Bug 967186 - Selinux crashes epm/beam for ejabberd
Selinux crashes epm/beam for ejabberd
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
19
Unspecified Unspecified
unspecified Severity high
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
:
Depends On:
Blocks: 968158
  Show dependency treegraph
 
Reported: 2013-05-25 06:17 EDT by Grosswiler Roger
Modified: 2013-05-29 23:34 EDT (History)
3 users (show)

See Also:
Fixed In Version: selinux-policy-3.12.1-47.fc19
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 968158 (view as bug list)
Environment:
Last Closed: 2013-05-29 23:34:20 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Grosswiler Roger 2013-05-25 06:17:12 EDT
Description of problem:
Ejabberd won't start if selinux in enforcing mode. Works in permissive.


Version-Release number of selected component (if applicable):
guile-5:1.8.8-5.fc18.2

How reproducible:
Always. Have above policy installed in enforcing an boot


Steps to Reproduce:
1. Set selinux to enforcing
2. Start ejabberd.service
3. Get just beam working, but not ejabberd

Actual results:
Ejabberd not working


Expected results:
Ejabberd working


Additional info:

Excerpt from audit.log:

 setenforce notice (enforcing=1)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1369476952.154:534): avc:  denied  { write } for  pid=1896 comm="epmd" path="/run/lock/ejabberdctl/ejabberdctl-1" dev="tmpfs" ino=19001 scontext=system_u:system_r:rabbitmq_epmd_t:s0 tcontext=system_u:object_r:lvm_lock_t:s0 tclass=file
type=SYSCALL msg=audit(1369476952.154:534): arch=c000003e syscall=59 success=yes exit=0 a0=ac6be0 a1=ac6b70 a2=ac55d0 a3=7ffffdaf2380 items=0 ppid=1892 pid=1896 auid=4294967295 uid=989 gid=987 euid=989 suid=989 fsuid=989 egid=987 sgid=987 fsgid=987 ses=4294967295 tty=(none) comm="epmd" exe="/usr/lib64/erlang/erts-5.10.1/bin/epmd" subj=system_u:system_r:rabbitmq_epmd_t:s0 key=(null)
type=AVC msg=audit(1369476952.164:535): avc:  denied  { write } for  pid=1892 comm="beam.smp" path="/run/lock/ejabberdctl/ejabberdctl-1" dev="tmpfs" ino=19001 scontext=system_u:system_r:rabbitmq_beam_t:s0 tcontext=system_u:object_r:lvm_lock_t:s0 tclass=file
type=SYSCALL msg=audit(1369476952.164:535): arch=c000003e syscall=59 success=yes exit=0 a0=f5c050 a1=f5c2c0 a2=7fffac5e6ce0 a3=7fffac5e68e0 items=0 ppid=1890 pid=1892 auid=4294967295 uid=989 gid=987 euid=989 suid=989 fsuid=989 egid=987 sgid=987 fsgid=987 ses=4294967295 tty=(none) comm="beam.smp" exe="/usr/lib64/erlang/erts-5.10.1/bin/beam.smp" subj=system_u:system_r:rabbitmq_beam_t:s0 key=(null)
type=AVC msg=audit(1369476952.298:536): avc:  denied  { node_bind } for  pid=1915 comm="beam.smp" scontext=system_u:system_r:rabbitmq_beam_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1369476952.298:536): arch=c000003e syscall=49 success=no exit=-13 a0=7 a1=7f534e74cab0 a2=10 a3=7f534e74c500 items=0 ppid=1890 pid=1915 auid=4294967295 uid=989 gid=987 euid=989 suid=989 fsuid=989 egid=987 sgid=987 fsgid=987 ses=4294967295 tty=(none) comm="beam.smp" exe="/usr/lib64/erlang/erts-5.10.1/bin/beam.smp" subj=system_u:system_r:rabbitmq_beam_t:s0 key=(null)
type=AVC msg=audit(1369476952.362:537): avc:  denied  { getattr } for  pid=1905 comm="beam.smp" path="/var/lib/ejabberd/spool/.erlang.cookie" dev="vda4" ino=3381 scontext=system_u:system_r:rabbitmq_beam_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1369476952.362:537): arch=c000003e syscall=4 success=no exit=-13 a0=7f5350600808 a1=7f534fc7dd90 a2=7f534fc7dd90 a3=0 items=0 ppid=1890 pid=1905 auid=4294967295 uid=989 gid=987 euid=989 suid=989 fsuid=989 egid=987 sgid=987 fsgid=987 ses=4294967295 tty=(none) comm="beam.smp" exe="/usr/lib64/erlang/erts-5.10.1/bin/beam.smp" subj=system_u:system_r:rabbitmq_beam_t:s0 key=(null)
type=AVC msg=audit(1369476952.896:538): avc:  denied  { write } for  pid=1915 comm="beam.smp" name="ejabberd" dev="vda4" ino=3229 scontext=system_u:system_r:rabbitmq_beam_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1369476952.896:538): arch=c000003e syscall=2 success=no exit=-13 a0=7f534e74dbc0 a1=241 a2=1a0 a3=323530333130325f items=0 ppid=1890 pid=1915 auid=4294967295 uid=989 gid=987 euid=989 suid=989 fsuid=989 egid=987 sgid=987 fsgid=987 ses=4294967295 tty=(none) comm="beam.smp" exe="/usr/lib64/erlang/erts-5.10.1/bin/beam.smp" subj=system_u:system_r:rabbitmq_beam_t:s0 key=(null)
type=SERVICE_STOP msg=audit(1369476952.932:539): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="ejabberd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
