Created attachment 978754 [details]
logs from audit.log

Description of problem:
While working on HA - VRRP, I got different AVC errors.

[root@networker-64ceac62-aeea-4364-bd8c-b7f0d6fcaeac ~]# cat /var/log/audit/audit.log | audit2allow -r

require {
	type neutron_t;
	type neutron_var_lib_t;
	type keepalived_t;
	class process { signal sigkill };
	class capability dac_override;
	class file { write execute getattr read open ioctl execute_no_trans };
}

#============= keepalived_t ==============
allow keepalived_t neutron_t:process sigkill;
allow keepalived_t neutron_var_lib_t:file { write execute ioctl read open getattr execute_no_trans };
allow keepalived_t self:capability dac_override;

#============= neutron_t ==============
allow neutron_t keepalived_t:process signal;

[root@networker-5d12223d-d960-4803-a46c-d35d3ec18daa ~]# cat /var/log/audit/audit.log | audit2allow -r

require {
	type kernel_t;
	type neutron_var_lib_t;
	type keepalived_t;
	class capability dac_override;
	class file { execute read create ioctl execute_no_trans write getattr unlink open };
	class system module_request;
	class dir { write remove_name add_name };
}

#============= keepalived_t ==============
#!!!! This avc can be allowed using the boolean 'domain_kernel_load_modules'
allow keepalived_t kernel_t:system module_request;
allow keepalived_t neutron_var_lib_t:dir { write remove_name add_name };
allow keepalived_t neutron_var_lib_t:file { execute read create getattr execute_no_trans write ioctl unlink open };
allow keepalived_t self:capability dac_override;

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Run setup with VRRP enabled
2. Check cat /var/log/audit/audit.log | audit2allow -r
3. Check grep -ir keep /var/log/audit/audit.log

Actual results:

Expected results:

Additional info:
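The report above relies on audit2allow to turn raw AVC records into allow rules. As an added example (not part of the bug report, and not the openstack-selinux policy that fixed it), the script below does the same aggregation over a few constructed audit.log lines modelled on the denials shown above, and separately lists the permissions a reviewer should not simply allow because audit2allow printed them: dac_override and module_request in particular, where the right answer is usually a labeling or policy fix rather than a blanket allow. The sample records, PIDs and paths are made up; the RISKY set is this example's own heuristic.

```python
"""Summarise SELinux AVC denials from audit.log the way `audit2allow -r` does,
and flag rules that deserve review instead of a blanket allow.
Constructed example; the log lines below are made up to resemble the
keepalived_t -> neutron_var_lib_t denials in the bug report."""
import re
from collections import defaultdict

# Constructed sample audit.log records (hypothetical timestamps, PIDs, paths).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1424000000.101:201): avc:  denied  { write } for  pid=4321 comm="keepalived" name="notify_backup.sh" dev="dm-0" ino=1234 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:neutron_var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1424000000.102:202): avc:  denied  { execute_no_trans } for  pid=4321 comm="keepalived" path="/var/lib/neutron/ha_confs/e4bc9b4e/notify_backup.sh" scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:neutron_var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1424000000.103:203): avc:  denied  { dac_override } for  pid=4321 comm="keepalived" capability=1 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:system_r:keepalived_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1424000000.104:204): avc:  denied  { module_request } for  pid=4321 comm="keepalived" kmod="net-pf-10" scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
type=AVC msg=audit(1424000000.105:205): avc:  denied  { sigkill } for  pid=4321 comm="keepalived" scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:system_r:neutron_t:s0 tclass=process permissive=0
type=SYSCALL msg=audit(1424000000.101:201): arch=c000003e syscall=2 success=no exit=-13 comm="keepalived"
"""

# Matches the fields of a denied AVC record that audit2allow needs.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# (tclass, permission) pairs that widen a domain far beyond the file it
# tripped over; this example's own review heuristic, not an SELinux rule.
RISKY = {("capability", "dac_override"), ("system", "module_request")}


def parse_avcs(log_text):
    """Return {(source_type, target_type, tclass): set(perms)} for denied AVCs."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, CWD, PATH records etc. carry no denial
        src = m.group("scontext").split(":")[2]  # user:role:type:level -> type
        tgt = m.group("tcontext").split(":")[2]
        rules[(src, tgt, m.group("tclass"))].update(m.group("perms").split())
    return dict(rules)


def to_allow_rules(rules):
    """Render rules audit2allow-style; 'self' when source and target type match."""
    out = []
    for (src, tgt, tclass), perms in sorted(rules.items()):
        tgt_name = "self" if src == tgt else tgt
        perm_txt = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_txt = "{ " + perm_txt + " }"
        out.append(f"allow {src} {tgt_name}:{tclass} {perm_txt};")
    return out


def risky_rules(rules):
    """(src, tgt, tclass, perm) tuples that should get a policy/labeling fix, not an allow."""
    found = []
    for (src, tgt, tclass), perms in rules.items():
        for perm in sorted(perms):
            if (tclass, perm) in RISKY:
                found.append((src, tgt, tclass, perm))
    return sorted(found)


if __name__ == "__main__":
    parsed = parse_avcs(SAMPLE_AUDIT_LOG)
    for rule in to_allow_rules(parsed):
        print(rule)
    for entry in risky_rules(parsed):
        print("REVIEW:", entry)
```

Run it against a real file with `parse_avcs(open("/var/log/audit/audit.log").read())`; the aggregation per (source type, target type, class) is what produces the merged `{ write execute ... }` permission sets seen in the report, and the review list is the part audit2allow only hints at with its "This avc can be allowed using the boolean" comment.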
Created attachment 978768 [details] more info
The problem is /var/lib/neutron/ha_confs/e4bc9b4e-d540-4d91-8e3e-9a8bf66317fe/notify_backup.sh is created on the fly. Am I correct?
Adding, ACK. There was a problem with VRRP; I didn't notice whether it is because of notify_backup.sh. I can only control HA by removing HA ports.
Ofer
Tested with openstack-selinux-0.6.17-1.el7ost.noarch.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHEA-2015-0144.html