Created attachment 1542817 [details]
audit.log

Description of problem:
=======================
Reported initially at bug 1671022 comment 21.
The fix[1] fix bug 1671022 included a change of Octavia behavior, which should also be reflected in respective SELinux policies.

Prior to the fix, a Python agent named Amphora agent managed the VIP interface both on a standalone (single amphora) and active/standby (two amphorae).

This created an issue where addresses would fail to create due to
a duplicate address detection.
To mitigate that,  in a case[2] of active/standby topology Keepalived will bring up the VIP interface instead of the Amphora agent. 


[1] https://review.openstack.org/#/c/632763/
[2] https://review.openstack.org/#/c/632763/4/octavia/amphorae/backends/agent/api_server/plug.py@134

Version-Release number of selected component (if applicable):
=============================================================
OSP13
openstack-selinux-0.8.17-2.el7ost.noarch

How reproducible:
=================
Always


Steps to Reproduce:
===================
As captured from bug 1671022 comment 21: 
1. Create a Highly available Octavia load balancer with IPv6 VIP.
2. Trigger failover via: openstack loadbalancer failover <lb_Id>


Actual results:
===============
One of the Amphorae instances marked with Status: ERROR

Expected results:
=================
Both Amphorae instances status should be: ALLOCATED

Additional info:
================
Tested with RHEL7.6


audit2allow:
#============= keepalived_t ==============

#!!!! WARNING: 'bin_t' is a base type.
allow keepalived_t bin_t:file entrypoint;


 audit2why
type=AVC msg=audit(1552241787.746:60): avc:  denied  { entrypoint } for  pid=3530 comm="(kill)" path="/usr/bin/kill" dev="vda1" ino=43348 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1

	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.