Red Hat Bugzilla – Bug 678496
ipvsadm pulse and selinux don't play well
Last modified: 2012-09-21 04:32:04 EDT
Description of problem:
There appears to be a lack of selinux policy relating
to pulse and ipvsadm in general.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Configure a failover service as follows
a. 2 servers
b. vsftpd is the service to failover
c. a virtual ip address for vsftpd to use.
2. attempt to start pulse
After making some local selinux policies with
audit2allow to get the service to start, it appears
that when vsftpd is started by pulse it inherits
the system_u:system_r:piranha_pulse_t context
and therefore violates existing ftpd policy.
Configure ipvsadm with the following in
When attempting to start ipvsadm repeated
selinux denials are seen.
observe repeated selinux denials.
Failover service should startup without selinux denials.
Could you please attach your local policies and also AVC msgs related to this issue.
Created attachment 483684 [details]
selinux info for starting ipvsadm to sync data.
This contains 3 sets of files.
ipvsadm.* - These relate to trying to start ipvsadm. The configuration is
in "Scenario 2" in the ticket.
pulse.* - These relate to pulse trying to startup and bring up virtual IPs
of various services
nc.* - These relate to our use of nc in a custom health check script.
nc is used to connect to the port and see if something is listening.
This probably isn't required in the base package.
Created attachment 483686 [details]
selinux info for attempting to bring up a failover service (vsftpd)
pulsefos.* - Files relating to attempting to start pulse with a fos configuration.
pulsepidof.* - Files relating to pulse's use of pidof
vsftpdpulse.* - Files relating to pulse attempting to start vsftpd.
vsftpd.* - Files relating to vsftpd running under the piranha_pulse_t
context when started from pulse.
The policies included are generated by audit2allow. As such they
include far more than I'm happy with, especially in pulsefos.*
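The attachments above are audit2allow input and output. As an added example (not code from the bug or from the selinux-policy package), the script below parses AVC denial lines, groups them the way audit2allow does, and flags commands that keep the launcher's domain, which is the symptom the report describes: vsftpd started by pulse staying in piranha_pulse_t. The audit lines are constructed to resemble the described denials; the target types other than piranha_pulse_t are standard policy types assumed for illustration.

```python
import re

# Constructed sample audit.log lines modelled on the denials the report
# describes; they are not copied from the bug's attachments.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1298000000.123:45): avc:  denied  { execute } for  pid=1234 comm="pulse" name="vsftpd" dev=dm-0 ino=1111 scontext=system_u:system_r:piranha_pulse_t:s0 tcontext=system_u:object_r:ftpd_exec_t:s0 tclass=file
type=AVC msg=audit(1298000000.456:46): avc:  denied  { name_bind } for  pid=1235 comm="vsftpd" src=21 scontext=system_u:system_r:piranha_pulse_t:s0 tcontext=system_u:object_r:ftp_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1298000000.789:47): avc:  denied  { read } for  pid=1235 comm="vsftpd" name="vsftpd.conf" scontext=system_u:system_r:piranha_pulse_t:s0 tcontext=system_u:object_r:ftpd_etc_t:s0 tclass=file
type=AVC msg=audit(1298000001.000:48): avc:  denied  { getattr } for  pid=1240 comm="pidof" scontext=system_u:system_r:piranha_pulse_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=process
"""

AVC_RE = re.compile(
    r'denied\s+\{ (?P<perms>[^}]+)\} .*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)'
)

def parse_avc(text):
    """Return one dict per AVC denial line (other audit records are skipped)."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        d["perms"] = d["perms"].split()
        d["sdomain"] = d["scon"].split(":")[2]   # type field of the source context
        d["ttype"] = d["tcon"].split(":")[2]     # type field of the target context
        denials.append(d)
    return denials

def summarize(denials):
    """Group as audit2allow does: (source domain, target type, class) -> permissions."""
    rules = {}
    for d in denials:
        rules.setdefault((d["sdomain"], d["ttype"], d["tclass"]), set()).update(d["perms"])
    return rules

def missing_transitions(denials, launcher_comm="pulse"):
    """Commands that run in the launcher's own domain. A service like vsftpd
    showing up here means no domain transition fired when pulse exec'd it,
    so it inherited piranha_pulse_t instead of getting its own domain. Small
    helpers such as pidof normally do run in the caller's domain, so treat
    the list as a review starting point, not as a list of bugs."""
    launcher_domains = {d["sdomain"] for d in denials if d["comm"] == launcher_comm}
    return sorted({d["comm"] for d in denials
                   if d["comm"] != launcher_comm and d["sdomain"] in launcher_domains})

if __name__ == "__main__":
    parsed = parse_avc(SAMPLE_AUDIT)
    for key, perms in sorted(summarize(parsed).items()):
        print("allow %s %s:%s { %s };" % (key[0], key[1], key[2], " ".join(sorted(perms))))
    print("still in launcher domain:", missing_transitions(parsed))
```

Denials where the source domain is piranha_pulse_t but the command is vsftpd point at a missing transition rule rather than at rules that should simply be allowed, which is why blindly loading the audit2allow output widens the pulse domain.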
It looks like pulse will end up with a similar policy to the one we have for rgmanager.
If I understand correctly, pulse can run various services to failover.
Pulse can be used in two different modes.
LVS mode where it configures and maintains LVS mapping tables
based on the availability of the worker nodes.
FOS mode where it is used to failover a service between two nodes.
There is plenty of documentation on Red Hat's website :)
Yes, I have checked it.
I added fixes to selinux-policy-2.4.6-303.el5 which is available on
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.