When SELinux is enforcing, pulse fails to start the IPVS sync daemon at startup. If SELinux is in permissive mode, the sync daemon is started by pulse as expected.

# rpm -qa | grep -e selinux-policy -e ipvsadm | sort
ipvsadm-1.24-13.el5
selinux-policy-2.4.6-334.el5
selinux-policy-minimum-2.4.6-334.el5
selinux-policy-devel-2.4.6-334.el5
selinux-policy-mls-2.4.6-334.el5
selinux-policy-targeted-2.4.6-334.el5
selinux-policy-strict-2.4.6-334.el5

1. Check that selinux is in enforcing mode:

# getenforce
Enforcing

2. Check that sync daemon is enabled:

# grep sync /etc/sysconfig/ha/lvs.cf
syncdaemon = 1

3. Start pulse:

# service pulse start
Starting pulse: [ OK ]

4. Check if sync daemon is running:

# ipvsadm --list --daemon

We expect to see this command print "master sync daemon (mcast=eth0, syncid=0)". If the sync daemon is enabled (syncdaemon = 1), pulse will fork and exec the ipvsadm command to start the sync daemon. Looking at the audit.log shows some AVC denials. If SELinux is set to permissive mode and the test is repeated, the sync daemon is started as expected.

# setenforce 0
# getenforce
Permissive
# service pulse start
Starting pulse: [ OK ]
# ipvsadm --list --daemon
master sync daemon (mcast=eth0, syncid=0)
#

Following AVC appears in enforcing mode:

----
type=PATH msg=audit(09/21/2012 10:02:52.384:203) : item=0 name=/sbin/ipvsadm inode=131250 dev=03:03 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:iptables_exec_t:s0
type=CWD msg=audit(09/21/2012 10:02:52.384:203) : cwd=/
type=SYSCALL msg=audit(09/21/2012 10:02:52.384:203) : arch=i386 syscall=execve success=no exit=-13(Permission denied) a0=8e36008 a1=bf9ece9c a2=bf9ed72c a3=40000003 items=1 ppid=6478 pid=6485 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=34 comm=pulse exe=/usr/sbin/pulse subj=root:system_r:piranha_pulse_t:s0 key=(null)
type=AVC msg=audit(09/21/2012 10:02:52.384:203) : avc: denied { execute } for pid=6485 comm=pulse name=ipvsadm dev=hda3 ino=131250 scontext=root:system_r:piranha_pulse_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
----

Following AVCs appear in permissive mode:

----
type=SOCKETCALL msg=audit(09/21/2012 10:14:35.417:224) : nargs=3 a0=2 a1=3 a2=ff
type=SYSCALL msg=audit(09/21/2012 10:14:35.417:224) : arch=i386 syscall=socketcall(socket) success=yes exit=3 a0=1 a1=bfa7d2e0 a2=3 a3=bfa7d404 items=0 ppid=8416 pid=8417 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=34 comm=ipvsadm exe=/sbin/ipvsadm subj=root:system_r:piranha_pulse_t:s0 key=(null)
type=AVC msg=audit(09/21/2012 10:14:35.417:224) : avc: denied { net_raw } for pid=8417 comm=ipvsadm capability=net_raw scontext=root:system_r:piranha_pulse_t:s0 tcontext=root:system_r:piranha_pulse_t:s0 tclass=capability
type=AVC msg=audit(09/21/2012 10:14:35.417:224) : avc: denied { create } for pid=8417 comm=ipvsadm scontext=root:system_r:piranha_pulse_t:s0 tcontext=root:system_r:piranha_pulse_t:s0 tclass=rawip_socket
----
type=PATH msg=audit(09/21/2012 10:14:35.413:223) : item=1 name=(null) inode=561338 dev=03:03 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0
type=PATH msg=audit(09/21/2012 10:14:35.413:223) : item=0 name=/sbin/ipvsadm inode=131250 dev=03:03 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:iptables_exec_t:s0
type=CWD msg=audit(09/21/2012 10:14:35.413:223) : cwd=/
type=EXECVE msg=audit(09/21/2012 10:14:35.413:223) : argc=3 a0=/sbin/ipvsadm a1=--stop-daemon a2=backup
type=SYSCALL msg=audit(09/21/2012 10:14:35.413:223) : arch=i386 syscall=execve success=yes exit=0 a0=824d008 a1=bfa6e31c a2=bfa6ebac a3=40000003 items=2 ppid=8416 pid=8417 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=34 comm=ipvsadm exe=/sbin/ipvsadm subj=root:system_r:piranha_pulse_t:s0 key=(null)
type=AVC msg=audit(09/21/2012 10:14:35.413:223) : avc: denied { read } for pid=8417 comm=pulse path=/sbin/ipvsadm dev=hda3 ino=131250 scontext=root:system_r:piranha_pulse_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(09/21/2012 10:14:35.413:223) : avc: denied { execute_no_trans } for pid=8417 comm=pulse path=/sbin/ipvsadm dev=hda3 ino=131250 scontext=root:system_r:piranha_pulse_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(09/21/2012 10:14:35.413:223) : avc: denied { execute } for pid=8417 comm=pulse name=ipvsadm dev=hda3 ino=131250 scontext=root:system_r:piranha_pulse_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
----
type=SOCKETCALL msg=audit(09/21/2012 10:14:35.417:225) : nargs=5 a0=3 a1=0 a2=481 a3=804fc64 a4=bfa7d304
type=SYSCALL msg=audit(09/21/2012 10:14:35.417:225) : arch=i386 syscall=socketcall(getsockopt) success=yes exit=0 a0=f a1=bfa7d2e0 a2=3 a3=bfa7d404 items=0 ppid=8416 pid=8417 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=34 comm=ipvsadm exe=/sbin/ipvsadm subj=root:system_r:piranha_pulse_t:s0 key=(null)
type=AVC msg=audit(09/21/2012 10:14:35.417:225) : avc: denied { getopt } for pid=8417 comm=ipvsadm lport=255 scontext=root:system_r:piranha_pulse_t:s0 tcontext=root:system_r:piranha_pulse_t:s0 tclass=rawip_socket
----
type=SOCKETCALL msg=audit(09/21/2012 10:14:35.417:226) : nargs=5 a0=3 a1=0 a2=48c a3=bfa7d2d4 a4=18
type=SYSCALL msg=audit(09/21/2012 10:14:35.417:226) : arch=i386 syscall=socketcall(setsockopt) success=no exit=-3(No such process) a0=e a1=bfa7cd40 a2=15 a3=804e467 items=0 ppid=8416 pid=8417 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=34 comm=ipvsadm exe=/sbin/ipvsadm subj=root:system_r:piranha_pulse_t:s0 key=(null)
type=AVC msg=audit(09/21/2012 10:14:35.417:226) : avc: denied { setopt } for pid=8417 comm=ipvsadm lport=255 scontext=root:system_r:piranha_pulse_t:s0 tcontext=root:system_r:piranha_pulse_t:s0 tclass=rawip_socket
----
type=PATH msg=audit(09/21/2012 10:14:38.030:227) : item=1 name=(null) inode=561338 dev=03:03 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0
type=PATH msg=audit(09/21/2012 10:14:38.030:227) : item=0 name=/sbin/ipvsadm inode=131250 dev=03:03 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:iptables_exec_t:s0
type=CWD msg=audit(09/21/2012 10:14:38.030:227) : cwd=/
type=EXECVE msg=audit(09/21/2012 10:14:38.030:227) : argc=3 a0=/sbin/ipvsadm a1=--stop-daemon a2=backup
type=SYSCALL msg=audit(09/21/2012 10:14:38.030:227) : arch=i386 syscall=execve success=yes exit=0 a0=824d008 a1=bfa6e2dc a2=bfa6ebac a3=40000003 items=2 ppid=8416 pid=8475 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=34 comm=ipvsadm exe=/sbin/ipvsadm subj=root:system_r:piranha_pulse_t:s0 key=(null)
type=AVC msg=audit(09/21/2012 10:14:38.030:227) : avc: denied { read } for pid=8475 comm=pulse path=/sbin/ipvsadm dev=hda3 ino=131250 scontext=root:system_r:piranha_pulse_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(09/21/2012 10:14:38.030:227) : avc: denied { execute_no_trans } for pid=8475 comm=pulse path=/sbin/ipvsadm dev=hda3 ino=131250 scontext=root:system_r:piranha_pulse_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(09/21/2012 10:14:38.030:227) : avc: denied { execute } for pid=8475 comm=pulse name=ipvsadm dev=hda3 ino=131250 scontext=root:system_r:piranha_pulse_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
----
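The AVC records above illustrate why permissive mode is the better diagnostic mode: in enforcing mode only the first denial (execute on iptables_exec_t) is logged because the execve fails right there, whereas permissive mode lets the child run and logs the full chain (read, execute_no_trans, the net_raw capability and the rawip_socket create/getopt/setopt checks). The following added example is not code from the bug report or from the selinux-policy project; it is a small audit2allow-style parser that groups the denials from the report (embedded below as constructed sample input, in ausearch -i interpreted format) by source type, target type and object class and renders the allow rules a blanket "just allow it" fix would need. Seeing those rules side by side makes the maintainers' choice of iptables_domtrans() clear: rather than widening piranha_pulse_t with raw-socket and CAP_NET_RAW permissions, a domain transition runs ipvsadm in the iptables domain, which is the domain that already exists for that purpose.

```python
import re
from collections import defaultdict

# Constructed sample: the type=AVC records quoted in the bug report, one per
# line, in the interpreted (ausearch -i) format used there.
SAMPLE_AVCS = """\
type=AVC msg=audit(09/21/2012 10:02:52.384:203) : avc: denied { execute } for pid=6485 comm=pulse name=ipvsadm dev=hda3 ino=131250 scontext=root:system_r:piranha_pulse_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(09/21/2012 10:14:35.417:224) : avc: denied { net_raw } for pid=8417 comm=ipvsadm capability=net_raw scontext=root:system_r:piranha_pulse_t:s0 tcontext=root:system_r:piranha_pulse_t:s0 tclass=capability
type=AVC msg=audit(09/21/2012 10:14:35.417:224) : avc: denied { create } for pid=8417 comm=ipvsadm scontext=root:system_r:piranha_pulse_t:s0 tcontext=root:system_r:piranha_pulse_t:s0 tclass=rawip_socket
type=AVC msg=audit(09/21/2012 10:14:35.413:223) : avc: denied { read } for pid=8417 comm=pulse path=/sbin/ipvsadm dev=hda3 ino=131250 scontext=root:system_r:piranha_pulse_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(09/21/2012 10:14:35.413:223) : avc: denied { execute_no_trans } for pid=8417 comm=pulse path=/sbin/ipvsadm dev=hda3 ino=131250 scontext=root:system_r:piranha_pulse_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(09/21/2012 10:14:35.413:223) : avc: denied { execute } for pid=8417 comm=pulse name=ipvsadm dev=hda3 ino=131250 scontext=root:system_r:piranha_pulse_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(09/21/2012 10:14:35.417:225) : avc: denied { getopt } for pid=8417 comm=ipvsadm lport=255 scontext=root:system_r:piranha_pulse_t:s0 tcontext=root:system_r:piranha_pulse_t:s0 tclass=rawip_socket
type=AVC msg=audit(09/21/2012 10:14:35.417:226) : avc: denied { setopt } for pid=8417 comm=ipvsadm lport=255 scontext=root:system_r:piranha_pulse_t:s0 tcontext=root:system_r:piranha_pulse_t:s0 tclass=rawip_socket
"""

# Pull the denied permission set plus the source/target contexts and the
# object class out of one interpreted AVC record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    return ctx.split(":")[2]


def parse_avcs(text):
    """Yield (source_type, target_type, tclass, permission) for every denial."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC record (PATH, SYSCALL, ...) or unparseable
        src = context_type(m.group("scontext"))
        tgt = context_type(m.group("tcontext"))
        for perm in m.group("perms").split():
            yield src, tgt, m.group("tclass"), perm


def summarize(text):
    """Group denied permissions by (source, target, class), as audit2allow does."""
    grouped = defaultdict(set)
    for src, tgt, tclass, perm in parse_avcs(text):
        grouped[(src, tgt, tclass)].add(perm)
    return {key: sorted(perms) for key, perms in grouped.items()}


def allow_rules(text):
    """Render the naive allow rules that would silence every denial in text.

    A target equal to the source type is written as 'self', matching the
    policy language. These rules are what a blanket fix would grant; the
    report's actual fix is a domain transition instead.
    """
    rules = []
    for (src, tgt, tclass), perms in sorted(summarize(text).items()):
        target = "self" if src == tgt else tgt
        perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {target}:{tclass} {perm_text};")
    return rules


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AVCS):
        print(rule)
```

Run against the report's records this prints three rules: a file rule granting piranha_pulse_t read/execute/execute_no_trans on iptables_exec_t, plus self:capability net_raw and self:rawip_socket { create getopt setopt }. The first rule would let pulse run ipvsadm in its own domain, and the other two are the raw-socket privileges ipvsadm then needs, which is exactly the privilege creep iptables_domtrans(piranha_pulse_t) avoids by moving the child process out of pulse's domain.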
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux release for currently deployed products. This request is not yet committed for inclusion in a release.
We will need to add iptables_domtrans() in RHEL5 and probably other rules. Milos, could you test it with iptables_domtrans() in the local policy? Thank you.
When the following policy module is enabled, no AVCs appear.

policy_module(mypol, 1.0)

require {
    type piranha_pulse_t;
}

iptables_domtrans(piranha_pulse_t)
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-0060.html