RHEL-25762

conntrackd's primary-backup.sh leads to setattr AVC denied

    • Bug
    • Resolution: Done
    • Normal
    • rhel-9.4
    • rhel-9.3.0
    • selinux-policy
    • High
    • sst_security_selinux
    • ssg_security
    • CentOS Stream, Red Hat Enterprise Linux
    • Unspecified Release Note Type - Unknown
    • x86_64

      What were you trying to do that didn't work?

      Keepalived configuration in /etc/keepalived/keepalived.conf, which contains:

      # …
      vrrp_sync_group vrrp_group {
          group {
              vrrp_ipv4
              vrrp_ipv6
          }
          notify_master "/usr/libexec/keepalived/primary-backup.sh primary"
          notify_backup "/usr/libexec/keepalived/primary-backup.sh backup"
          notify_fault "/usr/libexec/keepalived/primary-backup.sh fault"
      }
      # …

      /usr/libexec/keepalived/primary-backup.sh is actually an unmodified copy of /usr/share/doc/conntrack-tools/doc/sync/primary-backup.sh from conntrack-tools, because that's how it works for some reason.


      $ ls -lZ /usr/libexec/keepalived/primary-backup.sh 
      -rwxr-xr-x. 1 root root unconfined_u:object_r:keepalived_unconfined_script_exec_t:s0 3202 Oct  6  2022 /usr/libexec/keepalived/primary-backup.sh
      $ 

      Running systemctl restart keepalived.service, however, leads to AVC denied messages, which should not happen from my point of view:


      type=SERVICE_STOP msg=audit(1708029237.958:137): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=keepalived comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
      type=AVC msg=audit(1708029237.979:138): avc:  denied  { setattr } for  pid=3678 comm="keepalived" name="primary-backup.sh" dev="sda4" ino=2360419 scontext=system_u:system_r:keepalived_t:s0 tcontext=unconfined_u:object_r:keepalived_unconfined_script_exec_t:s0 tclass=file permissive=0
      type=SYSCALL msg=audit(1708029237.979:138): arch=c000003e syscall=280 success=no exit=-13 a0=ffffff9c a1=562b1e37ec98 a2=7fffeebebe50 a3=0 items=0 ppid=3675 pid=3678 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="keepalived" exe="/usr/sbin/keepalived" subj=system_u:system_r:keepalived_t:s0 key=(null)ARCH=x86_64 SYSCALL=utimensat AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
      type=PROCTITLE msg=audit(1708029237.979:138): proctitle=2F7573722F7362696E2F6B656570616C69766564002D2D646F6E742D666F726B002D44
      type=AVC msg=audit(1708029237.979:139): avc:  denied  { setattr } for  pid=3678 comm="keepalived" name="primary-backup.sh" dev="sda4" ino=2360419 scontext=system_u:system_r:keepalived_t:s0 tcontext=unconfined_u:object_r:keepalived_unconfined_script_exec_t:s0 tclass=file permissive=0
      type=SYSCALL msg=audit(1708029237.979:139): arch=c000003e syscall=280 success=no exit=-13 a0=ffffff9c a1=562b1e37ec18 a2=7fffeebebe50 a3=0 items=0 ppid=3675 pid=3678 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="keepalived" exe="/usr/sbin/keepalived" subj=system_u:system_r:keepalived_t:s0 key=(null)ARCH=x86_64 SYSCALL=utimensat AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
      type=PROCTITLE msg=audit(1708029237.979:139): proctitle=2F7573722F7362696E2F6B656570616C69766564002D2D646F6E742D666F726B002D44
      type=AVC msg=audit(1708029237.980:140): avc:  denied  { setattr } for  pid=3678 comm="keepalived" name="primary-backup.sh" dev="sda4" ino=2360419 scontext=system_u:system_r:keepalived_t:s0 tcontext=unconfined_u:object_r:keepalived_unconfined_script_exec_t:s0 tclass=file permissive=0
      type=SYSCALL msg=audit(1708029237.980:140): arch=c000003e syscall=280 success=no exit=-13 a0=ffffff9c a1=562b1e37ed18 a2=7fffeebebe50 a3=0 items=0 ppid=3675 pid=3678 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="keepalived" exe="/usr/sbin/keepalived" subj=system_u:system_r:keepalived_t:s0 key=(null)ARCH=x86_64 SYSCALL=utimensat AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
      type=PROCTITLE msg=audit(1708029237.980:140): proctitle=2F7573722F7362696E2F6B656570616C69766564002D2D646F6E742D666F726B002D44
      type=SERVICE_START msg=audit(1708029237.980:141): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=keepalived comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
      

      As of writing it's unfortunately unclear if there is any impact due to these AVC denied messages and if so, which one (where does the setattr actually come from, why isn't it allowed by keepalived_unconfined_script_exec_t?).
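      The audit records above answer the "where does the setattr come from" question once the AVC, SYSCALL and PROCTITLE records are joined on their shared serial number (the ":138" in msg=audit(1708029237.979:138)). The following script is an added example by the editor, not code from the report, from keepalived or from the selinux-policy project: it parses raw audit lines, pairs each denial with its system call and decoded command line, and collapses repeats into the distinct (source type, target type, class, permissions) tuples a policy rule would have to cover. The embedded sample is a copy of the records quoted above; the field-parsing regexes are the editor's own.

```python
"""Correlate SELinux AVC denials with their SYSCALL and PROCTITLE records.

Added example (not part of the Jira report). Audit records that belong to one
event share the serial number after the timestamp; grouping on it tells us
which domain was denied what permission, on which file type, through which
system call, and from which command line.
"""
import re
from collections import Counter

# Constructed sample input: the audit records quoted in the report above.
SAMPLE_AUDIT = """\
type=SERVICE_STOP msg=audit(1708029237.958:137): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=keepalived comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=AVC msg=audit(1708029237.979:138): avc:  denied  { setattr } for  pid=3678 comm="keepalived" name="primary-backup.sh" dev="sda4" ino=2360419 scontext=system_u:system_r:keepalived_t:s0 tcontext=unconfined_u:object_r:keepalived_unconfined_script_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1708029237.979:138): arch=c000003e syscall=280 success=no exit=-13 a0=ffffff9c a1=562b1e37ec98 a2=7fffeebebe50 a3=0 items=0 ppid=3675 pid=3678 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="keepalived" exe="/usr/sbin/keepalived" subj=system_u:system_r:keepalived_t:s0 key=(null)ARCH=x86_64 SYSCALL=utimensat AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=PROCTITLE msg=audit(1708029237.979:138): proctitle=2F7573722F7362696E2F6B656570616C69766564002D2D646F6E742D666F726B002D44
type=AVC msg=audit(1708029237.979:139): avc:  denied  { setattr } for  pid=3678 comm="keepalived" name="primary-backup.sh" dev="sda4" ino=2360419 scontext=system_u:system_r:keepalived_t:s0 tcontext=unconfined_u:object_r:keepalived_unconfined_script_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1708029237.979:139): arch=c000003e syscall=280 success=no exit=-13 a0=ffffff9c a1=562b1e37ec18 a2=7fffeebebe50 a3=0 items=0 ppid=3675 pid=3678 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="keepalived" exe="/usr/sbin/keepalived" subj=system_u:system_r:keepalived_t:s0 key=(null)ARCH=x86_64 SYSCALL=utimensat AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=PROCTITLE msg=audit(1708029237.979:139): proctitle=2F7573722F7362696E2F6B656570616C69766564002D2D646F6E742D666F726B002D44
type=AVC msg=audit(1708029237.980:140): avc:  denied  { setattr } for  pid=3678 comm="keepalived" name="primary-backup.sh" dev="sda4" ino=2360419 scontext=system_u:system_r:keepalived_t:s0 tcontext=unconfined_u:object_r:keepalived_unconfined_script_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1708029237.980:140): arch=c000003e syscall=280 success=no exit=-13 a0=ffffff9c a1=562b1e37ed18 a2=7fffeebebe50 a3=0 items=0 ppid=3675 pid=3678 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="keepalived" exe="/usr/sbin/keepalived" subj=system_u:system_r:keepalived_t:s0 key=(null)ARCH=x86_64 SYSCALL=utimensat AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=PROCTITLE msg=audit(1708029237.980:140): proctitle=2F7573722F7362696E2F6B656570616C69766564002D2D646F6E742D666F726B002D44
type=SERVICE_START msg=audit(1708029237.980:141): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=keepalived comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
"""

RECORD_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$")
AVC_RE = re.compile(r"avc:\s+(?P<decision>denied|granted)\s+\{ (?P<perms>[^}]+) \}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"


def parse_record(line):
    """Split one audit line into its type, serial number and key=value fields."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    rec = {"type": m.group("type"), "serial": int(m.group("serial")),
           "fields": {k: v.strip('"') for k, v in KV_RE.findall(body)}}
    avc = AVC_RE.search(body)
    if avc:
        rec["decision"] = avc.group("decision")
        rec["perms"] = avc.group("perms").split()
    return rec


def decode_proctitle(value):
    """proctitle is the NUL-separated argv, hex encoded when it has no quotes."""
    try:
        return [a.decode() for a in bytes.fromhex(value).split(b"\0") if a]
    except ValueError:
        return [value]  # audit already printed it as plain text


def selinux_type(context):
    """Return the type part of user:role:type:level, e.g. keepalived_t."""
    return context.split(":")[2]


def summarize_denials(text):
    """Pair every AVC denial with the SYSCALL/PROCTITLE records of the same serial."""
    by_serial = {}
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            by_serial.setdefault(rec["serial"], {}).setdefault(rec["type"], []).append(rec)
    out = []
    for serial, recs in sorted(by_serial.items()):
        sc = recs.get("SYSCALL", [{}])[0].get("fields", {})
        pt = recs.get("PROCTITLE", [{}])[0].get("fields", {})
        for avc in recs.get("AVC", []):
            if avc.get("decision") != "denied":
                continue
            f = avc["fields"]
            out.append({
                "serial": serial,
                "source": selinux_type(f["scontext"]),
                "target": selinux_type(f["tcontext"]),
                "tclass": f["tclass"],
                "perms": tuple(avc["perms"]),
                "name": f.get("name"),
                # audit appends the resolved name as SYSCALL=...; fall back to the number
                "syscall": sc.get("SYSCALL", sc.get("syscall", "?")),
                "exe": sc.get("exe"),
                "enforcing": f.get("permissive") == "0",
                "argv": decode_proctitle(pt["proctitle"]) if "proctitle" in pt else [],
            })
    return out


def distinct_rules(denials):
    """Collapse repeated denials into the distinct (source, target, class, perms) tuples."""
    return Counter((d["source"], d["target"], d["tclass"], d["perms"]) for d in denials)


if __name__ == "__main__":
    denials = summarize_denials(SAMPLE_AUDIT)
    for d in denials:
        print(f"[{d['serial']}] {d['source']} -> {d['target']}:{d['tclass']} "
              f"{{ {' '.join(d['perms'])} }} via {d['syscall']}() on {d['name']} "
              f"by {' '.join(d['argv'])} (enforcing={d['enforcing']})")
    for rule, n in distinct_rules(denials).items():
        print(f"{n}x {rule}")
```

      Run against the sample, the three denials reduce to a single tuple: keepalived_t is refused setattr on a keepalived_unconfined_script_exec_t file through utimensat(), i.e. a timestamp update on the script, issued by /usr/sbin/keepalived --dont-fork -D in enforcing mode. The same correlation works on /var/log/audit/audit.log or on ausearch output, and the dedup step is what makes a long log readable before deciding whether a policy rule, a relabel or a change in the caller is the right fix.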


      Please provide the package NVR for which the bug is seen:

      • selinux-policy-38.1.23-1.el9_3.2.noarch
      • selinux-policy-targeted-38.1.23-1.el9_3.2.noarch
      • conntrack-tools-1.4.7-2.el9.x86_64
      • keepalived-2.2.8-3.el9.x86_64

      How reproducible: Every time, see steps above.

      Expected results: No AVC denied messages.

      Actual results: AVC denied messages with unclear impact.

      People: Zdenek Pytela, Robert Scheck (Inactive), SSG Security QE