1311756 – IPv6 real servers fail when starting keepalived using systemd

Bug 1311756 - IPv6 real servers fail when starting keepalived using systemd

Summary: IPv6 real servers fail when starting keepalived using systemd

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	23
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Lukas Vrabec
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-02-24 22:15 UTC by Major Hayden 🤠
Modified:	2016-03-05 06:23 UTC (History)
CC List:	9 users (show)
Fixed In Version:	selinux-policy-3.13.1-158.8.fc23 selinux-policy-3.13.1-158.9.fc23
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-03-05 06:23:05 UTC
Type:	Bug
Dependent Products:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Major Hayden 🤠 2016-02-24 22:15:01 UTC

I'm currently using keepalived 1.2.19-2.fc23 on Fedora 23 (x86_64).  If I start keepalived manually on the command line, it will configure LVS real servers on v6 addresses without an issue.  I can run ipvsadm and the IPv6 real servers appear along with their health checks.

However, if I use systemd to start keepalived, the IPv6 real servers and health checks do not appear in ipvsadm.

My system journal ends up with this repeated for each real server:

IPVS: Operation not supported with specified address family

Comment 1 Major Hayden 🤠 2016-02-24 22:43:37 UTC

This appears to be an SELinux policy issue.  After disabling dontaudit rules, I was able to get the following output from audit2allow:

module keepalived_fix 1.0;

require {
	type keepalived_t;
	class netlink_generic_socket { create getattr setopt bind write read };
}


If I build that policy and apply it, keepalived can handle v6 virtual servers again.

Comment 2 Lukas Vrabec 2016-02-25 15:15:33 UTC

commit 73f0863a3f131bf3c7d27352ccd0107442eae645
Author: Lukas Vrabec <lvrabec>
Date:   Thu Feb 25 16:14:38 2016 +0100

    Allow keepalived to create netlink generic sockets. rhbz#1311756

Comment 3 Major Hayden 🤠 2016-02-25 17:59:39 UTC

Thanks so much for the quick fix, Lukas! :)

Comment 4 Fedora Update System 2016-02-27 13:50:42 UTC

selinux-policy-3.13.1-158.9.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-ffbae3a870

Comment 5 Fedora Update System 2016-02-28 13:54:32 UTC

selinux-policy-3.13.1-158.9.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-ffbae3a870

Comment 6 Fedora Update System 2016-03-05 06:22:12 UTC

selinux-policy-3.13.1-158.9.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.