Bug 967186 - Selinux crashes epm/beam for ejabberd
Summary: Selinux crashes epm/beam for ejabberd
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 19
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 968158
TreeView+ depends on / blocked
 
Reported: 2013-05-25 10:17 UTC by Grosswiler Roger
Modified: 2013-05-30 03:34 UTC (History)
3 users (show)

Fixed In Version: selinux-policy-3.12.1-47.fc19
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 968158 (view as bug list)
Environment:
Last Closed: 2013-05-30 03:34:20 UTC
Type: Bug
Embargoed:


Attachments (Terms of Use)

Description Grosswiler Roger 2013-05-25 10:17:12 UTC
Description of problem:
Ejabberd won't start if selinux in enforcing mode. Works in permissive.


Version-Release number of selected component (if applicable):
guile-5:1.8.8-5.fc18.2

How reproducible:
Always. Have above policy installed in enforcing an boot


Steps to Reproduce:
1. Set selinux to enforcing
2. Start ejabberd.service
3. Get just beam working, but not ejabberd

Actual results:
Ejabberd not working


Expected results:
Ejabberd working


Additional info:

Excerpt from audit.log:

 setenforce notice (enforcing=1)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1369476952.154:534): avc:  denied  { write } for  pid=1896 comm="epmd" path="/run/lock/ejabberdctl/ejabberdctl-1" dev="tmpfs" ino=19001 scontext=system_u:system_r:rabbitmq_epmd_t:s0 tcontext=system_u:object_r:lvm_lock_t:s0 tclass=file
type=SYSCALL msg=audit(1369476952.154:534): arch=c000003e syscall=59 success=yes exit=0 a0=ac6be0 a1=ac6b70 a2=ac55d0 a3=7ffffdaf2380 items=0 ppid=1892 pid=1896 auid=4294967295 uid=989 gid=987 euid=989 suid=989 fsuid=989 egid=987 sgid=987 fsgid=987 ses=4294967295 tty=(none) comm="epmd" exe="/usr/lib64/erlang/erts-5.10.1/bin/epmd" subj=system_u:system_r:rabbitmq_epmd_t:s0 key=(null)
type=AVC msg=audit(1369476952.164:535): avc:  denied  { write } for  pid=1892 comm="beam.smp" path="/run/lock/ejabberdctl/ejabberdctl-1" dev="tmpfs" ino=19001 scontext=system_u:system_r:rabbitmq_beam_t:s0 tcontext=system_u:object_r:lvm_lock_t:s0 tclass=file
type=SYSCALL msg=audit(1369476952.164:535): arch=c000003e syscall=59 success=yes exit=0 a0=f5c050 a1=f5c2c0 a2=7fffac5e6ce0 a3=7fffac5e68e0 items=0 ppid=1890 pid=1892 auid=4294967295 uid=989 gid=987 euid=989 suid=989 fsuid=989 egid=987 sgid=987 fsgid=987 ses=4294967295 tty=(none) comm="beam.smp" exe="/usr/lib64/erlang/erts-5.10.1/bin/beam.smp" subj=system_u:system_r:rabbitmq_beam_t:s0 key=(null)
type=AVC msg=audit(1369476952.298:536): avc:  denied  { node_bind } for  pid=1915 comm="beam.smp" scontext=system_u:system_r:rabbitmq_beam_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1369476952.298:536): arch=c000003e syscall=49 success=no exit=-13 a0=7 a1=7f534e74cab0 a2=10 a3=7f534e74c500 items=0 ppid=1890 pid=1915 auid=4294967295 uid=989 gid=987 euid=989 suid=989 fsuid=989 egid=987 sgid=987 fsgid=987 ses=4294967295 tty=(none) comm="beam.smp" exe="/usr/lib64/erlang/erts-5.10.1/bin/beam.smp" subj=system_u:system_r:rabbitmq_beam_t:s0 key=(null)
type=AVC msg=audit(1369476952.362:537): avc:  denied  { getattr } for  pid=1905 comm="beam.smp" path="/var/lib/ejabberd/spool/.erlang.cookie" dev="vda4" ino=3381 scontext=system_u:system_r:rabbitmq_beam_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1369476952.362:537): arch=c000003e syscall=4 success=no exit=-13 a0=7f5350600808 a1=7f534fc7dd90 a2=7f534fc7dd90 a3=0 items=0 ppid=1890 pid=1905 auid=4294967295 uid=989 gid=987 euid=989 suid=989 fsuid=989 egid=987 sgid=987 fsgid=987 ses=4294967295 tty=(none) comm="beam.smp" exe="/usr/lib64/erlang/erts-5.10.1/bin/beam.smp" subj=system_u:system_r:rabbitmq_beam_t:s0 key=(null)
type=AVC msg=audit(1369476952.896:538): avc:  denied  { write } for  pid=1915 comm="beam.smp" name="ejabberd" dev="vda4" ino=3229 scontext=system_u:system_r:rabbitmq_beam_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1369476952.896:538): arch=c000003e syscall=2 success=no exit=-13 a0=7f534e74dbc0 a1=241 a2=1a0 a3=323530333130325f items=0 ppid=1890 pid=1915 auid=4294967295 uid=989 gid=987 euid=989 suid=989 fsuid=989 egid=987 sgid=987 fsgid=987 ses=4294967295 tty=(none) comm="beam.smp" exe="/usr/lib64/erlang/erts-5.10.1/bin/beam.smp" subj=system_u:system_r:rabbitmq_beam_t:s0 key=(null)
type=SERVICE_STOP msg=audit(1369476952.932:539): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="ejabberd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
