Description of problem:

Qpidd broker refuses to start if user sets log-to-file parameter specified in the config file to /etc/qpidd.conf:

[root@mrg-qe-10 ~]# service qpidd restart
Stopping Qpid AMQP daemon: [ OK ]
Starting Qpid AMQP daemon: Unexpected error: Can't open log file: /tmp/qpidd.log
[FAILED]

Looking at audit.log, I was able to see the reason:

type=AVC msg=audit(1302170230.481:48522): avc: denied { write } for pid=31622 comm="qpidd" name="tmp" dev=dm-0 ino=1441793 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir

It is understandable that the broker cannot start if it's not able to write a file due to permissions. In this case (file does not exist) qpidd should be able to create the log file and set the correct SELinux context.

Version-Release number of selected component (if applicable):

python-qpid-0.10-1.el6.noarch
python-qpid-qmf-0.10-6.el6.x86_64
qpid-cpp-client-0.10-3.el6.x86_64
qpid-cpp-client-devel-0.10-3.el6.x86_64
qpid-cpp-client-devel-docs-0.10-3.el6.noarch
qpid-cpp-client-rdma-0.10-3.el6.x86_64
qpid-cpp-client-ssl-0.10-3.el6.x86_64
qpid-cpp-debuginfo-0.10-3.el6.x86_64
qpid-cpp-server-0.10-3.el6.x86_64
qpid-cpp-server-cluster-0.10-3.el6.x86_64
qpid-cpp-server-devel-0.10-3.el6.x86_64
qpid-cpp-server-rdma-0.10-3.el6.x86_64
qpid-cpp-server-ssl-0.10-3.el6.x86_64
qpid-cpp-server-store-0.10-3.el6.x86_64
qpid-cpp-server-xml-0.10-3.el6.x86_64
qpid-java-client-0.10-1.el6.noarch
qpid-java-common-0.10-1.el6.noarch
qpid-java-example-0.10-1.el6.noarch
qpid-java-jca-0.10-1.el6.noarch
qpid-qmf-0.10-6.el6.x86_64
qpid-qmf-debuginfo-0.10-6.el6.x86_64
qpid-qmf-devel-0.10-6.el6.x86_64
qpid-tests-0.10-1.el6.noarch
qpid-tools-0.10-2.el6.noarch
rh-qpid-cpp-tests-0.10-3.el6.x86_64
ruby-qpid-0.7.946106-2.el6.x86_64
ruby-qpid-qmf-0.10-6.el6.x86_64

How reproducible:
100%

Steps to Reproduce:
1. install messaging
2. echo "log-to-file=/tmp/qpidd.log" >> /etc/qpidd.conf
3. service qpidd [re]start ; echo $?

Actual results:
Qpidd broker fails to start.

Expected results:
Qpidd broker should start well if specified log file does not exist.

Additional info:

[root@mrg-qe-10 ~]# getenforce
Enforcing
[root@mrg-qe-10 ~]# :>/var/log/audit/audit.log
[root@mrg-qe-10 ~]# service qpidd start
Starting Qpid AMQP daemon: [ OK ]
[root@mrg-qe-10 ~]# grep type=AVC /var/log/audit/audit.log
type=AVC msg=audit(1302170138.617:48509): avc: denied { search } for pid=31539 comm="qpidd" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
[root@mrg-qe-10 ~]# echo "log-to-file=/tmp/qpidd.log" >> /etc/qpidd.conf
[root@mrg-qe-10 ~]# tail /etc/qpidd.conf
#
# Configuration file for qpidd. Entries are of the form:
#   name=value
#
# (Note: no spaces on either side of '='). Using default settings:
# "qpidd --help" or "man qpidd" for more details.
cluster-mechanism=ANONYMOUS
#auth=yes
auth=no
log-to-file=/tmp/qpidd.log
[root@mrg-qe-10 ~]# ll /tmp/qpidd.log
-rw-r--r--. 1 root root 88773674 Apr 6 02:48 /tmp/qpidd.log
[root@mrg-qe-10 ~]# rm -f /tmp/qpidd.log
[root@mrg-qe-10 ~]# ll /tmp/qpidd.log
ls: cannot access /tmp/qpidd.log: No such file or directory
[root@mrg-qe-10 ~]# service qpidd restart
Stopping Qpid AMQP daemon: [ OK ]
Starting Qpid AMQP daemon: Unexpected error: Can't open log file: /tmp/qpidd.log
[FAILED]
[root@mrg-qe-10 ~]# grep type=AVC /var/log/audit/audit.log
type=AVC msg=audit(1302170138.617:48509): avc: denied { search } for pid=31539 comm="qpidd" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
type=AVC msg=audit(1302170230.481:48522): avc: denied { write } for pid=31622 comm="qpidd" name="tmp" dev=dm-0 ino=1441793 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir

I can't reproduce the problem, qpidd restarts correctly:

[root@mrg32 etc]# getenforce
Enforcing
[root@mrg32 etc]# cat /etc/qpidd.conf
cluster-mechanism=ANONYMOUS
auth=no
log-to-file=/tmp/qpidd.log
[root@mrg32 etc]# service qpidd stop
Stopping Qpid AMQP daemon: [ OK ]
[root@mrg32 etc]# rm -f /tmp/qpidd.log
[root@mrg32 etc]# service qpidd start
Starting Qpid AMQP daemon: [ OK ]
[root@mrg32 etc]# tail /tmp/qpidd.log
2011-07-21 08:49:56 notice Journal "TplStore": Created
2011-07-21 08:49:56 notice Store module initialized; store-dir=/var/lib/qpidd
2011-07-21 08:49:56 notice SASL disabled: No Authentication Performed
2011-07-21 08:49:56 notice Listening on TCP port 5672
2011-07-21 08:49:56 notice Broker running
[root@mrg32 etc]# service qpidd restart
Stopping Qpid AMQP daemon: [ OK ]
Starting Qpid AMQP daemon: [ OK ]
[root@mrg32 etc]# service qpidd restart
Stopping Qpid AMQP daemon: [ OK ]
Starting Qpid AMQP daemon: [ OK ]
[root@mrg32 etc]# rpm -q qpid-cpp-server
qpid-cpp-server-0.10-8.el5
[root@mrg32 etc]# uname -a
Linux mrg32.lab.bos.redhat.com 2.6.18-238.12.1.el5 #1 SMP Sat May 7 20:18:50 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux
[root@mrg32 etc]#

ad a] The behavior was seen on RHEL6 only (unique‑mrg‑rhel‑6‑bug+). Comment 1 is from RHEL5.

ad b] The behavior is correct: the RHEL6 qpidd SELinux policy is enhanced and does not allow storing log files in the /tmp directory (as with most daemons).

The transcript below shows that log storage to /var/lib/qpidd/qpidd.log is just fine, and thus I believe this behavior should be closed as not-a-bug.

Raising NEEDINFO to confirm that above point b] is correct.

Transcript:

[root@dhcp-26-168 ~]# vi /etc/qpidd.conf
[root@dhcp-26-168 ~]# :> /var/log/audit/audit.log
[root@dhcp-26-168 ~]# grep type=AVC /var/log/audit/audit.log
[root@dhcp-26-168 ~]# service qpidd restart
Stopping Qpid AMQP daemon: [ OK ]
Starting Qpid AMQP daemon: Unexpected error: Can't open log file: /tmp/qpidd.log
[FAILED]
[root@dhcp-26-168 ~]# tail -6 /etc/qpidd.conf
cluster-mechanism=ANONYMOUS
#auth=no
log-enable=debug+
log-to-file=/tmp/qpidd.log
#cluster-name=X
[root@dhcp-26-168 ~]# vi /etc/qpidd.conf
[root@dhcp-26-168 ~]# tail -6 /etc/qpidd.conf
cluster-mechanism=ANONYMOUS
#auth=no
log-enable=debug+
log-to-file=/var/lib/qpidd/qpidd.log
#cluster-name=X
[root@dhcp-26-168 ~]# grep type=AVC /var/log/audit/audit.log
type=AVC msg=audit(1311758935.153:17730): avc: denied { write } for pid=1703 comm="qpidd" name="tmp" dev=dm-0 ino=130824 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
[root@dhcp-26-168 ~]# service qpidd restart
Stopping Qpid AMQP daemon: [FAILED]
Starting Qpid AMQP daemon: [ OK ]
[root@dhcp-26-168 ~]# grep type=AVC /var/log/audit/audit.log
type=AVC msg=audit(1311758935.153:17730): avc: denied { write } for pid=1703 comm="qpidd" name="tmp" dev=dm-0 ino=130824 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1311758976.579:17739): avc: denied { search } for pid=1732 comm="qpidd" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
[root@dhcp-26-168 ~]# service qpidd restart
Stopping Qpid AMQP daemon: [ OK ]
Starting Qpid AMQP daemon: [ OK ]
[root@dhcp-26-168 ~]# grep type=AVC /var/log/audit/audit.log
type=AVC msg=audit(1311758935.153:17730): avc: denied { write } for pid=1703 comm="qpidd" name="tmp" dev=dm-0 ino=130824 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1311758976.579:17739): avc: denied { search } for pid=1732 comm="qpidd" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
type=AVC msg=audit(1311758984.022:17752): avc: denied { search } for pid=1775 comm="qpidd" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir

Please note that the last of the AVCs is raised as separate bug 691654.

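Added example (not part of the original report and not qpidd or Red Hat code): a small Python parser that groups the AVC denials quoted in the transcript above by source type, target type, class and permission, and picks out the denial that blocks creation of the configured log file. The function names and the parent-directory matching heuristic are assumptions of this example.

```python
import os
import re
from collections import Counter

# AVC records copied from the transcript in this report.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1311758935.153:17730): avc: denied { write } for pid=1703 comm="qpidd" name="tmp" dev=dm-0 ino=130824 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1311758976.579:17739): avc: denied { search } for pid=1732 comm="qpidd" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
type=AVC msg=audit(1311758984.022:17752): avc: denied { search } for pid=1775 comm="qpidd" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
"""

AVC_RE = re.compile(r'type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc:\s+denied\s+'
                    r'\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_audit(text):
    """Return one dict per well-formed AVC denial found in audit.log text."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record
        rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
        # Skip truncated records: both contexts must be user:role:type[:level].
        if "tclass" not in rec or any(
                rec.get(k, "").count(":") < 2 for k in ("scontext", "tcontext")):
            continue
        rec["serial"] = m.group("serial")
        rec["perms"] = tuple(m.group("perms").split())
        # The type field (third component) is what the policy decision is based on.
        rec["stype"] = rec["scontext"].split(":")[2]
        rec["ttype"] = rec["tcontext"].split(":")[2]
        denials.append(rec)
    return denials

def summarize(denials):
    """Count denials per (source type, target type, class, permissions)."""
    return Counter((d["stype"], d["ttype"], d["tclass"], d["perms"]) for d in denials)

def log_dir_denials(denials, log_path):
    """Denials that stop a daemon creating log_path: write/add_name refused on a
    directory named like the log file's parent (heuristic: AVC name= carries
    only the last path component, so this is a match on name, not full path)."""
    parent = os.path.basename(os.path.dirname(log_path))
    return [d for d in denials
            if d["tclass"] == "dir" and d.get("name") == parent
            and {"write", "add_name"} & set(d["perms"])]
```

Run against the records above, only serial 17730 (qpidd_t denied write on a tmp_t directory) matches log-to-file=/tmp/qpidd.log; none of the records match /var/lib/qpidd/qpidd.log.
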
comment 2 point b] sounds correct to me.
Behavior discussed and with the not-a-bug consensus. -> CLOSED / NOTABUG