Bug 2010873

Summary: Additional rules for keepalived PING_CHECK
Product: Red Hat Enterprise Linux 8 Reporter: Juraj Hrdlica <jhrdlica>
Component: selinux-policyAssignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact:
Priority: medium    
Version: 8.4CC: bperkins, lvrabec, mmalik, pkoncity, rohara, ssekidde
Target Milestone: rcKeywords: Triaged
Target Release: 8.6   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.14.3-82.el8 Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
: 2014423 (view as bug list) Environment:
Last Closed: 2022-05-10 15:15:05 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2014423    

Comment 1 Milos Malik 2021-10-05 15:54:55 UTC 
The following SELinux denial appears 3 times in enforcing mode:
----
type=PROCTITLE msg=audit(10/05/2021 11:53:16.260:844) : proctitle=/usr/sbin/keepalived -D 
type=PATH msg=audit(10/05/2021 11:53:16.260:844) : item=0 name=/proc/sys/net/ipv4/ping_group_range inode=48051 dev=00:05 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysctl_net_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(10/05/2021 11:53:16.260:844) : cwd=/etc/keepalived 
type=SYSCALL msg=audit(10/05/2021 11:53:16.260:844) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x55e8f4ee8640 a2=O_RDWR a3=0x0 items=1 ppid=7635 pid=7636 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=keepalived exe=/usr/sbin/keepalived subj=system_u:system_r:keepalived_t:s0 key=(null) 
type=AVC msg=audit(10/05/2021 11:53:16.260:844) : avc:  denied  { write } for  pid=7636 comm=keepalived name=ping_group_range dev="proc" ino=48051 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0 
----
Comment 2 Milos Malik 2021-10-05 15:59:20 UTC 
Following SELinux denials appear in permissive mode:
----
type=PROCTITLE msg=audit(10/05/2021 11:55:10.973:851) : proctitle=/usr/sbin/keepalived -D 
type=PATH msg=audit(10/05/2021 11:55:10.973:851) : item=0 name=/proc/sys/net/ipv4/ping_group_range inode=48051 dev=00:05 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysctl_net_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(10/05/2021 11:55:10.973:851) : cwd=/etc/keepalived 
type=SYSCALL msg=audit(10/05/2021 11:55:10.973:851) : arch=x86_64 syscall=openat success=yes exit=9 a0=0xffffff9c a1=0x560268bbf640 a2=O_RDWR a3=0x0 items=1 ppid=7686 pid=7687 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=keepalived exe=/usr/sbin/keepalived subj=system_u:system_r:keepalived_t:s0 key=(null) 
type=AVC msg=audit(10/05/2021 11:55:10.973:851) : avc:  denied  { write } for  pid=7687 comm=keepalived name=ping_group_range dev="proc" ino=48051 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1 
----
type=PROCTITLE msg=audit(10/05/2021 11:58:21.534:855) : proctitle=/usr/sbin/keepalived -D 
type=SYSCALL msg=audit(10/05/2021 11:58:21.534:855) : arch=x86_64 syscall=socket success=yes exit=8 a0=inet a1=SOCK_DGRAM a2=icmp a3=0x1 items=0 ppid=7768 pid=7769 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=keepalived exe=/usr/sbin/keepalived subj=system_u:system_r:keepalived_t:s0 key=(null) 
type=AVC msg=audit(10/05/2021 11:58:21.534:855) : avc:  denied  { create } for  pid=7769 comm=keepalived scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:system_r:keepalived_t:s0 tclass=icmp_socket permissive=1 
----
type=PROCTITLE msg=audit(10/05/2021 11:58:21.534:856) : proctitle=/usr/sbin/keepalived -D 
type=SYSCALL msg=audit(10/05/2021 11:58:21.534:856) : arch=x86_64 syscall=setsockopt success=yes exit=0 a0=0x8 a1=SOL_SOCKET a2=SO_RCVBUF a3=0x7ffe82f70d0c items=0 ppid=7768 pid=7769 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=keepalived exe=/usr/sbin/keepalived subj=system_u:system_r:keepalived_t:s0 key=(null) 
type=AVC msg=audit(10/05/2021 11:58:21.534:856) : avc:  denied  { setopt } for  pid=7769 comm=keepalived scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:system_r:keepalived_t:s0 tclass=icmp_socket permissive=1 
----
Comment 3 Milos Malik 2021-10-05 16:04:17 UTC 
Because of my keepalived configuration mistake, I didn't see the following SELinux denial in enforcing mode:
----
type=PROCTITLE msg=audit(10/05/2021 11:59:59.130:866) : proctitle=/usr/sbin/keepalived -D 
type=SYSCALL msg=audit(10/05/2021 11:59:59.130:866) : arch=x86_64 syscall=socket success=no exit=EACCES(Permission denied) a0=inet a1=SOCK_DGRAM a2=icmp a3=0x1 items=0 ppid=7823 pid=7824 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=keepalived exe=/usr/sbin/keepalived subj=system_u:system_r:keepalived_t:s0 key=(null) 
type=AVC msg=audit(10/05/2021 11:59:59.130:866) : avc:  denied  { create } for  pid=7824 comm=keepalived scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:system_r:keepalived_t:s0 tclass=icmp_socket permissive=0 
----
Comment 6 Zdenek Pytela 2021-10-18 15:59:57 UTC 
I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy/pull/919
Comment 7 Zdenek Pytela 2021-10-20 16:31:14 UTC 
To backport:
commit 7227b5235753ba63c4f0d2aa023368da4349d6c9
Author: Zdenek Pytela <zpytela>
Date:   Mon Oct 18 17:53:44 2021 +0200

    Support new PING_CHECK health checker in keepalived
Comment 16 errata-xmlrpc 2022-05-10 15:15:05 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:1995