rabbitmq-server can't be started when selinux is enforcing on redhat 7 #200
rabbitmq-server can't be started when selinux is enforcing on RHEL 7. If selinux is disabled or permissive, rabbitmq-server can be started. The error log is below:
* service[rabbitmq-server] action start
Error executing action
In my environment, I can see selinux preventing beam from binding to port 25672.
----Raw Audit Messages---------------------
Should rabbitmq-server have a selinux policy to handle it? It seems port 25672 is unreserved on redhat 7. It could be done by the selinux rpm or the rabbitmq package.
"semanage permissive -a rabbitmq_beam_t" can be used to make the process type rabbitmq_beam_t permissive, then rabbitmq can start even though system selinux is enforcing.
As for the rabbitmq cookbook, can we set rabbitmq_beam_t to permissive to handle this issue?
25672 is the port for clustering. Its default value is RABBITMQ_NODE_PORT (default 5672) + 20000, and it can be specified in the rabbitmq environment file. In redhat 7, all unreserved ports use a context named "unreserved_port_t", which is different from redhat 6. That is the reason why rabbitmq-server
To solve this issue, we can create a selinux rule to allow rabbitmq to bind/connect to unreserved ports.
I wrote a selinux rule to fix it in my rabbitmq recipe. Not only rabbitmq, I heard someone also hit a selinux issue in keystone when deploying on redhat 7. I think there should be a fix in the openstack-selinux rpm or its dependency: the selinux-policy-targeted rpm.
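
Added example (not from this issue or the cookbook): instead of making rabbitmq_beam_t permissive, a policy module can allow only the permissions that were actually denied to that one domain. The script below derives such a module from AVC records; the sample records, the module name `rabbitmq_unreserved` and the function `avc_to_te` are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample AVC records (the issue's own audit log is not on the page).
SAMPLE_AVC='type=AVC msg=audit(1400000000.001:101): avc:  denied  { name_bind } for  pid=1234 comm="beam" src=25672 scontext=system_u:system_r:rabbitmq_beam_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1400000000.002:102): avc:  denied  { name_connect } for  pid=1234 comm="beam" dest=25672 scontext=system_u:system_r:rabbitmq_beam_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1400000000.003:103): avc:  denied  { name_bind } for  pid=2222 comm="httpd" src=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket'

# avc_to_te MODULE DOMAIN: read AVC records on stdin and print a .te module
# that allows only the permissions denied to DOMAIN; other domains are ignored.
avc_to_te() {
    awk -v mod="$1" -v dom="$2" '
    /avc: +denied/ {
        perms = $0; sub(/^[^{]*[{] */, "", perms); sub(/ *[}].*$/, "", perms)
        src = tgt = cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split($i, s, ":"); src = s[3] }
            if ($i ~ /^tcontext=/) { split($i, t, ":"); tgt = t[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src != dom || tgt == "" || cls == "") next   # not our domain
        key = tgt ":" cls
        if (!(key in seen)) { seen[key] = 1; order[++n] = key }
        np = split(perms, p, " ")
        for (j = 1; j <= np; j++)            # merge permissions, no duplicates
            if (index(" " have[key] " ", " " p[j] " ") == 0)
                have[key] = (have[key] == "" ? p[j] : have[key] " " p[j])
    }
    END {
        if (n == 0) exit 1                   # nothing denied for this domain
        printf "module %s 1.0;\n\nrequire {\n\ttype %s;\n", mod, dom
        for (k = 1; k <= n; k++) {
            split(order[k], a, ":")
            if (!(a[1] in ty)) { ty[a[1]] = 1; printf "\ttype %s;\n", a[1] }
            printf "\tclass %s { %s };\n", a[2], have[order[k]]
        }
        print "}\n"
        for (k = 1; k <= n; k++) {
            split(order[k], a, ":")
            printf "allow %s %s:%s { %s };\n", dom, a[1], a[2], have[order[k]]
        }
    }'
}

# Build and load on the target host with the standard SELinux tools:
#   avc_to_te rabbitmq_unreserved rabbitmq_beam_t < avc.log > rabbitmq_unreserved.te
#   checkmodule -M -m -o rabbitmq_unreserved.mod rabbitmq_unreserved.te
#   semodule_package -o rabbitmq_unreserved.pp -m rabbitmq_unreserved.mod
#   semodule -i rabbitmq_unreserved.pp
printf '%s\n' "$SAMPLE_AVC" | avc_to_te rabbitmq_unreserved rabbitmq_beam_t
```

The resulting rule still covers every port labelled unreserved_port_t, so review the generated `.te` before loading it.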