Bug 1199149 - AVC while using Keepalived on HA VRRP setup
Summary: AVC while using Keepalived on HA VRRP setup
Keywords:
Status: CLOSED DUPLICATE of bug 1195252
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-selinux
Version: 6.0 (Juno)
Hardware: Unspecified
OS: Unspecified
high
urgent
Target Milestone: z2
: 6.0 (Juno)
Assignee: Ryan Hallisey
QA Contact: Ami Jeain
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-03-05 14:28 UTC by Roey Dekel
Modified: 2023-02-22 23:02 UTC (History)
6 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-03-05 14:42:33 UTC
Target Upstream Version:
Embargoed:
Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1169859 0 high CLOSED Neutron l3-agent has SELinux denial when starting or stopping keepalived 2021-02-22 00:41:40 UTC

Description Roey Dekel 2015-03-05 14:28:46 UTC
Description of problem:
While working on HA - VRRP, I got different AVC errors.

Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-153.el7_0.13.noarch
selinux-policy-targeted-3.12.1-153.el7_0.13.noarch
openstack-selinux-0.6.23-1.el7ost.noarch

How reproducible:
100%

Steps to Reproduce:
1. Run setup with VRRP enabled
2. Check: cat /var/log/audit/audit.log | audit2allow -r
3. Check: grep -ir keep /var/log/audit/audit.log

Actual results:
[root@network-1 ~]# cat  /var/log/audit/audit.log | audit2allow -r

require {
	type neutron_t;
	type keepalived_exec_t;
	class file execute;
}

#============= neutron_t ==============
allow neutron_t keepalived_exec_t:file execute;

[root@network-1 ~]# grep -ir keep  /var/log/audit/audit.log
type=AVC msg=audit(1425564138.121:1779): avc:  denied  { execute } for  pid=2437 comm="neutron-rootwra" name="keepalived" dev="vda1" ino=16846923 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:keepalived_exec_t:s0 tclass=file
type=AVC msg=audit(1425564138.122:1780): avc:  denied  { execute } for  pid=2437 comm="neutron-rootwra" name="keepalived" dev="vda1" ino=16846923 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:keepalived_exec_t:s0 tclass=file
type=AVC msg=audit(1425564195.138:2095): avc:  denied  { execute } for  pid=2672 comm="neutron-rootwra" name="keepalived" dev="vda1" ino=16846923 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:keepalived_exec_t:s0 tclass=file
type=AVC msg=audit(1425564195.139:2096): avc:  denied  { execute } for  pid=2672 comm="neutron-rootwra" name="keepalived" dev="vda1" ino=16846923 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:keepalived_exec_t:s0 tclass=file
type=AVC msg=audit(1425564217.471:2373): avc:  denied  { execute } for  pid=2882 comm="neutron-rootwra" name="keepalived" dev="vda1" ino=16846923 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:keepalived_exec_t:s0 tclass=file
type=AVC msg=audit(1425564217.471:2374): avc:  denied  { execute } for  pid=2882 comm="neutron-rootwra" name="keepalived" dev="vda1" ino=16846923 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:keepalived_exec_t:s0 tclass=file
type=AVC msg=audit(1425564469.256:3169): avc:  denied  { execute } for  pid=3393 comm="neutron-rootwra" name="keepalived" dev="vda1" ino=16846923 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:keepalived_exec_t:s0 tclass=file
type=AVC msg=audit(1425564469.257:3170): avc:  denied  { execute } for  pid=3393 comm="neutron-rootwra" name="keepalived" dev="vda1" ino=16846923 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:keepalived_exec_t:s0 tclass=file


Expected results:
No AVC.
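Added example, not part of the bug report or of openstack-selinux: a small Python triage script that parses AVC records like the ones above, groups denials by source type, target type and object class, and renders the allow rule audit2allow would print for each group together with the process name (comm) that triggered it, so the rule can be reviewed before any policy is loaded. The two AVC lines in the sample are copied from the report; the SYSCALL line is constructed filler.

```python
import re
from collections import defaultdict

# Two AVC records copied from the report above; the SYSCALL record is a
# constructed filler line showing that non-AVC records are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1425564138.121:1779): avc:  denied  { execute } for  pid=2437 comm="neutron-rootwra" name="keepalived" dev="vda1" ino=16846923 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:keepalived_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1425564138.121:1779): arch=c000003e syscall=59 success=no exit=-13
type=AVC msg=audit(1425564195.138:2095): avc:  denied  { execute } for  pid=2672 comm="neutron-rootwra" name="keepalived" dev="vda1" ino=16846923 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:keepalived_exec_t:s0 tclass=file
"""
AVC_RE = re.compile(
    r'^type=AVC\b.*?avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}'
    r'.*?\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def context_type(ctx):
    """Return the type field of a user:role:type[:level] SELinux context."""
    return ctx.split(':')[2]

def parse_avc(line):
    """Parse one audit record; return a dict for AVC records, None for others."""
    m = AVC_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['perms'] = rec['perms'].split()
    comm = re.search(r'\bcomm="([^"]*)"', line)  # process that hit the denial
    rec['comm'] = comm.group(1) if comm else None
    return rec

def summarize_denials(log_text):
    """Group denials by (source type, target type, class): perms, count, comms."""
    groups = defaultdict(lambda: {'perms': set(), 'count': 0, 'comms': set()})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec['verdict'] != 'denied':
            continue
        key = (context_type(rec['scontext']), context_type(rec['tcontext']), rec['tclass'])
        g = groups[key]
        g['perms'].update(rec['perms'])
        g['count'] += 1
        g['comms'].add(rec['comm'])
    return dict(groups)

def allow_rules(summary):
    """Render each group as the allow rule audit2allow would print for it."""
    def fmt(perms):
        return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return [f"allow {s} {t}:{c} {fmt(sorted(g['perms']))};"
            for (s, t, c), g in sorted(summary.items())]
```

Running `summarize_denials(SAMPLE_AUDIT_LOG)` shows the single group neutron_t -> keepalived_exec_t:file hit twice by neutron-rootwrap, and `allow_rules` reproduces the rule audit2allow printed in the report.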

Comment 4 Assaf Muller 2015-03-05 14:37:18 UTC
Similar issue was fixed in the linked bug. Looks like it came creeping back up.

Comment 5 Lon Hohberger 2015-03-05 14:42:33 UTC

*** This bug has been marked as a duplicate of bug 1195252 ***