Description of problem:
* the keepalived service seems to run successfully, but some SELinux denials are triggered

Version-Release number of selected component (if applicable):
keepalived-2.2.1-1.fc34.x86_64
selinux-policy-3.14.7-7.fc34.noarch
selinux-policy-targeted-3.14.7-7.fc34.noarch

How reproducible:
* always

Steps to Reproduce:
1. get a Fedora rawhide machine (targeted policy is active)
2. start the keepalived service
3. search for SELinux denials

Actual results:
----
type=PROCTITLE msg=audit(01/26/2021 03:53:32.558:418) : proctitle=/usr/sbin/keepalived -D
type=PATH msg=audit(01/26/2021 03:53:32.558:418) : item=0 name= inode=10 dev=00:01 mode=file,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmpfs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(01/26/2021 03:53:32.558:418) : cwd=/
type=SYSCALL msg=audit(01/26/2021 03:53:32.558:418) : arch=x86_64 syscall=newfstatat success=no exit=EACCES(Permission denied) a0=0x4 a1=0x7f1ceb32f522 a2=0x7ffea6154400 a3=0x1000 items=1 ppid=1 pid=1778 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=keepalived exe=/usr/sbin/keepalived subj=system_u:system_r:keepalived_t:s0 key=(null)
type=AVC msg=audit(01/26/2021 03:53:32.558:418) : avc: denied { getattr } for pid=1778 comm=keepalived path=/memfd:/keepalived/consolidated_configuration (deleted) dev="tmpfs" ino=10 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
----
type=PROCTITLE msg=audit(01/26/2021 03:53:32.560:419) : proctitle=/usr/sbin/keepalived -D
type=CWD msg=audit(01/26/2021 03:53:32.560:419) : cwd=/
type=SYSCALL msg=audit(01/26/2021 03:53:32.560:419) : arch=x86_64 syscall=write success=no exit=EACCES(Permission denied) a0=0x4 a1=0x55746ac79e70 a2=0x92e a3=0x10 items=0 ppid=1 pid=1778 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=keepalived exe=/usr/sbin/keepalived subj=system_u:system_r:keepalived_t:s0 key=(null)
type=AVC msg=audit(01/26/2021 03:53:32.560:419) : avc: denied { write } for pid=1778 comm=keepalived path=/memfd:/keepalived/consolidated_configuration (deleted) dev="tmpfs" ino=10 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
----
type=PROCTITLE msg=audit(01/26/2021 03:53:32.567:420) : proctitle=/usr/sbin/keepalived -D
type=PATH msg=audit(01/26/2021 03:53:32.567:420) : item=0 name=/proc/self/fd/4 inode=10 dev=00:01 mode=file,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmpfs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(01/26/2021 03:53:32.567:420) : cwd=/
type=SYSCALL msg=audit(01/26/2021 03:53:32.567:420) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x7ffea6154ae0 a2=O_RDONLY a3=0x0 items=1 ppid=1779 pid=1781 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=keepalived exe=/usr/sbin/keepalived subj=system_u:system_r:keepalived_t:s0 key=(null)
type=AVC msg=audit(01/26/2021 03:53:32.567:420) : avc: denied { read } for pid=1781 comm=keepalived dev="tmpfs" ino=10 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
----

Expected results:
* no SELinux denials

Additional info:
Following SELinux denials appeared in permissive mode:
----
type=PROCTITLE msg=audit(01/26/2021 04:22:50.490:583) : proctitle=/usr/sbin/keepalived -D
type=PATH msg=audit(01/26/2021 04:22:50.490:583) : item=0 name= inode=20 dev=00:01 mode=file,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmpfs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(01/26/2021 04:22:50.490:583) : cwd=/
type=SYSCALL msg=audit(01/26/2021 04:22:50.490:583) : arch=x86_64 syscall=newfstatat success=yes exit=0 a0=0x4 a1=0x7f95dfe8f522 a2=0x7ffe9e618220 a3=0x1000 items=1 ppid=1 pid=29535 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=keepalived exe=/usr/sbin/keepalived subj=system_u:system_r:keepalived_t:s0 key=(null)
type=AVC msg=audit(01/26/2021 04:22:50.490:583) : avc: denied { getattr } for pid=29535 comm=keepalived path=/memfd:/keepalived/consolidated_configuration (deleted) dev="tmpfs" ino=20 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
----
type=PROCTITLE msg=audit(01/26/2021 04:22:50.492:584) : proctitle=/usr/sbin/keepalived -D
type=CWD msg=audit(01/26/2021 04:22:50.492:584) : cwd=/
type=SYSCALL msg=audit(01/26/2021 04:22:50.492:584) : arch=x86_64 syscall=write success=yes exit=2350 a0=0x4 a1=0x564662d3be70 a2=0x92e a3=0x10 items=0 ppid=1 pid=29535 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=keepalived exe=/usr/sbin/keepalived subj=system_u:system_r:keepalived_t:s0 key=(null)
type=AVC msg=audit(01/26/2021 04:22:50.492:584) : avc: denied { write } for pid=29535 comm=keepalived path=/memfd:/keepalived/consolidated_configuration (deleted) dev="tmpfs" ino=20 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
----
type=PROCTITLE msg=audit(01/26/2021 04:22:50.498:585) : proctitle=/usr/sbin/keepalived -D
type=PATH msg=audit(01/26/2021 04:22:50.498:585) : item=0 name=/proc/self/fd/4 inode=20 dev=00:01 mode=file,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmpfs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(01/26/2021 04:22:50.498:585) : cwd=/
type=SYSCALL msg=audit(01/26/2021 04:22:50.498:585) : arch=x86_64 syscall=openat success=yes exit=9 a0=0xffffff9c a1=0x7ffe9e618900 a2=O_RDONLY a3=0x0 items=1 ppid=29536 pid=29538 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=keepalived exe=/usr/sbin/keepalived subj=system_u:system_r:keepalived_t:s0 key=(null)
type=AVC msg=audit(01/26/2021 04:22:50.498:585) : avc: denied { open } for pid=29538 comm=keepalived path=/memfd:/keepalived/consolidated_configuration (deleted) dev="tmpfs" ino=20 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(01/26/2021 04:22:50.498:585) : avc: denied { read } for pid=29538 comm=keepalived dev="tmpfs" ino=20 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
----
Brandon, It looks like the service starts successfully without access to the memfd resources, so does keepalived actually need it?
It isn't strictly necessary, but it would be preferred to have it. The short version is that the first process reads the configuration file and then needs to write a temporary "file" somewhere so that the subsequent processes use the identical configuration without reading the original file itself (in that bizarre situation where the file could be changed out from underneath it). The default for keepalived is to use a memfd-type file, but it will fall back to using the filesystem that includes KA_TMP_DIR (default /tmp). So, the reason it is working is that the fallback is working, but the correct thing to do here is to either allow memfd access, or keepalived will need to disable USE_MEMFD_CREATE_SYSCALL in the build.
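The mechanism Brandon describes, as an added illustration written for this page (it is not keepalived's own source): the parent creates a memfd, fstat()s and writes the parsed configuration into it, then forks; the child re-opens the inode through /proc/self/fd/N so it gets its own file offset and never touches the original config path. Each step is the syscall behind one of the AVCs above. The memfd name matches the path in the denials; the fallback file name under the tmp directory and the sample configuration are constructed for the example. The raw syscall is used instead of the glibc memfd_create() wrapper only so the example builds on any glibc.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef MFD_CLOEXEC
#define MFD_CLOEXEC 1U
#endif

/* Constructed sample; stands in for the parsed keepalived.conf. */
static const char SAMPLE_CONFIG[] =
    "vrrp_instance VI_1 {\n    state MASTER\n    interface eth0\n    virtual_router_id 51\n}\n";

/* Parent: create the shared "consolidated configuration" file.  A memfd is an
 * anonymous tmpfs-backed inode (the kernel prepends "memfd:" to the name), hence
 * path=/memfd:/keepalived/consolidated_configuration (deleted), dev="tmpfs" and
 * tcontext tmpfs_t in the AVCs.  If memfd creation fails (ENOSYS on old kernels)
 * fall back to an unlinked file under tmp_dir, the KA_TMP_DIR behaviour described
 * above; the fallback file name is this example's own choice.  Returns fd or -1. */
int create_consolidated_config(const char *tmp_dir, int *used_memfd)
{
    int fd = (int)syscall(SYS_memfd_create, "/keepalived/consolidated_configuration", MFD_CLOEXEC);
    if (used_memfd)
        *used_memfd = fd >= 0;
    if (fd >= 0)
        return fd;
    char path[4096];
    snprintf(path, sizeof path, "%s/keepalived_config.XXXXXX", tmp_dir);
    if ((fd = mkstemp(path)) >= 0)
        unlink(path);                 /* like the memfd: no name left on disk */
    return fd;
}

/* Parent: fstat() is the newfstatat -> { getattr } denial, write() the { write }
 * denial.  Returns 0 on success, -1 on error. */
int write_consolidated_config(int fd, const char *config)
{
    struct stat st;
    if (fstat(fd, &st) < 0)
        return -1;
    for (size_t len = strlen(config), done = 0; done < len;) {
        ssize_t n = write(fd, config + done, len - done);
        if (n > 0)
            done += (size_t)n;
        else if (n < 0 && errno != EINTR)
            return -1;
    }
    return 0;
}

/* Child: the inherited fd shares the parent's offset (now at EOF), so re-open
 * the inode via /proc/self/fd/<n> for a fresh description at offset 0.  That
 * openat() is the third denial: { open } and { read } on the same tmpfs_t inode.
 * Returns bytes read (at most bufsz-1, NUL-terminated) or -1. */
ssize_t read_consolidated_config(int fd, char *buf, size_t bufsz)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/self/fd/%d", fd);
    int rfd = open(path, O_RDONLY | O_CLOEXEC);
    if (rfd < 0)
        return -1;
    size_t total = 0;
    for (ssize_t n = 1; n != 0 && total < bufsz - 1;) {
        n = read(rfd, buf + total, bufsz - 1 - total);
        if (n > 0)
            total += (size_t)n;
        else if (n < 0 && errno != EINTR) { close(rfd); return -1; }
    }
    close(rfd);
    buf[total] = '\0';
    return (ssize_t)total;
}

/* The keepalived-style exchange: parent writes, forks, child re-reads and
 * compares.  Returns 1 when the child's copy is byte-identical, else 0. */
int demo_roundtrip(const char *tmp_dir, int *used_memfd)
{
    int fd = create_consolidated_config(tmp_dir, used_memfd);
    if (fd < 0)
        return 0;
    pid_t pid = write_consolidated_config(fd, SAMPLE_CONFIG) == 0 ? fork() : -1;
    if (pid == 0) {                   /* child: same fd number, shared offset */
        char buf[256];
        ssize_t n = read_consolidated_config(fd, buf, sizeof buf);
        _exit(n == (ssize_t)strlen(SAMPLE_CONFIG) && strcmp(buf, SAMPLE_CONFIG) == 0 ? 0 : 1);
    }
    int status = -1;
    if (pid > 0)
        waitpid(pid, &status, 0);
    close(fd);
    return pid > 0 && WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

int main(void)
{
    int used_memfd = 0, ok = demo_roundtrip("/tmp", &used_memfd);
    printf("%s (%s)\n", ok ? "child read identical config" : "round trip FAILED",
           used_memfd ? "memfd" : "KA_TMP_DIR fallback");
    return ok ? 0 : 1;
}
```

Reading the AVCs against this: the four permissions keepalived_t needs on the tmpfs_t inode are getattr, write, open and read. In enforcing mode the openat() record shows only { read } because SELinux stops at the first failing check; in permissive mode nothing fails, so both { open } and { read } are logged for the same call. Before the distribution policy carries the fix, audit2allow would turn these records into `allow keepalived_t tmpfs_t:file { getattr open read write };` in a local module; note that this is derived from the visible AVCs, not the content of the linked PR, and that it is broader than a memfd-only allow because it covers any tmpfs_t file keepalived_t can reach. After updating selinux-policy, `sesearch -A -s keepalived_t -t tmpfs_t -c file` (from setools) confirms the rule is present, and the memfd path can be verified by checking that no further keepalived AVCs appear after a restart.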
Thank you Brandon for the explanation, this is sufficient justification.
I think this is a problem with Fedora, too, as I recently encountered something that seems similar (same?) with the keepalived 2.2.x. Do I need to clone this for F34/rawhide?
This bug is a Fedora 34/rawhide bug. No need to clone it.
This bug appears to have been reported against 'rawhide' during the Fedora 34 development cycle. Changing version to 34.
I've submitted a Fedora PR to address the issue: https://github.com/fedora-selinux/selinux-policy/pull/618
commit e9818096e91db46008fc5a0c76d9bbc4f8a55763 (HEAD -> rawhide, upstream/rawhide)
Author: Zdenek Pytela <zpytela>
Date:   Thu Feb 25 21:03:19 2021 +0100

    Allow keepalived read/write its private memfd: objects

    Keepalived version 2.2 requires read and write access to the
    /memfd:/keepalived/consolidated_configuration file. Without this access,
    a fallback tmpdir file access is used, but the preferred way is memfd.

    Resolves: rhbz#1920397
FEDORA-2021-1cb3d5cac1 has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-1cb3d5cac1
FEDORA-2021-1cb3d5cac1 has been pushed to the Fedora 34 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-1cb3d5cac1` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-1cb3d5cac1 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2021-1e99f2ed79 has been pushed to the Fedora 34 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-1e99f2ed79` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-1e99f2ed79 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2021-1e99f2ed79 has been pushed to the Fedora 34 stable repository. If problem still persists, please make note of it in this bug report.