Bug 1311756 - IPv6 real servers fail when starting keepalived using systemd
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 23
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
Reported: 2016-02-24 22:15 UTC by Major Hayden
Modified: 2016-03-05 06:23 UTC (History)

Fixed In Version: selinux-policy-3.13.1-158.8.fc23 selinux-policy-3.13.1-158.9.fc23
Doc Type: Bug Fix
Last Closed: 2016-03-05 06:23:05 UTC


Description Major Hayden 2016-02-24 22:15:01 UTC
I'm currently using keepalived 1.2.19-2.fc23 on Fedora 23 (x86_64).  If I start keepalived manually on the command line, it will configure LVS real servers on v6 addresses without an issue.  I can run ipvsadm and the IPv6 real servers appear along with their health checks.

However, if I use systemd to start keepalived, the IPv6 real servers and health checks do not appear in ipvsadm.

My system journal ends up with this repeated for each real server:

IPVS: Operation not supported with specified address family

Comment 1 Major Hayden 2016-02-24 22:43:37 UTC
This appears to be an SELinux policy issue.  After disabling dontaudit rules, I was able to get the following output from audit2allow:

module keepalived_fix 1.0;

require {
	type keepalived_t;
	class netlink_generic_socket { create getattr setopt bind write read };
}


If I build that policy and apply it, keepalived can handle v6 virtual servers again.
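
How AVC denials of the kind described in this comment map to a policy module, as an added example that is not part of the original report or of selinux-policy: it groups denied permissions by source type, target and class, then renders the module source, including the allow rule that grants them. The audit records are constructed, the function names are hypothetical, and the target is written as self on the assumption that each record's tcontext carries the same type as its scontext.

```python
import re
from collections import defaultdict

# Constructed audit.log records (not taken from the bug report): one AVC denial
# per permission, plus an unrelated record that must be ignored.
_REC = ('type=AVC msg=audit(1456353817.{n}:{n}): avc:  denied  {{ {perm} }} for  '
        'pid=1234 comm="keepalived" scontext=system_u:system_r:keepalived_t:s0 '
        'tcontext=system_u:system_r:keepalived_t:s0 '
        'tclass=netlink_generic_socket permissive=0')
SAMPLE_AUDIT_LOG = "\n".join(
    ["type=SERVICE_START msg=audit(1456353816.099:99): pid=1 comm=\"systemd\""]
    + [_REC.format(n=100 + i, perm=p) for i, p in
       enumerate("create getattr setopt bind write read".split())])

AVC_RE = re.compile(r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
                    r"scontext=(?P<s>\S+) tcontext=(?P<t>\S+) tclass=(?P<cls>\S+)")

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def collect_denials(log_text):
    """Group denied permissions by (source type, target, class)."""
    rules = defaultdict(list)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        src, tgt = selinux_type(m["s"]), selinux_type(m["t"])
        # A process acting on an object carrying its own type is written "self".
        key = (src, "self" if tgt == src else tgt, m["cls"])
        rules[key] += [p for p in m["perms"].split() if p not in rules[key]]
    return dict(rules)

def render_module(name, rules):
    """Render module source: a require block plus one allow rule per group."""
    types = sorted({x for s, t, _ in rules for x in (s, t) if x != "self"})
    classes = defaultdict(list)
    for (_, _, cls), perms in rules.items():
        classes[cls] += [p for p in perms if p not in classes[cls]]
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(p)} }};" for c, p in classes.items()]
    out += ["}", ""]
    out += [f"allow {s} {t}:{c} {{ {' '.join(p)} }};" for (s, t, c), p in rules.items()]
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(render_module("keepalived_fix", collect_denials(SAMPLE_AUDIT_LOG)), end="")
```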

Comment 2 Lukas Vrabec 2016-02-25 15:15:33 UTC
commit 73f0863a3f131bf3c7d27352ccd0107442eae645
Author: Lukas Vrabec <lvrabec@redhat.com>
Date:   Thu Feb 25 16:14:38 2016 +0100

    Allow keepalived to create netlink generic sockets. rhbz#1311756

Comment 3 Major Hayden 2016-02-25 17:59:39 UTC
Thanks so much for the quick fix, Lukas! :)

Comment 4 Fedora Update System 2016-02-27 13:50:42 UTC
selinux-policy-3.13.1-158.9.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-ffbae3a870

Comment 5 Fedora Update System 2016-02-28 13:54:32 UTC
selinux-policy-3.13.1-158.9.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-ffbae3a870

Comment 6 Fedora Update System 2016-03-05 06:22:12 UTC
selinux-policy-3.13.1-158.9.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

