CPE Infrastructure / CPE-2395

Fix selinux denial on rabbitmq cluster


      https://pagure.io/fedora-infrastructure/issue/12165

      When looking at other issues, I noticed that rabbitmq is hitting a selinux denial in logrotate.

      ```
      /etc/cron.daily/logrotate:

      04:02:03.270 [error] Error when reading /var/lib/rabbitmq/.erlang.cookie: eacces
      04:02:04.025 [error] Error when reading /var/lib/rabbitmq/.erlang.cookie: eacces
      04:02:04.026 [error] Error when reading /var/lib/rabbitmq/.erlang.cookie: eacces
      04:02:04.773 [error] Error when reading /var/lib/rabbitmq/.erlang.cookie: eacces
      04:02:04.774 [error] Error when reading /var/lib/rabbitmq/.erlang.cookie: eacces
      04:02:05.532 [error] Error when reading /var/lib/rabbitmq/.erlang.cookie: eacces
      04:02:05.533 [error] Error when reading /var/lib/rabbitmq/.erlang.cookie: eacces
      04:02:06.278 [error] Error when reading /var/lib/rabbitmq/.erlang.cookie: eacces
      04:02:06.279 [error] Error when reading /var/lib/rabbitmq/.erlang.cookie: eacces
      04:02:07.035 [error] Error when reading /var/lib/rabbitmq/.erlang.cookie: eacces
      04:02:07.036 [error] Error when reading /var/lib/rabbitmq/.erlang.cookie: eacces
      04:02:07.796 [error] Error when reading /var/lib/rabbitmq/.erlang.cookie: eacces
      04:02:07.797 [error] Error when reading /var/lib/rabbitmq/.erlang.cookie: eacces
      04:02:08.551 [error] Error when reading /var/lib/rabbitmq/.erlang.cookie: eacces
      04:02:08.552 [error] Error when reading /var/lib/rabbitmq/.erlang.cookie: eacces
      04:02:09.325 [error] Error when reading /var/lib/rabbitmq/.erlang.cookie: eacces
      04:02:09.326 [error] Error when reading /var/lib/rabbitmq/.erlang.cookie: eacces
      04:02:10.076 [error] Error when reading /var/lib/rabbitmq/.erlang.cookie: eacces
      04:02:10.076 [error] Error when reading /var/lib/rabbitmq/.erlang.cookie: eacces
      04:02:10.847 [error] Error when reading /var/lib/rabbitmq/.erlang.cookie: eacces
      Distribution failed: {{:shutdown, {:failed_to_start_child, :auth, {'Error when reading /var/lib/rabbitmq/.erlang.cookie: eacces', [{:auth, :init_cookie, 0, file: 'auth.erl', line: 286},
      {:auth, :init, 1, file: 'auth.erl', line: 140}, {:gen_server, :init_it, 2, file: 'gen_server.erl', line: 374}, {:gen_server, :init_it, 6, file: 'gen_server.erl', line: 342},
      {:proc_lib, :init_p_do_apply, 3, file: 'proc_lib.erl', line: 249}]}}}, {:child, :undefined, :net_sup_dynamic, {:erl_distribution, :start_link,
      [[:"rabbitmqcli-1262520-rabbit@rabbitmq01.stg.iad2.fedoraproject.org", :longnames, 15000], false]}, :permanent, 1000, :supervisor, [:erl_distribution]}}
      error: error running shared postrotate script for '/var/log/rabbitmq/*.log '
      ```

      ```
      type=AVC msg=audit(1725163332.122:204307): avc: denied { read } for pid=2389725 comm="5_dirty_io_sche" name=".erlang.cookie" dev="dm-0" ino=33814614 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rabbitmq_var_lib_t:s0 tclass=file permissive=0
      ```

              rh-ee-mkonecny Michal Konecny