1477542 – Regression: AVC denied related to keepalived 1.3.x, /proc and sysctl_net_t

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1477542 - Regression: AVC denied related to keepalived 1.3.x, /proc and sysctl_net_t

Summary: Regression: AVC denied related to keepalived 1.3.x, /proc and sysctl_net_t

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	7.4
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Lukas Vrabec
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2017-08-02 11:13 UTC by Robert Scheck
Modified:	2018-04-10 12:36 UTC (History)
CC List:	13 users (show)
Fixed In Version:	selinux-policy-3.13.1-188.el7
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2018-04-10 12:34:36 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2018:0763	0	None	None	None	2018-04-10 12:36:05 UTC

Description Robert Scheck 2017-08-02 11:13:34 UTC

Description of problem:
Since updating to RHEL 7.4 which contains a keepalived update from 1.2.x
to 1.3.x, the following SELinux related message shows up:

type=AVC msg=audit(1501671861.845:45): avc:  denied  { search } for  pid=2154 comm="keepalived" name="net" dev="proc" ino=9992 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
type=SYSCALL msg=audit(1501671861.845:45): arch=c000003e syscall=2 success=no exit=-13 a0=5623b7fa8330 a1=0 a2=5623b7fa834c a3=63 items=0 ppid=2152 pid=2154 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="keepalived" exe="/usr/sbin/keepalived" subj=system_u:system_r:keepalived_t:s0 key=(null)
type=PROCTITLE msg=audit(1501671861.845:45): proctitle=2F7573722F7362696E2F6B656570616C69766564002D44

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-166.el7.noarch
selinux-policy-targeted-3.13.1-166.el7.noarch
keepalived-1.3.5-1.el7.x86_64

How reproducible:
Everytime during boot when keepalived gets started.

Actual results:
AVC denied related to keepalived 1.3.x, /proc and sysctl_net_t.

Expected results:
No AVC denied related to keepalived 1.3.x, /proc and sysctl_net_t, but I
am not sure if this should be allowed or not (currently not allowed).

Comment 2 Robert Scheck 2017-08-02 13:31:37 UTC

Cross-filed ticket 01903060 on the Red Hat customer portal.

Comment 3 Milos Malik 2017-08-17 15:39:21 UTC

I assume that the AVC in comment#0 talks about /proc/sys/net directory.

There is a lot of files and directories under /proc/sys/net, all of them are labeled sysctl_net_t except for:

# ls -Z /proc/sys/net/unix
-rw-r--r--. root root system_u:object_r:sysctl_net_unix_t:s0 max_dgram_qlen
#

Comment 4 Robert Scheck 2017-08-17 18:33:29 UTC

$ sealert -l f56525a2-36a4-48ef-a9d8-61adbc0f3e1d
[…]
Source Context                system_u:system_r:keepalived_t:s0
Target Context                system_u:object_r:sysctl_net_t:s0
Target Objects                net [ dir ]
Source                        keepalived
Source Path                   /usr/sbin/keepalived
[…]
Policy RPM                    selinux-policy-3.13.1-166.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
[…]

Raw Audit Messages
type=AVC msg=audit(1502994621.228:112561): avc:  denied  { search } for  pid=2198 comm="keepalived" name="net" dev="proc" ino=9716 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
[…]
$

$ find /proc/ -inum 9716
/proc/sys/net
$ 

So the issue seems to be that keepalived is not allowed to search in the
/proc/sys/net directory in general?

Comment 8 Milos Malik 2018-01-30 16:03:08 UTC

comment#0 mentions that keepalived triggers SELinux denials which are related to /proc and sysctl_net_t. Here is the /proc related one:
----
type=PROCTITLE msg=audit(01/30/2018 10:55:44.274:633) : proctitle=/usr/sbin/keepalived -D --snmp 
type=SYSCALL msg=audit(01/30/2018 10:55:44.274:633) : arch=x86_64 syscall=statfs success=no exit=EACCES(Permission denied) a0=0x5566d189c854 a1=0x7ffc459bb9f0 a2=0x8000 a3=0x46 items=0 ppid=11234 pid=11236 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=keepalived exe=/usr/sbin/keepalived subj=system_u:system_r:keepalived_t:s0 key=(null) 
type=AVC msg=audit(01/30/2018 10:55:44.274:633) : avc:  denied  { getattr } for  pid=11236 comm=keepalived name=/ dev="proc" ino=1 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem 
----

The AVC is reproducible even if the latest selinux-policy build is installed.

# rpm -qa selinux\* keepalived\* | sort
keepalived-1.3.5-5.el7.x86_64
selinux-policy-3.13.1-186.el7.noarch
selinux-policy-devel-3.13.1-186.el7.noarch
selinux-policy-targeted-3.13.1-186.el7.noarch
#

Comment 9 Milos Malik 2018-01-30 16:24:14 UTC

Based on SELinux denials from comment#0 and comment#4, keepalived wants to search something under /proc/sys/net. Even if keepalived found the right file, it would not be able to read it, because the policy does not allow keepalived to read any files under /proc/sys/net. Therefore I believe that following rule should be also added to the policy:

allow keepalived_t sysctl_net_t : file { getattr open read } ;

Comment 14 Milos Malik 2018-02-06 14:07:42 UTC

The same SELinux denial as mentioned in comment#8 appeared again:
----
type=PROCTITLE msg=audit(02/06/2018 09:04:22.470:361) : proctitle=/usr/sbin/keepalived -D --snmp 
type=SYSCALL msg=audit(02/06/2018 09:04:22.470:361) : arch=x86_64 syscall=statfs success=no exit=EACCES(Permission denied) a0=0x558e1d0c6854 a1=0x7fff30aec800 a2=0x8000 a3=0x46 items=0 ppid=20591 pid=20593 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=keepalived exe=/usr/sbin/keepalived subj=system_u:system_r:keepalived_t:s0 key=(null) 
type=AVC msg=audit(02/06/2018 09:04:22.470:361) : avc:  denied  { getattr } for  pid=20593 comm=keepalived name=/ dev="proc" ino=1 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=0 
----

# rpm -qa selinux\*
selinux-policy-targeted-3.13.1-187.el7.noarch
selinux-policy-3.13.1-187.el7.noarch
selinux-policy-devel-3.13.1-187.el7.noarch
#

Comment 20 errata-xmlrpc 2018-04-10 12:34:36 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0763

Note You need to log in before you can comment on or make changes to this bug.