Bug 1516502 - Installing qpid-cpp-server-linearstore leads to failure in qpidd startup
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 27
Hardware: Unspecified
OS: Unspecified
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
Reported: 2017-11-22 18:56 UTC by Alex Wood
Modified: 2018-03-23 09:58 UTC

Last Closed: 2018-03-23 09:58:42 UTC


Attachments:
SELinux errors during qpidd start from systemd (deleted)
2018-01-17 16:55 UTC, Alex Wood

Description Alex Wood 2017-11-22 18:56:12 UTC
Description of problem:
Installing the qpid-cpp-server-linearstore package prevents qpidd from starting correctly.

Version-Release number of selected component (if applicable): Fedora 27, qpid-cpp-server-linearstore 1.36.0-7.fc27

How reproducible: Always

Steps to Reproduce:
0. Install qpid-cpp-server and start it.  It will run.
1. Install qpid-cpp-server-linearstore
2. $ sudo systemctl restart qpidd

Actual results: qpidd fails to start

Expected results: qpidd starts

Additional info: The salient error messages are

qpidd[24504]: linearstore: mmap: Permission denied
qpidd[24504]: 2017-11-22 13:51:36 [Store] error Linear Store: BDB exception occurred while initializing store: DbEnv::open: Permission denied

I looked and followed the instructions at https://access.redhat.com/solutions/874683 but it did not make a difference.

Comment 1 Irina Boverman 2017-11-28 15:54:41 UTC
This is what I did to try to reproduce it:

sudo docker pull fedora:latest
sudo docker run -it fedora:latest bash

dnf update
dnf install qpid-cpp-server
/usr/sbin/qpidd
--
2017-11-28 15:48:53 [Broker] notice Broker (pid=308) start-up
2017-11-28 15:48:53 [Security] notice SSL plugin not enabled, you must set --ssl-cert-db to enable it.
2017-11-28 15:48:53 [Network] notice Listening on TCP/TCP6 port 5672
^C2017-11-28 15:48:59 [Broker] notice Broker (pid=308) shut-down
--
dnf install qpid-cpp-server-linearstore
/usr/sbin/qpidd
--
2017-11-28 15:49:26 [Broker] notice Broker (pid=323) start-up
2017-11-28 15:49:26 [Security] notice SSL plugin not enabled, you must set --ssl-cert-db to enable it.
2017-11-28 15:49:26 [Store] notice Linear Store: Store module initialized; store-dir=/root/.qpidd
2017-11-28 15:49:26 [Network] notice Listening on TCP/TCP6 port 5672
^C2017-11-28 15:50:03 [Broker] notice Broker (pid=323) shut-down
--

I am not able to reproduce this issue in the docker container.

Comment 2 Irina Boverman 2017-11-28 15:55:56 UTC
# rpm -q qpid-cpp-server-linearstore qpid-cpp-server
qpid-cpp-server-linearstore-1.36.0-7.fc27.x86_64
qpid-cpp-server-1.36.0-7.fc27.x86_64

Comment 3 Alex Wood 2017-11-28 20:09:34 UTC
Irina,

Would you mind trying it not in a container and starting it using SystemD?  I can also gather any log files that might be helpful.

Comment 4 Alex Wood 2018-01-17 16:55:02 UTC
Created attachment 1382567
SELinux errors during qpidd start from systemd

Comment 5 Alex Wood 2018-01-17 16:55:32 UTC
Irina,

I've confirmed that starting via `/usr/sbin/qpidd` works just fine for me also.  I'm guessing that the issue is some interaction between qpidd, systemd, and SELinux.

I've attached the output of audit.log when I try to start qpidd via systemd.  I see a lot of errors.

Comment 6 Alex Wood 2018-01-17 17:05:07 UTC
Here's the policy I generated using audit2allow just for reference.

module qpidd_local 1.0;

require {
        type qpidd_t;
        type qpidd_var_lib_t;
        class file map;
}

#============= qpidd_t ==============
allow qpidd_t qpidd_var_lib_t:file map;

Installing that policy fixes the issue, so this bug lives at the intersection of Qpidd, SystemD, and SELinux.  I'm not really sure which group is the right one to fix it though.

Comment 7 Irina Boverman 2018-03-14 16:00:22 UTC
I am changing component to selinux-policy.

Comment 8 Lukas Vrabec 2018-03-23 09:58:42 UTC
Issue is already fixed. Please update selinux-policy package.

# sesearch -A -s qpidd_t -t qpidd_var_lib_t -c file -p map
allow qpidd_t qpidd_var_lib_t:file { append create getattr ioctl link lock map open read rename setattr unlink write };

# rpm -q selinux-policy
selinux-policy-3.13.1-283.28.fc27.noarch
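
Added example (not part of the bug report or of any comment above): a small Python check, in the spirit of audit2allow, that extracts AVC denials from audit log text and reports which of them a set of allow rules, such as the sesearch output in comment 8, still leaves uncovered. The AVC record is constructed because the attachment was deleted; its pid, path, device and timestamps are placeholders, and matching is by exact type only (no attributes or booleans).

```python
import re
from collections import defaultdict

# Constructed sample: the bug's audit.log attachment was deleted, so this only
# mimics the AVC record format; pid, path, dev and timestamps are placeholders.
SAMPLE_AUDIT = '''\
type=AVC msg=audit(0000000000.000:1): avc:  denied  { map } for  pid=1 comm="qpidd" path="/PLACEHOLDER" dev="dm-0" ino=1 scontext=system_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:qpidd_var_lib_t:s0 tclass=file permissive=0
type=SERVICE_START msg=audit(0000000000.000:2): pid=1 uid=0 msg='unit=qpidd'
'''
# sesearch output quoted in comment 8 of this bug.
SESEARCH_OUT = ("allow qpidd_t qpidd_var_lib_t:file { append create getattr ioctl "
                "link lock map open read rename setattr unlink write };")

# An AVC denial: permission set, then the type field of each context, then class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+(?P<perms>\{[^}]+\}).*?"
    r"scontext=[^:\s]+:[^:\s]+:(?P<src>[^:\s]+)\S*\s+"
    r"tcontext=[^:\s]+:[^:\s]+:(?P<tgt>[^:\s]+)\S*\s+"
    r"tclass=(?P<cls>\w+)")
# An allow rule with either a braced permission set or a single permission.
ALLOW_RE = re.compile(
    r"^allow\s+(?P<src>\S+)\s+(?P<tgt>[^:\s]+):(?P<cls>\w+)\s+"
    r"(?P<perms>\{[^}]+\}|\w+)\s*;", re.M)

def rules(regex, text):
    """Map (source type, target type, class) -> set of permissions."""
    out = defaultdict(set)
    for m in regex.finditer(text):
        key = (m["src"], m["tgt"], m["cls"])
        out[key].update(m["perms"].strip("{} ").split())
    return dict(out)

def uncovered(audit_text, policy_text):
    """Return the allow rules the denials need that the policy text lacks."""
    have = rules(ALLOW_RE, policy_text)
    missing_rules = []
    for key, perms in sorted(rules(AVC_RE, audit_text).items()):
        missing = sorted(perms - have.get(key, set()))
        if missing:
            src, tgt, cls = key
            missing_rules.append(
                f"allow {src} {tgt}:{cls} {{ {' '.join(missing)} }};")
    return missing_rules

if __name__ == "__main__":
    print("no policy:      ", uncovered(SAMPLE_AUDIT, ""))
    print("updated policy: ", uncovered(SAMPLE_AUDIT, SESEARCH_OUT))
```

Feeding it real `ausearch -m avc` output together with `sesearch -A -s qpidd_t` output from the host shows whether a local module like the one in comment 6 is still needed after the selinux-policy update.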

