Description of problem:
Ejabberd won't start if selinux is in enforcing mode. Works in permissive.

Version-Release number of selected component (if applicable):
guile-5:1.8.8-5.fc18.2

How reproducible:
Always. Have the above policy installed in enforcing and boot.

Steps to Reproduce:
1. Set selinux to enforcing
2. Start ejabberd.service
3. Get just beam working, but not ejabberd

Actual results:
Ejabberd not working

Expected results:
Ejabberd working

Additional info:
Excerpt from audit.log:

setenforce notice (enforcing=1) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1369476952.154:534): avc: denied { write } for pid=1896 comm="epmd" path="/run/lock/ejabberdctl/ejabberdctl-1" dev="tmpfs" ino=19001 scontext=system_u:system_r:rabbitmq_epmd_t:s0 tcontext=system_u:object_r:lvm_lock_t:s0 tclass=file
type=SYSCALL msg=audit(1369476952.154:534): arch=c000003e syscall=59 success=yes exit=0 a0=ac6be0 a1=ac6b70 a2=ac55d0 a3=7ffffdaf2380 items=0 ppid=1892 pid=1896 auid=4294967295 uid=989 gid=987 euid=989 suid=989 fsuid=989 egid=987 sgid=987 fsgid=987 ses=4294967295 tty=(none) comm="epmd" exe="/usr/lib64/erlang/erts-5.10.1/bin/epmd" subj=system_u:system_r:rabbitmq_epmd_t:s0 key=(null)
type=AVC msg=audit(1369476952.164:535): avc: denied { write } for pid=1892 comm="beam.smp" path="/run/lock/ejabberdctl/ejabberdctl-1" dev="tmpfs" ino=19001 scontext=system_u:system_r:rabbitmq_beam_t:s0 tcontext=system_u:object_r:lvm_lock_t:s0 tclass=file
type=SYSCALL msg=audit(1369476952.164:535): arch=c000003e syscall=59 success=yes exit=0 a0=f5c050 a1=f5c2c0 a2=7fffac5e6ce0 a3=7fffac5e68e0 items=0 ppid=1890 pid=1892 auid=4294967295 uid=989 gid=987 euid=989 suid=989 fsuid=989 egid=987 sgid=987 fsgid=987 ses=4294967295 tty=(none) comm="beam.smp" exe="/usr/lib64/erlang/erts-5.10.1/bin/beam.smp" subj=system_u:system_r:rabbitmq_beam_t:s0 key=(null)
type=AVC msg=audit(1369476952.298:536): avc: denied { node_bind } for pid=1915 comm="beam.smp" scontext=system_u:system_r:rabbitmq_beam_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1369476952.298:536): arch=c000003e syscall=49 success=no exit=-13 a0=7 a1=7f534e74cab0 a2=10 a3=7f534e74c500 items=0 ppid=1890 pid=1915 auid=4294967295 uid=989 gid=987 euid=989 suid=989 fsuid=989 egid=987 sgid=987 fsgid=987 ses=4294967295 tty=(none) comm="beam.smp" exe="/usr/lib64/erlang/erts-5.10.1/bin/beam.smp" subj=system_u:system_r:rabbitmq_beam_t:s0 key=(null)
type=AVC msg=audit(1369476952.362:537): avc: denied { getattr } for pid=1905 comm="beam.smp" path="/var/lib/ejabberd/spool/.erlang.cookie" dev="vda4" ino=3381 scontext=system_u:system_r:rabbitmq_beam_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1369476952.362:537): arch=c000003e syscall=4 success=no exit=-13 a0=7f5350600808 a1=7f534fc7dd90 a2=7f534fc7dd90 a3=0 items=0 ppid=1890 pid=1905 auid=4294967295 uid=989 gid=987 euid=989 suid=989 fsuid=989 egid=987 sgid=987 fsgid=987 ses=4294967295 tty=(none) comm="beam.smp" exe="/usr/lib64/erlang/erts-5.10.1/bin/beam.smp" subj=system_u:system_r:rabbitmq_beam_t:s0 key=(null)
type=AVC msg=audit(1369476952.896:538): avc: denied { write } for pid=1915 comm="beam.smp" name="ejabberd" dev="vda4" ino=3229 scontext=system_u:system_r:rabbitmq_beam_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1369476952.896:538): arch=c000003e syscall=2 success=no exit=-13 a0=7f534e74dbc0 a1=241 a2=1a0 a3=323530333130325f items=0 ppid=1890 pid=1915 auid=4294967295 uid=989 gid=987 euid=989 suid=989 fsuid=989 egid=987 sgid=987 fsgid=987 ses=4294967295 tty=(none) comm="beam.smp" exe="/usr/lib64/erlang/erts-5.10.1/bin/beam.smp" subj=system_u:system_r:rabbitmq_beam_t:s0 key=(null)
type=SERVICE_STOP msg=audit(1369476952.932:539): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="ejabberd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
type=AVC msg=audit(1369476953.140:540): avc: denied { node_bind } for pid=1956 comm="beam.smp" scontext=system_u:system_r:rabbitmq_beam_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1369476953.140:540): arch=c000003e syscall=49 success=no exit=-13 a0=7 a1=7f9bf7b2eab0 a2=10 a3=7f9bf7b2e500 items=0 ppid=1933 pid=1956 auid=4294967295 uid=989 gid=987 euid=989 suid=989 fsuid=989 egid=987 sgid=987 fsgid=987 ses=4294967295 tty=(none) comm="beam.smp" exe="/usr/lib64/erlang/erts-5.10.1/bin/beam.smp" subj=system_u:system_r:rabbitmq_beam_t:s0 key=(null)
type=AVC msg=audit(1369476953.206:541): avc: denied { getattr } for pid=1950 comm="beam.smp" path="/var/lib/ejabberd/spool/.erlang.cookie" dev="vda4" ino=3381 scontext=system_u:system_r:rabbitmq_beam_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1369476953.206:541): arch=c000003e syscall=4 success=no exit=-13 a0=7f9bf99c0808 a1=7f9bf83b9d90 a2=7f9bf83b9d90 a3=0 items=0 ppid=1933 pid=1950 auid=4294967295 uid=989 gid=987 euid=989 suid=989 fsuid=989 egid=987 sgid=987 fsgid=987 ses=4294967295 tty=(none) comm="beam.smp" exe="/usr/lib64/erlang/erts-5.10.1/bin/beam.smp" subj=system_u:system_r:rabbitmq_beam_t:s0 key=(null)
type=AVC msg=audit(1369476953.730:542): avc: denied { write } for pid=1956 comm="beam.smp" name="ejabberd" dev="vda4" ino=3229 scontext=system_u:system_r:rabbitmq_beam_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1369476953.730:542): arch=c000003e syscall=2 success=no exit=-13 a0=7f9bf7b2fbc0 a1=241 a2=1a0 a3=323530333130325f items=0 ppid=1933 pid=1956 auid=4294967295 uid=989 gid=987 euid=989 suid=989 fsuid=989 egid=987 sgid=987 fsgid=987 ses=4294967295 tty=(none) comm="beam.smp" exe="/usr/lib64/erlang/erts-5.10.1/bin/beam.smp" subj=system_u:system_r:rabbitmq_beam_t:s0 key=(null)
type=SERVICE_START msg=audit(1369476953.774:543): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="ejabberd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1369476953.904:544): avc: denied { node_bind } for pid=1981 comm="beam.smp" scontext=system_u:system_r:rabbitmq_beam_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1369476953.904:544): arch=c000003e syscall=49 success=no exit=-13 a0=8 a1=7fceb7c8cab0 a2=10 a3=7fceb7c8c500 items=0 ppid=1 pid=1981 auid=4294967295 uid=989 gid=987 euid=989 suid=989 fsuid=989 egid=987 sgid=987 fsgid=987 ses=4294967295 tty=(none) comm="beam.smp" exe="/usr/lib64/erlang/erts-5.10.1/bin/beam.smp" subj=system_u:system_r:rabbitmq_beam_t:s0 key=(null)
type=AVC msg=audit(1369476953.965:545): avc: denied { getattr } for pid=1975 comm="beam.smp" path="/var/lib/ejabberd/spool/.erlang.cookie" dev="vda4" ino=3381 scontext=system_u:system_r:rabbitmq_beam_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1369476953.965:545): arch=c000003e syscall=4 success=no exit=-13 a0=7fceb9b40808 a1=7fceb8517d90 a2=7fceb8517d90 a3=0 items=0 ppid=1 pid=1975 auid=4294967295 uid=989 gid=987 euid=989 suid=989 fsuid=989 egid=987 sgid=987 fsgid=987 ses=4294967295 tty=(none) comm="beam.smp" exe="/usr/lib64/erlang/erts-5.10.1/bin/beam.smp" subj=system_u:system_r:rabbitmq_beam_t:s0 key=(null)
type=AVC msg=audit(1369476954.488:546): avc: denied { write } for pid=1981 comm="beam.smp" name="ejabberd" dev="vda4" ino=3229 scontext=system_u:system_r:rabbitmq_beam_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1369476954.488:546): arch=c000003e syscall=2 success=no exit=-13 a0=7fceb7c8dbc0 a1=241 a2=1a0 a3=323530333130325f items=0 ppid=1 pid=1981 auid=4294967295 uid=989 gid=987 euid=989 suid=989 fsuid=989 egid=987 sgid=987 fsgid=987 ses=4294967295 tty=(none) comm="beam.smp" exe="/usr/lib64/erlang/erts-5.10.1/bin/beam.smp" subj=system_u:system_r:rabbitmq_beam_t:s0 key=(null)
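The excerpt above has a clear shape: every ejabberd process is running in the rabbitmq_beam_t / rabbitmq_epmd_t domains (there is no ejabberd domain yet), and the denied targets are a lock file labeled lvm_lock_t, the node_t UDP bind, the .erlang.cookie under the generic var_lib_t, and the ejabberd log directory under the generic var_log_t. The script below is an added example for triaging such denials; it is not part of this bug report or of the selinux-policy package. It parses raw audit.log text, collapses the repeated denials into the (source domain, target type, object class) -> permissions shape a policy rule needs, renders the TE allow rules a naive "allow everything that was denied" translation would produce, and flags the ones that would grant write access to a shared generic type. The sample records are copied from the excerpt; the GENERIC_TYPES and WRITE_LIKE sets are the example's own heuristic, not something defined by the policy.

```python
"""Triage SELinux AVC denials from raw audit.log text.

Added example (not the bug report's or selinux-policy's own code).
"""
import re
from collections import defaultdict

# Constructed sample: records copied from the audit.log excerpt in this report.
# Non-AVC records (SYSCALL) are included to show that they are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1369476952.154:534): avc: denied { write } for pid=1896 comm="epmd" path="/run/lock/ejabberdctl/ejabberdctl-1" dev="tmpfs" ino=19001 scontext=system_u:system_r:rabbitmq_epmd_t:s0 tcontext=system_u:object_r:lvm_lock_t:s0 tclass=file
type=SYSCALL msg=audit(1369476952.154:534): arch=c000003e syscall=59 success=yes exit=0 comm="epmd" exe="/usr/lib64/erlang/erts-5.10.1/bin/epmd" subj=system_u:system_r:rabbitmq_epmd_t:s0 key=(null)
type=AVC msg=audit(1369476952.164:535): avc: denied { write } for pid=1892 comm="beam.smp" path="/run/lock/ejabberdctl/ejabberdctl-1" dev="tmpfs" ino=19001 scontext=system_u:system_r:rabbitmq_beam_t:s0 tcontext=system_u:object_r:lvm_lock_t:s0 tclass=file
type=AVC msg=audit(1369476952.298:536): avc: denied { node_bind } for pid=1915 comm="beam.smp" scontext=system_u:system_r:rabbitmq_beam_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=udp_socket
type=AVC msg=audit(1369476952.362:537): avc: denied { getattr } for pid=1905 comm="beam.smp" path="/var/lib/ejabberd/spool/.erlang.cookie" dev="vda4" ino=3381 scontext=system_u:system_r:rabbitmq_beam_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1369476952.896:538): avc: denied { write } for pid=1915 comm="beam.smp" name="ejabberd" dev="vda4" ino=3229 scontext=system_u:system_r:rabbitmq_beam_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=AVC msg=audit(1369476953.140:540): avc: denied { node_bind } for pid=1956 comm="beam.smp" scontext=system_u:system_r:rabbitmq_beam_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=udp_socket
type=AVC msg=audit(1369476953.206:541): avc: denied { getattr } for pid=1950 comm="beam.smp" path="/var/lib/ejabberd/spool/.erlang.cookie" dev="vda4" ino=3381 scontext=system_u:system_r:rabbitmq_beam_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
"""

# Header of an AVC record; whitespace is flexible because audit.log uses double
# spaces around "denied" and tools often collapse them.
AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*avc:\s*"
    r"(?P<verdict>denied|granted)\s*\{\s*(?P<perms>[^}]*?)\s*\}\s*for\s*(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Heuristic (this example's assumption): types shared by many services. An allow
# rule against one of these usually means the object needs its own private type
# (and a file context to label it), not that the domain should get that access.
GENERIC_TYPES = {"var_lib_t", "var_log_t", "var_run_t", "var_t", "tmp_t",
                 "etc_t", "usr_t", "bin_t", "lib_t"}
WRITE_LIKE = {"write", "append", "create", "unlink", "rename", "add_name",
              "remove_name", "setattr"}


def _type_of(context):
    """Return the type component of a user:role:type[:mls] SELinux context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc(text):
    """Parse the AVC records out of audit.log text; other record types are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.match(line.strip())
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
        records.append({
            "serial": int(m.group("serial")),
            "verdict": m.group("verdict"),
            "perms": frozenset(m.group("perms").split()),
            "comm": fields.get("comm", "?"),
            "object": fields.get("path") or fields.get("name") or "",
            "sdomain": _type_of(fields["scontext"]),
            "ttype": _type_of(fields["tcontext"]),
            "tclass": fields["tclass"],
        })
    return records


def summarize(records):
    """Collapse denials into (source domain, target type, class) -> set of permissions."""
    summary = defaultdict(set)
    for r in records:
        if r["verdict"] == "denied":
            summary[(r["sdomain"], r["ttype"], r["tclass"])] |= r["perms"]
    return dict(summary)


def te_rules(summary):
    """Render the summary as TE allow rules, one per (domain, type, class)."""
    rules = []
    for (sdomain, ttype, tclass), perms in sorted(summary.items()):
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ %s }" % perm_str
        rules.append("allow %s %s:%s %s;" % (sdomain, ttype, tclass, perm_str))
    return rules


def too_broad(summary):
    """Rule shapes that would grant write-like access to a shared generic type."""
    return sorted(
        "%s -> %s:%s %s" % (sd, tt, tc, " ".join(sorted(perms & WRITE_LIKE)))
        for (sd, tt, tc), perms in summary.items()
        if tt in GENERIC_TYPES and perms & WRITE_LIKE
    )


if __name__ == "__main__":
    recs = parse_avc(SAMPLE_AUDIT_LOG)
    summ = summarize(recs)
    print("%d AVC denials, %d distinct rule shapes" % (len(recs), len(summ)))
    for rule in te_rules(summ):
        print(rule)
    for warn in too_broad(summ):
        print("TOO BROAD (give the object a private type instead):", warn)
```

On the sample, the seven denials collapse to five rule shapes, and the only one flagged is the write into the var_log_t directory; the two lock-file denials against lvm_lock_t are not flagged by the heuristic but read as a labeling problem too, since an ejabberd lock file should not carry an LVM type. That is the practical difference between pasting audit2allow output into a local module and the fix that landed in this thread, a dedicated policy for the service.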
We need to add a policy for ejabberd.service
I added support for ejabberd for F19.
selinux-policy-3.12.1-47.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-47.fc19
Package selinux-policy-3.12.1-47.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-47.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-9565/selinux-policy-3.12.1-47.fc19
then log in and leave karma (feedback).
selinux-policy-3.12.1-47.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.