Created attachment 1542817
audit.log

Description of problem:
=======================
Reported initially at bug 1671022 comment 21.

The fix[1] for bug 1671022 included a change of Octavia behavior, which should also be reflected in the respective SELinux policies.

Prior to the fix, a Python agent named Amphora agent managed the VIP interface both on a standalone (single amphora) and an active/standby (two amphorae) topology. This created an issue where addresses would fail to create due to duplicate address detection. To mitigate that, in the case[2] of an active/standby topology Keepalived will bring up the VIP interface instead of the Amphora agent.

[1] https://review.openstack.org/#/c/632763/
[2] https://review.openstack.org/#/c/632763/4/octavia/amphorae/backends/agent/api_server/plug.py@134

Version-Release number of selected component (if applicable):
=============================================================
OSP13
openstack-selinux-0.8.17-2.el7ost.noarch

How reproducible:
=================
Always

Steps to Reproduce:
===================
As captured from bug 1671022 comment 21:
1. Create a highly available Octavia load balancer with an IPv6 VIP.
2. Trigger failover via: openstack loadbalancer failover <lb_Id>

Actual results:
===============
One of the Amphorae instances is marked with Status: ERROR

Expected results:
=================
Both Amphorae instances should have status: ALLOCATED

Additional info:
================
Tested with RHEL7.6

audit2allow:

#============= keepalived_t ==============
#!!!! WARNING: 'bin_t' is a base type.
allow keepalived_t bin_t:file entrypoint;

audit2why:

type=AVC msg=audit(1552241787.746:60): avc: denied { entrypoint } for pid=3530 comm="(kill)" path="/usr/bin/kill" dev="vda1" ino=43348 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.
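To triage AVC records like the one above, here is an added Python example (not part of this bug report or of openstack-selinux) that parses an audit.log line into subject type, target type, object class and denied permissions, renders the allow rule in the form audit2allow prints it, and flags base types the way audit2allow's warning on bin_t does. The second log line and the BASE_TYPES set are constructed for illustration; only bin_t is attested on this page.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Line 1 is the AVC denial quoted in this bug; line 2 is a constructed
# enforcing-mode record so the permissive flag and multi-permission rendering are exercised.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1552241787.746:60): avc: denied { entrypoint } for pid=3530 comm="(kill)" path="/usr/bin/kill" dev="vda1" ino=43348 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
type=AVC msg=audit(1552241790.101:61): avc: denied { read write } for pid=3531 comm="keepalived" path="/run/example.sock" dev="tmpfs" ino=99 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
"""
BASE_TYPES = {"bin_t"}  # base types audit2allow warns about; bin_t is attested on this page
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')       # key=value or key="quoted value"
DENIED_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")

@dataclass
class AvcDenial:
    perms: List[str]   # permissions that were denied, e.g. ["entrypoint"]
    stype: str         # source (subject) domain, e.g. keepalived_t
    ttype: str         # target object type, e.g. bin_t
    tclass: str        # object class, e.g. file
    comm: Optional[str]
    path: Optional[str]
    permissive: bool   # True: access was logged but allowed (permissive mode)

    def allow_rule(self) -> str:
        """Render the TE rule in the form audit2allow prints it."""
        perms = " ".join(self.perms) if len(self.perms) == 1 else "{ " + " ".join(self.perms) + " }"
        return f"allow {self.stype} {self.ttype}:{self.tclass} {perms};"

def parse_avc(line: str) -> Optional[AvcDenial]:
    """Parse one audit.log line; return None unless it is an AVC denial."""
    m = DENIED_RE.search(line)
    if m is None:
        return None
    f = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    # A context label is user:role:type[:range]; the type is field 2.
    return AvcDenial(m.group(1).split(), f["scontext"].split(":")[2],
                     f["tcontext"].split(":")[2], f["tclass"], f.get("comm"),
                     f.get("path"), f.get("permissive") == "1")

def triage(log_text: str) -> List[dict]:
    """One summary per denial: generated rule, base-type warning, enforced or not."""
    report = []
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is not None:
            report.append({"comm": d.comm, "rule": d.allow_rule(),
                           "base_type_warning": d.ttype in BASE_TYPES,
                           "enforced": not d.permissive})
    return report
```

A base-type warning is the cue to prefer a narrower target type or an interface from the reference policy over the literal rule audit2allow generates.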
PR: https://github.com/redhat-openstack/openstack-selinux/pull/30
Tests: https://gist.github.com/nmagnezi/fdfb546944a2138aef15c31a958057c7
PR merged.
Hey Julie,

When is the next promotion of openstack-selinux? We wish to have this fix in an OSP13 RPM so we can test against it.

Thanks,
Nir
Thanks for the ping. I will do a build in the next couple of days.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0926