In Red Hat Enterprise Linux 7.4, an SELinux allow rule for the keepalived utility was missing. Consequently, an SELinux denial occurred when keepalived was run. With this update, the missing rule has been added, and keepalived now works with SELinux in Enforcing mode.
Description of problem:
In RHEL 7.4, keepalived was rebased to version 1.3.5. After upgrade from RHEL 7.3 with keepalived-1.2.13-9, avc denials started to appear.
Version-Release number of selected component (if applicable):
keepalived-1.3.5-1.el7.x86_64
selinux-policy-3.13.1-166.el7.noarch
How reproducible:
always
Steps to Reproduce:
1. Upgrade to keepalived-1.3.5-1.el7
2. Run keepalived
Actual results:
type=AVC msg=audit(1504016429.630:5751): avc: denied { setpgid } for pid=10662 comm="keepalived" scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:system_r:keepalived_t:s0 tclass=process
Expected results:
no avc denial
Additional info:
Downgrading keepalived to 1.2.13-9 makes the software work again.
A custom policy based on the AVC helps as well.
See also:
OSP11 -undercloud on RHEL 7.4: avc: denied { setpgid } for pid=26143
https://bugzilla.redhat.com/show_bug.cgi?id=1469823
keepalived: Rebase to latest stable release
https://bugzilla.redhat.com/show_bug.cgi?id=1419049
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2018:0763
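The "custom policy based on the avc" workaround mentioned in the report can be derived mechanically from the denial record. The following is an added example, not code from the bug report or from Red Hat: it parses the AVC line quoted above and renders the matching allow rule as a local policy module. The module name `local_keepalived` and the function names are assumptions made for illustration.

```python
import re

# Denial record quoted in the report above.
AVC_LINE = (
    'type=AVC msg=audit(1504016429.630:5751): avc: denied { setpgid } '
    'for pid=10662 comm="keepalived" '
    'scontext=system_u:system_r:keepalived_t:s0 '
    'tcontext=system_u:system_r:keepalived_t:s0 tclass=process'
)
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$')

def parse_avc(line):
    """Extract permissions, source/target types and class from one AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None  # not an AVC denial (e.g. a SYSCALL record)
    perms = m.group(1).split()
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(2)))
    try:
        # A context is user:role:type:level; index 2 is the type even when
        # the level itself contains ':' (for example s0:c1,c2).
        source = fields['scontext'].split(':')[2]
        target = fields['tcontext'].split(':')[2]
        tclass = fields['tclass']
    except (KeyError, IndexError):
        return None
    if not perms:
        return None
    return {'perms': perms, 'source': source, 'target': target, 'tclass': tclass}

def _braced(items):
    return items[0] if len(items) == 1 else '{ ' + ' '.join(items) + ' }'

def allow_rule(d):
    """Build the allow rule; identical source and target types become 'self'."""
    target = 'self' if d['source'] == d['target'] else d['target']
    return 'allow %s %s:%s %s;' % (d['source'], target, d['tclass'], _braced(d['perms']))

def te_module(name, d):
    """Render a minimal type enforcement (.te) module for one denial."""
    lines = ['module %s 1.0;' % name, '', 'require {']
    lines += ['\ttype %s;' % t for t in sorted({d['source'], d['target']})]
    lines += ['\tclass %s %s;' % (d['tclass'], _braced(d['perms'])), '}', '']
    lines.append(allow_rule(d))
    return '\n'.join(lines) + '\n'

if __name__ == '__main__':
    # "local_keepalived" is a hypothetical module name.
    print(te_module('local_keepalived', parse_avc(AVC_LINE)))
```

Save the output as a `.te` file, build it with `checkmodule` and `semodule_package`, and load it with `semodule -i`. Once the updated policy from the advisory is installed, the local module is redundant and can be removed.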