type=AVC msg=audit(1369476953.140:540): avc:  denied  { node_bind } for  pid=1956 comm="beam.smp" scontext=system_u:system_r:rabbitmq_beam_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1369476953.140:540): arch=c000003e syscall=49 success=no exit=-13 a0=7 a1=7f9bf7b2eab0 a2=10 a3=7f9bf7b2e500 items=0 ppid=1933 pid=1956 auid=4294967295 uid=989 gid=987 euid=989 suid=989 fsuid=989 egid=987 sgid=987 fsgid=987 ses=4294967295 tty=(none) comm="beam.smp" exe="/usr/lib64/erlang/erts-5.10.1/bin/beam.smp" subj=system_u:system_r:rabbitmq_beam_t:s0 key=(null)
type=AVC msg=audit(1369476953.206:541): avc:  denied  { getattr } for  pid=1950 comm="beam.smp" path="/var/lib/ejabberd/spool/.erlang.cookie" dev="vda4" ino=3381 scontext=system_u:system_r:rabbitmq_beam_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1369476953.206:541): arch=c000003e syscall=4 success=no exit=-13 a0=7f9bf99c0808 a1=7f9bf83b9d90 a2=7f9bf83b9d90 a3=0 items=0 ppid=1933 pid=1950 auid=4294967295 uid=989 gid=987 euid=989 suid=989 fsuid=989 egid=987 sgid=987 fsgid=987 ses=4294967295 tty=(none) comm="beam.smp" exe="/usr/lib64/erlang/erts-5.10.1/bin/beam.smp" subj=system_u:system_r:rabbitmq_beam_t:s0 key=(null)
type=AVC msg=audit(1369476953.730:542): avc:  denied  { write } for  pid=1956 comm="beam.smp" name="ejabberd" dev="vda4" ino=3229 scontext=system_u:system_r:rabbitmq_beam_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1369476953.730:542): arch=c000003e syscall=2 success=no exit=-13 a0=7f9bf7b2fbc0 a1=241 a2=1a0 a3=323530333130325f items=0 ppid=1933 pid=1956 auid=4294967295 uid=989 gid=987 euid=989 suid=989 fsuid=989 egid=987 sgid=987 fsgid=987 ses=4294967295 tty=(none) comm="beam.smp" exe="/usr/lib64/erlang/erts-5.10.1/bin/beam.smp" subj=system_u:system_r:rabbitmq_beam_t:s0 key=(null)
type=SERVICE_START msg=audit(1369476953.774:543): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="ejabberd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1369476953.904:544): avc:  denied  { node_bind } for  pid=1981 comm="beam.smp" scontext=system_u:system_r:rabbitmq_beam_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1369476953.904:544): arch=c000003e syscall=49 success=no exit=-13 a0=8 a1=7fceb7c8cab0 a2=10 a3=7fceb7c8c500 items=0 ppid=1 pid=1981 auid=4294967295 uid=989 gid=987 euid=989 suid=989 fsuid=989 egid=987 sgid=987 fsgid=987 ses=4294967295 tty=(none) comm="beam.smp" exe="/usr/lib64/erlang/erts-5.10.1/bin/beam.smp" subj=system_u:system_r:rabbitmq_beam_t:s0 key=(null)
type=AVC msg=audit(1369476953.965:545): avc:  denied  { getattr } for  pid=1975 comm="beam.smp" path="/var/lib/ejabberd/spool/.erlang.cookie" dev="vda4" ino=3381 scontext=system_u:system_r:rabbitmq_beam_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1369476953.965:545): arch=c000003e syscall=4 success=no exit=-13 a0=7fceb9b40808 a1=7fceb8517d90 a2=7fceb8517d90 a3=0 items=0 ppid=1 pid=1975 auid=4294967295 uid=989 gid=987 euid=989 suid=989 fsuid=989 egid=987 sgid=987 fsgid=987 ses=4294967295 tty=(none) comm="beam.smp" exe="/usr/lib64/erlang/erts-5.10.1/bin/beam.smp" subj=system_u:system_r:rabbitmq_beam_t:s0 key=(null)
type=AVC msg=audit(1369476954.488:546): avc:  denied  { write } for  pid=1981 comm="beam.smp" name="ejabberd" dev="vda4" ino=3229 scontext=system_u:system_r:rabbitmq_beam_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1369476954.488:546): arch=c000003e syscall=2 success=no exit=-13 a0=7fceb7c8dbc0 a1=241 a2=1a0 a3=323530333130325f items=0 ppid=1 pid=1981 auid=4294967295 uid=989 gid=987 euid=989 suid=989 fsuid=989 egid=987 sgid=987 fsgid=987 ses=4294967295 tty=(none) comm="beam.smp" exe="/usr/lib64/erlang/erts-5.10.1/bin/beam.smp" subj=system_u:system_r:rabbitmq_beam_t:s0 key=(null)

Comment 1 Miroslav Grepl 2013-05-28 08:11:53 UTC
We need to add a policy for 

ejabberd.service

Comment 2 Miroslav Grepl 2013-05-29 06:48:21 UTC
I added support for ejabberd for F19.

Comment 3 Fedora Update System 2013-05-29 14:20:22 UTC
selinux-policy-3.12.1-47.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-47.fc19

Comment 4 Fedora Update System 2013-05-29 17:47:19 UTC
Package selinux-policy-3.12.1-47.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-47.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-9565/selinux-policy-3.12.1-47.fc19
then log in and leave karma (feedback).

Comment 5 Fedora Update System 2013-05-30 03:34:20 UTC
selinux-policy-3.12.1-47.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.