Bug 1311756

Summary: IPv6 real servers fail when starting keepalived using systemd
Product: [Fedora] Fedora
Component: selinux-policy
Version: 23
Hardware: Unspecified
OS: Unspecified
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Reporter: Major Hayden 🤠 <mhayden>
Assignee: Lukas Vrabec <lvrabec>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: athmanem, bperkins, dominick.grift, dwalsh, lvrabec, matthias, mgrepl, plautrba, rohara
Fixed In Version: selinux-policy-3.13.1-158.8.fc23 selinux-policy-3.13.1-158.9.fc23
Doc Type: Bug Fix
Type: Bug
Last Closed: 2016-03-05 06:23:05 UTC

Description Major Hayden 🤠 2016-02-24 22:15:01 UTC
I'm currently using keepalived 1.2.19-2.fc23 on Fedora 23 (x86_64).  If I start keepalived manually on the command line, it will configure LVS real servers on v6 addresses without an issue.  I can run ipvsadm and the IPv6 real servers appear along with their health checks.

However, if I use systemd to start keepalived, the IPv6 real servers and health checks do not appear in ipvsadm.

My system journal ends up with this repeated for each real server:

IPVS: Operation not supported with specified address family

Comment 1 Major Hayden 🤠 2016-02-24 22:43:37 UTC
This appears to be an SELinux policy issue.  After disabling dontaudit rules, I was able to get the following output from audit2allow:

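module keepalived_fix 1.0;

require {
	type keepalived_t;
	class netlink_generic_socket { create getattr setopt bind write read };
}

#============= keepalived_t ==============
allow keepalived_t self:netlink_generic_socket { create getattr setopt bind write read };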

If I build that policy and apply it, keepalived can handle v6 virtual servers again.
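
How AVC denials turn into a module like the one in Comment 1, as an added example that is not part of the original report and is not audit2allow's own code. The audit records are constructed (the report does not include them), the function names are hypothetical, and the parser reads only the scontext, tcontext and tclass fields.

```python
import re
from collections import defaultdict

CTX = "system_u:system_r:keepalived_t:s0"
# Constructed AVC records (not from the bug report). permissive=1 so every
# socket operation is logged instead of stopping at the first denied create.
SAMPLE_AUDIT_LOG = "\n".join(
    f"type=AVC msg=audit(1456352101.{i:03d}:{400 + i}): avc:  denied  {{ {perm} }} "
    f'for  pid=2101 comm="keepalived" scontext={CTX} tcontext={CTX} '
    f"tclass=netlink_generic_socket permissive=1"
    for i, perm in enumerate(["create", "setopt", "bind", "getattr", "write", "read"])
) + "\ntype=SYSCALL msg=audit(1456352101.005:405): arch=c000003e syscall=41 success=yes"

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\}.*?"
    r"scontext=[^:\s]+:[^:\s]+:(?P<src>[^:\s]+)\S*\s+"
    r"tcontext=[^:\s]+:[^:\s]+:(?P<tgt>[^:\s]+)\S*\s+"
    r"tclass=(?P<cls>\S+)"
)


def collect_denials(log_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:  # non-AVC records (SYSCALL, PATH, ...) are skipped
            denials[m["src"], m["tgt"], m["cls"]].update(m["perms"].split())
    return dict(denials)


def render_module(name, denials):
    """Render a policy module source (.te) granting exactly the denied access."""
    types = sorted({t for src, tgt, _ in denials for t in (src, tgt)})
    classes = defaultdict(set)
    for (_, _, cls), perms in denials.items():
        classes[cls] |= perms
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (src, tgt, cls), perms in sorted(denials.items()):
        target = "self" if src == tgt else tgt  # same type on both sides -> "self"
        out.append(f"allow {src} {target}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_module("keepalived_fix", collect_denials(SAMPLE_AUDIT_LOG)))
```

The rendered rule covers only permissions that appear in the records, so a log captured while dontaudit rules are still active, or one that stops at the first denied create, yields an incomplete module.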

Comment 2 Lukas Vrabec 2016-02-25 15:15:33 UTC
commit 73f0863a3f131bf3c7d27352ccd0107442eae645
Author: Lukas Vrabec <lvrabec>
Date:   Thu Feb 25 16:14:38 2016 +0100

    Allow keepalived to create netlink generic sockets. rhbz#1311756

Comment 3 Major Hayden 🤠 2016-02-25 17:59:39 UTC
Thanks so much for the quick fix, Lukas! :)

Comment 4 Fedora Update System 2016-02-27 13:50:42 UTC
selinux-policy-3.13.1-158.9.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-ffbae3a870

Comment 5 Fedora Update System 2016-02-28 13:54:32 UTC
selinux-policy-3.13.1-158.9.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-ffbae3a870

Comment 6 Fedora Update System 2016-03-05 06:22:12 UTC
selinux-policy-3.13.1-158.9.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.