Description of problem:

Version-Release number of selected component (if applicable):
keepalived-2.1.5-3.fc33.x86_64
selinux-policy-3.14.6-34.fc33.noarch
selinux-policy-targeted-3.14.6-34.fc33.noarch

How reproducible:
* always

Steps to Reproduce:
1. get a Fedora 33 machine (targeted policy is active)
2. configure the keepalived service to use a namespace
3. start the keepalived service
4. search for SELinux denials

Actual results (enforcing mode):
----
type=PROCTITLE msg=audit(01/27/2021 18:49:34.632:1025) : proctitle=/usr/sbin/keepalived -D --namespace=testns30699
type=PATH msg=audit(01/27/2021 18:49:34.632:1025) : item=0 name=/run/netns/testns30699 inode=4026532337 dev=00:04 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:nsfs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(01/27/2021 18:49:34.632:1025) : cwd=/
type=SYSCALL msg=audit(01/27/2021 18:49:34.632:1025) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x5649bb5270a0 a2=O_RDONLY a3=0x0 items=1 ppid=1 pid=18663 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=keepalived exe=/usr/sbin/keepalived subj=system_u:system_r:keepalived_t:s0 key=(null)
type=AVC msg=audit(01/27/2021 18:49:34.632:1025) : avc: denied { read } for pid=18663 comm=keepalived dev="nsfs" ino=4026532337 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=0
----

Expected results:
* the keepalived service runs successfully with --namespace option
* the keepalived service does not trigger any SELinux denials

Following SELinux denials appeared in permissive mode:
----
type=PROCTITLE msg=audit(01/27/2021 19:06:39.990:1208) : proctitle=/usr/sbin/keepalived -D --namespace=testns18060
type=PATH msg=audit(01/27/2021 19:06:39.990:1208) : item=1 name=/run/keepalived/keepalived.pid inode=1810 dev=00:19 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:keepalived_var_run_t:s0 nametype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(01/27/2021 19:06:39.990:1208) : item=0 name=/run/keepalived/ inode=1809 dev=00:19 mode=dir,600 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:keepalived_var_run_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(01/27/2021 19:06:39.990:1208) : cwd=/
type=SYSCALL msg=audit(01/27/2021 19:06:39.990:1208) : arch=x86_64 syscall=unlink success=yes exit=0 a0=0x55d2536b0ce0 a1=0x55d2538a52f0 a2=0x2 a3=0x8 items=2 ppid=1 pid=23987 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=keepalived exe=/usr/sbin/keepalived subj=system_u:system_r:keepalived_t:s0 key=(null)
type=AVC msg=audit(01/27/2021 19:06:39.990:1208) : avc: denied { dac_override } for pid=23987 comm=keepalived capability=dac_override scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:system_r:keepalived_t:s0 tclass=capability permissive=1
----
type=PROCTITLE msg=audit(01/27/2021 19:06:40.027:1210) : proctitle=/usr/sbin/keepalived -D --namespace=testns18060
type=PATH msg=audit(01/27/2021 19:06:40.027:1210) : item=0 name=/run/netns/testns18060 inode=4026532337 dev=00:04 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:nsfs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(01/27/2021 19:06:40.027:1210) : cwd=/
type=SYSCALL msg=audit(01/27/2021 19:06:40.027:1210) : arch=x86_64 syscall=openat success=yes exit=4 a0=0xffffff9c a1=0x5633e549b0a0 a2=O_RDONLY a3=0x0 items=1 ppid=1 pid=24691 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=keepalived exe=/usr/sbin/keepalived subj=system_u:system_r:keepalived_t:s0 key=(null)
type=AVC msg=audit(01/27/2021 19:06:40.027:1210) : avc: denied { open } for pid=24691 comm=keepalived path=/run/netns/testns18060 dev="nsfs" ino=4026532337 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(01/27/2021 19:06:40.027:1210) : avc: denied { read } for pid=24691 comm=keepalived dev="nsfs" ino=4026532337 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=1
----
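The AVC records above are the substance of this report. As an added example (not code from the bug report or from the Fedora selinux-policy PR), here is a small parser that merges those records, audit2allow-style, into the allow rules the policy would need, and marks which denial actually blocked the service in enforcing mode (permissive=0) as opposed to only being logged in permissive mode. The sample input is the four AVC lines quoted in this bug, embedded inline.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC records quoted in this bug (first from enforcing, rest from permissive mode).
AVC_LINES = [
    'type=AVC msg=audit(01/27/2021 18:49:34.632:1025) : avc: denied { read } for pid=18663 comm=keepalived dev="nsfs" ino=4026532337 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(01/27/2021 19:06:39.990:1208) : avc: denied { dac_override } for pid=23987 comm=keepalived capability=dac_override scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:system_r:keepalived_t:s0 tclass=capability permissive=1',
    'type=AVC msg=audit(01/27/2021 19:06:40.027:1210) : avc: denied { open } for pid=24691 comm=keepalived path=/run/netns/testns18060 dev="nsfs" ino=4026532337 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(01/27/2021 19:06:40.027:1210) : avc: denied { read } for pid=24691 comm=keepalived dev="nsfs" ino=4026532337 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=1',
]

# Pull the permission set, source/target contexts, object class and enforcement flag out of one AVC record.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?scontext=(?P<scon>\S+)\s+'
                    r'tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<perm>[01]))?')

def parse_avc(line):
    """Return (source_type, target_type, tclass, perms, enforced) or None for a non-AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    stype = m.group('scon').split(':')[2]   # user:role:type:level -> type
    ttype = m.group('tcon').split(':')[2]
    return stype, ttype, m.group('tclass'), set(m.group('perms').split()), m.group('perm') == '0'

def summarize(lines):
    """Merge denials by (source, target, class), like audit2allow, and remember if any was enforced."""
    rules = defaultdict(lambda: [set(), False])
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms, enforced = parsed
            rules[(stype, ttype, tclass)][0] |= perms
            rules[(stype, ttype, tclass)][1] |= enforced
    return dict(rules)

def format_rules(rules):
    """Render merged denials as allow rules; entries seen with permissive=0 are the ones that broke the service."""
    out = []
    for (stype, ttype, tclass), (perms, enforced) in sorted(rules.items()):
        target = 'self' if ttype == stype else ttype   # same source and target type is written as "self"
        plist = ' '.join(sorted(perms))
        plist = plist if len(perms) == 1 else '{ ' + plist + ' }'
        out.append(f'allow {stype} {target}:{tclass} {plist};' + ('  # denied in enforcing mode' if enforced else ''))
    return out

if __name__ == '__main__':
    for rule in format_rules(summarize(AVC_LINES)):
        print(rule)
```

Run against real data with `ausearch -m AVC -ts recent` piped in instead of the embedded list; the dac_override line only shows up in permissive mode, so it is a separate question from the nsfs_t read that actually stops keepalived.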
I've submitted a Fedora PR to address the issue: https://github.com/fedora-selinux/selinux-policy/pull/619
Backported to f33: https://github.com/fedora-selinux/selinux-policy-contrib/pull/389
FEDORA-2021-e9050fdd5c has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2021-e9050fdd5c
FEDORA-2021-e9050fdd5c has been pushed to the Fedora 33 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-e9050fdd5c` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-e9050fdd5c See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2021-e9050fdd5c has been pushed to the Fedora 33 stable repository. If problem still persists, please make note of it in this bug report.