Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 1221291 - Add protocol support for MQTT to selinux policies [NEEDINFO]
Summary: Add protocol support for MQTT to selinux policies
Keywords:
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: IoT
TreeView+ depends on / blocked
 
Reported: 2015-05-13 15:45 UTC by Peter Robinson
Modified: 2022-09-06 08:47 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug
Embargoed:
nknazeko: needinfo? (pbrobinson)


Attachments (Terms of Use)

Description Peter Robinson 2015-05-13 15:45:22 UTC
It would be useful to have a selinux policy for MQTT (MQ Telemetry Transport) to enable to run a MQTT server/broker in enforcing mode.

From the broker side there are currently 3 message brokers that can support MQTT. ActiveMQ, RabbitMQ and mosquitto.

mqtt ports are as follows:
1883/tcp for non encrypted mqtt traffic
8883/tcp for mqtt over SSL/TLS

http://mqtt.org/faq

At least with mosquitto testing it doesn't work in enforcing mode, I couldn't find the port details. Possibly need to file system changes too but I'm not sure what I need to supply there, and presumably it's broker/server specific unlike the port?

Comment 1 Jan Kurik 2015-07-15 14:09:57 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 23 development cycle.
Changing version to '23'.

(As we did not run this process for some time, it could affect also pre-Fedora 23 development
cycle bugs. We are very sorry. It will help us with cleanup during Fedora 23 End Of Life. Thank you.)

More information and reason for this action is here:
https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora23

Comment 2 Jan Kurik 2016-02-24 13:24:07 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 24 development cycle.
Changing version to '24'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora24#Rawhide_Rebase

Comment 3 Fedora Admin XMLRPC Client 2016-09-27 15:04:33 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 4 Peter Robinson 2017-04-23 09:53:58 UTC
Any update?

Comment 5 Lukas Vrabec 2019-07-10 07:32:29 UTC
Hi All, 

Is this still actual? 

Thanks,
Lukas.

Comment 6 Peter Robinson 2019-07-10 12:12:03 UTC
> Is this still actual? 

What do you mean by actual? If you mean if it's still a requirement, yes.

Comment 7 Peter Robinson 2019-11-01 12:41:04 UTC
Why did you remove tracking?

Comment 8 Zdenek Pytela 2019-11-07 07:18:29 UTC
Peter,

This is how Tracking is described in bugzilla:

This bug is a tracking bug. That means that this bug is only used as a placeholder for a particular set of changes which are split over a number of different bugs. All those bugs can be set to block this Tracking bug, so we have an easy way to query the status of a larger project based on the dependency tree of the Tracking bug. Tracking bugs do not require a release flag or acks.

Did you really mean it this way?

Comment 9 Peter Robinson 2019-11-09 11:17:26 UTC
(In reply to Zdenek Pytela from comment #8)
> Peter,
> 
> This is how Tracking is described in bugzilla:
> 
> This bug is a tracking bug. That means that this bug is only used as a
> placeholder for a particular set of changes which are split over a number of
> different bugs. All those bugs can be set to block this Tracking bug, so we
> have an easy way to query the status of a larger project based on the
> dependency tree of the Tracking bug. Tracking bugs do not require a release
> flag or acks.
> 
> Did you really mean it this way?

It also means it's not closed or moved to a specific release when it's not been fixed and it's an RFE so yes, I meant to have it on tracking so it doens't get closed and i don't have to keep moving it until it's implemented.

Comment 10 Fedora Admin XMLRPC Client 2020-01-23 16:23:53 UTC
This package has changed maintainer in the Fedora.
Reassigning to the new maintainer of this component.

Comment 11 Nikola Knazekova 2022-09-06 08:38:28 UTC
Hi Peter,

Can you please reproduce it again and attach AVC messages?


Also before reproducing it is useful to have enabled full auditing:

Open /etc/audit/rules.d/audit.rules file in an editor.

