foo 0
Permissive
Stopping auditd: [ OK ]
Starting auditd: [ OK ]
Stopping Qpid AMQP daemon: [ OK ]
Starting Qpid AMQP daemon: [ OK ]
type=AVC msg=audit(1324377064.806:523): avc: denied { search } for pid=3835 comm="qpidd" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
3835
tcp 0 0 0.0.0.0:5672 0.0.0.0:* LISTEN 3835/qpidd
tcp 0 0 :::5672 :::* LISTEN 3835/qpidd
[root@dhcp-27-49 ~]# foo 0
Permissive
Stopping auditd: [ OK ]
Starting auditd: [ OK ]
Stopping Qpid AMQP daemon: [ OK ]
Starting Qpid AMQP daemon: [ OK ]
3915
tcp 0 0 0.0.0.0:5672 0.0.0.0:* LISTEN 3915/qpidd
tcp 0 0 :::5672 :::* LISTEN 3915/qpidd
[root@dhcp-27-49 ~]# foo 1
Enforcing
Stopping auditd: [ OK ]
Starting auditd: [ OK ]
Stopping Qpid AMQP daemon: [ OK ]
Starting Qpid AMQP daemon: [ OK ]
type=AVC msg=audit(1324377072.234:555): avc: denied { search } for pid=3995 comm="qpidd" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
3995
tcp 0 0 0.0.0.0:5672 0.0.0.0:* LISTEN 3995/qpidd
tcp 0 0 :::5672 :::* LISTEN 3995/qpidd
[root@dhcp-27-49 ~]# foo 0
Permissive
Stopping auditd: [ OK ]
Starting auditd: [ OK ]
Stopping Qpid AMQP daemon: [ OK ]
Starting Qpid AMQP daemon: [ OK ]
type=AVC msg=audit(1324377075.718:572): avc: denied { search } for pid=4075 comm="qpidd" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
4075
tcp 0 0 0.0.0.0:5672 0.0.0.0:* LISTEN 4075/qpidd
tcp 0 0 :::5672 :::* LISTEN 4075/qpidd
[root@dhcp-27-49 ~]#
[root@dhcp-27-49 ~]#
[root@dhcp-27-49 ~]# foo 0
Permissive
Stopping auditd: [ OK ]
Starting auditd: [ OK ]
Stopping Qpid AMQP daemon: [ OK ]
Starting Qpid AMQP daemon: [ OK ]
4155
tcp 0 0 0.0.0.0:5672 0.0.0.0:* LISTEN 4155/qpidd
tcp 0 0 :::5672 :::* LISTEN 4155/qpidd
[root@dhcp-27-49 ~]#

# TEST qpidd with clustering (corosync)
# Results: AVC detected and dependent on Selinux mode...
# Special set of AVCs detected during first cluster node start
# Note: just one cluster member

[root@dhcp-27-49 ~]# vi /etc/qpidd.conf
[root@dhcp-27-49 ~]# cat /etc/qpidd.conf
log-enable=info+
mgmt-pub-interval=5
log-to-file=/var/lib/qpidd/qpidd.log
cluster-name=mycluster
auth=no
[root@dhcp-27-49 ~]# rm -rf /var/lib/qpidd/*cluster* /var/lib/qpidd/rhm/ /var/lib/qpidd/.qpidd/ /var/lib/qpidd/lock
[root@dhcp-27-49 ~]# service qpidd stop
Stopping Qpid AMQP daemon: [FAILED]
[root@dhcp-27-49 ~]# function foo () {
> setenforce $1
> getenforce
> rm -f /var/log/audit/audit.log
> service auditd restart
> grep AVC /var/log/audit/audit.log
>
> if [ -n "$2" ]; then
> service corosync restart
> grep AVC /var/log/audit/audit.log
> fi
>
> service qpidd restart
> grep AVC /var/log/audit/audit.log
> pidof qpidd
> netstat -nlp | grep qpidd
> }
[root@dhcp-27-49 ~]#
[root@dhcp-27-49 ~]# foo 0 1
Permissive
Stopping auditd: [ OK ]
Starting auditd: [ OK ]
Signaling Corosync Cluster Engine (corosync) to terminate: [ OK ]
Waiting for corosync services to unload:. [ OK ]
Starting Corosync Cluster Engine (corosync): [ OK ]
Stopping Qpid AMQP daemon: [FAILED]
Starting Qpid AMQP daemon: [ OK ]
type=AVC msg=audit(1324377453.392:690): avc: denied { search } for pid=4717 comm="qpidd" name="/" dev=tmpfs ino=5384 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1324377453.392:690): avc: denied { write } for pid=4717 comm="qpidd" name="/" dev=tmpfs ino=5384 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1324377453.392:690): avc: denied { add_name } for pid=4717 comm="qpidd" name="control_buffer-ZHFGex" scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1324377453.392:690): avc: denied { create } for pid=4717 comm="qpidd" name="control_buffer-ZHFGex" scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=unconfined_u:object_r:tmpfs_t:s0 tclass=file
type=AVC msg=audit(1324377453.392:690): avc: denied { read write open } for pid=4717 comm="qpidd" name="control_buffer-ZHFGex" dev=tmpfs ino=21998 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=unconfined_u:object_r:tmpfs_t:s0 tclass=file
type=AVC msg=audit(1324377453.405:691): avc: denied { search } for pid=4717 comm="qpidd" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
4717
tcp 0 0 0.0.0.0:5672 0.0.0.0:* LISTEN 4717/qpidd
tcp 0 0 :::5672 :::* LISTEN 4717/qpidd
[root@dhcp-27-49 ~]# foo 0 1
Permissive
Stopping auditd: [ OK ]
Starting auditd: [ OK ]
Signaling Corosync Cluster Engine (corosync) to terminate: [ OK ]
Waiting for corosync services to unload:. [ OK ]
Starting Corosync Cluster Engine (corosync): [ OK ]
Stopping Qpid AMQP daemon: [FAILED]
Starting Qpid AMQP daemon: [ OK ]
4827
tcp 0 0 0.0.0.0:5672 0.0.0.0:* LISTEN 4827/qpidd
tcp 0 0 :::5672 :::* LISTEN 4827/qpidd
[root@dhcp-27-49 ~]#
[root@dhcp-27-49 ~]# foo 0 1
Permissive
Stopping auditd: [ OK ]
Starting auditd: [ OK ]
Signaling Corosync Cluster Engine (corosync) to terminate: [ OK ]
Waiting for corosync services to unload:. [ OK ]
Starting Corosync Cluster Engine (corosync): [ OK ]
Stopping Qpid AMQP daemon: [FAILED]
Starting Qpid AMQP daemon: [ OK ]
4937
tcp 0 0 0.0.0.0:5672 0.0.0.0:* LISTEN 4937/qpidd
tcp 0 0 :::5672 :::* LISTEN 4937/qpidd
[root@dhcp-27-49 ~]# foo 1 1
Enforcing
Stopping auditd: [ OK ]
Starting auditd: [ OK ]
Signaling Corosync Cluster Engine (corosync) to terminate: [ OK ]
Waiting for corosync services to unload:. [ OK ]
Starting Corosync Cluster Engine (corosync): [ OK ]
Stopping Qpid AMQP daemon: [FAILED]
Starting Qpid AMQP daemon: Daemon startup failed: Failed to initialize CPG.: library (2)
2011-12-20 11:38:07 critical Unexpected error: Daemon startup failed: Failed to initialize CPG.: library (2)
 [FAILED]
type=AVC msg=audit(1324377487.007:738): avc: denied { search } for pid=5047 comm="qpidd" name="/" dev=tmpfs ino=5384 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
Similar results are seen on RHEL 6.2 x86_64. The data below show that the selinux policy is not reliably fixed (3rd run).

# Installed packages
[root@dhcp-27-50 ~]# rpm -q selinux-policy
selinux-policy-3.7.19-126.el6.noarch
[root@dhcp-27-50 ~]# rpm -qa | egrep 'qpid|sesame|corosync' | sort
corosync-1.4.1-4.el6.x86_64
corosynclib-1.4.1-4.el6.x86_64
python-qpid-0.14-1.el6.noarch
python-qpid-qmf-0.14-2.el6.x86_64
qpid-cpp-client-0.14-1.el6.x86_64
qpid-cpp-client-devel-0.14-1.el6.x86_64
qpid-cpp-client-rdma-0.14-1.el6.x86_64
qpid-cpp-client-ssl-0.14-1.el6.x86_64
qpid-cpp-debuginfo-0.14-1.el6.x86_64
qpid-cpp-server-0.14-1.el6.x86_64
qpid-cpp-server-cluster-0.14-1.el6.x86_64
qpid-cpp-server-devel-0.14-1.el6.x86_64
qpid-cpp-server-rdma-0.14-1.el6.x86_64
qpid-cpp-server-ssl-0.14-1.el6.x86_64
qpid-cpp-server-store-0.14-1.el6.x86_64
qpid-cpp-server-xml-0.14-1.el6.x86_64
qpid-java-client-0.14-1.el6.noarch
qpid-java-common-0.14-1.el6.noarch
qpid-java-example-0.14-1.el6.noarch
qpid-java-jca-0.10-11.el6.noarch
qpid-java-jca-zip-0.10-11.el6.noarch
qpid-qmf-0.14-2.el6.x86_64
qpid-qmf-debuginfo-0.14-2.el6.x86_64
qpid-qmf-devel-0.14-2.el6.x86_64
qpid-tests-0.14-1.el6.noarch
qpid-tools-0.14-1.el6.noarch
rh-qpid-cpp-tests-0.14-1.el6.x86_64
ruby-qpid-qmf-0.14-2.el6.x86_64
sesame-1.0-2.el6.x86_64
sesame-debuginfo-1.0-2.el6.x86_64
[root@dhcp-27-50 ~]# uname -a
Linux dhcp-27-50.brq.redhat.com 2.6.32-220.el6.x86_64 #1 SMP Wed Nov 9 08:03:13 EST 2011 x86_64 x86_64 x86_64 GNU/Linux

# TEST qpidd with clustering (corosync)
# Results: AVC detected and dependent on Selinux mode...
# Special set of AVCs detected during first cluster node start
# Different behavior during repetitive operations foo 0 1 (i.e. permissive with corosync restart)
# Note: just one cluster member

[root@dhcp-27-50 ~]# cat /etc/qpidd.conf
log-enable=info+
mgmt-pub-interval=5
log-to-file=/var/lib/qpidd/qpidd.log
cluster-name=mycluster
auth=no
[root@dhcp-27-50 ~]# function foo () {
> setenforce $1
> getenforce
> rm -f /var/log/audit/audit.log
> service auditd restart
> grep AVC /var/log/audit/audit.log
>
> if [ -n "$2" ]; then
> service corosync restart
> grep AVC /var/log/audit/audit.log
> fi
>
> service qpidd restart
> grep AVC /var/log/audit/audit.log
> pidof qpidd
> netstat -nlp | grep qpidd
> }
[root@dhcp-27-50 ~]# rm -rf /var/lib/qpidd/*cluster* /var/lib/qpidd/rhm/ /var/lib/qpidd/.qpidd/ /var/lib/qpidd/lock
[root@dhcp-27-50 ~]# foo 0 1
Permissive
Stopping auditd: [ OK ]
Starting auditd: [ OK ]
Signaling Corosync Cluster Engine (corosync) to terminate: [ OK ]
Waiting for corosync services to unload: [ OK ]
Starting Corosync Cluster Engine (corosync): [ OK ]
Stopping Qpid AMQP daemon: [FAILED]
Starting Qpid AMQP daemon: [ OK ]
type=AVC msg=audit(1324378256.380:111): avc: denied { search } for pid=1731 comm="qpidd" name="/" dev=tmpfs ino=5271 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1324378256.380:111): avc: denied { write } for pid=1731 comm="qpidd" name="/" dev=tmpfs ino=5271 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1324378256.380:111): avc: denied { add_name } for pid=1731 comm="qpidd" name="control_buffer-VK2uPX" scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1324378256.380:111): avc: denied { create } for pid=1731 comm="qpidd" name="control_buffer-VK2uPX" scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=unconfined_u:object_r:tmpfs_t:s0 tclass=file
type=AVC msg=audit(1324378256.380:111): avc: denied { read write open } for pid=1731 comm="qpidd" name="control_buffer-VK2uPX" dev=tmpfs ino=13288 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=unconfined_u:object_r:tmpfs_t:s0 tclass=file
1731
tcp 0 0 0.0.0.0:5672 0.0.0.0:* LISTEN 1731/qpidd
tcp 0 0 :::5672 :::* LISTEN 1731/qpidd
[root@dhcp-27-50 ~]#
[root@dhcp-27-50 ~]# foo 0 1
Permissive
Stopping auditd: [ OK ]
Starting auditd: [ OK ]
Signaling Corosync Cluster Engine (corosync) to terminate: [ OK ]
Waiting for corosync services to unload: [ OK ]
Starting Corosync Cluster Engine (corosync): [ OK ]
Stopping Qpid AMQP daemon: [FAILED]
Starting Qpid AMQP daemon: [ OK ]
1839
tcp 0 0 0.0.0.0:5672 0.0.0.0:* LISTEN 1839/qpidd
tcp 0 0 :::5672 :::* LISTEN 1839/qpidd
[root@dhcp-27-50 ~]# foo 0 1
Permissive
Stopping auditd: [ OK ]
Starting auditd: [ OK ]
Signaling Corosync Cluster Engine (corosync) to terminate: [ OK ]
Waiting for corosync services to unload: [ OK ]
Starting Corosync Cluster Engine (corosync): [ OK ]
Stopping Qpid AMQP daemon: [FAILED]
Starting Qpid AMQP daemon: [ OK ]
type=AVC msg=audit(1324378269.450:142): avc: denied { search } for pid=1947 comm="qpidd" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
1947
tcp 0 0 0.0.0.0:5672 0.0.0.0:* LISTEN 1947/qpidd
tcp 0 0 :::5672 :::* LISTEN 1947/qpidd
[root@dhcp-27-50 ~]# foo 0 1
Permissive
Stopping auditd: [ OK ]
Starting auditd: [ OK ]
Signaling Corosync Cluster Engine (corosync) to terminate: [ OK ]
Waiting for corosync services to unload: [ OK ]
Starting Corosync Cluster Engine (corosync): [ OK ]
Stopping Qpid AMQP daemon: [FAILED]
Starting Qpid AMQP daemon: [ OK ]
2055
tcp 0 0 0.0.0.0:5672 0.0.0.0:* LISTEN 2055/qpidd
tcp 0 0 :::5672 :::* LISTEN 2055/qpidd
[root@dhcp-27-50 ~]# foo 0 1
Permissive
Stopping auditd: [ OK ]
Starting auditd: [ OK ]
Signaling Corosync Cluster Engine (corosync) to terminate: [ OK ]
Waiting for corosync services to unload: [ OK ]
Starting Corosync Cluster Engine (corosync): [ OK ]
Stopping Qpid AMQP daemon: [FAILED]
Starting Qpid AMQP daemon: [ OK ]
2163
tcp 0 0 0.0.0.0:5672 0.0.0.0:* LISTEN 2163/qpidd
tcp 0 0 :::5672 :::* LISTEN 2163/qpidd
[root@dhcp-27-50 ~]# foo 0 1
Permissive
Stopping auditd: [ OK ]
Starting auditd: [ OK ]
Signaling Corosync Cluster Engine (corosync) to terminate: [ OK ]
Waiting for corosync services to unload: [ OK ]
Starting Corosync Cluster Engine (corosync): [ OK ]
Stopping Qpid AMQP daemon: [FAILED]
Starting Qpid AMQP daemon: [ OK ]
2271
tcp 0 0 0.0.0.0:5672 0.0.0.0:* LISTEN 2271/qpidd
tcp 0 0 :::5672 :::* LISTEN 2271/qpidd
[root@dhcp-27-50 ~]# foo 1 1
Enforcing
Stopping auditd: [ OK ]
Starting auditd: [ OK ]
Signaling Corosync Cluster Engine (corosync) to terminate: [ OK ]
Waiting for corosync services to unload:. [ OK ]
Starting Corosync Cluster Engine (corosync): [ OK ]
Stopping Qpid AMQP daemon: [FAILED]
Starting Qpid AMQP daemon: Daemon startup failed: Failed to initialize CPG.: library (2)
2011-12-20 11:51:41 critical Unexpected error: Daemon startup failed: Failed to initialize CPG.: library (2)
 [FAILED]
type=AVC msg=audit(1324378301.934:204): avc: denied { search } for pid=2380 comm="qpidd" name="/" dev=tmpfs ino=5271 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
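As an added example (not code from this bug report or from the qpid project), a small AVC triage helper that parses the denial records quoted in the two comments above, aggregates them into (source type, target type, object class) -> permissions the way audit2allow does, and groups records by audit serial so that the five tmpfs denials from one clustered start can be told apart from the separate sysfs denial. The sample lines are copied from the pid 4717 transcript; the trailing SYSCALL record is constructed to show that non-AVC records are skipped.

```python
"""Summarise SELinux AVC denials from audit.log lines (added example)."""
import re
from collections import defaultdict

# Constructed input: AVC lines copied from the permissive-mode clustered start
# (pid 4717) in this thread; the last line is a made-up SYSCALL record.
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1324377453.392:690): avc: denied { search } for pid=4717 comm="qpidd" name="/" dev=tmpfs ino=5384 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir',
    'type=AVC msg=audit(1324377453.392:690): avc: denied { write } for pid=4717 comm="qpidd" name="/" dev=tmpfs ino=5384 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir',
    'type=AVC msg=audit(1324377453.392:690): avc: denied { add_name } for pid=4717 comm="qpidd" name="control_buffer-ZHFGex" scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir',
    'type=AVC msg=audit(1324377453.392:690): avc: denied { create } for pid=4717 comm="qpidd" name="control_buffer-ZHFGex" scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=unconfined_u:object_r:tmpfs_t:s0 tclass=file',
    'type=AVC msg=audit(1324377453.392:690): avc: denied { read write open } for pid=4717 comm="qpidd" name="control_buffer-ZHFGex" dev=tmpfs ino=21998 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=unconfined_u:object_r:tmpfs_t:s0 tclass=file',
    'type=AVC msg=audit(1324377453.405:691): avc: denied { search } for pid=4717 comm="qpidd" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir',
    'type=SYSCALL msg=audit(1324377453.405:691): arch=40000003 syscall=5 success=no exit=-13 comm="qpidd"',
]

AVC_RE = re.compile(
    r'type=AVC\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+'
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$'
)
# key=value pairs after "for"; comm and name are double-quoted, the rest are bare
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _type_of(context):
    """A context is user:role:type[:range]; policy rules key on the type."""
    return context.split(':')[2]


def parse_avc(line):
    """Parse one AVC record into a dict; return None for any other record type."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'serial': int(m.group('serial')),
        'timestamp': float(m.group('ts')),
        'perms': frozenset(m.group('perms').split()),
        'comm': fields.get('comm'),
        'name': fields.get('name'),
        'source_type': _type_of(fields['scontext']),
        'target_type': _type_of(fields['tcontext']),
        'tclass': fields['tclass'],
    }


def missing_rules(lines):
    """Map (source type, target type, object class) -> union of denied permissions."""
    rules = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            rules[(rec['source_type'], rec['target_type'], rec['tclass'])] |= rec['perms']
    return {key: frozenset(perms) for key, perms in rules.items()}


def events(lines):
    """Group AVC records by audit serial; records sharing a serial came from one syscall.

    In permissive mode the kernel logs every check that would have failed, which is
    why the transcript shows five tmpfs denials under serial 690; in enforcing mode
    only the first one (search on the tmpfs root) is logged and qpidd fails to start.
    """
    by_serial = defaultdict(list)
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            by_serial[rec['serial']].append(rec)
    return dict(by_serial)


def format_rules(rules):
    """Render the aggregate as sorted allow rules for reading during triage.

    This is what audit2allow would emit; it is the starting point of the policy
    discussion, not a module to load as-is: granting qpidd_t write access to all
    of tmpfs_t is far broader than the control_buffer-* files it actually creates.
    """
    return [
        'allow %s %s:%s { %s };' % (src, tgt, cls, ' '.join(sorted(perms)))
        for (src, tgt, cls), perms in sorted(rules.items())
    ]


if __name__ == '__main__':
    for serial, recs in sorted(events(SAMPLE_AUDIT_LINES).items()):
        print('serial %d: %d denial(s) for comm=%s' % (serial, len(recs), recs[0]['comm']))
    for rule in format_rules(missing_rules(SAMPLE_AUDIT_LINES)):
        print(rule)
```

Run against a real /var/log/audit/audit.log, the sysfs_t rule is the one the Fedora dev_read_sysfs(qpidd_t) interface already covers, while the tmpfs_t rules are the ones that still make the clustered start fail in enforcing mode.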
Could you clone this on selinux-policy component?
(In reply to comment #11)
> Could you clone this on selinux-policy component?

cloned as bug 769352