Bug 757055 - qpidd broker triggers SELinux AVCs avc: denied { name_connect } for pid=2088 comm="qpidd" dest=5672 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:amqp_port_t:s0 tclass=tcp_socket
Keywords:
Status: CLOSED WORKSFORME
Alias: None
Product: Red Hat Enterprise MRG
Classification: Red Hat
Component: qpid-cpp
Version: 2.1
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Kim van der Riet
QA Contact: Frantisek Reznicek
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2011-11-25 11:23 UTC by Stanislav Graf
Modified: 2015-11-16 01:13 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-03-15 19:10:37 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 691654 0 high CLOSED qpidd broker triggers SELinux AVCs avc: denied { search } for pid=27642 comm="qpidd" name="/" dev=sysfs ino=1 scontex... 2021-02-22 00:41:40 UTC
Red Hat Bugzilla 756939 0 medium CLOSED Remove broker link causes qpidd error on RHEL5 2025-02-10 03:14:26 UTC

Internal Links: 691654 756939

Description Stanislav Graf 2011-11-25 11:23:58 UTC
Description of problem:
Use the scenario from Bug 691654 on RHEL6 and you get the following entry in audit.log:
type=AVC msg=audit(1322219322.363:157): avc:  denied  { name_connect } for  pid=2088 comm="qpidd" dest=5672 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:amqp_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1322219322.363:157): arch=c000003e syscall=42 success=no exit=-13 a0=20 a1=7f7014011b80 a2=10 a3=ff00 items=0 ppid=1 pid=2088 auid=0 uid=496 gid=496 euid=496 suid=496 fsuid=496 egid=496 sgid=496 fsgid=496 tty=(none) ses=2 comm="qpidd" exe="/usr/sbin/qpidd" subj=unconfined_u:system_r:qpidd_t:s0 key=(null)

# ps -eLf | grep 2088
qpidd     2087     1  2088  0    4 11:27 ?        00:00:06 /usr/sbin/qpidd --data-dir /var/lib/qpidd --daemon


Cumin web shows for broker link:
State: Waiting
Last error: Permission denied: localhost:5672 (qpid/sys/posix/Socket.cpp:173)

There is a similar (?) SELinux bug: Bug 691654

Version-Release number of selected component (if applicable):
only RHEL6

MRG 2.0, RHEL 6.0
cumin-0.1.4916-1.el6.noarch
qpid-cpp-server-0.10-8.el6_1.x86_64
selinux-policy-3.7.19-93.el6_1.7.noarch

MRG 2.1, RHEL 6.1
cumin-0.1.5098-2.el6.noarch
qpid-cpp-server-0.12-6.el6.i686
selinux-policy-3.7.19-124.el6.noarch


How reproducible:
100%

Steps to Reproduce:
1. Bug 691654
2. See audit.log
Actual results:
SELinux blocks the connection from cumin to qpidd

Expected results:
SELinux allows the connection from cumin to qpidd

Additional info:

Comment 1 Stanislav Graf 2011-11-25 11:25:44 UTC
The steps to reproduce are from Bug 756939. I mistyped.

Comment 3 Stanislav Graf 2011-12-06 09:31:40 UTC
I was able to reproduce this one using qpid-route:

<dest-broker># qpid-route link add <dest-broker> <src-broker>
[10:29:22] ecode=0

<dest-broker># cat /var/log/audit/audit.log | grep type=AVC 
type=AVC msg=audit(1323163763.507:42319): avc:  denied  { name_connect } for  pid=1719 comm="qpidd" dest=5672 scontext=system_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:amqp_port_t:s0 tclass=tcp_socket

Comment 4 Stanislav Graf 2012-01-31 13:41:02 UTC
# sealert -l bc54ba02-f12b-455b-886c-2c21d0a346ef
SELinux is preventing qpidd from name_connect access on the tcp_socket port 5672.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that qpidd should be allowed name_connect access on the port 5672 tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep qpidd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
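
The sealert advice above pipes raw audit records into audit2allow and installs whatever module comes out. The following is an added example, not code from this bug or from the qpid or selinux-policy projects: a small Python parser for `type=AVC` records that extracts the source type, target type, object class and permissions, collapses them into `allow` rules and renders a module source modelled on what `audit2allow -M` writes to `mypol.te`, so the rule can be reviewed before `semodule -i` is run. The sample log is constructed: it contains the two denials quoted in this bug plus one unrelated `read` denial on `etc_t` (invented, to show that unrelated denials from the same process get their own rule and should not be installed blindly). The module name `mypol` is taken from the sealert output; the `.te` layout is an approximation of audit2allow's, not its exact output.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Constructed sample: the two AVC records from this bug, one of their SYSCALL
# companions (shortened), and an invented, unrelated denial on etc_t.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1322219322.363:157): avc:  denied  { name_connect } for  pid=2088 comm="qpidd" dest=5672 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:amqp_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1322219322.363:157): arch=c000003e syscall=42 success=no exit=-13 pid=2088 comm="qpidd" exe="/usr/sbin/qpidd"
type=AVC msg=audit(1323163763.507:42319): avc:  denied  { name_connect } for  pid=1719 comm="qpidd" dest=5672 scontext=system_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:amqp_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1323163800.000:42320): avc:  denied  { read } for  pid=1719 comm="qpidd" name="passwd" dev=dm-0 ino=12 scontext=system_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

# Matches only AVC records; SYSCALL and other record types are ignored.
AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$'
)
# key=value pairs; values may be double-quoted (comm="qpidd").
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Avc:
    serial: int
    result: str
    perms: FrozenSet[str]
    fields: Dict[str, str]


def context_type(ctx: str) -> str:
    """Return the type field of a user:role:type[:level] SELinux context."""
    parts = ctx.split(':')
    if len(parts) < 3:
        raise ValueError(f'malformed context: {ctx!r}')
    return parts[2]


def parse_avc_line(line: str) -> Optional[Avc]:
    """Parse one audit.log line; return None for anything that is not an AVC record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return Avc(serial=int(m.group('serial')), result=m.group('result'),
               perms=frozenset(m.group('perms').split()), fields=fields)


def parse_audit_log(text: str) -> List[Avc]:
    return [r for r in (parse_avc_line(l) for l in text.splitlines()) if r]


def _perm_text(perms: FrozenSet[str]) -> str:
    """Single permission bare, several in braces, as in policy source."""
    names = sorted(perms)
    return names[0] if len(names) == 1 else '{ ' + ' '.join(names) + ' }'


def te_rules(records: List[Avc]) -> List[str]:
    """Collapse denials into one allow rule per (source type, target type, class),
    which is the grouping audit2allow performs."""
    grouped: Dict[tuple, set] = defaultdict(set)
    for r in records:
        if r.result != 'denied':
            continue
        key = (context_type(r.fields['scontext']),
               context_type(r.fields['tcontext']), r.fields['tclass'])
        grouped[key] |= r.perms
    return [f'allow {s} {t}:{c} {_perm_text(frozenset(p))};'
            for (s, t, c), p in sorted(grouped.items())]


def module_te(records: List[Avc], name: str = 'mypol') -> str:
    """Render a policy module source (.te) for review before it is compiled and installed."""
    types, classes = set(), defaultdict(set)
    for r in records:
        if r.result != 'denied':
            continue
        types.add(context_type(r.fields['scontext']))
        types.add(context_type(r.fields['tcontext']))
        classes[r.fields['tclass']] |= r.perms
    lines = [f'module {name} 1.0;', '', 'require {']
    lines += [f'\ttype {t};' for t in sorted(types)]
    lines += [f'\tclass {c} {_perm_text(frozenset(p))};' for c, p in sorted(classes.items())]
    lines += ['}', ''] + te_rules(records)
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    recs = parse_audit_log(SAMPLE_AUDIT_LOG)
    for r in recs:
        print(r.serial, r.fields['comm'], sorted(r.perms),
              context_type(r.fields['scontext']), '->',
              context_type(r.fields['tcontext']), r.fields['tclass'], r.fields.get('dest', ''))
    print(module_te(recs))
```

Running it prints two rules: `allow qpidd_t amqp_port_t:tcp_socket name_connect;`, which is exactly the access this bug is about (the broker in `qpidd_t` opening an outbound link to another broker on the `amqp_port_t` port), and `allow qpidd_t etc_t:file read;` from the invented record, which an administrator reviewing the rendered `.te` would drop or investigate rather than install. Reviewing the output this way also shows when a denial is something the distribution policy should already permit, which is the case that belongs in a bug report (as this one was resolved through the related bugs) rather than in a local module.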

Comment 13 Frantisek Reznicek 2012-03-12 13:00:59 UTC
The issue has been resolved.
See bug 791294 comment 8 and bug 786467 comment 15.

-> VERIFIED

