Bug 1891895

Summary: keepalived can't start due to selinux, due node_bind error
Product: [Fedora] Fedora Reporter: Michael S. <misc>
Component: selinux-policyAssignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: 33CC: bperkins, dwalsh, grepl.miroslav, lvrabec, mmalik, ms, plautrba, vmojzis, zpytela
Target Milestone: ---Keywords: Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: selinux-policy-3.14.6-30.fc33 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1895130 (view as bug list) Environment:
Last Closed: 2020-11-11 01:20:23 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1895130    

Description Michael S. 2020-10-27 15:48:03 UTC 
Description of problem:

I just upgraded my firewalls to F33, and keepalived fail to start.




Version-Release number of selected component (if applicable):


How reproducible:

each time

Steps to Reproduce:
1. deploy keepalived with unicast_src_ip
2. start it
3.

Actual results:
fail with a error message:

oct. 27 15:29:24 mune.rht.gluster.org Keepalived_vrrp[624]: bind unicast_src 8.43.85.180 failed 13 - Permission denied
oct. 27 15:29:24 mune.rht.gluster.org Keepalived_vrrp[624]: (VLAN_PUBLIC): entering FAULT state (src address not configured)
oct. 27 15:29:24 mune.rht.gluster.org Keepalived_vrrp[624]: (VLAN_PUBLIC) Entering FAULT STATE
oct. 27 15:29:24 mune.rht.gluster.org Keepalived_vrrp[624]: VRRP_Group(VG1) Syncing instances to FAULT state
oct. 27 15:29:24 mune.rht.gluster.org Keepalived_vrrp[624]: (VLAN_COMMON) Entering FAULT STATE
oct. 27 15:29:24 mune.rht.gluster.org Keepalived_vrrp[624]: bind unicast_src 172.24.1.180 failed 13 - Permission denied
oct. 27 15:29:24 mune.rht.gluster.org Keepalived_vrrp[624]: (VLAN_COMMON) Entering FAULT STATE


Expected results:

do not fail

Additional info:

with setenforce 0, it work fine and do not produce any others errors message so far.

AVC log:

[root@mune ~]# grep -a AVC /var/log/audit/audit.log |grep keepaliv 
type=AVC msg=audit(1603812564.134:132): avc:  denied  { node_bind } for  pid=624 comm="keepalived" saddr=8.43.85.180 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=rawip_socket permissive=0
type=AVC msg=audit(1603812564.134:133): avc:  denied  { node_bind } for  pid=624 comm="keepalived" saddr=172.24.1.180 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=rawip_socket permissive=0
type=AVC msg=audit(1603812880.165:124): avc:  denied  { node_bind } for  pid=615 comm="keepalived" saddr=8.43.85.180 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=rawip_socket permissive=0
type=AVC msg=audit(1603812880.165:125): avc:  denied  { node_bind } for  pid=615 comm="keepalived" saddr=172.24.1.180 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=rawip_socket permissive=0
type=AVC msg=audit(1603812916.619:182): avc:  denied  { node_bind } for  pid=825 comm="keepalived" saddr=8.43.85.180 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=rawip_socket permissive=1


audit2allow: 

[root@mune ~]# grep -a AVC /var/log/audit/audit.log |grep keepaliv |audit2allow -
#============= keepalived_t ==============
allow keepalived_t node_t:rawip_socket node_bind;



I guess I miss a  corenet_raw_bind_generic_node(keepalived_t)   line, i will send a PR later tonight.
Comment 1 Michael S. 2020-10-27 16:40:52 UTC 
Submitted https://github.com/fedora-selinux/selinux-policy-contrib/pull/351 for F33, not sure if you want me to also do a PR for rawhide right now
Comment 2 Zdenek Pytela 2020-10-27 17:16:18 UTC 
commit dfd08a5bd959e70dfb78bcba788a19133ecaabe3 (HEAD -> f33, upstream/f33)
Author: Michael Scherer <misc>
Date:   Tue Oct 27 17:15:25 2020 +0100

    Let keepalived bind a raw socket
    
    See https://bugzilla.redhat.com/show_bug.cgi?id=1891895
Comment 3 Milos Malik 2020-10-27 17:33:28 UTC 
I believe this bug is a duplicate of BZ#1890474.
Comment 4 Zdenek Pytela 2020-10-27 18:56:42 UTC 
Good catch, Milos.
Comment 5 Zdenek Pytela 2020-10-27 18:56:56 UTC 
*** Bug 1890474 has been marked as a duplicate of this bug. ***
Comment 7 Fedora Update System 2020-11-09 15:12:20 UTC 
FEDORA-2020-ce67596732 has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2020-ce67596732
Comment 8 Fedora Update System 2020-11-10 02:19:32 UTC 
FEDORA-2020-ce67596732 has been pushed to the Fedora 33 testing repository.
In short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-ce67596732`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-ce67596732

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 9 Fedora Update System 2020-11-11 01:20:23 UTC 
FEDORA-2020-ce67596732 has been pushed to the Fedora 33 stable repository.
If problem still persists, please make note of it in this bug report.