Bug 1429327
| Summary: | SELinux gives denials for keepalived | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Supreet <srandhaw> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 7.3 | CC: | bperkins, lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde, zpytela |
| Target Milestone: | rc | Keywords: | SELinux |
| Target Release: | 7.4 | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.13.1-174.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2018-04-10 12:28:17 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1420851 | ||
The "netstat -apn" command investigates running processes which leads to many SELinux denials. Here is the audit2allow output: allow keepalived_t NetworkManager_t:process getattr; allow keepalived_t auditd_t:process getattr; allow keepalived_t chronyd_t:process getattr; allow keepalived_t crond_t:process getattr; allow keepalived_t dhcpc_t:process getattr; allow keepalived_t gssproxy_t:process getattr; allow keepalived_t init_t:process getattr; allow keepalived_t policykit_t:process getattr; allow keepalived_t postfix_master_t:process getattr; allow keepalived_t postfix_pickup_t:process getattr; allow keepalived_t postfix_qmgr_t:process getattr; allow keepalived_t rhnsd_t:process getattr; allow keepalived_t rpcbind_t:process getattr; allow keepalived_t rpcd_t:process getattr; allow keepalived_t self:capability sys_ptrace; allow keepalived_t self:process getattr; allow keepalived_t sshd_t:process getattr; allow keepalived_t syslogd_t:process getattr; allow keepalived_t system_cronjob_t:process getattr; allow keepalived_t system_dbusd_t:process getattr; allow keepalived_t systemd_logind_t:process getattr; allow keepalived_t tuned_t:process getattr; allow keepalived_t udev_t:process getattr; allow keepalived_t unconfined_t:process getattr; Already tested in permissive mode. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:0763 |
Description of problem: SELinux is preventing /usr/sbin/killall5 from using the sys_ptrace capability Version-Release number of selected component (if applicable): selinux-policy-3.13.1-102.el7.noarch nginx-1.10.1-1.el7.ngx.x86_64 How reproducible: Reproducible using following /etc/keepalived/keepalived.conf config vrrp_script chk_nginx { script "pidof nginx" interval 1 weight 2 } Upgraded : selinux-policy-targeted-3.13.1-102.el7_3.13.noarch.rpm selinux-policy-minimum-3.13.1-102.el7_3.13.noarch.rpm selinux-policy-3.13.1-102.el7_3.13.noarch.rpm Actual results: It logs the AVC's Expected results: It should not log the AVC's Additional info: Entry for check script in keepalived.conf :- vrrp_script chk_proc { script "netstat -apn| grep :443| grep LISTEN" interval 1 weight 2 } Errors in the audit.log file :- type=AVC msg=audit(1487763997.791:477734): avc: denied { sys_ptrace } for pid=19588 comm="netstat" capability=19 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:system_r:keepalived_t:s0 tclass=capability type=AVC msg=audit(1487763997.791:477735): avc: denied { sys_ptrace } for pid=19588 comm="netstat" capability=19 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:system_r:keepalived_t:s0 tclass=capability type=AVC msg=audit(1487763997.791:477736): avc: denied { sys_ptrace } for pid=19588 comm="netstat" capability=19 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:system_r:keepalived_t:s0 tclass=capability type=AVC msg=audit(1487763997.791:477737): avc: denied { dac_override } for pid=19588 comm="netstat" capability=1 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:system_r:keepalived_t:s0 tclass=capability type=AVC msg=audit(1487763997.791:477737): avc: denied { dac_read_search } for pid=19588 comm="netstat" capability=2 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:system_r:keepalived_t:s0 tclass=capability