Bug 1180881
| Summary: | different AVCs while using Keepalived on HA VRRP setup | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | Red Hat OpenStack | Reporter: | Ofer Blaut <oblaut> | ||||||
| Component: | openstack-selinux | Assignee: | Ryan Hallisey <rhallise> | ||||||
| Status: | CLOSED ERRATA | QA Contact: | Roey Dekel <rdekel> | ||||||
| Severity: | urgent | Docs Contact: | |||||||
| Priority: | unspecified | ||||||||
| Version: | 6.0 (Juno) | CC: | bperkins, dnavale, lhh, lpeer, mgrepl, nyechiel, oblaut, rhallise, yeylon | ||||||
| Target Milestone: | ga | Keywords: | Rebase | ||||||
| Target Release: | 6.0 (Juno) | Flags: | rhallise:
needinfo+
|
||||||
| Hardware: | Unspecified | ||||||||
| OS: | Unspecified | ||||||||
| Whiteboard: | |||||||||
| Fixed In Version: | openstack-selinux-0.6.17-1.el7ost | Doc Type: | Rebase: Bug Fixes and Enhancements | ||||||
| Doc Text: | Story Points: | --- | |||||||
| Clone Of: | Environment: | ||||||||
| Last Closed: | 2015-02-09 14:22:21 UTC | Type: | Bug | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Embargoed: | |||||||||
| Bug Depends On: | 1180679 | ||||||||
| Bug Blocks: | |||||||||
| Attachments: |
|
||||||||
Created attachment 978768 [details]
more info
The problem is /var/lib/neutron/ha_confs/e4bc9b4e-d540-4d91-8e3e-9a8bf66317fe/notify_backup.sh is created on the fly. Am I correct? Adding , ACK There was problem with vrrp, i didn't noticed if it is because of notify_backup.sh I can only control HA by removing HA ports Ofer tested openstack-selinux-0.6.17-1.el7ost.noarch Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHEA-2015-0144.html |
Created attachment 978754 [details] logs from audit.log Description of problem: While working on HA - VRRP, i got different AVCs errors [root@networker-64ceac62-aeea-4364-bd8c-b7f0d6fcaeac ~]# cat /var/log/audit/audit.log | audit2allow -r require { type neutron_t; type neutron_var_lib_t; type keepalived_t; class process { signal sigkill }; class capability dac_override; class file { write execute getattr read open ioctl execute_no_trans }; } #============= keepalived_t ============== allow keepalived_t neutron_t:process sigkill; allow keepalived_t neutron_var_lib_t:file { write execute ioctl read open getattr execute_no_trans }; allow keepalived_t self:capability dac_override; #============= neutron_t ============== allow neutron_t keepalived_t:process signal; [root@networker-5d12223d-d960-4803-a46c-d35d3ec18daa ~]# cat /var/log/audit/audit.log | audit2allow -r require { type kernel_t; type neutron_var_lib_t; type keepalived_t; class capability dac_override; class file { execute read create ioctl execute_no_trans write getattr unlink open }; class system module_request; class dir { write remove_name add_name }; } #============= keepalived_t ============== #!!!! This avc can be allowed using the boolean 'domain_kernel_load_modules' allow keepalived_t kernel_t:system module_request; allow keepalived_t neutron_var_lib_t:dir { write remove_name add_name }; allow keepalived_t neutron_var_lib_t:file { execute read create getattr execute_no_trans write ioctl unlink open }; allow keepalived_t self:capability dac_override; Version-Release number of selected component (if applicable): How reproducible: Steps to Reproduce: 1.run setup with VRRP enabled 2.check cat /var/log/audit/audit.log | audit2allow -r 3.check grep -ir keep /var/log/audit/audit.log Actual results: Expected results: Additional info: