Bug 1701750

Summary: keepalived netlink_connector_socket bind create permission
Product: [Fedora] Fedora Reporter: Morten Stevens <ms>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 31CC: bperkins, dwalsh, lvrabec, plautrba, zpytela
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: selinux-policy-3.14.4-23.fc31 selinux-policy-3.14.4-39.fc31 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-10-29 01:27:52 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Morten Stevens 2019-04-21 13:48:30 UTC 
Description of problem:

keepalived requires certain selinux permissions to work properly

Version-Release number of selected component (if applicable):

selinux-policy-3.14.4-12.fc31.noarch
keepalived-2.0.12-1.fc30.x86_64

How reproducible:

Steps to Reproduce:
1. dnf install keepalived
2. configure /etc/keepalived.conf

test configuration

vrrp_instance VI_1 {
    state MASTER
    interface eth0
    virtual_router_id 51
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1234
    }
    virtual_ipaddress {
        10.0.0.15
    }
}

3. systemctl start keepalived

Actual results:

tem_r:keepalived_t:s0 tclass=netlink_connector_socket permissive=1
type=AVC msg=audit(1555843256.692:221): avc:  denied  { create } for  pid=2415 comm="keepalived" scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:s    ystem_r:keepalived_t:s0 tclass=netlink_connector_socket permissive=1
type=AVC msg=audit(1555843256.692:222): avc:  denied  { bind } for  pid=2415 comm="keepalived" scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:sys    tem_r:keepalived_t:s0 tclass=netlink_connector_socket permissive=1


Expected results:

no avc denied error

Additional info:
Comment 1 Lukas Vrabec 2019-04-23 10:54:50 UTC 
commit ec7fe75bc33ab662d1258c78b95a213f43e00d91 (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Tue Apr 23 12:54:27 2019 +0200

    Allow keepalived_t domain to create and use netlink_connector sockets BZ(1701750)
Comment 2 Morten Stevens 2019-04-24 10:12:51 UTC 
(In reply to Lukas Vrabec from comment #1)
> commit ec7fe75bc33ab662d1258c78b95a213f43e00d91 (HEAD -> rawhide)
> Author: Lukas Vrabec <lvrabec>
> Date:   Tue Apr 23 12:54:27 2019 +0200
> 
>     Allow keepalived_t domain to create and use netlink_connector sockets
> BZ(1701750)

Thank you.

Note: Fedora 29 and 30 is also affected. Are you going to backport this to F29 and F30?
Comment 3 Ben Cotton 2019-08-13 16:58:34 UTC 
This bug appears to have been reported against 'rawhide' during the Fedora 31 development cycle.
Changing version to '31'.
Comment 4 Ben Cotton 2019-08-13 19:03:36 UTC 
This bug appears to have been reported against 'rawhide' during the Fedora 31 development cycle.
Changing version to 31.
Comment 5 Fedora Update System 2019-10-22 19:32:40 UTC 
FEDORA-2019-7ef1fde499 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-7ef1fde499
Comment 6 Fedora Update System 2019-10-23 15:44:40 UTC 
selinux-policy-3.14.4-38.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-7ef1fde499
Comment 7 Fedora Update System 2019-10-26 16:59:26 UTC 
FEDORA-2019-7d65c50fd6 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-7d65c50fd6
Comment 8 Fedora Update System 2019-10-27 04:02:52 UTC 
selinux-policy-3.14.4-39.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-7d65c50fd6
Comment 9 Fedora Update System 2019-10-29 01:27:52 UTC 
selinux-policy-3.14.4-39.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.