rabbitmq-server can't be started when selinux is enforcing on redhat 7

[shalq]

rabbitmq-server can't be started when selinux is enforcing on Rhel7. If selinux is disabled or permissive, rabbitmq-server can be started. The error log is as below:

Recipe: rabbitmq::default

• package[rabbitmq-server] action install (up to date)
• service[rabbitmq-server] action enable
  • enable service service[rabbitmq-server]

* service[rabbitmq-server] action start

Error executing action start on resource 'service[rabbitmq-server]'

Mixlib::ShellOut::ShellCommandFailed

Expected process to exit with [0], but received '1'
---- Begin output of /sbin/service rabbitmq-server start ----
STDOUT:
STDERR: Redirecting to /bin/systemctl start rabbitmq-server.service
Job for rabbitmq-server.service failed. See 'systemctl status rabbitmq-server.service' and 'journalctl -xn' for details.
---- End output of /sbin/service rabbitmq-server start ----
Ran /sbin/service rabbitmq-server start returned 1

Resource Declaration:

In /var/chef/cache/cookbooks/rabbitmq/recipes/default.rb

107: service node['rabbitmq']['service_name'] do
108: action [:enable, :start]
109: end
110:

Compiled Resource:

Declared in /var/chef/cache/cookbooks/rabbitmq/recipes/default.rb:107:in `from_file'

service("rabbitmq-server") do
action [:enable, :start]
updated true
supports {:restart=>false, :reload=>false, :status=>true}
retries 0

---

[shalq]

On my environment, I can see selinux prevent beam to bind to port 25672.

-------------journalctl message----------------
Jan 12 04:26:43 vm139.cn.ibm.com setroubleshoot[30030]: SELinux is preventing /usr/lib64/erlang/erts-6.2.1/bin/beam.smp from name_bind access on the tcp_socket . For complete SELinux messages. run sealert -l 39809957-d238-49df-9286-b3f8d94e463d

----Raw Audit Messages---------------------
type=AVC msg=audit(1421054802.667:10652): avc: denied { name_bind } for pid=30017 comm="beam.smp" src=25672 scontext=system_u:system_r:rabbitmq_beam_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket

Should rabbitmq-server have a selinux policy to handle it ? It seems port 25672 is unreserved on redhat 7. It could be done by selinux rpm or rabbitmq package.

"semanage permissive -a rabbitmq_beam_t" can be used to make the process type rabbitmq_beam_t permissive, then rabbitmq can start even though system selinux is enforcing.

As for rabbitmq cookbook, can we set rabbitmq_beam_t to permissive to handle this issue ?

[shalq]

25672 is the port for clustering. Its default value is RABBITMQ_NODE_PORT (default 5672)+ 20000, it can be specified in rabbitmq environment file. In redhat7, all unreserved ports are using a context named "unreservered_port_t", that is different from redhat 6. That is the reason why rabbitmq-server
can't start on redhat 7.

To solve this issue, we can create a selinux rule to allow rabbitmq to bind/connect unreserved port.
I wrote a selinux rule and test it on redhat 7, it works fine.

[cmluciano]

@shalq I'm not sure if this has been fixed, but please try a git pull on the latest release. Centos-7 support has recently been added and I'm interested to see if this may fix your errors.

[shalq]

I wrote a selinux rule to fix it in my rabbitmq recipe. Not only rabbitmq, I heard someone also hit selinux issue in keystone when deploying on redhat7. I think there should be a fix in openstack-selinux rpm or its dependency : selinux-policy-targeted rpm.