Description of problem:
After an upgrade of keepalived from 1.3.2 to 1.3.5 it refuses to start when selinux is in enforcing mode.

Version-Release number of selected component (if applicable):
1.3.5

How reproducible:
Always

Steps to Reproduce:
1. Upgrade
2. Try to start
3.

Actual results:
Start fails

Expected results:
Start successful

Additional info:
# ausearch -m avc,user_avc,selinux_err,user_selinux_err -i -ts recent
----
type=AVC msg=audit(06/02/2017 11:59:32.180:333348) : avc: denied { read write } for pid=7012 comm=keepalived name=core_pattern dev="proc" ino=44362028 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:usermodehelper_t:s0 tclass=file permissive=0
----
type=AVC msg=audit(06/02/2017 11:59:32.188:333350) : avc: denied { read } for pid=7016 comm=keepalived name=modprobe dev="proc" ino=43213025 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:usermodehelper_t:s0 tclass=file permissive=0
----
type=AVC msg=audit(06/02/2017 11:59:39.878:333359) : avc: denied { read write } for pid=7348 comm=keepalived name=core_pattern dev="proc" ino=44362028 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:usermodehelper_t:s0 tclass=file permissive=0
----
type=AVC msg=audit(06/02/2017 11:59:39.885:333360) : avc: denied { read } for pid=7351 comm=keepalived name=modprobe dev="proc" ino=43213025 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:usermodehelper_t:s0 tclass=file permissive=0
----
type=AVC msg=audit(06/02/2017 12:03:27.919:333394) : avc: denied { read write } for pid=7902 comm=keepalived name=core_pattern dev="proc" ino=44362028 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:usermodehelper_t:s0 tclass=file permissive=0
----
type=AVC msg=audit(06/02/2017 12:03:27.927:333396) : avc: denied { read } for pid=7905 comm=keepalived name=modprobe dev="proc" ino=43213025 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:usermodehelper_t:s0 tclass=file permissive=0
----
type=USER_AVC msg=audit(06/02/2017 12:03:38.834:333400) : pid=738 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: received setenforce notice (enforcing=0) exe=/usr/bin/dbus-daemon (deleted) sauid=dbus hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(06/02/2017 12:03:42.841:333401) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: received setenforce notice (enforcing=0) exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=AVC msg=audit(06/02/2017 12:03:42.853:333402) : avc: denied { read write } for pid=7966 comm=keepalived name=core_pattern dev="proc" ino=44362028 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:usermodehelper_t:s0 tclass=file permissive=1
----
type=AVC msg=audit(06/02/2017 12:03:42.853:333403) : avc: denied { open } for pid=7966 comm=keepalived path=/proc/sys/kernel/core_pattern dev="proc" ino=44362028 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:usermodehelper_t:s0 tclass=file permissive=1
----
type=AVC msg=audit(06/02/2017 12:03:42.863:333405) : avc: denied { read } for pid=7969 comm=keepalived name=modprobe dev="proc" ino=43213025 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:usermodehelper_t:s0 tclass=file permissive=1
----
type=AVC msg=audit(06/02/2017 12:03:42.863:333406) : avc: denied { open } for pid=7969 comm=keepalived path=/proc/sys/kernel/modprobe dev="proc" ino=43213025 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:usermodehelper_t:s0 tclass=file permissive=1
----
type=AVC msg=audit(06/02/2017 12:03:42.864:333407) : avc: denied { create } for pid=7969 comm=keepalived scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:system_r:keepalived_t:s0 tclass=netlink_netfilter_socket permissive=1
----
type=AVC msg=audit(06/02/2017 12:03:42.864:333408) : avc: denied { bind } for pid=7969 comm=keepalived scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:system_r:keepalived_t:s0 tclass=netlink_netfilter_socket permissive=1
----
type=AVC msg=audit(06/02/2017 12:03:42.864:333409) : avc: denied { getattr } for pid=7969 comm=keepalived scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:system_r:keepalived_t:s0 tclass=netlink_netfilter_socket permissive=1
----
type=AVC msg=audit(06/02/2017 12:04:16.482:333412) : avc: denied { write } for pid=7967 comm=keepalived name=core_pattern dev="proc" ino=44362028 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:usermodehelper_t:s0 tclass=file permissive=1

This is selinux-policy, not keepalived.
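
An added example, not part of the bug report or of selinux-policy: a short Python triage script that groups AVC denials by source type, target type and object class, and separates accesses that were actually blocked (permissive=0) from those only logged after setenforce 0. The six sample records are copied from the ausearch output in the report; the function names and the treatment of a missing permissive= field are this example's own assumptions.

```python
import re
from collections import defaultdict

# Sample records copied from the ausearch output in this report (one per line).
SAMPLE = """\
type=AVC msg=audit(06/02/2017 11:59:32.180:333348) : avc: denied { read write } for pid=7012 comm=keepalived name=core_pattern dev="proc" ino=44362028 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:usermodehelper_t:s0 tclass=file permissive=0
type=AVC msg=audit(06/02/2017 11:59:32.188:333350) : avc: denied { read } for pid=7016 comm=keepalived name=modprobe dev="proc" ino=43213025 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:usermodehelper_t:s0 tclass=file permissive=0
type=USER_AVC msg=audit(06/02/2017 12:03:42.841:333401) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: received setenforce notice (enforcing=0) exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
type=AVC msg=audit(06/02/2017 12:03:42.853:333403) : avc: denied { open } for pid=7966 comm=keepalived path=/proc/sys/kernel/core_pattern dev="proc" ino=44362028 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:usermodehelper_t:s0 tclass=file permissive=1
type=AVC msg=audit(06/02/2017 12:03:42.864:333407) : avc: denied { create } for pid=7969 comm=keepalived scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:system_r:keepalived_t:s0 tclass=netlink_netfilter_socket permissive=1
type=AVC msg=audit(06/02/2017 12:03:42.864:333408) : avc: denied { bind } for pid=7969 comm=keepalived scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:system_r:keepalived_t:s0 tclass=netlink_netfilter_socket permissive=1
"""

# Matches only "avc: denied" records; setenforce notices (USER_AVC) do not match.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?"
)

def selinux_type(context):
    """Return the type field of a user:role:type:level[...] context."""
    return context.split(":")[2]

def summarize(log_text):
    """Group denials by (source type, target type, object class)."""
    summary = defaultdict(lambda: {"perms": set(), "blocked": 0, "logged_only": 0})
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (selinux_type(m["scontext"]), selinux_type(m["tcontext"]), m["tclass"])
        entry = summary[key]
        entry["perms"].update(m["perms"].split())
        # Assumption: a record without permissive= is counted as blocked.
        if m["permissive"] == "1":
            entry["logged_only"] += 1
        else:
            entry["blocked"] += 1
    return dict(summary)

if __name__ == "__main__":
    for (src, tgt, cls), e in sorted(summarize(SAMPLE).items()):
        perms = " ".join(sorted(e["perms"]))
        print(f"{src} -> {tgt}:{cls} {{ {perms} }} "
              f"blocked={e['blocked']} logged_only={e['logged_only']}")
```

On these records the netlink_netfilter_socket denials appear only with permissive=1: in enforcing mode keepalived exits at the first blocked /proc/sys/kernel access, so the later accesses are never attempted and never logged.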
selinux-policy-3.13.1-225.18.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-45ca9bfcb6
selinux-policy-3.13.1-225.18.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-45ca9bfcb6
selinux-policy-3.13.1-225.18.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.