Bug 1891895 - keepalived can't start due to selinux, due node_bind error
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 33
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
Duplicates: 1890474
Blocks: 1895130
Reported: 2020-10-27 15:48 UTC by Michael S.
Modified: 2020-11-11 01:20 UTC
Fixed In Version: selinux-policy-3.14.6-30.fc33
Last Closed: 2020-11-11 01:20:23 UTC
Type: Bug

Description Michael S. 2020-10-27 15:48:03 UTC
Description of problem:

I just upgraded my firewalls to F33, and keepalived fails to start.

Version-Release number of selected component (if applicable):


How reproducible:

each time

Steps to Reproduce:
1. deploy keepalived with unicast_src_ip
2. start it
3.

Actual results:
fails with an error message:

oct. 27 15:29:24 mune.rht.gluster.org Keepalived_vrrp[624]: bind unicast_src 8.43.85.180 failed 13 - Permission denied
oct. 27 15:29:24 mune.rht.gluster.org Keepalived_vrrp[624]: (VLAN_PUBLIC): entering FAULT state (src address not configured)
oct. 27 15:29:24 mune.rht.gluster.org Keepalived_vrrp[624]: (VLAN_PUBLIC) Entering FAULT STATE
oct. 27 15:29:24 mune.rht.gluster.org Keepalived_vrrp[624]: VRRP_Group(VG1) Syncing instances to FAULT state
oct. 27 15:29:24 mune.rht.gluster.org Keepalived_vrrp[624]: (VLAN_COMMON) Entering FAULT STATE
oct. 27 15:29:24 mune.rht.gluster.org Keepalived_vrrp[624]: bind unicast_src 172.24.1.180 failed 13 - Permission denied
oct. 27 15:29:24 mune.rht.gluster.org Keepalived_vrrp[624]: (VLAN_COMMON) Entering FAULT STATE


Expected results:

do not fail

Additional info:

with setenforce 0, it works fine and does not produce any other error messages so far.

AVC log:

[root@mune ~]# grep -a AVC /var/log/audit/audit.log |grep keepaliv 
type=AVC msg=audit(1603812564.134:132): avc:  denied  { node_bind } for  pid=624 comm="keepalived" saddr=8.43.85.180 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=rawip_socket permissive=0
type=AVC msg=audit(1603812564.134:133): avc:  denied  { node_bind } for  pid=624 comm="keepalived" saddr=172.24.1.180 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=rawip_socket permissive=0
type=AVC msg=audit(1603812880.165:124): avc:  denied  { node_bind } for  pid=615 comm="keepalived" saddr=8.43.85.180 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=rawip_socket permissive=0
type=AVC msg=audit(1603812880.165:125): avc:  denied  { node_bind } for  pid=615 comm="keepalived" saddr=172.24.1.180 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=rawip_socket permissive=0
type=AVC msg=audit(1603812916.619:182): avc:  denied  { node_bind } for  pid=825 comm="keepalived" saddr=8.43.85.180 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=rawip_socket permissive=1


audit2allow: 

[root@mune ~]# grep -a AVC /var/log/audit/audit.log |grep keepaliv |audit2allow -
#============= keepalived_t ==============
allow keepalived_t node_t:rawip_socket node_bind;



I guess I am missing a corenet_raw_bind_generic_node(keepalived_t) line; I will send a PR later tonight.

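Added example (not part of this report or of the selinux-policy project): a small Python parser for AVC records of the shape shown above. It rebuilds the audit2allow-style rule from the denials and separates the permissive=0 records, which actually blocked keepalived, from the permissive=1 record logged after setenforce 0. The sample records are constructed from the values in this report; the extra SYSCALL line is there only to show that non-AVC records are skipped.

```python
import re
from collections import defaultdict

# Constructed sample input: three AVC records shaped like the ones in this report plus one non-AVC line.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1603812564.134:132): avc:  denied  { node_bind } for  pid=624 comm="keepalived" saddr=8.43.85.180 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=rawip_socket permissive=0
type=AVC msg=audit(1603812564.134:133): avc:  denied  { node_bind } for  pid=624 comm="keepalived" saddr=172.24.1.180 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=rawip_socket permissive=0
type=AVC msg=audit(1603812916.619:182): avc:  denied  { node_bind } for  pid=825 comm="keepalived" saddr=8.43.85.180 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=rawip_socket permissive=1
type=SYSCALL msg=audit(1603812564.134:132): arch=c000003e syscall=49 success=no exit=-13 comm="keepalived"
"""

AVC_RE = re.compile(
    r'^type=AVC .*avc:\s+(?P<verdict>\w+)\s+\{ (?P<perms>[^}]+) \} .*comm="(?P<comm>[^"]*)"'
    r' .*scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
    r' permissive=(?P<permissive>[01])')

def parse_avc(text):
    """Parse audit.log text into one dict per AVC record; other record types are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["perms"] = rec["perms"].split()           # "{ a b }" -> ["a", "b"]
            rec["permissive"] = rec["permissive"] == "1"  # True: logged only, not blocked
            records.append(rec)
    return records

def selinux_type(context):
    """system_u:system_r:keepalived_t:s0 -> keepalived_t (the type is the third field)."""
    return context.split(":")[2]

def enforced_denials(records):
    """Denials that actually blocked the caller, i.e. recorded while enforcing (permissive=0)."""
    return [r for r in records if r["verdict"] == "denied" and not r["permissive"]]

def allow_rules(records):
    """Collapse denials into audit2allow-style rules, one per (source type, target type, class)."""
    perms = defaultdict(set)
    for r in records:
        if r["verdict"] == "denied":
            key = (selinux_type(r["scontext"]), selinux_type(r["tcontext"]), r["tclass"])
            perms[key].update(r["perms"])
    rules = []
    for (src, tgt, cls), p in sorted(perms.items()):
        p = sorted(p)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules
```

The generated rule is what audit2allow prints here; in the shipped policy the same access is granted through the corenet_raw_bind_generic_node() interface rather than a raw allow rule.
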
Comment 1 Michael S. 2020-10-27 16:40:52 UTC
Submitted https://github.com/fedora-selinux/selinux-policy-contrib/pull/351 for F33, not sure if you want me to also do a PR for rawhide right now

Comment 2 Zdenek Pytela 2020-10-27 17:16:18 UTC
commit dfd08a5bd959e70dfb78bcba788a19133ecaabe3 (HEAD -> f33, upstream/f33)
Author: Michael Scherer <misc>
Date:   Tue Oct 27 17:15:25 2020 +0100

    Let keepalived bind a raw socket
    
    See https://bugzilla.redhat.com/show_bug.cgi?id=1891895

Comment 3 Milos Malik 2020-10-27 17:33:28 UTC
I believe this bug is a duplicate of BZ#1890474.

Comment 4 Zdenek Pytela 2020-10-27 18:56:42 UTC
Good catch, Milos.

Comment 5 Zdenek Pytela 2020-10-27 18:56:56 UTC
*** Bug 1890474 has been marked as a duplicate of this bug. ***

Comment 7 Fedora Update System 2020-11-09 15:12:20 UTC
FEDORA-2020-ce67596732 has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2020-ce67596732

Comment 8 Fedora Update System 2020-11-10 02:19:32 UTC
FEDORA-2020-ce67596732 has been pushed to the Fedora 33 testing repository.
In a short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-ce67596732`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-ce67596732

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 9 Fedora Update System 2020-11-11 01:20:23 UTC
FEDORA-2020-ce67596732 has been pushed to the Fedora 33 stable repository.
If the problem still persists, please make note of it in this bug report.
