#12165 Fix selinux denial on rabbitmq cluster
Closed: Fixed 15 days ago by zlopez. Opened a month ago by kevin.

When looking at other issues, I noticed that rabbitmq is hitting a selinux denial in logrotate.

/etc/cron.daily/logrotate:

04:02:03.270 [error] Error when reading /var/lib/rabbitmq/.erlang.cookie: eacces
04:02:04.025 [error] Error when reading /var/lib/rabbitmq/.erlang.cookie: eacces
04:02:04.026 [error] Error when reading /var/lib/rabbitmq/.erlang.cookie: eacces
04:02:04.773 [error] Error when reading /var/lib/rabbitmq/.erlang.cookie: eacces
04:02:04.774 [error] Error when reading /var/lib/rabbitmq/.erlang.cookie: eacces
04:02:05.532 [error] Error when reading /var/lib/rabbitmq/.erlang.cookie: eacces
04:02:05.533 [error] Error when reading /var/lib/rabbitmq/.erlang.cookie: eacces
04:02:06.278 [error] Error when reading /var/lib/rabbitmq/.erlang.cookie: eacces
04:02:06.279 [error] Error when reading /var/lib/rabbitmq/.erlang.cookie: eacces
04:02:07.035 [error] Error when reading /var/lib/rabbitmq/.erlang.cookie: eacces
04:02:07.036 [error] Error when reading /var/lib/rabbitmq/.erlang.cookie: eacces
04:02:07.796 [error] Error when reading /var/lib/rabbitmq/.erlang.cookie: eacces
04:02:07.797 [error] Error when reading /var/lib/rabbitmq/.erlang.cookie: eacces
04:02:08.551 [error] Error when reading /var/lib/rabbitmq/.erlang.cookie: eacces
04:02:08.552 [error] Error when reading /var/lib/rabbitmq/.erlang.cookie: eacces
04:02:09.325 [error] Error when reading /var/lib/rabbitmq/.erlang.cookie: eacces
04:02:09.326 [error] Error when reading /var/lib/rabbitmq/.erlang.cookie: eacces
04:02:10.076 [error] Error when reading /var/lib/rabbitmq/.erlang.cookie: eacces
04:02:10.076 [error] Error when reading /var/lib/rabbitmq/.erlang.cookie: eacces
04:02:10.847 [error] Error when reading /var/lib/rabbitmq/.erlang.cookie: eacces
Distribution failed: {{:shutdown, {:failed_to_start_child, :auth, {'Error when reading /var/lib/rabbitmq/.erlang.cookie: eacces', [{:auth, :init_cookie, 0, [file: 'auth.erl', line: 286]},
{:auth, :init, 1, [file: 'auth.erl', line: 140]}, {:gen_server, :init_it, 2, [file: 'gen_server.erl', line: 374]}, {:gen_server, :init_it, 6, [file: 'gen_server.erl', line: 342]},
{:proc_lib, :init_p_do_apply, 3, [file: 'proc_lib.erl', line: 249]}]}}}, {:child, :undefined, :net_sup_dynamic, {:erl_distribution, :start_link,
[[:"rabbitmqcli-1262520-rabbit@rabbitmq01.stg.iad2.fedoraproject.org", :longnames, 15000], false]}, :permanent, 1000, :supervisor, [:erl_distribution]}}
error: error running shared postrotate script for '/var/log/rabbitmq/*.log '
type=AVC msg=audit(1725163332.122:204307): avc:  denied  { read } for  pid=2389725 comm="5_dirty_io_sche" name=".erlang.cookie" dev="dm-0" ino=33814614 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rabbitmq_var_lib_t:s0 tclass=file permissive=0
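An AVC record like the one above packs the source domain, target type, object class and requested permission into one line; pulling those fields out is the first step in deciding whether a relabel, a change to the postrotate script, or a policy rule is the right fix. The following Python parser is an added example for this ticket, not part of the ticket or of Fedora Infrastructure's tooling; the constructed sample is the AVC line quoted here, and the rule string it builds uses standard SELinux TE syntax (the same shape audit2allow prints).

```python
import re

# Constructed sample: the AVC record quoted in this ticket (logrotate_t reading .erlang.cookie).
SAMPLE_AVC = (
    'type=AVC msg=audit(1725163332.122:204307): avc:  denied  { read } for  '
    'pid=2389725 comm="5_dirty_io_sche" name=".erlang.cookie" dev="dm-0" '
    'ino=33814614 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:rabbitmq_var_lib_t:s0 tclass=file permissive=0'
)

AVC_RE = re.compile(
    r'avc:\s+(?P<action>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value optionally quoted


def parse_avc(line):
    """Return a dict describing one AVC record, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    # A context is user:role:type[:range]; the type (third field) is what policy rules use.
    return {
        'action': m.group('action'),
        'perms': m.group('perms').split(),
        'tclass': fields.get('tclass'),
        'comm': fields.get('comm'),
        'name': fields.get('name'),
        'stype': fields['scontext'].split(':')[2],
        'ttype': fields['tcontext'].split(':')[2],
        'enforcing': fields.get('permissive') == '0',
    }


def te_rule(rec):
    """TE rule that would allow exactly the access this record was denied for."""
    return 'allow %s %s:%s { %s };' % (
        rec['stype'], rec['ttype'], rec['tclass'], ' '.join(rec['perms']))


def summarize(lines):
    """Group denials by (source type, target type, class), merging their permissions."""
    out = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec['action'] != 'denied':
            continue
        key = (rec['stype'], rec['ttype'], rec['tclass'])
        out.setdefault(key, set()).update(rec['perms'])
    return out
```

Running `summarize` over an audit.log excerpt tells you which domain is touching which type; here the target is the cookie's type under /var/lib/rabbitmq, not the log directory, which is worth checking before choosing a fix.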

Metadata Update from @phsmoura:
- Issue priority set to: Waiting on Assignee (was: Needs Review)
- Issue tagged with: low-gain, low-trouble, ops

a month ago

How can we achieve this task? By adding a task in the RabbitMQ Ansible role to set a logrotate rule on SELinux?

semanage fcontext -a -t var_log_t '/var/log/rabbitmq(/.*)?'

@seddik That sounds like a good solution.

I don't see any more errors when running the logrotate script on rabbitmq01, and nothing in /var/log/audit/audit.log either.

I can confirm that this issue is now fixed.

Metadata Update from @zlopez:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

15 days ago
