Bug 1890474 - SELinux prevents keepalived from binding a rawip_socket
Summary: SELinux prevents keepalived from binding a rawip_socket
Keywords:
Status: CLOSED DUPLICATE of bug 1891895
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: x86_64
OS: Linux
unspecified
unspecified
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-10-22 10:41 UTC by Morten Stevens
Modified: 2020-11-10 07:27 UTC (History)
8 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2020-10-27 18:56:56 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)

Description Morten Stevens 2020-10-22 10:41:51 UTC 
Description of problem:

type=AVC msg=audit(1603362524.779:609): avc:  denied  { node_bind } for  pid=1396 comm="keepalived" saddr=224.0.0.18 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=rawip_socket permissive=1


Version-Release number of selected component (if applicable):

selinux-policy-3.14.7-5.fc34.noarch
keepalived-2.1.5-3.fc34.x86_64
Comment 1 Milos Malik 2020-10-22 12:14:37 UTC 
Following SELinux denial appeared in enforcing mode:
----
type=PROCTITLE msg=audit(10/22/2020 08:13:00.964:586) : proctitle=/usr/sbin/keepalived -D 
type=SOCKADDR msg=audit(10/22/2020 08:13:00.964:586) : saddr={ saddr_fam=inet laddr=224.0.0.18 lport=0 } 
type=SYSCALL msg=audit(10/22/2020 08:13:00.964:586) : arch=x86_64 syscall=bind success=no exit=EACCES(Permission denied) a0=0xb a1=0x55bffc5bea08 a2=0x10 a3=0x7ffd12641a90 items=0 ppid=31379 pid=31381 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=keepalived exe=/usr/sbin/keepalived subj=system_u:system_r:keepalived_t:s0 key=(null) 
type=AVC msg=audit(10/22/2020 08:13:00.964:586) : avc:  denied  { node_bind } for  pid=31381 comm=keepalived saddr=224.0.0.18 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=rawip_socket permissive=0 
----
Comment 2 Milos Malik 2020-10-22 12:17:42 UTC 
The only SELinux denial which appeared in permissive mode is:
----
type=PROCTITLE msg=audit(10/22/2020 08:16:12.721:590) : proctitle=/usr/sbin/keepalived -D 
type=SOCKADDR msg=audit(10/22/2020 08:16:12.721:590) : saddr={ saddr_fam=inet laddr=224.0.0.18 lport=0 } 
type=SYSCALL msg=audit(10/22/2020 08:16:12.721:590) : arch=x86_64 syscall=bind success=yes exit=0 a0=0xb a1=0x55da184faa08 a2=0x10 a3=0x7ffcb91e9c10 items=0 ppid=31428 pid=31430 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=keepalived exe=/usr/sbin/keepalived subj=system_u:system_r:keepalived_t:s0 key=(null) 
type=AVC msg=audit(10/22/2020 08:16:12.721:590) : avc:  denied  { node_bind } for  pid=31430 comm=keepalived saddr=224.0.0.18 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=rawip_socket permissive=1 
----
Comment 4 Zdenek Pytela 2020-10-27 18:56:56 UTC 

*** This bug has been marked as a duplicate of bug 1891895 ***
Note You need to log in before you can comment on or make changes to this bug.