Bug 1158115

Summary: Create /usr/libexec/keepalived for scripts
Product: Red Hat Enterprise Linux 6
Component: keepalived
Version: 6.6
Status: CLOSED CURRENTRELEASE
Severity: high
Priority: high
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Reporter: Ryan O'Hara <rohara>
Assignee: Ryan O'Hara <rohara>
QA Contact: Brandon Perkins <bperkins>
CC: cluster-maint, fdinitto, gfidente, john.horne, jprovazn, rohara, salmy
Keywords: FutureFeature, ZStream
Fixed In Version: keepalived-1.2.13-5.el6
Doc Type: Enhancement
Type: Bug
Clone Of: 1158113
Bug Blocks: 1198432
Last Closed: 2015-08-25 18:55:15 UTC

Description Ryan O'Hara 2014-10-28 15:30:51 UTC
+++ This bug was initially created as a clone of Bug #1158113 +++

The keepalived service lacks SELinux privileges to exec scripts, including tracking scripts and notification scripts. The proposed solution is to create a directory (/usr/libexec/keepalived) where scripts can be stored. This directory will then be labelled such that scripts installed here will have sufficient SELinux privileges.

Note that we will not be installing any scripts in this directory as part of the keepalived package itself. Users will need to create the desired scripts in this directory to avoid AVCs.
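
The following is an added example, not part of the original report or of the keepalived package: a small audit that lists tracking and notification scripts referenced from a keepalived configuration but stored outside /usr/libexec/keepalived, which are the ones that would still trigger AVCs. The function names, the sample configuration and the set of directives checked (`script`, `notify`, `notify_master`, `notify_backup`, `notify_fault`) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not part of the keepalived package): report script paths in a
# keepalived configuration that are outside the directory proposed in this bug.
KEEPALIVED_SCRIPT_DIR=/usr/libexec/keepalived

# scripts_outside_dir [CONF]  (hypothetical helper name)
# Reads CONF (or stdin) and prints "LINE DIRECTIVE PATH" for every tracking or
# notification script whose executable is not under $KEEPALIVED_SCRIPT_DIR.
scripts_outside_dir() {
    awk -v dir="$KEEPALIVED_SCRIPT_DIR" '
        $1 ~ /^[#!]/ { next }                  # keepalived comment lines
        $1 ~ /^(script|notify|notify_master|notify_backup|notify_fault)$/ {
            path = $2
            gsub(/"/, "", path)                # first word is the executable
            if (path == "") next
            # Outside the directory, or escaping it with a ".." component.
            if (index(path, dir "/") != 1 || path ~ /\/\.\.(\/|$)/)
                printf "%d %s %s\n", NR, $1, path
        }
    ' "${1:--}"
}

# Constructed sample configuration, for illustration only.
sample_conf() {
    cat <<'EOF'
! constructed sample
vrrp_script chk_haproxy {
    script "/usr/libexec/keepalived/check_haproxy.sh"
    interval 2
}
vrrp_script chk_legacy {
    script "/etc/keepalived/check_legacy.sh --fast"
}
vrrp_instance VI_1 {
    # notify_master /tmp/commented.sh
    notify_master /usr/local/bin/promote.sh
    notify_backup "/usr/libexec/keepalived/../../../tmp/x.sh"
    notify_fault /usr/libexec/keepalived/fault.sh
}
EOF
}

# Demo run over the constructed sample; pass a real file path instead of stdin.
sample_conf | scripts_outside_dir
```

After moving a flagged script into the directory, `ls -Z` on the file shows the label it received, and `ausearch -m avc` shows whether keepalived is still being denied.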

Comment 4 John Horne 2014-12-04 13:24:04 UTC
Can I ask what is happening with this?
It says it is a clone of bug #1158113 but that one says it is now closed and Fedora (21/22) has been updated. This specific request is for RHEL 6 (and I see the same problem with 7 as well).
So are RHEL 6/7 going to be updated as well?

Comment 6 Ryan O'Hara 2015-03-03 20:09:55 UTC
Jan, does this still affect TripleO HA deployments? I think you brought this to my attention originally. Thanks.

Comment 9 Giulio Fidente 2015-03-04 09:56:51 UTC
hi Ryan, the request comes from https://bugzilla.redhat.com/show_bug.cgi?id=1145886

It's not a problem related to tripleo in particular, it is a more general issue we're trying to solve I think where keepalived needs to have permissions to run scripts so we set in the policy a special location where the scripts should go.

Comment 11 Ryan O'Hara 2015-03-04 14:21:21 UTC
(In reply to Giulio Fidente from comment #9)
> hi Ryan, the request comes from
> https://bugzilla.redhat.com/show_bug.cgi?id=1145886
> 
> It's not a problem related to tripleo in particular, it is a more general
> issue we're trying to solve I think where keepalived needs to have
> permissions to run scripts so we set in the policy a special location where
> the scripts should go.

I completely agree.