Description of problem:
There appears to be a lack of SELinux policy relating to pulse and ipvsadm in general.

Version-Release number of selected component (if applicable):
piranha-0.8.4-7.el5
ipvsadm-1.24-8.1
selinux-policy-targeted-2.4.6-300.el5

How reproducible:
Always.

Steps to Reproduce:
Scenario 1:
1. Configure a failover service as follows:
   a. 2 servers
   b. vsftpd is the service to fail over
   c. a virtual IP address for vsftpd to use
2. Attempt to start pulse.

After making some local SELinux policies with audit2allow to get the service to start, it appears that when vsftpd is started by pulse it inherits the system_u:system_r:piranha_pulse_t context and therefore violates the existing ftpd policy.

Scenario 2:
Configure ipvsadm with the following in /etc/sysconfig/ipvsadm:

--start-daemon=backup --mcast-interface=eth1
--start-daemon=master --mcast-interface=eth1

When attempting to start ipvsadm, repeated SELinux denials are seen.

Actual results:
Observe repeated SELinux denials.

Expected results:
Failover service should start up without SELinux denials.

Additional info:
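The report above describes the classic symptom of a missing domain transition: a service started by pulse keeps running as piranha_pulse_t instead of its own domain, and the denials that follow are really ftpd_t permissions being requested by the wrong type. Feeding those denials straight into audit2allow would widen the pulse domain rather than fix the transition. The following triage script is an added example, not code from this bug report or from the piranha or selinux-policy packages. It parses AVC records, groups the denials the way audit2allow would, and flags programs whose source type does not match the domain they are expected to run in. The audit lines are constructed to resemble the denials described in the report, and the comm-to-domain table (vsftpd -> ftpd_t) is an assumption made for the illustration.

```python
"""Triage SELinux AVC denials for a missing domain transition.

Added example, not code from the bug report or from the piranha/selinux-policy
packages. The audit lines below are constructed to look like the denials the
report describes; the mapping of process names to their expected domains
(vsftpd -> ftpd_t) is an assumption made for illustration.
"""
import re
from collections import defaultdict

# Fields we care about in an AVC record. Real records carry more fields; any
# we do not match here are ignored.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Assumed mapping: which domain a program normally runs in under the targeted
# policy. A process whose comm is listed here but whose source type differs
# was started without a domain transition and inherited its parent's domain.
EXPECTED_DOMAIN = {
    "vsftpd": "ftpd_t",
}


def parse_avc(line):
    """Return a dict of the interesting fields, or None if not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = tuple(sorted(rec["perms"].split()))
    # A context is user:role:type[:level]; the type is the third field.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def triage(lines):
    """Group denials by (source type, target type, class) and flag programs
    running in the wrong domain.

    Returns (rules, inherited) where
      rules     maps (stype, ttype, tclass) -> set of denied permissions, the
                raw material audit2allow would turn into allow rules, and
      inherited maps comm -> (actual domain, expected domain) for programs
                that should have transitioned into their own domain.
    """
    rules = defaultdict(set)
    inherited = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        rules[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
        expected = EXPECTED_DOMAIN.get(rec["comm"])
        if expected and rec["stype"] != expected:
            inherited[rec["comm"]] = (rec["stype"], expected)
    return dict(rules), inherited


def allow_rules(rules):
    """Render the grouped denials in the shape of audit2allow's allow rules."""
    return [
        "allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
        for (s, t, c), p in sorted(rules.items())
    ]


# Constructed sample: one denial from pulse executing vsftpd, then two from
# vsftpd itself after pulse started it without a domain transition.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1301234567.101:201): avc:  denied  { execute } for  pid=2101 comm="pulse" name="vsftpd" dev=dm-0 ino=1234 scontext=system_u:system_r:piranha_pulse_t:s0 tcontext=system_u:object_r:ftpd_exec_t:s0 tclass=file
type=AVC msg=audit(1301234567.202:202): avc:  denied  { name_bind } for  pid=2102 comm="vsftpd" src=21 scontext=system_u:system_r:piranha_pulse_t:s0 tcontext=system_u:object_r:ftp_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1301234567.203:203): avc:  denied  { write add_name } for  pid=2102 comm="vsftpd" name="run" dev=dm-0 ino=5678 scontext=system_u:system_r:piranha_pulse_t:s0 tcontext=system_u:object_r:ftpd_var_run_t:s0 tclass=dir
type=SYSCALL msg=audit(1301234567.203:203): arch=c000003e syscall=2 success=no exit=-13
""".splitlines()

if __name__ == "__main__":
    rules, inherited = triage(SAMPLE_AUDIT)
    for comm, (actual, expected) in inherited.items():
        print("%s runs in %s but belongs in %s: missing domain transition, "
              "do not simply allow the denials below" % (comm, actual, expected))
    for rule in allow_rules(rules):
        print(rule)
```

When `inherited` is non-empty, the right fix is a domain transition from the parent domain to the service's own domain (so vsftpd ends up as ftpd_t and is covered by the existing ftpd policy), not the generated allow rules, which would hand piranha_pulse_t every permission vsftpd needs.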
Stuart, could you please attach your local policies and also the AVC messages related to this issue. Thank you.
Created attachment 483684 [details]
selinux info for starting ipvsadm to sync data.

This contains 3 sets of files:
ipvsadm.* - These relate to trying to start ipvsadm. The configuration is in "Scenario 2" in the ticket.
pulse.* - These relate to pulse trying to start up and bring up virtual IPs of various services.
nc.* - These relate to our use of nc in a custom health check script. nc is used to connect to the port and see if something is listening. This probably isn't required in the base package.
Created attachment 483686 [details]
selinux info for attempting to bring up a failover service (vsftpd)

pulsefos.* - Files relating to attempting to start pulse with a fos configuration.
pulsepidof.* - Files relating to pulse's use of pidof.
vsftpdpulse.* - Files relating to pulse attempting to start vsftpd.
vsftpd.* - Files relating to vsftpd running under the piranha_pulse_t context when started from pulse.

The policies included are generated by audit2allow. As such they include far more than I'm happy with, especially in pulsefos.*

Regards
Stuart
Stuart, thanks a lot. It looks like pulse will end up with a policy similar to the one we have for rgmanager. If I understand correctly, pulse can run various services to fail over.
Pulse can be used in two different modes. LVS mode, where it configures and maintains LVS mapping tables based on the availability of the worker nodes. FOS mode, where it is used to fail over a service between two nodes. There is plenty of documentation on Red Hat's website :)

Regards
Stuart
Yes, I have checked it.
I added fixes to selinux-policy-2.4.6-303.el5 which is available on http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1069.html