Allow rabbitmq to use systemd notify

[kajinamit]

... to address the following denials additionally found.

type=AVC msg=audit(1654884684.383:4434): avc: denied { getattr } for pid=40772 comm="10_dirty_io_sch" path="/run/systemd/notify" dev="tmpfs" ino=36 scontext=system_u:system_r:rabbitmq_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1654884684.383:4435): avc: denied { read } for pid=40772 comm="10_dirty_io_sch" name="notify" dev="tmpfs" ino=36 scontext=system_u:system_r:rabbitmq_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=sock_file permissive=1

Resolves: rhbz#2056565

[zpytela]

Unfortunately, using types from other modules is not possible. Probably init_stream_connect() can do the job, do you have a simple reproducer for your task?
Llater on I'd like to find a generic solution for using systemd-notify.

[kajinamit]

@zpytela Thanks for reviewing this. I've reproduced the problem in my local env and updated the patch to init_stream_connect, as suggested by you and audit2allow .

[vagrant@localhost ~]$ rpm -qa | grep selinux-policy
selinux-policy-34.1.34-1.el9.noarch
selinux-policy-targeted-34.1.34-1.el9.noarch
selinux-policy-devel-34.1.34-1.el9.noarch
[vagrant@localhost ~]$ sudo ausearch -m AVC -ts recent
----
time->Fri Jun 24 12:05:35 2022
type=PROCTITLE msg=audit(1656072335.757:785): proctitle=2F7573722F6C696236342F65726C616E672F657274732D31322E312E352F62696E2F6265616D2E736D70002D570077002D4D426173006167656666636266002D4D486173006167656666636266002D4D426C6D62637300353132002D4D486C6D62637300353132002D4D4D6D6373003330002D500031303438353736002D74
type=SYSCALL msg=audit(1656072335.757:785): arch=c000003e syscall=262 success=no exit=-13 a0=ffffff9c a1=7fb5c513b618 a2=7fb5c1a37b10 a3=0 items=0 ppid=1 pid=35965 auid=4294967295 uid=987 gid=987 euid=987 suid=987 fsuid=987 egid=987 sgid=987 fsgid=987 tty=(none) ses=4294967295 comm="10_dirty_io_sch" exe="/usr/lib64/erlang/erts-12.1.5/bin/beam.smp" subj=system_u:system_r:rabbitmq_t:s0 key=(null)
type=AVC msg=audit(1656072335.757:785): avc:  denied  { getattr } for  pid=35965 comm="10_dirty_io_sch" path="/run/systemd/notify" dev="tmpfs" ino=36 scontext=system_u:system_r:rabbitmq_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=sock_file permissive=0
[vagrant@localhost ~]$ sudo ausearch -m AVC -ts recent | audit2allow -R

require {
	type rabbitmq_t;
}

#============= rabbitmq_t ==============
init_stream_connect(rabbitmq_t)
[vagrant@localhost ~]$ grep -r init_stream_connect .

I've installed the above rule as a test module and confirmed now rabbitmq-server can start.

[zpytela]

Merging, thank you for the contribution.