 1. Remove following line if it exists:

-a task,never

 2. Add following line at the end of the file:

-w /etc/shadow -p w

 3. Restart the audit daemon:

 # service auditd restart

Thank you

Nikola

Comment 12 Milos Malik 2022-09-06 08:47:37 UTC
# rpm -qa selinux\* mosquitto\* | sort
mosquitto-2.0.15-1.fc36.x86_64
selinux-policy-36.14-1.fc36.noarch
selinux-policy-devel-36.14-1.fc36.noarch
selinux-policy-targeted-36.14-1.fc36.noarch
# rpm -V mosquitto
# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
# service mosquitto status
Redirecting to /bin/systemctl status mosquitto.service
● mosquitto.service - Mosquitto MQTT Broker
     Loaded: loaded (/usr/lib/systemd/system/mosquitto.service; disabled; vendor preset: disabled)
     Active: active (running) since Tue 2022-09-06 10:34:46 CEST; 9min ago
       Docs: man:mosquitto.conf(5)
             man:mosquitto(8)
    Process: 1800 ExecStartPre=/bin/mkdir -m 740 -p /var/log/mosquitto (code=exited, status=0/SUCCESS)
    Process: 1801 ExecStartPre=/bin/chown mosquitto:mosquitto /var/log/mosquitto (code=exited, status=0/SUCCESS)
    Process: 1802 ExecStartPre=/bin/mkdir -m 740 -p /run/mosquitto (code=exited, status=0/SUCCESS)
    Process: 1803 ExecStartPre=/bin/chown mosquitto:mosquitto /run/mosquitto (code=exited, status=0/SUCCESS)
   Main PID: 1804 (mosquitto)
      Tasks: 1 (limit: 2317)
     Memory: 1.1M
        CPU: 357ms
     CGroup: /system.slice/mosquitto.service
             └─ 1804 /usr/sbin/mosquitto -c /etc/mosquitto/mosquitto.conf

Sep 06 10:34:46 fedora systemd[1]: Starting mosquitto.service - Mosquitto MQTT Broker...
Sep 06 10:34:46 fedora mosquitto[1804]: 1662453286: mosquitto version 2.0.15 starting
Sep 06 10:34:46 fedora mosquitto[1804]: 1662453286: Config loaded from /etc/mosquitto/mosquitto.conf.
Sep 06 10:34:46 fedora mosquitto[1804]: 1662453286: Starting in local only mode. Connections will only be possible from clients running on this machine.
Sep 06 10:34:46 fedora mosquitto[1804]: 1662453286: Create a configuration file which defines a listener to allow remote access.
Sep 06 10:34:46 fedora mosquitto[1804]: 1662453286: For more details see https://mosquitto.org/documentation/authentication-methods/
Sep 06 10:34:46 fedora mosquitto[1804]: 1662453286: Opening ipv4 listen socket on port 1883.
Sep 06 10:34:46 fedora mosquitto[1804]: 1662453286: Opening ipv6 listen socket on port 1883.
Sep 06 10:34:46 fedora mosquitto[1804]: 1662453286: mosquitto version 2.0.15 running
Sep 06 10:34:46 fedora systemd[1]: Started mosquitto.service - Mosquitto MQTT Broker.
# ps -efZ | grep mosq
system_u:system_r:unconfined_service_t:s0 mosquit+ 1804 1  0 10:34 ?       00:00:00 /usr/sbin/mosquitto -c /etc/mosquitto/mosquitto.conf
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 1971 1901  0 10:44 pts/0 00:00:00 grep --color=auto mosq
# ls -lZ /usr/sbin/mosquitto 
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 294008 Aug 17 17:15 /usr/sbin/mosquitto
# ausearch -m avc -m user_avc -m selinux_err -i -ts today
<no matches>
#

The mosquitto service seems to run successfully on my Fedora 36 VM. No configuration changes made.


Note You need to log in before you can comment on or make changes to this bug.