type=AVC msg=audit(1369476953.140:540): avc:  denied  { node_bind } for  pid=1956 comm="beam.smp" scontext=system_u:system_r:rabbitmq_beam_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1369476953.140:540): arch=c000003e syscall=49 success=no exit=-13 a0=7 a1=7f9bf7b2eab0 a2=10 a3=7f9bf7b2e500 items=0 ppid=1933 pid=1956 auid=4294967295 uid=989 gid=987 euid=989 suid=989 fsuid=989 egid=987 sgid=987 fsgid=987 ses=4294967295 tty=(none) comm="beam.smp" exe="/usr/lib64/erlang/erts-5.10.1/bin/beam.smp" subj=system_u:system_r:rabbitmq_beam_t:s0 key=(null)
type=AVC msg=audit(1369476953.206:541): avc:  denied  { getattr } for  pid=1950 comm="beam.smp" path="/var/lib/ejabberd/spool/.erlang.cookie" dev="vda4" ino=3381 scontext=system_u:system_r:rabbitmq_beam_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1369476953.206:541): arch=c000003e syscall=4 success=no exit=-13 a0=7f9bf99c0808 a1=7f9bf83b9d90 a2=7f9bf83b9d90 a3=0 items=0 ppid=1933 pid=1950 auid=4294967295 uid=989 gid=987 euid=989 suid=989 fsuid=989 egid=987 sgid=987 fsgid=987 ses=4294967295 tty=(none) comm="beam.smp" exe="/usr/lib64/erlang/erts-5.10.1/bin/beam.smp" subj=system_u:system_r:rabbitmq_beam_t:s0 key=(null)
type=AVC msg=audit(1369476953.730:542): avc:  denied  { write } for  pid=1956 comm="beam.smp" name="ejabberd" dev="vda4" ino=3229 scontext=system_u:system_r:rabbitmq_beam_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1369476953.730:542): arch=c000003e syscall=2 success=no exit=-13 a0=7f9bf7b2fbc0 a1=241 a2=1a0 a3=323530333130325f items=0 ppid=1933 pid=1956 auid=4294967295 uid=989 gid=987 euid=989 suid=989 fsuid=989 egid=987 sgid=987 fsgid=987 ses=4294967295 tty=(none) comm="beam.smp" exe="/usr/lib64/erlang/erts-5.10.1/bin/beam.smp" subj=system_u:system_r:rabbitmq_beam_t:s0 key=(null)
type=SERVICE_START msg=audit(1369476953.774:543): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="ejabberd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1369476953.904:544): avc:  denied  { node_bind } for  pid=1981 comm="beam.smp" scontext=system_u:system_r:rabbitmq_beam_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1369476953.904:544): arch=c000003e syscall=49 success=no exit=-13 a0=8 a1=7fceb7c8cab0 a2=10 a3=7fceb7c8c500 items=0 ppid=1 pid=1981 auid=4294967295 uid=989 gid=987 euid=989 suid=989 fsuid=989 egid=987 sgid=987 fsgid=987 ses=4294967295 tty=(none) comm="beam.smp" exe="/usr/lib64/erlang/erts-5.10.1/bin/beam.smp" subj=system_u:system_r:rabbitmq_beam_t:s0 key=(null)
type=AVC msg=audit(1369476953.965:545): avc:  denied  { getattr } for  pid=1975 comm="beam.smp" path="/var/lib/ejabberd/spool/.erlang.cookie" dev="vda4" ino=3381 scontext=system_u:system_r:rabbitmq_beam_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1369476953.965:545): arch=c000003e syscall=4 success=no exit=-13 a0=7fceb9b40808 a1=7fceb8517d90 a2=7fceb8517d90 a3=0 items=0 ppid=1 pid=1975 auid=4294967295 uid=989 gid=987 euid=989 suid=989 fsuid=989 egid=987 sgid=987 fsgid=987 ses=4294967295 tty=(none) comm="beam.smp" exe="/usr/lib64/erlang/erts-5.10.1/bin/beam.smp" subj=system_u:system_r:rabbitmq_beam_t:s0 key=(null)
type=AVC msg=audit(1369476954.488:546): avc:  denied  { write } for  pid=1981 comm="beam.smp" name="ejabberd" dev="vda4" ino=3229 scontext=system_u:system_r:rabbitmq_beam_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1369476954.488:546): arch=c000003e syscall=2 success=no exit=-13 a0=7fceb7c8dbc0 a1=241 a2=1a0 a3=323530333130325f items=0 ppid=1 pid=1981 auid=4294967295 uid=989 gid=987 euid=989 suid=989 fsuid=989 egid=987 sgid=987 fsgid=987 ses=4294967295 tty=(none) comm="beam.smp" exe="/usr/lib64/erlang/erts-5.10.1/bin/beam.smp" subj=system_u:system_r:rabbitmq_beam_t:s0 key=(null)
Comment 1 Miroslav Grepl 2013-05-28 04:11:53 EDT
We need to add a policy for 

ejabberd.service
Comment 2 Miroslav Grepl 2013-05-29 02:48:21 EDT
I added support for ejabberd for F19.
Comment 3 Fedora Update System 2013-05-29 10:20:22 EDT
selinux-policy-3.12.1-47.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-47.fc19
Comment 4 Fedora Update System 2013-05-29 13:47:19 EDT
Package selinux-policy-3.12.1-47.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-47.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-9565/selinux-policy-3.12.1-47.fc19
then log in and leave karma (feedback).
Comment 5 Fedora Update System 2013-05-29 23:34:20 EDT
selinux-policy-3.12.1-47.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.