Bug 2186759

Summary: misconfigured selinux policy for keepalived triggers AVC denials when using track_file
Product: Red Hat Enterprise Linux 9
Component: selinux-policy
Version: 9.2
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Reporter: Juraj Hrdlica <jhrdlica>
Assignee: Nobody <nobody>
QA Contact: Milos Malik <mmalik>
CC: bperkins, lvrabec, mmalik, zpytela
Target Milestone: rc
Keywords: Triaged
Flags: pm-rhel: mirror+
Hardware: Unspecified
OS: Linux
Fixed In Version: selinux-policy-38.1.22-1.el9
Doc Type: No Doc Update
Type: Bug
Last Closed: 2023-11-07 08:52:21 UTC

Description Juraj Hrdlica 2023-04-14 11:07:36 UTC
Description of problem:
misconfigured selinux policy for keepalived triggers AVC denials when using track_file inside keepalived.conf
The file itself is being created by keepalived.

Version-Release number of selected component (if applicable):
keepalived-2.2.4-6.el9.x86_64
selinux-policy-38.1.11-2.el9_2.noarch


How reproducible:
always


Steps to Reproduce:
1. Use track_file inside keepalived.conf:

$ cat /etc/keepalived/keepalived.conf 
track_file test_file {
    file /etc/keepalived/keepalived_tracked_file
    init_file 0 overwrite
}

vrrp_instance VRRP1 {
    @main state MASTER
    @main priority 128
    @backup state BACKUP
    @backup priority 127

    virtual_router_id 162
    interface ens3
    virtual_ipaddress { 10.37.167.246 }
    advert_int 1
    track_file { test_file weight -2 }

}

2. Start keepalived


Actual results:

$ ausearch -m AVC,USER_AVC -ts recent
----
time->Fri Apr 14 11:40:23 2023
type=PROCTITLE msg=audit(1681465223.065:3035): proctitle=2F7573722F7362696E2F6B656570616C69766564002D2D646F6E742D666F726B002D44002D2D636F6E6669672D6964006D61696E
type=PATH msg=audit(1681465223.065:3035): item=3 name=(null) inode=4963022 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1681465223.065:3035): item=2 name=(null) inode=4963040 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1681465223.065:3035): item=1 name=(null) nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1681465223.065:3035): item=0 name=(null) inode=4963040 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1681465223.065:3035): cwd="/etc/keepalived"
type=SYSCALL msg=audit(1681465223.065:3035): arch=c000003e syscall=257 success=yes exit=13 a0=ffffff9c a1=7ffc50b82030 a2=800c2 a3=180 items=4 ppid=127934 pid=127935 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="keepalived" exe="/usr/sbin/keepalived" subj=system_u:system_r:keepalived_t:s0 key=(null)
type=AVC msg=audit(1681465223.065:3035): avc:  denied  { write } for  pid=127935 comm="keepalived" path="/etc/keepalived/keepalived_tracked_fileNDykHQ" dev="dm-0" ino=4963022 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1681465223.065:3035): avc:  denied  { create } for  pid=127935 comm="keepalived" name="keepalived_tracked_fileNDykHQ" scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1681465223.065:3035): avc:  denied  { add_name } for  pid=127935 comm="keepalived" name="keepalived_tracked_fileNDykHQ" scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1681465223.065:3035): avc:  denied  { write } for  pid=127935 comm="keepalived" name="keepalived" dev="dm-0" ino=4963040 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
----
time->Fri Apr 14 11:40:23 2023
type=PROCTITLE msg=audit(1681465223.066:3036): proctitle=2F7573722F7362696E2F6B656570616C69766564002D2D646F6E742D666F726B002D44002D2D636F6E6669672D6964006D61696E
type=SYSCALL msg=audit(1681465223.066:3036): arch=c000003e syscall=91 success=yes exit=0 a0=d a1=180 a2=0 a3=180 items=0 ppid=127934 pid=127935 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="keepalived" exe="/usr/sbin/keepalived" subj=system_u:system_r:keepalived_t:s0 key=(null)
type=AVC msg=audit(1681465223.066:3036): avc:  denied  { setattr } for  pid=127935 comm="keepalived" name="keepalived_tracked_fileNDykHQ" dev="dm-0" ino=4963022 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
----
time->Fri Apr 14 11:40:23 2023
type=PROCTITLE msg=audit(1681465223.066:3037): proctitle=2F7573722F7362696E2F6B656570616C69766564002D2D646F6E742D666F726B002D44002D2D636F6E6669672D6964006D61696E
type=PATH msg=audit(1681465223.066:3037): item=1 name=(null) inode=4963022 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1681465223.066:3037): item=0 name=(null) inode=4963040 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1681465223.066:3037): cwd="/etc/keepalived"
type=SYSCALL msg=audit(1681465223.066:3037): arch=c000003e syscall=82 success=yes exit=0 a0=7ffc50b82030 a1=5591fbb1b270 a2=0 a3=180 items=2 ppid=127934 pid=127935 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="keepalived" exe="/usr/sbin/keepalived" subj=system_u:system_r:keepalived_t:s0 key=(null)
type=AVC msg=audit(1681465223.066:3037): avc:  denied  { unlink } for  pid=127935 comm="keepalived" name="keepalived_tracked_file" dev="dm-0" ino=4963020 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1681465223.066:3037): avc:  denied  { rename } for  pid=127935 comm="keepalived" name="keepalived_tracked_fileNDykHQ" dev="dm-0" ino=4963022 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1681465223.066:3037): avc:  denied  { remove_name } for  pid=127935 comm="keepalived" name="keepalived_tracked_fileNDykHQ" dev="dm-0" ino=4963022 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
----
time->Fri Apr 14 11:40:23 2023
type=PROCTITLE msg=audit(1681465223.069:3039): proctitle=2F7573722F7362696E2F6B656570616C69766564002D2D646F6E742D666F726B002D44002D2D636F6E6669672D6964006D61696E
type=SYSCALL msg=audit(1681465223.069:3039): arch=c000003e syscall=254 success=yes exit=1 a0=c a1=5591fbb28dc0 a2=2c8 a3=63 items=0 ppid=127934 pid=127935 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="keepalived" exe="/usr/sbin/keepalived" subj=system_u:system_r:keepalived_t:s0 key=(null)
type=AVC msg=audit(1681465223.069:3039): avc:  denied  { watch } for  pid=127935 comm="keepalived" path="/etc/keepalived" dev="dm-0" ino=4963040 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1


Expected results:
No denials

Comment 1 Milos Malik 2023-04-14 12:14:14 UTC
Is there a default location for the tracked file?

For example: the /var/lib/keepalived/keepalived_tracked_file location (when used in the keepalived configuration file) does not trigger any SELinux denials.

Comment 2 Juraj Hrdlica 2023-04-14 13:20:02 UTC
Keepalived doesn't create directories if they don't exist, and as /var/lib/keepalived does not exist by default after the installation, I would guess it didn't even attempt to create the file; therefore there are no denials to be observed.
journalctl shows `Keepalived_vrrp[138272]: Unable to open '/var/lib/keepalived/keepalived_tracked_file' - errno 2 (No such file or directory)`, at least in my case.

As for your question I do not believe there is a default location for the tracked file, `/etc/keepalived/` is the place that contains the conf file by default so it made sense for me to use that.

Comment 4 Milos Malik 2023-04-25 16:44:10 UTC
SELinux policy defines the following keepalived related types:

# seinfo -t | grep keepalived
   keepalived_exec_t
   keepalived_t
   keepalived_tmp_t
   keepalived_tmpfs_t
   keepalived_unconfined_script_exec_t
   keepalived_unconfined_script_t
   keepalived_unit_file_t
   keepalived_var_run_t
#

Least resistance approach: we can choose from already defined SELinux types and locations.

# semanage fcontext -l | grep keepalived_var_run_t
/var/run/keepalived.*                              all files          system_u:object_r:keepalived_var_run_t:s0 
#

Let's modify the keepalived configuration file accordingly:

# grep track /etc/keepalived/keepalived.conf 
track_file test_file {
    file /var/run/keepalived_tracked_file
    track_file { test_file weight -2 }
#

Let's see if that's enough:

# service keepalived status
Redirecting to /bin/systemctl status keepalived.service
○ keepalived.service - LVS and VRRP High Availability Monitor
     Loaded: loaded (/usr/lib/systemd/system/keepalived.service; disabled; preset: disabled)
     Active: inactive (dead)
# service keepalived start
Redirecting to /bin/systemctl start keepalived.service
# ls -Zl /var/run/keepalived*
-rw-r--r--. 1 root root system_u:object_r:keepalived_var_run_t:s0 5 Apr 25 12:32 /var/run/keepalived.pid
-rw-------. 1 root root system_u:object_r:keepalived_var_run_t:s0 2 Apr 25 12:32 /var/run/keepalived_tracked_file
#

The keepalived service starts and runs successfully in enforcing mode, but the following SELinux denial appears:

----
type=PROCTITLE msg=audit(04/25/2023 12:32:20.139:313) : proctitle=/usr/sbin/keepalived --dont-fork -D 
type=SYSCALL msg=audit(04/25/2023 12:32:20.139:313) : arch=x86_64 syscall=inotify_add_watch success=no exit=EACCES(Permission denied) a0=0xc a1=0x556008bf5660 a2=0x2c8 a3=0x20bf0 items=0 ppid=4751 pid=4753 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=keepalived exe=/usr/sbin/keepalived subj=system_u:system_r:keepalived_t:s0 key=(null) 
type=AVC msg=audit(04/25/2023 12:32:20.139:313) : avc:  denied  { watch } for  pid=4753 comm=keepalived path=/run dev="tmpfs" ino=1 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=0 
----

SELinux QE conclusion:
Either we use an existing type+location or we define a new type+location. Both options require an allow rule with watch permission to be added into SELinux policy. For example:

# cat testpolicy.cil 
; grant keepalived_t the watch permission on var_run_t directories (the permission the AVC above was denied)
( allow keepalived_t var_run_t ( dir ( watch )))

# semodule -i testpolicy.cil 
# semodule -lfull | grep testpolicy
400 testpolicy                     cil
#

Comment 5 Nikola Knazekova 2023-08-08 16:08:11 UTC
I created a PR to allow keepalived to watch /var/run dirs: https://github.com/fedora-selinux/selinux-policy/pull/1824

Please use the /var/run location for keepalived_tracked_file as described in #c4

Comment 7 Milos Malik 2023-08-10 13:12:36 UTC
When the track_file is located in /var/run directory, the following SELinux denials appear in enforcing mode:
----
type=PROCTITLE msg=audit(08/10/2023 09:04:46.997:352) : proctitle=/usr/sbin/keepalived --dont-fork -D 
type=PATH msg=audit(08/10/2023 09:04:46.997:352) : item=0 name=/run/ inode=1 dev=00:18 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(08/10/2023 09:04:46.997:352) : cwd=/ 
type=SYSCALL msg=audit(08/10/2023 09:04:46.997:352) : arch=x86_64 syscall=inotify_add_watch success=no exit=EACCES(Permission denied) a0=0xb a1=0x555c2a39eba0 a2=0x2c8 a3=0x20950 items=1 ppid=4781 pid=4783 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=keepalived exe=/usr/sbin/keepalived subj=system_u:system_r:keepalived_t:s0 key=(null) 
type=AVC msg=audit(08/10/2023 09:04:46.997:352) : avc:  denied  { watch } for  pid=4783 comm=keepalived path=/run dev="tmpfs" ino=1 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=0 
----
type=PROCTITLE msg=audit(08/10/2023 09:04:46.997:353) : proctitle=/usr/sbin/keepalived --dont-fork -D 
type=PATH msg=audit(08/10/2023 09:04:46.997:353) : item=0 name=/run inode=1 dev=00:18 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(08/10/2023 09:04:46.997:353) : cwd=/etc/keepalived 
type=SYSCALL msg=audit(08/10/2023 09:04:46.997:353) : arch=x86_64 syscall=statfs success=no exit=EACCES(Permission denied) a0=0x555c2a3a4170 a1=0x7fffd7f84a20 a2=0x55597ff8e234 a3=0x0 items=1 ppid=4781 pid=4782 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=keepalived exe=/usr/sbin/keepalived subj=system_u:system_r:keepalived_t:s0 key=(null) 
type=AVC msg=audit(08/10/2023 09:04:46.997:353) : avc:  denied  { getattr } for  pid=4782 comm=keepalived name=/ dev="tmpfs" ino=1 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0 
----

# rpm -qa selinux\* keepalived\* | sort
keepalived-2.2.8-3.el9.x86_64
selinux-policy-38.1.18-1.el9.noarch
selinux-policy-targeted-38.1.18-1.el9.noarch
# mount | grep run
tmpfs on /run type tmpfs (rw,nosuid,nodev,seclabel,size=360844k,nr_inodes=819200,mode=755,inode64)
none on /run/credentials/systemd-sysctl.service type ramfs (ro,nosuid,nodev,noexec,relatime,seclabel,mode=700)
none on /run/credentials/systemd-tmpfiles-setup-dev.service type ramfs (ro,nosuid,nodev,noexec,relatime,seclabel,mode=700)
none on /run/credentials/systemd-tmpfiles-setup.service type ramfs (ro,nosuid,nodev,noexec,relatime,seclabel,mode=700)
tmpfs on /run/user/0 type tmpfs (rw,nosuid,nodev,relatime,seclabel,size=180420k,nr_inodes=45105,mode=700,inode64)
#

My apologies, I didn't notice the second AVC sooner.

Comment 8 Milos Malik 2023-08-10 13:14:46 UTC
The same SELinux denials appear in permissive mode:
----
type=PROCTITLE msg=audit(08/10/2023 09:13:46.699:360) : proctitle=/usr/sbin/keepalived --dont-fork -D 
type=PATH msg=audit(08/10/2023 09:13:46.699:360) : item=0 name=/run inode=1 dev=00:18 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(08/10/2023 09:13:46.699:360) : cwd=/etc/keepalived 
type=SYSCALL msg=audit(08/10/2023 09:13:46.699:360) : arch=x86_64 syscall=statfs success=yes exit=0 a0=0x55fe85983de0 a1=0x7ffc36d0e660 a2=0x55fbda706783 a3=0x0 items=1 ppid=4826 pid=4828 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=keepalived exe=/usr/sbin/keepalived subj=system_u:system_r:keepalived_t:s0 key=(null) 
type=AVC msg=audit(08/10/2023 09:13:46.699:360) : avc:  denied  { getattr } for  pid=4828 comm=keepalived name=/ dev="tmpfs" ino=1 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=1 
----
type=PROCTITLE msg=audit(08/10/2023 09:13:46.700:361) : proctitle=/usr/sbin/keepalived --dont-fork -D 
type=PATH msg=audit(08/10/2023 09:13:46.700:361) : item=0 name=/run/ inode=1 dev=00:18 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(08/10/2023 09:13:46.700:361) : cwd=/ 
type=SYSCALL msg=audit(08/10/2023 09:13:46.700:361) : arch=x86_64 syscall=inotify_add_watch success=yes exit=1 a0=0xb a1=0x55fe85978ba0 a2=0x2c8 a3=0x20950 items=1 ppid=4826 pid=4828 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=keepalived exe=/usr/sbin/keepalived subj=system_u:system_r:keepalived_t:s0 key=(null) 
type=AVC msg=audit(08/10/2023 09:13:46.700:361) : avc:  denied  { watch } for  pid=4828 comm=keepalived path=/run dev="tmpfs" ino=1 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1 
----
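As an added example (not code from this bug report or from the selinux-policy project), the following audit2allow-style Python script parses AVC records in the shape shown in the Description and in comments 4, 7 and 8, aggregates the denied permissions by source type, target type and object class, and prints the corresponding CIL allow rules in the form used in comment 4. It also flags rules that would grant write-like access on a generic base type such as etc_t, which is why the thread moves the tracked file under /var/run and adds only the watch permission instead of opening etc_t to keepalived_t. The sample records are constructed from the audit lines on this page; the function names, the GENERIC_TYPES and WRITE_LIKE sets are the example's own assumptions.

```python
"""Derive candidate CIL allow rules from SELinux AVC denial records.

Added example for this bug thread; not part of keepalived, selinux-policy
or audit2allow.  Requires only the Python standard library.
"""
import re
from collections import defaultdict

# Constructed sample: AVC lines in the shape of the ausearch output in this
# report (two time-stamp styles, quoted and unquoted comm=, permissive=0/1).
# The SYSCALL line is there to show that non-AVC records are skipped.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1681465223.065:3035): avc:  denied  { write } for  pid=127935 comm="keepalived" path="/etc/keepalived/keepalived_tracked_fileNDykHQ" dev="dm-0" ino=4963022 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1681465223.065:3035): avc:  denied  { create } for  pid=127935 comm="keepalived" name="keepalived_tracked_fileNDykHQ" scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1681465223.065:3035): avc:  denied  { add_name } for  pid=127935 comm="keepalived" name="keepalived_tracked_fileNDykHQ" scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1681465223.065:3035): avc:  denied  { write } for  pid=127935 comm="keepalived" name="keepalived" dev="dm-0" ino=4963040 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
type=AVC msg=audit(08/10/2023 09:04:46.997:352) : avc:  denied  { watch } for  pid=4783 comm=keepalived path=/run dev="tmpfs" ino=1 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=0
type=AVC msg=audit(08/10/2023 09:04:46.997:353) : avc:  denied  { getattr } for  pid=4782 comm=keepalived name=/ dev="tmpfs" ino=1 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0
type=SYSCALL msg=audit(08/10/2023 09:04:46.997:353) : arch=x86_64 syscall=statfs success=no exit=EACCES(Permission denied)
"""

# One AVC record: the braces may hold several space-separated permissions.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)"
    r".*?tcontext=(?P<tcontext>\S+)"
    r".*?tclass=(?P<tclass>\S+)"
    r"(?:.*?permissive=(?P<permissive>[01]))?"
)

# Assumed lists for the "too broad" check: base types shared by many
# domains, and permissions that let a domain modify the object.
GENERIC_TYPES = {"etc_t", "var_run_t", "tmpfs_t", "var_lib_t", "var_t"}
WRITE_LIKE = {"write", "append", "create", "add_name", "remove_name",
              "rename", "unlink", "setattr"}


def context_type(ctx):
    """user:role:type[:range] -> type; unknown shapes are returned as-is."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_avcs(text):
    """Return one dict per AVC denial record found in the audit text."""
    denials = []
    for line in text.splitlines():
        if "type=AVC" not in line:
            continue
        m = AVC_RE.search(line)
        if not m:
            continue
        denials.append({
            "perms": set(m.group("perms").split()),
            "source": context_type(m.group("scontext")),
            "target": context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
            # permissive=0 means the access was actually blocked
            "enforced": m.group("permissive") == "0",
        })
    return denials


def aggregate(denials):
    """Merge permissions per (source type, target type, object class)."""
    rules = defaultdict(set)
    for d in denials:
        rules[(d["source"], d["target"], d["tclass"])] |= d["perms"]
    return dict(rules)


def to_cil(rules):
    """Render aggregated rules as CIL allow statements, one per line."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        out.append(f"(allow {src} {tgt} ({cls} ({' '.join(sorted(perms))})))")
    return "\n".join(out)


def broad_rules(rules):
    """Rule keys that would grant write-like access on a generic base type."""
    return sorted(k for k, perms in rules.items()
                  if k[1] in GENERIC_TYPES and perms & WRITE_LIKE)


if __name__ == "__main__":
    agg = aggregate(parse_avcs(SAMPLE_AUDIT))
    print(to_cil(agg))
    for key in broad_rules(agg):
        print(f"; too broad, relabel the object instead: {key}")
```

Run against the sample, the script yields four allow rules; the two that target etc_t are reported as too broad, while `(allow keepalived_t var_run_t (dir (watch)))` is exactly the narrow rule the thread settles on. Feed it real records with `ausearch -m AVC,USER_AVC -ts recent | python3 avc2cil.py` after replacing SAMPLE_AUDIT with `sys.stdin.read()`.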

Comment 21 errata-xmlrpc 2023-11-07 08:52:21 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:6617