Bug 2186759 - misconfigured selinux policy for keepalived triggers AVC denials when using track_file

Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: selinux-policy
Version: 9.2
Hardware: Unspecified
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Nobody
QA Contact: Milos Malik
Reported: 2023-04-14 11:07 UTC by Juraj Hrdlica
Modified: 2023-11-07 11:22 UTC
Fixed In Version: selinux-policy-38.1.22-1.el9
Doc Type: No Doc Update
Last Closed: 2023-11-07 08:52:21 UTC
Type: Bug
pm-rhel: mirror+

Links:
- GitHub fedora-selinux/selinux-policy pull 1824 (open): Allow keepalived watch var_run dirs (last updated 2023-08-10 13:02:23 UTC)
- Red Hat Issue Tracker RHELPLAN-154724 (last updated 2023-04-14 11:08:18 UTC)
- Red Hat Product Errata RHBA-2023:6617 (last updated 2023-11-07 08:52:30 UTC)

Description Juraj Hrdlica 2023-04-14 11:07:36 UTC
Description of problem:
misconfigured selinux policy for keepalived triggers AVC denials when using track_file inside keepalived.conf
The file itself is being created by keepalived.

Version-Release number of selected component (if applicable):
keepalived-2.2.4-6.el9.x86_64
selinux-policy-38.1.11-2.el9_2.noarch


How reproducible:
always


Steps to Reproduce:
1. Use track_file inside keepalived.conf:

$ cat /etc/keepalived/keepalived.conf 
track_file test_file {
    file /etc/keepalived/keepalived_tracked_file
    init_file 0 overwrite
}

vrrp_instance VRRP1 {
    @main state MASTER
    @main priority 128
    @backup state BACKUP
    @backup priority 127

    virtual_router_id 162
    interface ens3
    virtual_ipaddress { 10.37.167.246 }
    advert_int 1
    track_file { test_file weight -2 }

}

2. Start keepalived


Actual results:

$ ausearch -m AVC,USER_AVC -ts recent
----
time->Fri Apr 14 11:40:23 2023
type=PROCTITLE msg=audit(1681465223.065:3035): proctitle=2F7573722F7362696E2F6B656570616C69766564002D2D646F6E742D666F726B002D44002D2D636F6E6669672D6964006D61696E
type=PATH msg=audit(1681465223.065:3035): item=3 name=(null) inode=4963022 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1681465223.065:3035): item=2 name=(null) inode=4963040 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1681465223.065:3035): item=1 name=(null) nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1681465223.065:3035): item=0 name=(null) inode=4963040 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1681465223.065:3035): cwd="/etc/keepalived"
type=SYSCALL msg=audit(1681465223.065:3035): arch=c000003e syscall=257 success=yes exit=13 a0=ffffff9c a1=7ffc50b82030 a2=800c2 a3=180 items=4 ppid=127934 pid=127935 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="keepalived" exe="/usr/sbin/keepalived" subj=system_u:system_r:keepalived_t:s0 key=(null)
type=AVC msg=audit(1681465223.065:3035): avc:  denied  { write } for  pid=127935 comm="keepalived" path="/etc/keepalived/keepalived_tracked_fileNDykHQ" dev="dm-0" ino=4963022 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1681465223.065:3035): avc:  denied  { create } for  pid=127935 comm="keepalived" name="keepalived_tracked_fileNDykHQ" scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1681465223.065:3035): avc:  denied  { add_name } for  pid=127935 comm="keepalived" name="keepalived_tracked_fileNDykHQ" scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1681465223.065:3035): avc:  denied  { write } for  pid=127935 comm="keepalived" name="keepalived" dev="dm-0" ino=4963040 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
----
time->Fri Apr 14 11:40:23 2023
type=PROCTITLE msg=audit(1681465223.066:3036): proctitle=2F7573722F7362696E2F6B656570616C69766564002D2D646F6E742D666F726B002D44002D2D636F6E6669672D6964006D61696E
type=SYSCALL msg=audit(1681465223.066:3036): arch=c000003e syscall=91 success=yes exit=0 a0=d a1=180 a2=0 a3=180 items=0 ppid=127934 pid=127935 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="keepalived" exe="/usr/sbin/keepalived" subj=system_u:system_r:keepalived_t:s0 key=(null)
type=AVC msg=audit(1681465223.066:3036): avc:  denied  { setattr } for  pid=127935 comm="keepalived" name="keepalived_tracked_fileNDykHQ" dev="dm-0" ino=4963022 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
----
time->Fri Apr 14 11:40:23 2023
type=PROCTITLE msg=audit(1681465223.066:3037): proctitle=2F7573722F7362696E2F6B656570616C69766564002D2D646F6E742D666F726B002D44002D2D636F6E6669672D6964006D61696E
type=PATH msg=audit(1681465223.066:3037): item=1 name=(null) inode=4963022 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1681465223.066:3037): item=0 name=(null) inode=4963040 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1681465223.066:3037): cwd="/etc/keepalived"
type=SYSCALL msg=audit(1681465223.066:3037): arch=c000003e syscall=82 success=yes exit=0 a0=7ffc50b82030 a1=5591fbb1b270 a2=0 a3=180 items=2 ppid=127934 pid=127935 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="keepalived" exe="/usr/sbin/keepalived" subj=system_u:system_r:keepalived_t:s0 key=(null)
type=AVC msg=audit(1681465223.066:3037): avc:  denied  { unlink } for  pid=127935 comm="keepalived" name="keepalived_tracked_file" dev="dm-0" ino=4963020 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1681465223.066:3037): avc:  denied  { rename } for  pid=127935 comm="keepalived" name="keepalived_tracked_fileNDykHQ" dev="dm-0" ino=4963022 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1681465223.066:3037): avc:  denied  { remove_name } for  pid=127935 comm="keepalived" name="keepalived_tracked_fileNDykHQ" dev="dm-0" ino=4963022 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
----
time->Fri Apr 14 11:40:23 2023
type=PROCTITLE msg=audit(1681465223.069:3039): proctitle=2F7573722F7362696E2F6B656570616C69766564002D2D646F6E742D666F726B002D44002D2D636F6E6669672D6964006D61696E
type=SYSCALL msg=audit(1681465223.069:3039): arch=c000003e syscall=254 success=yes exit=1 a0=c a1=5591fbb28dc0 a2=2c8 a3=63 items=0 ppid=127934 pid=127935 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="keepalived" exe="/usr/sbin/keepalived" subj=system_u:system_r:keepalived_t:s0 key=(null)
type=AVC msg=audit(1681465223.069:3039): avc:  denied  { watch } for  pid=127935 comm="keepalived" path="/etc/keepalived" dev="dm-0" ino=4963040 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1


Expected results:
No denials

Comment 1 Milos Malik 2023-04-14 12:14:14 UTC
Is there a default location for the tracked file?

For example: the /var/lib/keepalived/keepalived_tracked_file location (when used in the keepalived configuration file) does not trigger any SELinux denials.

Comment 2 Juraj Hrdlica 2023-04-14 13:20:02 UTC
Keepalived doesn't create directories if they don't exist, and as /var/lib/keepalived does not exist by default after the installation, I would guess it didn't even attempt to create the file; therefore there are no denials to be observed.
journalctl shows `Keepalived_vrrp[138272]: Unable to open '/var/lib/keepalived/keepalived_tracked_file' - errno 2 (No such file or directory)` at least in my case.

As for your question I do not believe there is a default location for the tracked file, `/etc/keepalived/` is the place that contains the conf file by default so it made sense for me to use that.

Comment 4 Milos Malik 2023-04-25 16:44:10 UTC
SELinux policy defines the following keepalived related types:

# seinfo -t | grep keepalived
   keepalived_exec_t
   keepalived_t
   keepalived_tmp_t
   keepalived_tmpfs_t
   keepalived_unconfined_script_exec_t
   keepalived_unconfined_script_t
   keepalived_unit_file_t
   keepalived_var_run_t
#

Least resistance approach: we can choose from already defined SELinux types and locations.

# semanage fcontext -l | grep keepalived_var_run_t
/var/run/keepalived.*                              all files          system_u:object_r:keepalived_var_run_t:s0 
#

Let's modify the keepalived configuration file accordingly:

# grep track /etc/keepalived/keepalived.conf 
track_file test_file {
    file /var/run/keepalived_tracked_file
    track_file { test_file weight -2 }
#

Let's see if that's enough:

# service keepalived status
Redirecting to /bin/systemctl status keepalived.service
○ keepalived.service - LVS and VRRP High Availability Monitor
     Loaded: loaded (/usr/lib/systemd/system/keepalived.service; disabled; preset: disabled)
     Active: inactive (dead)
# service keepalived start
Redirecting to /bin/systemctl start keepalived.service
# ls -Zl /var/run/keepalived*
-rw-r--r--. 1 root root system_u:object_r:keepalived_var_run_t:s0 5 Apr 25 12:32 /var/run/keepalived.pid
-rw-------. 1 root root system_u:object_r:keepalived_var_run_t:s0 2 Apr 25 12:32 /var/run/keepalived_tracked_file
#

The keepalived service starts and runs successfully in enforcing mode, but the following SELinux denial appears:

----
type=PROCTITLE msg=audit(04/25/2023 12:32:20.139:313) : proctitle=/usr/sbin/keepalived --dont-fork -D 
type=SYSCALL msg=audit(04/25/2023 12:32:20.139:313) : arch=x86_64 syscall=inotify_add_watch success=no exit=EACCES(Permission denied) a0=0xc a1=0x556008bf5660 a2=0x2c8 a3=0x20bf0 items=0 ppid=4751 pid=4753 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=keepalived exe=/usr/sbin/keepalived subj=system_u:system_r:keepalived_t:s0 key=(null) 
type=AVC msg=audit(04/25/2023 12:32:20.139:313) : avc:  denied  { watch } for  pid=4753 comm=keepalived path=/run dev="tmpfs" ino=1 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=0 
----

SELinux QE conclusion:
Either we use an existing type+location or we define a new type+location. Both options require an allow rule with watch permission to be added into SELinux policy. For example:

# cat testpolicy.cil 
( allow keepalived_t var_run_t ( dir ( search )))

# semodule -i testpolicy.cil 
# semodule -lfull | grep testpolicy
400 testpolicy                     cil
#

Comment 5 Nikola Knazekova 2023-08-08 16:08:11 UTC
I created a PR to allow keepalived to watch /var/run dirs: https://github.com/fedora-selinux/selinux-policy/pull/1824

Please use the /var/run location for keepalived_tracked_file as described in #c4

Comment 7 Milos Malik 2023-08-10 13:12:36 UTC
When the track_file is located in /var/run directory, the following SELinux denials appear in enforcing mode:
----
type=PROCTITLE msg=audit(08/10/2023 09:04:46.997:352) : proctitle=/usr/sbin/keepalived --dont-fork -D 
type=PATH msg=audit(08/10/2023 09:04:46.997:352) : item=0 name=/run/ inode=1 dev=00:18 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(08/10/2023 09:04:46.997:352) : cwd=/ 
type=SYSCALL msg=audit(08/10/2023 09:04:46.997:352) : arch=x86_64 syscall=inotify_add_watch success=no exit=EACCES(Permission denied) a0=0xb a1=0x555c2a39eba0 a2=0x2c8 a3=0x20950 items=1 ppid=4781 pid=4783 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=keepalived exe=/usr/sbin/keepalived subj=system_u:system_r:keepalived_t:s0 key=(null) 
type=AVC msg=audit(08/10/2023 09:04:46.997:352) : avc:  denied  { watch } for  pid=4783 comm=keepalived path=/run dev="tmpfs" ino=1 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=0 
----
type=PROCTITLE msg=audit(08/10/2023 09:04:46.997:353) : proctitle=/usr/sbin/keepalived --dont-fork -D 
type=PATH msg=audit(08/10/2023 09:04:46.997:353) : item=0 name=/run inode=1 dev=00:18 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(08/10/2023 09:04:46.997:353) : cwd=/etc/keepalived 
type=SYSCALL msg=audit(08/10/2023 09:04:46.997:353) : arch=x86_64 syscall=statfs success=no exit=EACCES(Permission denied) a0=0x555c2a3a4170 a1=0x7fffd7f84a20 a2=0x55597ff8e234 a3=0x0 items=1 ppid=4781 pid=4782 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=keepalived exe=/usr/sbin/keepalived subj=system_u:system_r:keepalived_t:s0 key=(null) 
type=AVC msg=audit(08/10/2023 09:04:46.997:353) : avc:  denied  { getattr } for  pid=4782 comm=keepalived name=/ dev="tmpfs" ino=1 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0 
----

# rpm -qa selinux\* keepalived\* | sort
keepalived-2.2.8-3.el9.x86_64
selinux-policy-38.1.18-1.el9.noarch
selinux-policy-targeted-38.1.18-1.el9.noarch
# mount | grep run
tmpfs on /run type tmpfs (rw,nosuid,nodev,seclabel,size=360844k,nr_inodes=819200,mode=755,inode64)
none on /run/credentials/systemd-sysctl.service type ramfs (ro,nosuid,nodev,noexec,relatime,seclabel,mode=700)
none on /run/credentials/systemd-tmpfiles-setup-dev.service type ramfs (ro,nosuid,nodev,noexec,relatime,seclabel,mode=700)
none on /run/credentials/systemd-tmpfiles-setup.service type ramfs (ro,nosuid,nodev,noexec,relatime,seclabel,mode=700)
tmpfs on /run/user/0 type tmpfs (rw,nosuid,nodev,relatime,seclabel,size=180420k,nr_inodes=45105,mode=700,inode64)
#

My apologies, I didn't notice the second AVC sooner.

Comment 8 Milos Malik 2023-08-10 13:14:46 UTC
The same SELinux denials appear in permissive mode:
----
type=PROCTITLE msg=audit(08/10/2023 09:13:46.699:360) : proctitle=/usr/sbin/keepalived --dont-fork -D 
type=PATH msg=audit(08/10/2023 09:13:46.699:360) : item=0 name=/run inode=1 dev=00:18 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(08/10/2023 09:13:46.699:360) : cwd=/etc/keepalived 
type=SYSCALL msg=audit(08/10/2023 09:13:46.699:360) : arch=x86_64 syscall=statfs success=yes exit=0 a0=0x55fe85983de0 a1=0x7ffc36d0e660 a2=0x55fbda706783 a3=0x0 items=1 ppid=4826 pid=4828 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=keepalived exe=/usr/sbin/keepalived subj=system_u:system_r:keepalived_t:s0 key=(null) 
type=AVC msg=audit(08/10/2023 09:13:46.699:360) : avc:  denied  { getattr } for  pid=4828 comm=keepalived name=/ dev="tmpfs" ino=1 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=1 
----
type=PROCTITLE msg=audit(08/10/2023 09:13:46.700:361) : proctitle=/usr/sbin/keepalived --dont-fork -D 
type=PATH msg=audit(08/10/2023 09:13:46.700:361) : item=0 name=/run/ inode=1 dev=00:18 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(08/10/2023 09:13:46.700:361) : cwd=/ 
type=SYSCALL msg=audit(08/10/2023 09:13:46.700:361) : arch=x86_64 syscall=inotify_add_watch success=yes exit=1 a0=0xb a1=0x55fe85978ba0 a2=0x2c8 a3=0x20950 items=1 ppid=4826 pid=4828 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=keepalived exe=/usr/sbin/keepalived subj=system_u:system_r:keepalived_t:s0 key=(null) 
type=AVC msg=audit(08/10/2023 09:13:46.700:361) : avc:  denied  { watch } for  pid=4828 comm=keepalived path=/run dev="tmpfs" ino=1 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1 
----
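As an added example (not code from the bug report, from keepalived or from selinux-policy), the following shell script derives the CIL allow rules that the denials in comments 4, 7 and 8 call for, in the same form as the testpolicy.cil module shown in comment 4; the audit records it parses are constructed from the AVC lines in comment 7, and the `avc_to_cil` function name is my own.

```shell
#!/bin/sh
# Added example, not part of the bug report or of selinux-policy: derive the
# CIL allow rules that the denials in comments 4, 7 and 8 call for, the way
# one would hand-write the testpolicy.cil module from comment 4.
# The sample audit records below are constructed from the AVC lines in
# comment 7 (plus one non-AVC record that must be ignored).

# Read audit records on stdin and print one de-duplicated CIL allow rule per
# "denied" AVC record: (allow <source type> <target type> (<class> (<perm>))).
avc_to_cil() {
    awk '
    /^type=AVC / && / denied / {
        perm = ""; s = ""; t = ""; c = ""
        # the permission set is printed as "{ watch }" (or "{ read write }")
        if (match($0, /[{] [a-z_ ]+ [}]/)) {
            perm = substr($0, RSTART + 2, RLENGTH - 4)
        }
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "scontext") s = kv[2]
            if (kv[1] == "tcontext") t = kv[2]
            if (kv[1] == "tclass")   c = kv[2]
        }
        # a context is user:role:type:level; CIL allow rules name the type only
        split(s, sp, ":"); split(t, tp, ":")
        rule = "(allow " sp[3] " " tp[3] " (" c " (" perm ")))"
        if (!(rule in seen)) { seen[rule] = 1; print rule }
    }'
}

# Constructed sample: the two denials from comment 7 plus a SYSCALL record.
SAMPLE_AVCS='type=SYSCALL msg=audit(08/10/2023 09:04:46.997:352) : arch=x86_64 syscall=inotify_add_watch success=no exit=EACCES(Permission denied) comm=keepalived subj=system_u:system_r:keepalived_t:s0
type=AVC msg=audit(08/10/2023 09:04:46.997:352) : avc:  denied  { watch } for  pid=4783 comm=keepalived path=/run dev="tmpfs" ino=1 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=0
type=AVC msg=audit(08/10/2023 09:04:46.997:353) : avc:  denied  { getattr } for  pid=4782 comm=keepalived name=/ dev="tmpfs" ino=1 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0'

# The printed rules are what a local module loaded with "semodule -i" (as in
# comment 4) would need; it is only a stop-gap until the fixed selinux-policy
# build listed under "Fixed In Version" is installed.
printf '%s\n' "$SAMPLE_AVCS" | avc_to_cil
```

Feed it real records with `ausearch -m AVC,USER_AVC -ts recent | avc_to_cil` and review each rule before loading it; a rule that grants write access to etc_t, as the denials in the original description would produce, is a sign the tracked file should move, not that the policy should be widened.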

Comment 21 errata-xmlrpc 2023-11-07 08:52:21 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:6617

