rabbitmq-server can't start when selinux is enforcing on redhat 7


shalo...@gmail.com

Jan 14, 2015, 10:21:00 AM
to rabbitm...@googlegroups.com
rabbitmq-server can't start when SELinux is enforcing on Red Hat 7. It seems beam.smp attempted to bind to TCP port 25672, which is an unreserved port. Is there an SELinux policy for rabbitmq-server to use 25672?

# service rabbitmq-server start
Redirecting to /bin/systemctl start  rabbitmq-server.service
Job for rabbitmq-server.service failed. See 'systemctl status rabbitmq-server.service' and 'journalctl -xn' for details.


------------journalctl message----------------
Jan 12 04:26:43  setroubleshoot[30030]: SELinux is preventing /usr/lib64/erlang/erts-6.2.1/bin/beam.smp from name_bind access on the tcp_socket . For complete SELinux messages. run sealert -l 39809957-d238-49df-9286-b3f8d94e463d
Jan 12 04:26:43 setroubleshoot[30030]: load_plugins() names=['allow_anon_write', 'allow_execheap', 'allow_execmod', 'allow_execstack', 'allow_ftpd_use_cifs', 'allow_ftpd_use_nfs', 'associate', 'automount_exec_config', 'bind_ports', 'catchall', 'catchall_boolean', 'catchall_labels', 'chrome', 'connect_ports', 'cvs_data', 'dac_override','device', 'disable_ipv6', 'file', 'filesystem_associate', 'httpd_can_sendmail', 'httpd_write_content','kernel_modules', 'leaks', 'mmap_zero', 'mounton', 'mozplugger', 'mozplugger_remove', 'openvpn', 'public_content', 'qemu_blk_image', 'qemu_file_image', 'restorecon', 'restorecon_source', 'rsync_data', 'samba_share', 'sandbox_connect', 'selinuxpolicy','setenforce', 'sshd_root', 'swapfile', 'sys_module', 'sys_resource', 'vbetool', 'wine', 'xen_image']


# sealert -l 39809957-d238-49df-9286-b3f8d94e463d
SELinux is preventing /usr/lib64/erlang/erts-6.2.1/bin/beam.smp from name_bind access on the tcp_socket .

*****  Plugin bind_ports (92.2 confidence) suggests   ************************

If you want to allow /usr/lib64/erlang/erts-6.2.1/bin/beam.smp to bind to network port 25672
Then you need to modify the port type.
Do
# semanage port -a -t PORT_TYPE -p tcp 25672
    where PORT_TYPE is one of the following: amqp_port_t, certmaster_port_t, cluster_port_t, couchdb_port_t, cyphesis_port_t, ephemeral_port_t, gear_port_t, gluster_port_t, hadoop_datanode_port_t, hplip_port_t, jabber_client_port_t, jabber_interserver_port_t, keystone_port_t, matahari_port_t, postgrey_port_t, virt_migration_port_t.



shalo...@gmail.com

Jan 14, 2015, 10:35:28 AM
to rabbitm...@googlegroups.com

Regarding "semanage port -a -t PORT_TYPE -p tcp 25672", which port type can I use to fix this issue? I would not like to disable SELinux on our system since it will expose a security issue.


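An added example, not part of the thread and not RabbitMQ's or Red Hat's own tooling: before running the `semanage port -a` command that sealert suggests, check how the port is labelled already, because `-a` is rejected for a port that has its own entry and `-m` is needed instead. The `semanage port -l` listing below is a constructed sample, the helper names are hypothetical, and amqp_port_t is used only as one of the candidates sealert listed; the thread does not establish which type is correct.

```shell
#!/bin/sh
# Constructed sample in the layout `semanage port -l` prints (not from the thread).
SAMPLE_PORTS='SELinux Port Type              Proto    Port Number

amqp_port_t                    tcp      5671-5672
amqp_port_t                    udp      5671-5672
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
unreserved_port_t              tcp      61001-65535, 1024-32767'

# port_status PROTO PORT  (hypothetical helper; listing on stdin). Prints:
#   "exact TYPE"  PORT has its own entry, so `semanage port -a` is rejected
#   "range TYPE"  PORT is only covered by a LOW-HIGH range
#   "none"        no entry for PROTO covers PORT
port_status() {
    awk -v proto="$1" -v port="$2" '
        $2 == proto {
            ptype = $1
            $1 = ""; $2 = ""                 # keep only the port list
            n = split($0, items, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]/, "", items[i])
                if (items[i] == port) hit_exact = ptype
                else if (split(items[i], r, "-") == 2 &&
                         port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0 &&
                         hit_range == "") hit_range = ptype
            }
        }
        END {
            if (hit_exact != "") print "exact " hit_exact
            else if (hit_range != "") print "range " hit_range
            else print "none"
        }'
}

# plan_label PROTO PORT TYPE  (hypothetical helper). Prints the command to run,
# or nothing when PORT already carries TYPE.
plan_label() {
    st=$(port_status "$1" "$2")
    case "$st" in
        "exact $3") ;;                                        # nothing to change
        exact\ *)   echo "semanage port -m -t $3 -p $1 $2" ;; # modify the entry
        *)          echo "semanage port -a -t $3 -p $1 $2" ;; # add a local entry
    esac
}

# On a real host: semanage port -l | plan_label tcp 25672 amqp_port_t
```

After applying the printed command, `semanage port -l` should show the port under the chosen type, and the AVC denial for `name_bind` should no longer appear when the service starts.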