1401556 – keepalived needs access to "/var/agentx/master" UNIX socket

Bug 1401556 - keepalived needs access to "/var/agentx/master" UNIX socket

Summary: keepalived needs access to "/var/agentx/master" UNIX socket

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	7.4
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Lukas Vrabec
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-12-05 14:51 UTC by Ryan O'Hara
Modified:	2018-04-10 12:26 UTC (History)
CC List:	8 users (show)
Fixed In Version:	selinux-policy-3.13.1-176.el7
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2018-04-10 12:25:40 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2018:0763	0	None	None	None	2018-04-10 12:26:24 UTC

Description Ryan O'Hara 2016-12-05 14:51:04 UTC

When starting keepalived with SNMP enabled, keepalived fails to connect as a subagent due to AVC for "/var/agentx/master" UNIX socket:

# ausearch -m avc
----
time->Mon Dec  5 08:45:31 2016
type=SYSCALL msg=audit(1480949131.095:4863): arch=c000003e syscall=42 success=no exit=-13 a0=e a1=7ffcc02bf450 a2=6e a3=2 items=0 ppid=55438 pid=55440 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="keepalived" exe="/usr/sbin/keepalived" subj=system_u:system_r:keepalived_t:s0 key=(null)
type=AVC msg=audit(1480949131.095:4863): avc:  denied  { connectto } for  pid=55440 comm="keepalived" path="/var/agentx/master" scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=unix_stream_socket

Comment 1 Milos Malik 2016-12-05 16:59:17 UTC

Based on success=no exit=-13, the SELinux denial was caught in enforcing mode. Could you re-run the scenario in permissive mode and attach the resulting SELinux denials?

Comment 2 Ryan O'Hara 2016-12-05 18:56:29 UTC

In permissive mode:

type=SERVICE_START msg=audit(1480964036.515:5144): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=keepalived comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1480964036.521:5145): avc:  denied  { connectto } for  pid=9017 comm="keepalived" path="/var/agentx/master" scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1480964036.521:5145): arch=c000003e syscall=42 success=yes exit=0 a0=c a1=7ffc69316fe0 a2=6e a3=2 items=0 ppid=9016 pid=9017 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="keepalived" exe="/usr/sbin/keepalived" subj=system_u:system_r:keepalived_t:s0 key=(null)

Comment 10 errata-xmlrpc 2018-04-10 12:25:40 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0763

Note You need to log in before you can comment on or make changes to this bug.