
Bug 1815281

Summary: Usage of network namespaces in keepalived results in AVC denials
Product: Red Hat Enterprise Linux 8
Reporter: Brandon Perkins <bperkins>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Docs Contact:
Priority: medium
Version: 8.2
CC: lvrabec, mmalik, plautrba, rohara, ssekidde
Target Milestone: rc
Keywords: AutoVerified, Triaged
Target Release: 8.3
Flags: pm-rhel: mirror+
Hardware: Unspecified
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-11-04 01:56:06 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Comment 3 Zdenek Pytela 2020-06-22 15:02:28 UTC
I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy-contrib/pull/278

Comment 7 Milos Malik 2020-06-30 10:33:33 UTC
# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      32
# rpm -qa selinux-policy\* keepalived\* | sort
keepalived-2.0.10-10.el8.x86_64
selinux-policy-3.14.3-48.el8.noarch
selinux-policy-devel-3.14.3-48.el8.noarch
selinux-policy-targeted-3.14.3-48.el8.noarch
# ip netns list
pokus
# grep -v ^# /etc/sysconfig/keepalived 

KEEPALIVED_OPTIONS="-D --namespace=pokus"

# service keepalived start
Redirecting to /bin/systemctl start keepalived.service
Job for keepalived.service failed because the service did not take the steps required by its unit configuration.
See "systemctl status keepalived.service" and "journalctl -xe" for details.
# service keepalived status
Redirecting to /bin/systemctl status keepalived.service
● keepalived.service - LVS and VRRP High Availability Monitor
   Loaded: loaded (/usr/lib/systemd/system/keepalived.service; disabled; vendor preset: disabled)
   Active: failed (Result: protocol) since Tue 2020-06-30 06:31:30 EDT; 1s ago
  Process: 61250 ExecStart=/usr/sbin/keepalived $KEEPALIVED_OPTIONS (code=exited, status=0/SUCCESS)

Jun 30 06:31:30 ci-vm-10-0-138-80.hosted.upshift.rdu2.redhat.com Keepalived[61250]: Changing syslog ident to Keepalived_pokus
Jun 30 06:31:30 ci-vm-10-0-138-80.hosted.upshift.rdu2.redhat.com Keepalived_pokus[61250]: Unable to create directory /var/run/keepalived
Jun 30 06:31:30 ci-vm-10-0-138-80.hosted.upshift.rdu2.redhat.com Keepalived_pokus[61250]: setns() failed with error 1
Jun 30 06:31:30 ci-vm-10-0-138-80.hosted.upshift.rdu2.redhat.com Keepalived_pokus[61250]: Unable to set network namespace pokus - exiting
Jun 30 06:31:30 ci-vm-10-0-138-80.hosted.upshift.rdu2.redhat.com Keepalived_pokus[61250]: Stopped Keepalived v2.0.10 (11/12,2018)
Jun 30 06:31:30 ci-vm-10-0-138-80.hosted.upshift.rdu2.redhat.com Keepalived_pokus[61250]: unmount of /var/run/keepalived failed - errno 1
Jun 30 06:31:30 ci-vm-10-0-138-80.hosted.upshift.rdu2.redhat.com Keepalived_pokus[61250]: unlink of /var/run/keepalived failed - error (2) 'No such file or directory'
Jun 30 06:31:30 ci-vm-10-0-138-80.hosted.upshift.rdu2.redhat.com systemd[1]: keepalived.service: Can't open PID file /var/run/keepalived.pid (yet?) after start: No such fil…r directory
Jun 30 06:31:30 ci-vm-10-0-138-80.hosted.upshift.rdu2.redhat.com systemd[1]: keepalived.service: Failed with result 'protocol'.
Jun 30 06:31:30 ci-vm-10-0-138-80.hosted.upshift.rdu2.redhat.com systemd[1]: Failed to start LVS and VRRP High Availability Monitor.
Hint: Some lines were ellipsized, use -l to show in full.
# ausearch -m avc -i -ts recent
----
type=PROCTITLE msg=audit(06/30/2020 06:31:30.496:374) : proctitle=/usr/sbin/keepalived -D --namespace=pokus 
type=PATH msg=audit(06/30/2020 06:31:30.496:374) : item=1 name=/var/run/keepalived nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(06/30/2020 06:31:30.496:374) : item=0 name=/var/run/ inode=11004 dev=00:18 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_run_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(06/30/2020 06:31:30.496:374) : cwd=/ 
type=SYSCALL msg=audit(06/30/2020 06:31:30.496:374) : arch=x86_64 syscall=mkdir success=no exit=EACCES(Permission denied) a0=0x5591bda59d33 a1=0755 a2=0x1 a3=0x4000 items=2 ppid=1 pid=61250 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=keepalived exe=/usr/sbin/keepalived subj=system_u:system_r:keepalived_t:s0 key=(null) 
type=AVC msg=audit(06/30/2020 06:31:30.496:374) : avc:  denied  { create } for  pid=61250 comm=keepalived name=keepalived scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:keepalived_var_run_t:s0 tclass=dir permissive=0 
----

Comment 8 Milos Malik 2020-06-30 10:47:22 UTC
----
type=PROCTITLE msg=audit(06/30/2020 06:33:54.377:378) : proctitle=/usr/sbin/keepalived -D --namespace=pokus 
type=PATH msg=audit(06/30/2020 06:33:54.377:378) : item=1 name=/var/run/keepalived inode=84233 dev=00:18 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:keepalived_var_run_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(06/30/2020 06:33:54.377:378) : item=0 name=/var/run/ inode=11004 dev=00:18 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_run_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(06/30/2020 06:33:54.377:378) : cwd=/ 
type=SYSCALL msg=audit(06/30/2020 06:33:54.377:378) : arch=x86_64 syscall=mkdir success=yes exit=0 a0=0x561dda91cd33 a1=0755 a2=0x1 a3=0x4000 items=2 ppid=1 pid=61279 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=keepalived exe=/usr/sbin/keepalived subj=system_u:system_r:keepalived_t:s0 key=(null) 
type=AVC msg=audit(06/30/2020 06:33:54.377:378) : avc:  denied  { create } for  pid=61279 comm=keepalived name=keepalived scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:keepalived_var_run_t:s0 tclass=dir permissive=1 
----
type=PROCTITLE msg=audit(06/30/2020 06:33:54.378:379) : proctitle=/usr/sbin/keepalived -D --namespace=pokus 
type=PATH msg=audit(06/30/2020 06:33:54.378:379) : item=0 name=/ inode=128 dev=fd:01 mode=dir,555 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:root_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(06/30/2020 06:33:54.378:379) : cwd=/ 
type=SYSCALL msg=audit(06/30/2020 06:33:54.378:379) : arch=x86_64 syscall=mount success=yes exit=0 a0=0x561dda92c403 a1=0x561dda91d92a a2=0x0 a3=MS_REC|MS_SLAVE items=1 ppid=1 pid=61279 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=keepalived exe=/usr/sbin/keepalived subj=system_u:system_r:keepalived_t:s0 key=(null) 
type=AVC msg=audit(06/30/2020 06:33:54.378:379) : avc:  denied  { mounton } for  pid=61279 comm=keepalived path=/ dev="vda1" ino=128 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1 
----
type=PROCTITLE msg=audit(06/30/2020 06:33:54.387:380) : proctitle=/usr/sbin/keepalived -D --namespace=pokus 
type=PATH msg=audit(06/30/2020 06:33:54.387:380) : item=0 name=/var/run/keepalived inode=84234 dev=00:18 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:keepalived_var_run_t:s0 nametype=NORMAL cap_fe=? cap_fver=? cap_fp=none cap_fi=none 
type=CWD msg=audit(06/30/2020 06:33:54.387:380) : cwd=/ 
type=SYSCALL msg=audit(06/30/2020 06:33:54.387:380) : arch=x86_64 syscall=umount2 success=yes exit=0 a0=0x561dda91cd33 a1=0x0 a2=0x0 a3=0x4000 items=1 ppid=1 pid=61280 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=keepalived exe=/usr/sbin/keepalived subj=system_u:system_r:keepalived_t:s0 key=(null) 
type=AVC msg=audit(06/30/2020 06:33:54.387:380) : avc:  denied  { unmount } for  pid=61280 comm=keepalived scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=1 
----
type=PROCTITLE msg=audit(06/30/2020 06:33:54.387:381) : proctitle=/usr/sbin/keepalived -D --namespace=pokus 
type=PATH msg=audit(06/30/2020 06:33:54.387:381) : item=1 name=/var/run/keepalived/pokus inode=84234 dev=00:18 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:keepalived_var_run_t:s0 nametype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(06/30/2020 06:33:54.387:381) : item=0 name=/var/run/keepalived/ inode=84233 dev=00:18 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:keepalived_var_run_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(06/30/2020 06:33:54.387:381) : cwd=/ 
type=SYSCALL msg=audit(06/30/2020 06:33:54.387:381) : arch=x86_64 syscall=rmdir success=yes exit=0 a0=0x561ddbaa9560 a1=0x0 a2=0x0 a3=0x4000 items=2 ppid=1 pid=61280 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=keepalived exe=/usr/sbin/keepalived subj=system_u:system_r:keepalived_t:s0 key=(null) 
type=AVC msg=audit(06/30/2020 06:33:54.387:381) : avc:  denied  { rmdir } for  pid=61280 comm=keepalived name=pokus dev="tmpfs" ino=84234 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:keepalived_var_run_t:s0 tclass=dir permissive=1 
----
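
As an added illustration (not code from this bug, from the keepalived project, or from the linked selinux-policy pull requests), the Python script below parses `ausearch -m avc -i` output of the kind shown in comments 7 and 8, groups the denials by source type, target type and object class, and prints the matching allow rules in .te syntax, marking which of them were actually hit in enforcing mode. The sample records are constructed copies of the AVC lines above, and the function names are this example's own. It also makes one triage point visible: in enforcing mode keepalived exited at the first denial (the mkdir), so the mounton, unmount and rmdir denials only surface in a permissive run, and a rule set derived from the enforcing-mode log alone would be incomplete.

```python
import re
from collections import defaultdict

# Constructed sample: AVC records in `ausearch -i` format, copied in shape from
# the keepalived namespace denials in this bug (one enforcing, four permissive).
SAMPLE_AVCS = """\
type=AVC msg=audit(06/30/2020 06:31:30.496:374) : avc:  denied  { create } for  pid=61250 comm=keepalived name=keepalived scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:keepalived_var_run_t:s0 tclass=dir permissive=0 
type=AVC msg=audit(06/30/2020 06:33:54.377:378) : avc:  denied  { create } for  pid=61279 comm=keepalived name=keepalived scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:keepalived_var_run_t:s0 tclass=dir permissive=1 
type=AVC msg=audit(06/30/2020 06:33:54.378:379) : avc:  denied  { mounton } for  pid=61279 comm=keepalived path=/ dev="vda1" ino=128 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1 
type=AVC msg=audit(06/30/2020 06:33:54.387:380) : avc:  denied  { unmount } for  pid=61280 comm=keepalived scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=1 
type=AVC msg=audit(06/30/2020 06:33:54.387:381) : avc:  denied  { rmdir } for  pid=61280 comm=keepalived name=pokus dev="tmpfs" ino=84234 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:keepalived_var_run_t:s0 tclass=dir permissive=1 
"""

# One AVC record: the braces hold one or more permissions, then the security
# contexts, the object class and (on newer kernels) the permissive flag.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?"
)


def type_of(context):
    """Return the type field of a context: user:role:type:range -> type."""
    return context.split(":")[2]


def parse_avcs(text):
    """Extract the fields a policy writer needs from each AVC line."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # PATH, SYSCALL, CWD and separator lines carry no denial
        records.append({
            "perms": set(m.group("perms").split()),
            "source": type_of(m.group("scontext")),
            "target": type_of(m.group("tcontext")),
            "tclass": m.group("tclass"),
            "permissive": m.group("permissive") == "1",
        })
    return records


def summarize(records):
    """Merge denials that share (source type, target type, object class).

    'enforced' is True when at least one of the merged records was logged
    with permissive=0, i.e. the access was really blocked, not just audited.
    """
    groups = defaultdict(lambda: {"perms": set(), "enforced": False})
    for r in records:
        g = groups[(r["source"], r["target"], r["tclass"])]
        g["perms"] |= r["perms"]
        g["enforced"] |= not r["permissive"]
    return groups


def to_te_rules(groups):
    """Render each group as a .te allow rule with a provenance comment."""
    rules = []
    for (src, tgt, cls), g in sorted(groups.items()):
        perms = " ".join(sorted(g["perms"]))
        note = "blocked in enforcing mode" if g["enforced"] else "seen only in permissive mode"
        rules.append(f"allow {src} {tgt}:{cls} {{ {perms} }};  # {note}")
    return rules


if __name__ == "__main__":
    import sys
    # Read real ausearch output from a pipe, otherwise fall back to the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_AVCS
    for rule in to_te_rules(summarize(parse_avcs(text))):
        print(rule)
```

Run it directly to see the three rules derived from the sample, or feed live data with `ausearch -m avc -i -ts recent | python3 avc_to_te.py` (the file name is an assumption). The output is a starting point for review rather than a finished module: `audit2allow` performs the same translation and additionally reports interfaces and booleans that already cover an access, and a rule such as `allow keepalived_t root_t:dir mounton` is broad enough that the reason the daemon needs it (here, setting up the per-namespace `/var/run/keepalived` mount) should be understood before it is shipped.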

Comment 11 Zdenek Pytela 2020-07-02 10:29:18 UTC
I've submitted a Fedora PR to address the mkdir/rmdir part:
https://github.com/fedora-selinux/selinux-policy-contrib/pull/290

I can't see any mounton or tmpfs denial.

Comment 19 Milos Malik 2020-07-10 12:20:29 UTC
I tried to run keepalived in a namespace without using the --namespace command line option:

# ip netns list
pokus
# grep namespace /etc/keepalived/keepalived.conf 
   net_namespace pokus
# service keepalived status
Redirecting to /bin/systemctl status keepalived.service
● keepalived.service - LVS and VRRP High Availability Monitor
   Loaded: loaded (/usr/lib/systemd/system/keepalived.service; disabled; vendor preset: disabled)
   Active: active (running) since Fri 2020-07-10 08:05:40 EDT; 9min ago
  Process: 21057 ExecStart=/usr/sbin/keepalived $KEEPALIVED_OPTIONS (code=exited, status=0/SUCCESS)
 Main PID: 21058 (keepalived)
    Tasks: 1 (limit: 11396)
   Memory: 3.3M
   CGroup: /system.slice/keepalived.service
           └─21058 /usr/sbin/keepalived -D

Jul 10 08:05:40 ci-vm-10-0-138-240.hosted.upshift.rdu2.redhat.com Keepalived[21057]: Command line: '/usr/sbin/keepalived' '-D'
Jul 10 08:05:40 ci-vm-10-0-138-240.hosted.upshift.rdu2.redhat.com Keepalived[21057]: Opening file '/etc/keepalived/keepalived.conf'.
Jul 10 08:05:40 ci-vm-10-0-138-240.hosted.upshift.rdu2.redhat.com Keepalived[21057]: (Line 12) number '0' outside range [1e-06, 4294]
Jul 10 08:05:40 ci-vm-10-0-138-240.hosted.upshift.rdu2.redhat.com Keepalived[21057]: (Line 12) vrrp_garp_interval '0' is invalid
Jul 10 08:05:40 ci-vm-10-0-138-240.hosted.upshift.rdu2.redhat.com Keepalived[21057]: (Line 13) number '0' outside range [1e-06, 4294]
Jul 10 08:05:40 ci-vm-10-0-138-240.hosted.upshift.rdu2.redhat.com Keepalived[21057]: (Line 13) vrrp_gna_interval '0' is invalid
Jul 10 08:05:40 ci-vm-10-0-138-240.hosted.upshift.rdu2.redhat.com Keepalived[21057]: (Line 14) Unknown keyword 'net_namespace'
Jul 10 08:05:40 ci-vm-10-0-138-240.hosted.upshift.rdu2.redhat.com systemd[1]: keepalived.service: Can't open PID file /var/run/keepalived.pid (yet?) after s…directory
Jul 10 08:05:40 ci-vm-10-0-138-240.hosted.upshift.rdu2.redhat.com Keepalived[21058]: Warning - keepalived has no configuration to run
Jul 10 08:05:40 ci-vm-10-0-138-240.hosted.upshift.rdu2.redhat.com systemd[1]: Started LVS and VRRP High Availability Monitor.
Hint: Some lines were ellipsized, use -l to show in full.
# 

What I find interesting is this line:

Keepalived[21057]: (Line 14) Unknown keyword 'net_namespace'

Comment 21 Milos Malik 2020-07-10 12:40:45 UTC
# rpm -qa keepalived\*
keepalived-2.0.10-11.el8.x86_64
# man keepalived.conf | col -b | grep -i namespace
       # keepalived in a separate network namespace:
       # Set the network namespace to run in.
       # Note: the namespace cannot be changed on a configuration reload.
       net_namespace NAME
       # ipsets wasn't network namespace aware until Linux 3.13, and so
       # use of ipsets is disabled if using a namespace and vrrp_ipsets
       # allows ipsets to be used with a namespace on kernels prior to 3.13.
       namespace_with_ipsets
       # If multiple instances of keepalived are run in the same namespace,
#

But the man page claims that net_namespace is recognized in Global definitions section.

Comment 42 errata-xmlrpc 2020-11-04 01:56:06 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4528