Bug 2010873

Summary:	Additional rules for keepalived PING_CHECK
Product:	Red Hat Enterprise Linux 8	Reporter:	Juraj Hrdlica <jhrdlica>
Component:	selinux-policy	Assignee:	Zdenek Pytela <zpytela>
Status:	CLOSED ERRATA	QA Contact:	Milos Malik <mmalik>
Severity:	medium	Docs Contact:
Priority:	medium
Version:	8.4	CC:	bperkins, lvrabec, mmalik, pkoncity, rohara, ssekidde
Target Milestone:	rc	Keywords:	Triaged
Target Release:	8.6	Flags:	pm-rhel: mirror+
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:	selinux-policy-3.14.3-82.el8	Doc Type:	No Doc Update
Doc Text:		Story Points:	---
Clone Of:
Clones:	2014423 (view as bug list)		Environment:
Last Closed:	2022-05-10 15:15:05 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks:	2014423

Comment 1 Milos Malik 2021-10-05 15:54:55 UTC

The following SELinux denial appears 3 times in enforcing mode:
----
type=PROCTITLE msg=audit(10/05/2021 11:53:16.260:844) : proctitle=/usr/sbin/keepalived -D 
type=PATH msg=audit(10/05/2021 11:53:16.260:844) : item=0 name=/proc/sys/net/ipv4/ping_group_range inode=48051 dev=00:05 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysctl_net_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(10/05/2021 11:53:16.260:844) : cwd=/etc/keepalived 
type=SYSCALL msg=audit(10/05/2021 11:53:16.260:844) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x55e8f4ee8640 a2=O_RDWR a3=0x0 items=1 ppid=7635 pid=7636 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=keepalived exe=/usr/sbin/keepalived subj=system_u:system_r:keepalived_t:s0 key=(null) 
type=AVC msg=audit(10/05/2021 11:53:16.260:844) : avc:  denied  { write } for  pid=7636 comm=keepalived name=ping_group_range dev="proc" ino=48051 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0 
----

Comment 2 Milos Malik 2021-10-05 15:59:20 UTC

Following SELinux denials appear in permissive mode:
----
type=PROCTITLE msg=audit(10/05/2021 11:55:10.973:851) : proctitle=/usr/sbin/keepalived -D 
type=PATH msg=audit(10/05/2021 11:55:10.973:851) : item=0 name=/proc/sys/net/ipv4/ping_group_range inode=48051 dev=00:05 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysctl_net_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(10/05/2021 11:55:10.973:851) : cwd=/etc/keepalived 
type=SYSCALL msg=audit(10/05/2021 11:55:10.973:851) : arch=x86_64 syscall=openat success=yes exit=9 a0=0xffffff9c a1=0x560268bbf640 a2=O_RDWR a3=0x0 items=1 ppid=7686 pid=7687 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=keepalived exe=/usr/sbin/keepalived subj=system_u:system_r:keepalived_t:s0 key=(null) 
type=AVC msg=audit(10/05/2021 11:55:10.973:851) : avc:  denied  { write } for  pid=7687 comm=keepalived name=ping_group_range dev="proc" ino=48051 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1 
----
type=PROCTITLE msg=audit(10/05/2021 11:58:21.534:855) : proctitle=/usr/sbin/keepalived -D 
type=SYSCALL msg=audit(10/05/2021 11:58:21.534:855) : arch=x86_64 syscall=socket success=yes exit=8 a0=inet a1=SOCK_DGRAM a2=icmp a3=0x1 items=0 ppid=7768 pid=7769 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=keepalived exe=/usr/sbin/keepalived subj=system_u:system_r:keepalived_t:s0 key=(null) 
type=AVC msg=audit(10/05/2021 11:58:21.534:855) : avc:  denied  { create } for  pid=7769 comm=keepalived scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:system_r:keepalived_t:s0 tclass=icmp_socket permissive=1 
----
type=PROCTITLE msg=audit(10/05/2021 11:58:21.534:856) : proctitle=/usr/sbin/keepalived -D 
type=SYSCALL msg=audit(10/05/2021 11:58:21.534:856) : arch=x86_64 syscall=setsockopt success=yes exit=0 a0=0x8 a1=SOL_SOCKET a2=SO_RCVBUF a3=0x7ffe82f70d0c items=0 ppid=7768 pid=7769 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=keepalived exe=/usr/sbin/keepalived subj=system_u:system_r:keepalived_t:s0 key=(null) 
type=AVC msg=audit(10/05/2021 11:58:21.534:856) : avc:  denied  { setopt } for  pid=7769 comm=keepalived scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:system_r:keepalived_t:s0 tclass=icmp_socket permissive=1 
----

Comment 3 Milos Malik 2021-10-05 16:04:17 UTC

Because of my keepalived configuration mistake, I didn't see the following SELinux denial in enforcing mode:
----
type=PROCTITLE msg=audit(10/05/2021 11:59:59.130:866) : proctitle=/usr/sbin/keepalived -D 
type=SYSCALL msg=audit(10/05/2021 11:59:59.130:866) : arch=x86_64 syscall=socket success=no exit=EACCES(Permission denied) a0=inet a1=SOCK_DGRAM a2=icmp a3=0x1 items=0 ppid=7823 pid=7824 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=keepalived exe=/usr/sbin/keepalived subj=system_u:system_r:keepalived_t:s0 key=(null) 
type=AVC msg=audit(10/05/2021 11:59:59.130:866) : avc:  denied  { create } for  pid=7824 comm=keepalived scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:system_r:keepalived_t:s0 tclass=icmp_socket permissive=0 
----

Comment 6 Zdenek Pytela 2021-10-18 15:59:57 UTC

I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy/pull/919

Comment 7 Zdenek Pytela 2021-10-20 16:31:14 UTC

To backport:
commit 7227b5235753ba63c4f0d2aa023368da4349d6c9
Author: Zdenek Pytela <zpytela>
Date:   Mon Oct 18 17:53:44 2021 +0200

    Support new PING_CHECK health checker in keepalived

Comment 16 errata-xmlrpc 2022-05-10 15:15:05 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:1995