Bug 1180881 - different AVCs while using Keepalived on HA VRRP setup
Summary: different AVCs while using Keepalived on HA VRRP setup
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-selinux
Version: 6.0 (Juno)
Hardware: Unspecified
OS: Unspecified
unspecified
urgent
Target Milestone: ga
: 6.0 (Juno)
Assignee: Ryan Hallisey
QA Contact: Roey Dekel
URL:
Whiteboard:
Depends On: 1180679
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-01-11 12:22 UTC by Ofer Blaut
Modified: 2015-02-09 14:22 UTC (History)
9 users (show)

Fixed In Version: openstack-selinux-0.6.17-1.el7ost
Doc Type: Rebase: Bug Fixes and Enhancements
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-02-09 14:22:21 UTC
Target Upstream Version:
Embargoed:
rhallise: needinfo+

Attachments (Terms of Use)
logs from audit.log (23.84 KB, text/plain)
2015-01-11 12:22 UTC, Ofer Blaut 		no flags Details
more info (22.29 KB, text/plain)
2015-01-11 12:54 UTC, Ofer Blaut 		no flags Details
View All


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2015:0144 0 normal SHIPPED_LIVE Red Hat Enterprise Linux OpenStack Platform 6.0 Enhancement Advisory 2015-02-09 19:20:08 UTC

Description Ofer Blaut 2015-01-11 12:22:46 UTC 
Created attachment 978754 [details]
logs from audit.log

Description of problem:

While working on HA - VRRP, i got different AVCs errors




[root@networker-64ceac62-aeea-4364-bd8c-b7f0d6fcaeac ~]# cat  /var/log/audit/audit.log | audit2allow -r

require {
	type neutron_t;
	type neutron_var_lib_t;
	type keepalived_t;
	class process { signal sigkill };
	class capability dac_override;
	class file { write execute getattr read open ioctl execute_no_trans };
}

#============= keepalived_t ==============
allow keepalived_t neutron_t:process sigkill;
allow keepalived_t neutron_var_lib_t:file { write execute ioctl read open getattr execute_no_trans };
allow keepalived_t self:capability dac_override;

#============= neutron_t ==============
allow neutron_t keepalived_t:process signal;



[root@networker-5d12223d-d960-4803-a46c-d35d3ec18daa ~]# cat  /var/log/audit/audit.log | audit2allow -r

require {
	type kernel_t;
	type neutron_var_lib_t;
	type keepalived_t;
	class capability dac_override;
	class file { execute read create ioctl execute_no_trans write getattr unlink open };
	class system module_request;
	class dir { write remove_name add_name };
}

#============= keepalived_t ==============

#!!!! This avc can be allowed using the boolean 'domain_kernel_load_modules'
allow keepalived_t kernel_t:system module_request;
allow keepalived_t neutron_var_lib_t:dir { write remove_name add_name };
allow keepalived_t neutron_var_lib_t:file { execute read create getattr execute_no_trans write ioctl unlink open };
allow keepalived_t self:capability dac_override;




Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.run setup with VRRP enabled 
2.check  cat  /var/log/audit/audit.log | audit2allow -r
3.check grep -ir keep  /var/log/audit/audit.log

Actual results:


Expected results:


Additional info:
Comment 1 Ofer Blaut 2015-01-11 12:54:40 UTC 
Created attachment 978768 [details]
more info
Comment 2 Miroslav Grepl 2015-01-12 12:33:53 UTC 
The problem is 

/var/lib/neutron/ha_confs/e4bc9b4e-d540-4d91-8e3e-9a8bf66317fe/notify_backup.sh

is created on the fly. Am I correct?
Comment 4 Ofer Blaut 2015-01-13 06:04:35 UTC 
Adding , ACK

There was problem with vrrp, i didn't noticed if it is because of notify_backup.sh

I can only control HA by removing HA ports 

Ofer
Comment 15 Ofer Blaut 2015-01-20 06:19:35 UTC 
tested openstack-selinux-0.6.17-1.el7ost.noarch
Comment 17 errata-xmlrpc 2015-02-09 14:22:21 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2015-0144.html
Note You need to log in before you can comment on or make changes to this bug.