- Bug
- Resolution: Done
- Normal
- rhel-8.8.0
- Moderate
- rhel-sst-security-selinux
- ssg_security
- Red Hat Enterprise Linux
- Unspecified Release Note Type - Unknown
- All
What were you trying to do that didn't work?
The customer is seeing AVC denials from the keepalived service when they send the SIGUSR1 signal to the service's PID(s).
When SIGUSR1 is sent to keepalived, it dumps diagnostic information about the process to /tmp.
These files get the "keepalived_tmp_t" context from the type transition rule below:
sesearch -T -s keepalived_t | grep keepalived_tmp_t
type_transition keepalived_t tmp_t:file keepalived_tmp_t;
When this happens, it generates a few AVCs along the way.
I was able to reproduce this issue.
AVCs from my system:
type=PROCTITLE msg=audit(09/27/2023 18:34:28.799:899) : proctitle=/usr/sbin/keepalived -D
type=PATH msg=audit(09/27/2023 18:34:28.799:899) : item=0 name=(null) inode=8454033 dev=fd:00 mode=file,600 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:keepalived_tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(09/27/2023 18:34:28.799:899) : cwd=/
type=SYSCALL msg=audit(09/27/2023 18:34:28.799:899) : arch=x86_64 syscall=fchmod success=yes exit=0 a0=0xd a1=0600 a2=0x800c2 a3=0x180 items=1 ppid=13534 pid=13535 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=keepalived exe=/usr/sbin/keepalived subj=system_u:system_r:keepalived_t:s0 key=(null)
type=AVC msg=audit(09/27/2023 18:34:28.799:899) : avc: denied { setattr } for pid=13535 comm=keepalived name=keepalived.data8s9c0D dev="dm-0" ino=8454033 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:keepalived_tmp_t:s0 tclass=file permissive=1
----
type=PROCTITLE msg=audit(09/27/2023 18:34:28.799:900) : proctitle=/usr/sbin/keepalived -D
type=PATH msg=audit(09/27/2023 18:34:28.799:900) : item=4 name=/tmp/keepalived.data inode=8454033 dev=fd:00 mode=file,600 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:keepalived_tmp_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(09/27/2023 18:34:28.799:900) : item=3 name=/tmp/keepalived.data inode=8607410 dev=fd:00 mode=file,600 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:keepalived_tmp_t:s0 nametype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(09/27/2023 18:34:28.799:900) : item=2 name=/tmp/keepalived.data8s9c0D inode=8454033 dev=fd:00 mode=file,600 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:keepalived_tmp_t:s0 nametype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(09/27/2023 18:34:28.799:900) : item=1 name=/tmp/ inode=8413040 dev=fd:00 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(09/27/2023 18:34:28.799:900) : item=0 name=/tmp/ inode=8413040 dev=fd:00 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(09/27/2023 18:34:28.799:900) : cwd=/
type=SYSCALL msg=audit(09/27/2023 18:34:28.799:900) : arch=x86_64 syscall=rename success=yes exit=0 a0=0x7ffc11d02f70 a1=0x5651e5138f9d a2=0x800c2 a3=0x180 items=5 ppid=13534 pid=13535 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=keepalived exe=/usr/sbin/keepalived subj=system_u:system_r:keepalived_t:s0 key=(null)
type=AVC msg=audit(09/27/2023 18:34:28.799:900) : avc: denied { unlink } for pid=13535 comm=keepalived name=keepalived.data dev="dm-0" ino=8607410 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:keepalived_tmp_t:s0 tclass=file permissive=1
type=AVC msg=audit(09/27/2023 18:34:28.799:900) : avc: denied { rename } for pid=13535 comm=keepalived name=keepalived.data8s9c0D dev="dm-0" ino=8454033 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:keepalived_tmp_t:s0 tclass=file permissive=1
- First it produces the { setattr } AVC, because the keepalived process calls fchmod(0600) on the files it is dumping into /tmp.
- Then it produces { rename }, because it first creates these files with a random name suffix and later renames them to "keepalived.data" and "keepalived_parent.data".
- There is also { unlink } when a file with the same name already exists in /tmp, which it tries to delete.
On my system we see these actions under strace when collected in permissive mode:
# cat /tmp/keepalive.strace | grep -e 583[12][09] | grep -i -e kill -e rename -e openat -e fchmod
58319 [keepalived_t] 16:55:14.259044 kill(58320, SIGUSR1) = 0 <0.000151>
58319 [keepalived_t] 16:55:14.261864 openat(AT_FDCWD</>, "/tmp/keepalived_parent.data9ISdbQ", O_RDWR|O_CREAT|O_EXCL|O_CLOEXEC, 0600 <unfinished ...>
58320 [keepalived_t] 16:55:14.262775 openat(AT_FDCWD</>, "/tmp/keepalived.datahC9SaI", O_RDWR|O_CREAT|O_EXCL|O_CLOEXEC, 0600 <unfinished ...>
58319 [keepalived_t] 16:55:14.262862 <... openat resumed>) = 8</tmp/keepalived_parent.data9ISdbQ> [keepalived_tmp_t] <0.000849>
58320 [keepalived_t] 16:55:14.262898 <... openat resumed>) = 13</tmp/keepalived.datahC9SaI> [keepalived_tmp_t] <0.000053>
58319 [keepalived_t] 16:55:14.262943 fchmod(8</tmp/keepalived_parent.data9ISdbQ> [keepalived_tmp_t], 0600 <unfinished ...>
58320 [keepalived_t] 16:55:14.262974 fchmod(13</tmp/keepalived.datahC9SaI> [keepalived_tmp_t], 0600) = 0 <0.000057>
58320 [keepalived_t] 16:55:14.263089 rename("/tmp/keepalived.datahC9SaI" [keepalived_tmp_t], "/tmp/keepalived.data") = 0 <0.000099>
58320 [keepalived_t] 16:55:14.263513 openat(AT_FDCWD</>, "/etc/iproute2/rt_scopes" [etc_t], O_RDONLY) = 14</etc/iproute2/rt_scopes> [etc_t] <0.000060>
58319 [keepalived_t] 16:55:14.264062 <... fchmod resumed>) = 0 <0.001087>
58319 [keepalived_t] 16:55:14.264089 rename("/tmp/keepalived_parent.data9ISdbQ" [keepalived_tmp_t], "/tmp/keepalived_parent.data" <unfinished ...>
58319 [keepalived_t] 16:55:14.264221 <... rename resumed>) = 0 <0.000098>
The customer said that they created this policy module to allow these three AVCs in the SELinux policy:
module ka 1.0;

require {
        type keepalived_t;
        type keepalived_tmp_t;
        class file { setattr rename unlink };
}

#============= keepalived_t ==============
allow keepalived_t keepalived_tmp_t:file { setattr rename unlink };
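To show how the three AVC records above map onto the customer's allow rule, here is an added example (not part of the bug report or of audit2allow) that parses the denial lines, merges permissions per source type, target type and object class the way audit2allow does, and also checks whether every denial carries permissive=1, i.e. whether anything was actually blocked. The AVC lines are copied from the audit log in this report.

```python
import re
from collections import defaultdict

# The three AVC records from this bug report (captured in permissive mode).
AVC_LINES = """\
type=AVC msg=audit(09/27/2023 18:34:28.799:899) : avc: denied { setattr } for pid=13535 comm=keepalived name=keepalived.data8s9c0D dev="dm-0" ino=8454033 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:keepalived_tmp_t:s0 tclass=file permissive=1
type=AVC msg=audit(09/27/2023 18:34:28.799:900) : avc: denied { unlink } for pid=13535 comm=keepalived name=keepalived.data dev="dm-0" ino=8607410 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:keepalived_tmp_t:s0 tclass=file permissive=1
type=AVC msg=audit(09/27/2023 18:34:28.799:900) : avc: denied { rename } for pid=13535 comm=keepalived name=keepalived.data8s9c0D dev="dm-0" ino=8454033 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:keepalived_tmp_t:s0 tclass=file permissive=1
"""

# One AVC line: "avc: denied { perm ... } ... scontext=... tcontext=... tclass=... [permissive=N]"
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)


def type_of(context):
    """Return the type field of a user:role:type:level SELinux context."""
    return context.split(":")[2]


def parse_avcs(text):
    """Yield (source_type, target_type, tclass, perms, permissive) for each AVC line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"],
                   set(m["perms"].split()), m["permissive"] == "1")


def allow_rules(text):
    """Merge denials per (source, target, class) into TE allow rules, as audit2allow would."""
    merged = defaultdict(set)
    for src, tgt, cls, perms, _ in parse_avcs(text):
        merged[(src, tgt, cls)] |= perms
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]


def was_enforced(text):
    """False when every denial has permissive=1: the operations were logged but not blocked."""
    return any(not permissive for *_, permissive in parse_avcs(text))


if __name__ == "__main__":
    print("\n".join(allow_rules(AVC_LINES)))
    print("enforced:", was_enforced(AVC_LINES))
```

The merged rule is the same one the customer's module grants; in enforcing mode the rename and unlink denials would have left the stale keepalived.data in place, which is why a policy-side fix is needed rather than a local module on every host.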
Hi rhn-support-zpytela, I am also adding you to this Bug for more visibility and awareness from an SELinux perspective.
Please provide the package NVR for which the bug is seen:
keepalived-2.1.5-9.el8.x86_64
selinux-policy-3.14.3-117.el8_8.3.noarch
selinux-policy-targeted-3.14.3-117.el8_8.3.noarch
How reproducible:
Every time
Steps to reproduce
1. Create a dummy configuration as below.
# cat /etc/keepalived/keepalived.conf | grep -v ^#
! Configuration File for keepalived

global_defs {
   notification_email {
     acassen@firewall.loc
     failover@firewall.loc
     sysadmin@firewall.loc
   }
   notification_email_from Alexandre.Cassen@firewall.loc
   smtp_server 192.168.200.1
   smtp_connect_timeout 30
   router_id LVS_DEVEL
   vrrp_skip_check_adv_addr
   vrrp_strict
   #vrrp_garp_interval 0
   #vrrp_gna_interval 0
}

vrrp_instance VI_1 {
    state MASTER
    interface enp1s0
    virtual_router_id 51
    priority 100
    advert_int 1
    virtual_ipaddress {
        192.168.200.16
    }
}
2. Start the keepalived service.
# systemctl start keepalived
# systemctl status keepalived
3. Send the SIGUSR1 signal to the keepalived parent process.
# systemctl show keepalived -p MainPID
MainPID=123954
# kill -s SIGUSR1 123954
4. Check for the AVCs generated while keepalived dumps its files into /tmp.
# ausearch -m AVC,USER_AVC -i -ts recent
Expected results
Sending SIGUSR1 to keepalived should not cause SELinux AVC.
Actual results
Sending SIGUSR1 to keepalived causes SELinux AVC.