Bug 1311756 - IPv6 real servers fail when starting keepalived using systemd
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 23
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Assigned To: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
Reported: 2016-02-24 17:15 EST by Major Hayden
Modified: 2016-03-05 01:23 EST
Fixed In Version: selinux-policy-3.13.1-158.8.fc23 selinux-policy-3.13.1-158.9.fc23
Doc Type: Bug Fix
Last Closed: 2016-03-05 01:23:05 EST
Type: Bug
Description Major Hayden 2016-02-24 17:15:01 EST
I'm currently using keepalived 1.2.19-2.fc23 on Fedora 23 (x86_64).  If I start keepalived manually on the command line, it will configure LVS real servers on v6 addresses without an issue.  I can run ipvsadm and the IPv6 real servers appear along with their health checks.

However, if I use systemd to start keepalived, the IPv6 real servers and health checks do not appear in ipvsadm.

My system journal ends up with this repeated for each real server:

IPVS: Operation not supported with specified address family
Comment 1 Major Hayden 2016-02-24 17:43:37 EST
This appears to be an SELinux policy issue.  After disabling dontaudit rules, I was able to get the following output from audit2allow:

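module keepalived_fix 1.0;

require {
	type keepalived_t;
	class netlink_generic_socket { create getattr setopt bind write read };
}

# Rule implied by the require block above: keepalived_t acting on its own netlink generic socket
allow keepalived_t self:netlink_generic_socket { create getattr setopt bind write read };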

If I build that policy and apply it, keepalived can handle v6 virtual servers again.
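
How a module like the one in Comment 1 follows from the denials that appear once dontaudit rules are disabled, as an added example that is not part of the original report and is not audit2allow's own code. The audit records are constructed, and the function names `collect_denials` and `render_module` are hypothetical.

```python
import re

# Constructed audit records (not from the bug report): the shape of the AVC
# denials that become visible once dontaudit rules are disabled.
_AVC = ('type=AVC msg=audit(1456350211.{n}:{n}): avc:  denied  {{ {perm} }} for  pid=2101 '
        'comm="keepalived" scontext=system_u:system_r:keepalived_t:s0 '
        'tcontext=system_u:system_r:keepalived_t:s0 tclass=netlink_generic_socket permissive=0')
SAMPLE_LOG = [_AVC.format(n=100 + i, perm=p) for i, p in
              enumerate(["create", "getattr", "setopt", "bind", "write", "read", "create"])]
# A denial from an unrelated (constructed) domain that must not leak into the module.
SAMPLE_LOG.append('type=AVC msg=audit(1456350300.200:200): avc:  denied  { read } for  pid=9 '
                  'comm="other" scontext=system_u:system_r:other_t:s0 '
                  'tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0')

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?scontext=(?P<scon>\S+)"
                    r"\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)")

def collect_denials(lines, domain):
    """Map (source, target, class) -> permissions denied to `domain`, first-seen order."""
    denials = {}
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record
        src, tgt = (m[g].split(":")[2] for g in ("scon", "tcon"))  # user:role:type:level
        if src != domain:
            continue  # scope the module to one domain only
        # Same source and target type is written as "self" in policy rules.
        key = (src, "self" if tgt == src else tgt, m["tclass"])
        perms = denials.setdefault(key, [])
        perms.extend(p for p in m["perms"].split() if p not in perms)
    return denials

def render_module(name, denials):
    """Render a policy module: a require block plus one allow rule per denial key."""
    types = sorted({t for s, tg, _ in denials for t in (s, tg) if t != "self"})
    classes = {}
    for (_, _, cls), perms in denials.items():
        have = classes.setdefault(cls, [])
        have.extend(p for p in perms if p not in have)
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(p)} }};" for c, p in classes.items()]
    out += ["}", ""]
    out += [f"allow {s} {tg}:{c} {{ {' '.join(p)} }};" for (s, tg, c), p in denials.items()]
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(render_module("keepalived_fix", collect_denials(SAMPLE_LOG, "keepalived_t")))
```

Filtering on the source domain before rendering keeps unrelated denials out of the module, so the local policy grants only what keepalived_t was actually refused.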
Comment 2 Lukas Vrabec 2016-02-25 10:15:33 EST
commit 73f0863a3f131bf3c7d27352ccd0107442eae645
Author: Lukas Vrabec <lvrabec@redhat.com>
Date:   Thu Feb 25 16:14:38 2016 +0100

    Allow keepalived to create netlink generic sockets. rhbz#1311756
Comment 3 Major Hayden 2016-02-25 12:59:39 EST
Thanks so much for the quick fix, Lukas! :)
Comment 4 Fedora Update System 2016-02-27 08:50:42 EST
selinux-policy-3.13.1-158.9.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-ffbae3a870
Comment 5 Fedora Update System 2016-02-28 08:54:32 EST
selinux-policy-3.13.1-158.9.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-ffbae3a870
Comment 6 Fedora Update System 2016-03-05 01:22:12 EST
selinux-policy-3.13.1-158.9.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
