RHEL-1538

selinux denial appears for keepalived when using MISC_CHECK

    • Moderate
    • rhel-sst-high-availability
    • ssg_filesystems_storage_and_HA

      Description of problem:
      Misconfigured SELinux policy for keepalived triggers an AVC denial when using MISC_CHECK in keepalived.conf

      Version-Release number of selected component (if applicable):
      keepalived-2.2.4-6.el9.x86_64
      selinux-policy-38.1.14-1.el9.noarch

      How reproducible:
      always

      Steps to Reproduce:
      1. Find the location for keepalived scripts:
      $ semanage fcontext -l | grep keepalived_unconfined_script
      /usr/libexec/keepalived(/.*)?    all files    system_u:object_r:keepalived_unconfined_script_exec_t:s0

      2. Create a script in this location:
      $ cat /usr/libexec/keepalived/misc_checker
      #!/usr/bin/bash
      true

      3. Create a keepalived.conf file with MISC_CHECK:
      $ cat /etc/keepalived/keepalived.conf
      vrrp_instance VRRP_INSTANCE {
          state MASTER
          priority 128
          advert_int 1
          virtual_router_id 1
          interface ens3
          virtual_ipaddress {
              10.37.165.105
          }
      }
      virtual_server 10.37.165.105 80 {
          real_server 10.37.167.2 80 {
              weight 1
              MISC_CHECK {
                  misc_path /usr/libexec/keepalived/misc_checker
                  retry 1
              }
          }
      }

      4. Start keepalived

      Actual results:
      Keepalived works, but an SELinux denial appears:

      $ ausearch -m AVC,USER_AVC
      ----
      time->Wed Jun 7 16:56:46 2023
      type=PROCTITLE msg=audit(1686149806.955:980): proctitle=2F7573722F7362696E2F6B656570616C69766564002D2D646F6E742D666F726B002D44002D2D636F6E6669672D6964006D61696E
      type=SYSCALL msg=audit(1686149806.955:980): arch=c000003e syscall=280 success=no exit=-13 a0=ffffff9c a1=55df7dcb4c30 a2=7ffff3502c80 a3=0 items=0 ppid=63215 pid=63216 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="keepalived" exe="/usr/sbin/keepalived" subj=system_u:system_r:keepalived_t:s0 key=(null)
      type=AVC msg=audit(1686149806.955:980): avc: denied { setattr } for pid=63216 comm="keepalived" name="misc_checker" dev="dm-0" ino=9451029 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:keepalived_unconfined_script_exec_t:s0 tclass=file permissive=0

      Expected results:
      No denial
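The AVC record from the report, turned into the allow rule a local policy module would need, as an added example that is not part of the bug report, of keepalived, or of selinux-policy. It embeds the report's own AVC line as constructed input so it runs offline, parses the record itself instead of calling audit2allow, and the module name keepalived_misc_check is an assumption. The real fix belongs in the selinux-policy package; a module built from this output is only a local workaround until the fixed policy ships, and the rule it prints is exactly what should be checked against the denial (source type, target type, class and permission) before loading anything.

```bash
#!/usr/bin/env bash
# Added example, not from the bug report. Derives the allow rule (and a full
# type-enforcement module, as "audit2allow -M" would) from one AVC record.
# The record is copied from the report's ausearch output and embedded here
# as a constructed sample so the script runs without auditd or SELinux tools.

AVC_SAMPLE='type=AVC msg=audit(1686149806.955:980): avc:  denied  { setattr } for  pid=63216 comm="keepalived" name="misc_checker" dev="dm-0" ino=9451029 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:keepalived_unconfined_script_exec_t:s0 tclass=file permissive=0'

# avc_field RECORD KEY -> value of KEY=..., with surrounding double quotes removed
avc_field() {
  printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# context_type CONTEXT -> the type component (user:role:type:level -> type)
context_type() {
  printf '%s\n' "$1" | cut -d: -f3
}

# avc_perms RECORD -> the permission list inside "denied { ... }", whitespace normalised
avc_perms() {
  printf '%s\n' "$1" \
    | sed -n 's/.*denied[[:space:]]*{\([^}]*\)}.*/\1/p' \
    | tr -s ' \t' ' ' \
    | sed 's/^ *//; s/ *$//'
}

# avc_to_allow RECORD -> the single allow rule that would silence this denial
avc_to_allow() {
  local src tgt cls perms
  src=$(context_type "$(avc_field "$1" scontext)")
  tgt=$(context_type "$(avc_field "$1" tcontext)")
  cls=$(avc_field "$1" tclass)
  perms=$(avc_perms "$1")
  printf 'allow %s %s:%s { %s };\n' "$src" "$tgt" "$cls" "$perms"
}

# avc_to_te RECORD [MODULE] -> complete .te source for a local policy module
# (module name keepalived_misc_check is an assumption for this example)
avc_to_te() {
  local rec=$1 name=${2:-keepalived_misc_check}
  local src tgt cls perms
  src=$(context_type "$(avc_field "$rec" scontext)")
  tgt=$(context_type "$(avc_field "$rec" tcontext)")
  cls=$(avc_field "$rec" tclass)
  perms=$(avc_perms "$rec")
  printf 'module %s 1.0;\n\nrequire {\n\ttype %s;\n\ttype %s;\n\tclass %s { %s };\n}\n\n' \
    "$name" "$src" "$tgt" "$cls" "$perms"
  avc_to_allow "$rec"
}

# Stand-alone run: print the module source for the report's record
avc_to_te "$AVC_SAMPLE"
```

Feed it a real record with `ausearch -m AVC --raw | grep type=AVC | tail -1` and compare the printed rule with the denial before compiling anything; if the source type, target type or class differ from what the application legitimately needs, the answer is a bug report against the policy (as here), not a broader local allow.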

              rhn-engineering-rohara Ryan O'Hara
              jhrdlica Juraj Hrdlica
              inactive-user inactive-user
              Cluster QE Cluster QE