
I'm trying to install RabbitMQ on Red Hat Linux 7 (RHEL7). I followed the instructions on the RabbitMQ site, and it installed fine. However, it won't run because SELinux is preventing Erlang from binding to port 25672.

I've found the SELinux policy files in the SELinux repository on GitHub, but I don't know how to build them and apply them.

My Google searching has been unsuccessful, as I keep coming up with references to other Linux distributions or the use of audit2allow.

How do I apply the rabbitmq policy files from https://github.com/selinux-policy/selinux-policy/tree/f21-contrib to my RHEL7 box?

xhienne
Derick Bailey

2 Answers

These are the instructions to apply a custom policy for Splunk in RHEL7. It should be pretty much the same for your app; just follow the instructions and use the policy files from the Fedora repository. Obviously, do this in a dev environment first to verify it works for your application.

Here are the core instructions copied verbatim:

  1. Download/upload this policy to your server (and extract the zip - if not using a git clone), then cd into the directory
  2. yum install policycoreutils-python setools-console selinux-policy-devel
  3. cp splunk.if /usr/share/selinux/devel/include/services/
  4. make -f /usr/share/selinux/devel/Makefile DISTRO=rhel7
  5. semodule -i splunk.pp
  6. semanage permissive -a splunk_t
  7. restorecon -R /opt/splunk
  8. restorecon /etc/init.d/splunk
  9. /etc/init.d/splunk restart
    
HalosGhost
nick fox
There's no need to copy stuff to `/usr/share/selinux/…`, you can build it anywhere you want. Just `make -f … splunk.pp` and you're done. – TooTea Mar 22 '19 at 09:00
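The nine Splunk steps above, generalised to any module name, as an added example that is not part of this answer, of the Splunk README it quotes, or of the selinux-policy repository: it reads the module name from the .te file, checks that the .te/.fc/.if trio is present, builds the .pp with the Makefile that selinux-policy-devel installs under /usr/share/selinux/devel (in the source directory itself, per TooTea's comment), loads it with semodule, and optionally keeps the domain permissive while denials are reviewed. The function names, the --run flag, and the assumption that the domain is called <name>_t are mine.

```shell
#!/bin/sh
# Added example: build and load one SELinux policy module from its .te/.fc/.if
# sources. Generalises the Splunk steps to any module name; the Makefile path is
# the one shipped by selinux-policy-devel on RHEL 7.
set -eu

DEVEL_MAKEFILE=/usr/share/selinux/devel/Makefile

# Read the module name from the policy_module(name, version) line of a .te file.
module_name_from_te() {
    sed -n 's/^[[:space:]]*policy_module(\([A-Za-z0-9_.-]*\)[[:space:],)].*/\1/p' "$1" | head -n 1
}

# Return 1 (after naming each missing file) unless <dir>/<name>.te, .fc and .if all exist.
check_policy_sources() {
    dir=$1; name=$2; missing=0
    for ext in te fc if; do
        if [ ! -f "$dir/$name.$ext" ]; then
            echo "missing $dir/$name.$ext" >&2
            missing=1
        fi
    done
    return $missing
}

# Build <name>.pp inside <dir> and load it; must run as root on the target host.
# The .if file only needs copying into /usr/share/selinux/devel/include when other
# modules call its interfaces, so this builds in place.
# A third argument "permissive" adds the domain (assumed to be <name>_t) to the
# permissive list so you can watch /var/log/audit/audit.log before enforcing.
build_and_install() {
    dir=$1; name=$2; mode=${3:-enforcing}
    check_policy_sources "$dir" "$name"
    (cd "$dir" && make -f "$DEVEL_MAKEFILE" DISTRO=rhel7 "$name.pp")
    semodule -i "$dir/$name.pp"
    if [ "$mode" = permissive ]; then
        semanage permissive -a "${name}_t"
    fi
    # Confirm the module is now loaded (semodule -l prints "name<TAB>version" on RHEL 7).
    semodule -l | grep -E "^$name([[:space:]]|\$)"
}

# Usage:  ./build_module.sh --run /path/to/rabbitmq.te [permissive]
# Nothing runs unless --run is given, so the functions can be sourced and tested.
if [ "${1:-}" = "--run" ]; then
    te=$2
    build_and_install "$(dirname "$te")" "$(module_name_from_te "$te")" "${3:-enforcing}"
fi
```

After the module loads, the Splunk steps 7 and 8 (restorecon on the install directory and the init script) still apply to whatever paths the module's .fc file covers, since loading the module only teaches the policy the file contexts; it does not relabel existing files.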

Took a look to see what context your port uses:

    # seinfo --portcon=25672
    portcon tcp 25672 system_u:object_r:rabbitmq_port_t:s0
    portcon tcp 1024-32767 system_u:object_r:unreserved_port_t:s0
    portcon udp 1024-32767 system_u:object_r:unreserved_port_t:s0

So I looked to see what could run that:

    # sesearch -A -s rabbitmq_t -t rabbitmq_port_t
    Found 5 semantic av rules:
       allow rabbitmq_t rabbitmq_port_t : tcp_socket { name_bind name_connect } ;
       allow nsswitch_domain port_type : tcp_socket { recv_msg send_msg } ;
       allow nsswitch_domain port_type : udp_socket { recv_msg send_msg } ;
       allow rabbitmq_t port_type : tcp_socket { recv_msg send_msg } ;
       allow rabbitmq_t port_type : udp_socket { recv_msg send_msg } ;

So I suspect you need to relabel your rabbitmq executable as rabbitmq_exec_t so it can bind to the port. It's part of the base policy in RHEL7. (This is why you should use packages instead of compiling from scratch)

jsbillings
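The same three checks this answer walks through (which type the port carries, whether the domain may name_bind it, and whether the executable carries the entrypoint type), as an added diagnostic script that is not part of the answer: the parsers read seinfo --portcon and sesearch -A output from stdin, so they can be exercised on the captured output above, and only diagnose() runs the live tools. The colon/semicolon padding in rule_allows is an assumption of mine so that both the setools 3 spacing shown above and the tighter setools 4 spacing split into the same fields; the function names and the example binary path are mine too.

```shell
#!/bin/sh
# Added example: decide from policy data whether a service domain may bind its
# port, and whether its executable carries the entrypoint type. The parsers read
# captured seinfo/sesearch output from stdin; only diagnose() runs live commands.
set -eu

# Print the type from the portcon line that matches "<proto> <port>" exactly
# (a range such as 1024-32767 is not an exact match and is skipped).
port_type() {
    awk -v proto="$1" -v port="$2" '
        $1 == "portcon" && $2 == proto && $3 == port {
            split($4, ctx, ":"); print ctx[3]; exit
        }'
}

# Return 0 if an allow rule grants <domain> <perm> on <type> for <class>.
# Colons and semicolons are padded so "a b : c { x y } ;" (setools 3, as above)
# and "a b:c { x y };" (setools 4) produce the same fields (assumed normalisation).
rule_allows() {
    awk -v d="$1" -v t="$2" -v c="$3" -v p="$4" '
        { line = $0; gsub(/:/, " : ", line); gsub(/;/, " ", line); $0 = line }
        $1 == "allow" && $2 == d && $3 == t && $5 == c {
            for (i = 6; i <= NF; i++) if ($i == p) { found = 1; exit }
        }
        END { if (found) exit 0; exit 1 }'
}

# Type component of a file's SELinux context, e.g. rabbitmq_exec_t.
file_type() {
    stat -c %C "$1" | cut -d: -f3
}

# Live check for one service, e.g.
#   diagnose rabbitmq_t rabbitmq_exec_t tcp 25672 /path/to/rabbitmq-server
# (the binary path is a placeholder: use the one your unit file actually starts).
diagnose() {
    domain=$1; exec_type=$2; proto=$3; port=$4; exe=$5
    ptype=$(seinfo --portcon="$port" | port_type "$proto" "$port")
    if [ -z "$ptype" ]; then
        echo "no exact portcon rule for $proto/$port; a range rule applies (see seinfo --portcon=$port)" >&2
        return 1
    fi
    echo "port $proto/$port is labelled $ptype"
    if sesearch -A -s "$domain" -t "$ptype" | rule_allows "$domain" "$ptype" "${proto}_socket" name_bind; then
        echo "$domain may name_bind $ptype"
    else
        echo "$domain may NOT name_bind $ptype (policy module missing or port mislabelled)"
    fi
    actual=$(file_type "$exe")
    if [ "$actual" = "$exec_type" ]; then
        echo "$exe is labelled $exec_type, so the daemon will transition into $domain"
    else
        echo "$exe is labelled $actual, not $exec_type: try 'restorecon -v $exe', or add a semanage fcontext rule if the path is non-standard"
    fi
}
```

If the executable label is the only thing wrong, restorecon reapplies the file-context rules already in the loaded policy, which is the relabelling this answer recommends; a semanage fcontext rule is only needed when the binary lives at a path the base policy does not know about, as happens with a from-source build.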