- Bug
- Resolution: Done
- Normal
- rhel-9.3.0
- High
- sst_security_selinux
- ssg_security
- CentOS Stream, Red Hat Enterprise Linux
- Unspecified Release Note Type - Unknown
- x86_64
What were you trying to do that didn't work?
Keepalived configuration in /etc/keepalived/keepalived.conf, which contains:
# …
vrrp_sync_group vrrp_group {
    group {
        vrrp_ipv4
        vrrp_ipv6
    }
    notify_master "/usr/libexec/keepalived/primary-backup.sh primary"
    notify_backup "/usr/libexec/keepalived/primary-backup.sh backup"
    notify_fault "/usr/libexec/keepalived/primary-backup.sh fault"
}
# …
/usr/libexec/keepalived/primary-backup.sh is actually an unmodified copy of /usr/share/doc/conntrack-tools/doc/sync/primary-backup.sh from conntrack-tools, because that's how it works for some reason.
$ ls -lZ /usr/libexec/keepalived/primary-backup.sh
-rwxr-xr-x. 1 root root unconfined_u:object_r:keepalived_unconfined_script_exec_t:s0 3202 Oct 6 2022 /usr/libexec/keepalived/primary-backup.sh
$
Running systemctl restart keepalived.service leads however to AVC denied messages, which should not happen from my point of view:
type=SERVICE_STOP msg=audit(1708029237.958:137): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=keepalived comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=AVC msg=audit(1708029237.979:138): avc: denied { setattr } for pid=3678 comm="keepalived" name="primary-backup.sh" dev="sda4" ino=2360419 scontext=system_u:system_r:keepalived_t:s0 tcontext=unconfined_u:object_r:keepalived_unconfined_script_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1708029237.979:138): arch=c000003e syscall=280 success=no exit=-13 a0=ffffff9c a1=562b1e37ec98 a2=7fffeebebe50 a3=0 items=0 ppid=3675 pid=3678 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="keepalived" exe="/usr/sbin/keepalived" subj=system_u:system_r:keepalived_t:s0 key=(null)ARCH=x86_64 SYSCALL=utimensat AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=PROCTITLE msg=audit(1708029237.979:138): proctitle=2F7573722F7362696E2F6B656570616C69766564002D2D646F6E742D666F726B002D44
type=AVC msg=audit(1708029237.979:139): avc: denied { setattr } for pid=3678 comm="keepalived" name="primary-backup.sh" dev="sda4" ino=2360419 scontext=system_u:system_r:keepalived_t:s0 tcontext=unconfined_u:object_r:keepalived_unconfined_script_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1708029237.979:139): arch=c000003e syscall=280 success=no exit=-13 a0=ffffff9c a1=562b1e37ec18 a2=7fffeebebe50 a3=0 items=0 ppid=3675 pid=3678 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="keepalived" exe="/usr/sbin/keepalived" subj=system_u:system_r:keepalived_t:s0 key=(null)ARCH=x86_64 SYSCALL=utimensat AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=PROCTITLE msg=audit(1708029237.979:139): proctitle=2F7573722F7362696E2F6B656570616C69766564002D2D646F6E742D666F726B002D44
type=AVC msg=audit(1708029237.980:140): avc: denied { setattr } for pid=3678 comm="keepalived" name="primary-backup.sh" dev="sda4" ino=2360419 scontext=system_u:system_r:keepalived_t:s0 tcontext=unconfined_u:object_r:keepalived_unconfined_script_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1708029237.980:140): arch=c000003e syscall=280 success=no exit=-13 a0=ffffff9c a1=562b1e37ed18 a2=7fffeebebe50 a3=0 items=0 ppid=3675 pid=3678 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="keepalived" exe="/usr/sbin/keepalived" subj=system_u:system_r:keepalived_t:s0 key=(null)ARCH=x86_64 SYSCALL=utimensat AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=PROCTITLE msg=audit(1708029237.980:140): proctitle=2F7573722F7362696E2F6B656570616C69766564002D2D646F6E742D666F726B002D44
type=SERVICE_START msg=audit(1708029237.980:141): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=keepalived comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
As of writing it's unfortunately unclear if there is any impact due to these AVC denied messages and if so, which one (where does the setattr actually come from, why isn't it allowed by keepalived_unconfined_script_exec_t?).
Please provide the package NVR for which the bug is seen:
- selinux-policy-38.1.23-1.el9_3.2.noarch
- selinux-policy-targeted-38.1.23-1.el9_3.2.noarch
- conntrack-tools-1.4.7-2.el9.x86_64
- keepalived-2.2.8-3.el9.x86_64
How reproducible: Every time, see steps above.
Expected results: No AVC denied messages.
Actual results: AVC denied messages with unclear impact.
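A small triage parser, added here as an example (it is not part of this report, of keepalived or of selinux-policy), that groups audit records by their serial number so each AVC is paired with the SYSCALL record that explains where the setattr came from, and collapses repeated denials into one count per source type, target type, class, permission and syscall. The sample records are constructed in the shape of the excerpt above; the syscall table is an assumption that covers only the number the report shows (280 = utimensat on x86_64).

```python
import re
from collections import Counter

# Constructed sample in the shape of the report's excerpt (same labels, same
# syscall); a real run would read /var/log/audit/audit.log or ausearch output.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1708029237.979:138): avc:  denied  { setattr } for  pid=3678 comm="keepalived" name="primary-backup.sh" dev="sda4" ino=2360419 scontext=system_u:system_r:keepalived_t:s0 tcontext=unconfined_u:object_r:keepalived_unconfined_script_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1708029237.979:138): arch=c000003e syscall=280 success=no exit=-13 a0=ffffff9c a1=562b1e37ec98 a2=7fffeebebe50 a3=0 items=0 ppid=3675 pid=3678 comm="keepalived" exe="/usr/sbin/keepalived" subj=system_u:system_r:keepalived_t:s0 key=(null)
type=PROCTITLE msg=audit(1708029237.979:138): proctitle=2F7573722F7362696E2F6B656570616C69766564002D2D646F6E742D666F726B002D44
type=AVC msg=audit(1708029237.980:140): avc:  denied  { setattr } for  pid=3678 comm="keepalived" name="primary-backup.sh" dev="sda4" ino=2360419 scontext=system_u:system_r:keepalived_t:s0 tcontext=unconfined_u:object_r:keepalived_unconfined_script_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1708029237.980:140): arch=c000003e syscall=280 success=no exit=-13 a0=ffffff9c a1=562b1e37ed18 a2=7fffeebebe50 a3=0 items=0 ppid=3675 pid=3678 comm="keepalived" exe="/usr/sbin/keepalived" subj=system_u:system_r:keepalived_t:s0 key=(null)
"""

HEADER = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r"denied\s+\{ ([^}]*) \}")
X86_64_SYSCALLS = {280: "utimensat"}  # assumption: only the number the report shows

def parse_audit(text):
    """Group records by audit serial (the number after the timestamp) so each
    AVC is joined with the SYSCALL record that explains where it came from."""
    events = {}
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        ev = events.setdefault(serial, {"time": ts})
        fields = {k: v.strip('"') for k, v in KV.findall(body)}
        if rtype == "AVC":
            ev["perms"] = PERMS.search(body).group(1).split()
            ev["source"] = fields["scontext"].split(":")[2]   # SELinux type only
            ev["target"] = fields["tcontext"].split(":")[2]
            ev["tclass"] = fields["tclass"]
            ev["enforced"] = fields.get("permissive") == "0"  # 0 = really denied
        elif rtype == "SYSCALL":
            num = int(fields["syscall"])
            ev["syscall"] = X86_64_SYSCALLS.get(num, f"syscall_{num}")
            ev["failed"] = fields.get("success") == "no"
    return events

def summarize(events):
    """Collapse repeated denials into one count per
    (source type, target type, class, permission, syscall) for triage."""
    counts = Counter()
    for ev in events.values():
        for perm in ev.get("perms", []):
            counts[(ev["source"], ev["target"], ev["tclass"], perm, ev.get("syscall"))] += 1
    return counts
```

On the report's excerpt this yields a single line (keepalived_t setattr on keepalived_unconfined_script_exec_t via utimensat, enforced and failed), which is the unit to check against the policy or to hand to audit2allow rather than the raw repeated AVCs.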
- Is duplicated by: RHEL-14029 AVC "setattr" on keepalived script gets generated when keepalived starts (Closed)