
rabbitmq-server can't be started when selinux is enforcing on redhat 7 #200

Closed
shalq opened this issue Jan 14, 2015 · 4 comments

@shalq
Contributor

commented Jan 14, 2015

rabbitmq-server can't be started when SELinux is enforcing on RHEL 7. If SELinux is disabled or permissive, rabbitmq-server can be started. The error log is as below:

```
Recipe: rabbitmq::default

  * package[rabbitmq-server] action install (up to date)
  * service[rabbitmq-server] action enable
    - enable service service[rabbitmq-server]

  * service[rabbitmq-server] action start

    Error executing action start on resource 'service[rabbitmq-server]'

    Mixlib::ShellOut::ShellCommandFailed

    Expected process to exit with [0], but received '1'
    ---- Begin output of /sbin/service rabbitmq-server start ----
    STDOUT:
    STDERR: Redirecting to /bin/systemctl start rabbitmq-server.service
    Job for rabbitmq-server.service failed. See 'systemctl status rabbitmq-server.service' and 'journalctl -xn' for details.
    ---- End output of /sbin/service rabbitmq-server start ----
    Ran /sbin/service rabbitmq-server start returned 1

    Resource Declaration:

    In /var/chef/cache/cookbooks/rabbitmq/recipes/default.rb

    107: service node['rabbitmq']['service_name'] do
    108:   action [:enable, :start]
    109: end
    110:

    Compiled Resource:

    Declared in /var/chef/cache/cookbooks/rabbitmq/recipes/default.rb:107:in `from_file'

    service("rabbitmq-server") do
      action [:enable, :start]
      updated true
      supports {:restart=>false, :reload=>false, :status=>true}
      retries 0
```


@shalq


Contributor Author

commented Jan 14, 2015

In my environment, I can see SELinux preventing beam from binding to port 25672.

journalctl message:

```
Jan 12 04:26:43 vm139.cn.ibm.com setroubleshoot[30030]: SELinux is preventing /usr/lib64/erlang/erts-6.2.1/bin/beam.smp from name_bind access on the tcp_socket . For complete SELinux messages. run sealert -l 39809957-d238-49df-9286-b3f8d94e463d
```

Raw audit messages:

```
type=AVC msg=audit(1421054802.667:10652): avc: denied { name_bind } for pid=30017 comm="beam.smp" src=25672 scontext=system_u:system_r:rabbitmq_beam_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
```

Should rabbitmq-server have an SELinux policy to handle it? It seems port 25672 is unreserved on RHEL 7. It could be done by the selinux rpm or the rabbitmq package.

`semanage permissive -a rabbitmq_beam_t` can be used to make the process type rabbitmq_beam_t permissive; then rabbitmq can start even though system SELinux is enforcing.

As for the rabbitmq cookbook, can we set rabbitmq_beam_t to permissive to handle this issue?

@shalq


Contributor Author

commented Jan 20, 2015

25672 is the port for clustering. Its default value is RABBITMQ_NODE_PORT (default 5672) + 20000; it can be specified in the rabbitmq environment file. In RHEL 7, all unreserved ports use a context named `unreserved_port_t`, which is different from RHEL 6. That is the reason why rabbitmq-server can't start on RHEL 7.

To solve this issue, we can create an SELinux rule to allow rabbitmq to bind/connect to unreserved ports.
I wrote an SELinux rule and tested it on RHEL 7; it works fine.
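
The following is an added example, not the cookbook's code and not the rule the commenter wrote. It shows the two steps behind the fix discussed in this thread: deriving an `allow` rule from the AVC denial quoted above (the same transformation `audit2allow` performs; the denial line is copied from the issue), and packaging a policy module that grants `rabbitmq_beam_t` `name_bind` and `name_connect` on `unreserved_port_t`. The module name `rabbitmq_unreserved`, the `install` argument and the function names are my choices. Building and loading needs `checkmodule`, `semodule_package` and `semodule` from policycoreutils and root; the parsing part runs anywhere. Two caveats a practitioner would want: `semanage permissive -a rabbitmq_beam_t` (the workaround in the earlier comment) turns off enforcement for the whole domain, whereas the module below only opens unreserved TCP ports; and an even narrower alternative, assuming the stock rabbitmq policy allows binding its own port type, is to label just the clustering port with `semanage port -a -t amqp_port_t -p tcp 25672` instead of loading a module.

```shell
#!/bin/sh
# Added example: derive an SELinux allow rule from an AVC denial and build a
# small policy module around it. Not part of the rabbitmq cookbook.

# Constructed sample input: the denial reported in this issue.
SAMPLE_AVC='type=AVC msg=audit(1421054802.667:10652): avc: denied { name_bind } for pid=30017 comm="beam.smp" src=25672 scontext=system_u:system_r:rabbitmq_beam_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket'

# avc_to_allow LINE: print "allow <src type> <tgt type>:<class> { perms };"
# The type is the third colon-separated field of a context
# (user:role:type:level); permissions are the words between "{" and "}".
avc_to_allow() {
    printf '%s\n' "$1" | awk '
    /avc: *denied/ {
        perms = ""; src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") {
                for (j = i + 1; j <= NF && $j != "}"; j++) perms = perms " " $j
            }
            if (index($i, "scontext=") == 1) src = substr($i, 10)
            if (index($i, "tcontext=") == 1) tgt = substr($i, 10)
            if (index($i, "tclass=") == 1)   cls = substr($i, 8)
        }
        sub(/^ /, "", perms)
        split(src, s, ":"); split(tgt, t, ":")
        printf "allow %s %s:%s { %s };\n", s[3], t[3], cls, perms
    }'
}

# te_source: policy module source. name_connect is included as well because a
# clustered node also has to reach port 25672 on its peers (the issue speaks of
# "bind/connect"). Module name rabbitmq_unreserved is an assumption.
te_source() {
    cat <<EOF
module rabbitmq_unreserved 1.0;

require {
    type rabbitmq_beam_t;
    type unreserved_port_t;
    class tcp_socket { name_bind name_connect };
}

# Rule derived from the reported denial: $(avc_to_allow "$SAMPLE_AVC")
allow rabbitmq_beam_t unreserved_port_t:tcp_socket { name_bind name_connect };
EOF
}

# build_module: compile the .te into a .pp and load it (root required).
build_module() {
    dir=$(mktemp -d) || return 1
    te_source > "$dir/rabbitmq_unreserved.te"
    checkmodule -M -m -o "$dir/rabbitmq_unreserved.mod" "$dir/rabbitmq_unreserved.te" &&
    semodule_package -o "$dir/rabbitmq_unreserved.pp" -m "$dir/rabbitmq_unreserved.mod" &&
    semodule -i "$dir/rabbitmq_unreserved.pp"
}

# Run directly: show the derived rule and the module source. Pass "install"
# to actually build and load it.
avc_to_allow "$SAMPLE_AVC"
te_source
if [ "${1:-}" = "install" ]; then
    build_module
fi
```

After loading, `semodule -l | grep rabbitmq_unreserved` should list the module and `sesearch -A -s rabbitmq_beam_t -t unreserved_port_t` (setools) should show the new rule; `semodule -r rabbitmq_unreserved` removes it again.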

@cmluciano


Collaborator

commented Mar 2, 2015

@shalq I'm not sure if this has been fixed, but please try a git pull on the latest release. CentOS 7 support has recently been added and I'm interested to see if this may fix your errors.

@shalq


Contributor Author

commented Mar 3, 2015

I wrote an SELinux rule to fix it in my rabbitmq recipe. Not only rabbitmq: I heard someone also hit an SELinux issue in keystone when deploying on RHEL 7. I think there should be a fix in the openstack-selinux rpm or its dependency, the selinux-policy-targeted rpm.

@shalq shalq closed this Mar 3, 2015
