Bug 1890474

Summary: SELinux prevents keepalived from binding a rawip_socket
Product: [Fedora] Fedora Reporter: Morten Stevens <ms>
Component: selinux-policyAssignee: Zdenek Pytela <zpytela>
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: rawhideCC: bperkins, dwalsh, grepl.miroslav, lvrabec, mmalik, plautrba, vmojzis, zpytela
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-10-27 18:56:56 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Morten Stevens 2020-10-22 10:41:51 UTC 
Description of problem:

type=AVC msg=audit(1603362524.779:609): avc:  denied  { node_bind } for  pid=1396 comm="keepalived" saddr=224.0.0.18 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=rawip_socket permissive=1


Version-Release number of selected component (if applicable):

selinux-policy-3.14.7-5.fc34.noarch
keepalived-2.1.5-3.fc34.x86_64
Comment 1 Milos Malik 2020-10-22 12:14:37 UTC 
Following SELinux denial appeared in enforcing mode:
----
type=PROCTITLE msg=audit(10/22/2020 08:13:00.964:586) : proctitle=/usr/sbin/keepalived -D 
type=SOCKADDR msg=audit(10/22/2020 08:13:00.964:586) : saddr={ saddr_fam=inet laddr=224.0.0.18 lport=0 } 
type=SYSCALL msg=audit(10/22/2020 08:13:00.964:586) : arch=x86_64 syscall=bind success=no exit=EACCES(Permission denied) a0=0xb a1=0x55bffc5bea08 a2=0x10 a3=0x7ffd12641a90 items=0 ppid=31379 pid=31381 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=keepalived exe=/usr/sbin/keepalived subj=system_u:system_r:keepalived_t:s0 key=(null) 
type=AVC msg=audit(10/22/2020 08:13:00.964:586) : avc:  denied  { node_bind } for  pid=31381 comm=keepalived saddr=224.0.0.18 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=rawip_socket permissive=0 
----
Comment 2 Milos Malik 2020-10-22 12:17:42 UTC 
The only SELinux denial which appeared in permissive mode is:
----
type=PROCTITLE msg=audit(10/22/2020 08:16:12.721:590) : proctitle=/usr/sbin/keepalived -D 
type=SOCKADDR msg=audit(10/22/2020 08:16:12.721:590) : saddr={ saddr_fam=inet laddr=224.0.0.18 lport=0 } 
type=SYSCALL msg=audit(10/22/2020 08:16:12.721:590) : arch=x86_64 syscall=bind success=yes exit=0 a0=0xb a1=0x55da184faa08 a2=0x10 a3=0x7ffcb91e9c10 items=0 ppid=31428 pid=31430 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=keepalived exe=/usr/sbin/keepalived subj=system_u:system_r:keepalived_t:s0 key=(null) 
type=AVC msg=audit(10/22/2020 08:16:12.721:590) : avc:  denied  { node_bind } for  pid=31430 comm=keepalived saddr=224.0.0.18 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=rawip_socket permissive=1 
----
Comment 4 Zdenek Pytela 2020-10-27 18:56:56 UTC 

*** This bug has been marked as a duplicate of bug 1891895 ***