https://bugzilla.redhat.com/show_bug.cgi?id=1393587



--- Comment #3 from Randy Barlow <[email protected]> ---
gholms pointed out that the "NoNewPrivileges=true" line in the unit file causes
processes to be disallowed from transitioning SELinux contexts:

https://github.com/systemd/systemd/issues/3845

I dropped that line and now things work again. However, it was noted that the
unit file was also launching ejabberd with /usr/bin/bash, which gets a very
permissive context. I attempted to drop bash and run ejabberdctl directly with
the unit file, and that resulted in these denials:

type=SERVICE_START msg=audit(1478751169.449:647): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=ejabberd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1478751171.862:648): avc:  denied  { write } for  pid=2989 comm="async_2" name="ejabberd.pem" dev="dm-1" ino=44546 scontext=system_u:system_r:rabbitmq_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1478751171.863:649): avc:  denied  { write } for  pid=2989 comm="async_2" name="ejabberd.pem" dev="dm-1" ino=44546 scontext=system_u:system_r:rabbitmq_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1478751171.865:650): avc:  denied  { name_bind } for  pid=2986 comm="beam" src=5349 scontext=system_u:system_r:rabbitmq_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0

The ejabberd.pem file looks like this, and a restorecon does not alter it:

-rw-------. 1 ejabberd ejabberd unconfined_u:object_r:etc_t:s0 9.8K Oct 15 11:33 /etc/ejabberd/ejabberd.pem

That last denial is about a failure to open port 5349, which is used by
ejabberd's built-in STUN server.

_______________________________________________
erlang mailing list -- [email protected]
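A small triage helper for the AVC records quoted in the comment, added here as an example; it is not part of the bug report, of ejabberd, or of systemd. It parses the records, collapses the repeated ejabberd.pem denial, prints the allow rule that audit2allow would emit for each, and beside it the relabeling alternative (semanage port / semanage fcontext) a practitioner usually prefers to a blanket allow rule. The sample log is a constructed copy of the lines quoted above, re-joined one record per line; the <port_type>, <file_type> and <path> placeholders in the hints are deliberately left for the operator, since the right type names are a deployment decision.

```python
"""Parse SELinux AVC records and turn them into audit2allow-style rules plus relabeling
hints. Added example, not part of the bug report."""
import re
from dataclasses import dataclass

# Constructed sample input: the audit records quoted in the bug comment, re-joined so
# that each record is one line (the mail client had wrapped them).
SAMPLE_AUDIT_LOG = """\
type=SERVICE_START msg=audit(1478751169.449:647): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=ejabberd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1478751171.862:648): avc:  denied  { write } for  pid=2989 comm="async_2" name="ejabberd.pem" dev="dm-1" ino=44546 scontext=system_u:system_r:rabbitmq_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1478751171.863:649): avc:  denied  { write } for  pid=2989 comm="async_2" name="ejabberd.pem" dev="dm-1" ino=44546 scontext=system_u:system_r:rabbitmq_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1478751171.865:650): avc:  denied  { name_bind } for  pid=2986 comm="beam" src=5349 scontext=system_u:system_r:rabbitmq_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
"""

# Shape of a record: 'type=AVC ... avc:  denied  { perm perm } for  key=value key="quoted" ...'
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class Avc:
    result: str
    perms: tuple
    fields: dict

    @property
    def source_type(self) -> str:
        return self.fields["scontext"].split(":")[2]  # user:role:TYPE:range

    @property
    def target_type(self) -> str:
        return self.fields["tcontext"].split(":")[2]

    @property
    def tclass(self) -> str:
        return self.fields["tclass"]


def parse_avcs(audit_text: str) -> list:
    """Return one Avc per type=AVC record; other record types (SERVICE_START, ...) are skipped."""
    avcs = []
    for line in audit_text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue
        # findall yields (key, quoted_value, bare_value); exactly one of the values is set
        fields = {k: (q or bare) for k, q, bare in FIELD_RE.findall(m.group("fields"))}
        avcs.append(Avc(m.group("result"), tuple(m.group("perms").split()), fields))
    return avcs


def allow_rule(avc: Avc) -> str:
    """The TE rule audit2allow would print for this denial: allow SRC TGT:CLASS PERMS;"""
    perms = avc.perms[0] if len(avc.perms) == 1 else "{ " + " ".join(avc.perms) + " }"
    return f"allow {avc.source_type} {avc.target_type}:{avc.tclass} {perms};"


def unique_rules(avcs) -> list:
    """Collapse repeated denials (the two ejabberd.pem writes) into one rule each, order kept."""
    seen, rules = set(), []
    for avc in avcs:
        if avc.result != "denied":
            continue
        rule = allow_rule(avc)
        if rule not in seen:
            seen.add(rule)
            rules.append(rule)
    return rules


def triage(avc: Avc) -> str:
    """A relabeling alternative to the blanket allow rule. Generic SELinux practice;
    <port_type>, <file_type> and <path> are placeholders the operator fills in."""
    if avc.tclass in ("tcp_socket", "udp_socket") and "name_bind" in avc.perms:
        proto, port = avc.tclass.split("_")[0], avc.fields.get("src", "?")
        return (f"port {port}/{proto} is labelled {avc.target_type}; assign it a port type "
                f"{avc.source_type} may bind: semanage port -a -t <port_type> -p {proto} {port}")
    if avc.tclass in ("file", "dir", "lnk_file"):
        return (f"{avc.fields.get('name', '?')} is labelled {avc.target_type}; restorecon keeps "
                f"that label unless a fcontext rule covers the path: "
                f"semanage fcontext -a -t <file_type> '<path>' && restorecon -v '<path>'")
    return "no relabeling hint; review the allow rule"


if __name__ == "__main__":
    avcs = parse_avcs(SAMPLE_AUDIT_LOG)
    for rule in unique_rules(avcs):
        print(rule)
    for avc in avcs:
        print(f"{avc.fields['comm']}: {triage(avc)}")
```

Running it against the sample prints two rules (the duplicate write denial folds into one) and a hint per record; the unreserved_port_t hint is the one that applies to the 5349 denial in the comment, and the etc_t hint is why restorecon left ejabberd.pem alone: with no fcontext rule for that path, the generic /etc label is already the "correct" one.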