Bug 1920397 - keepalived wants to getattr+read+write the /memfd:/keepalived/consolidated_configuration file
Summary: keepalived wants to getattr+read+write the /memfd:/keepalived/consolidated_co...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 34
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-01-26 09:00 UTC by Milos Malik
Modified: 2021-03-16 00:28 UTC (History)

Fixed In Version: selinux-policy-3.14.7-25.fc34
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-03-16 00:28:44 UTC
Type: Bug
Embargoed:



Description Milos Malik 2021-01-26 09:00:30 UTC
Description of problem:
 * the keepalived service seems to run successfully, but some SELinux denials are triggered

Version-Release number of selected component (if applicable):
keepalived-2.2.1-1.fc34.x86_64
selinux-policy-3.14.7-7.fc34.noarch
selinux-policy-targeted-3.14.7-7.fc34.noarch

How reproducible:
 * always

Steps to Reproduce:
1. get a Fedora rawhide machine (targeted policy is active)
2. start the keepalived service
3. search for SELinux denials

Actual results:
----
type=PROCTITLE msg=audit(01/26/2021 03:53:32.558:418) : proctitle=/usr/sbin/keepalived -D 
type=PATH msg=audit(01/26/2021 03:53:32.558:418) : item=0 name= inode=10 dev=00:01 mode=file,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmpfs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(01/26/2021 03:53:32.558:418) : cwd=/ 
type=SYSCALL msg=audit(01/26/2021 03:53:32.558:418) : arch=x86_64 syscall=newfstatat success=no exit=EACCES(Permission denied) a0=0x4 a1=0x7f1ceb32f522 a2=0x7ffea6154400 a3=0x1000 items=1 ppid=1 pid=1778 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=keepalived exe=/usr/sbin/keepalived subj=system_u:system_r:keepalived_t:s0 key=(null) 
type=AVC msg=audit(01/26/2021 03:53:32.558:418) : avc:  denied  { getattr } for  pid=1778 comm=keepalived path=/memfd:/keepalived/consolidated_configuration (deleted) dev="tmpfs" ino=10 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0 
----
type=PROCTITLE msg=audit(01/26/2021 03:53:32.560:419) : proctitle=/usr/sbin/keepalived -D 
type=CWD msg=audit(01/26/2021 03:53:32.560:419) : cwd=/ 
type=SYSCALL msg=audit(01/26/2021 03:53:32.560:419) : arch=x86_64 syscall=write success=no exit=EACCES(Permission denied) a0=0x4 a1=0x55746ac79e70 a2=0x92e a3=0x10 items=0 ppid=1 pid=1778 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=keepalived exe=/usr/sbin/keepalived subj=system_u:system_r:keepalived_t:s0 key=(null) 
type=AVC msg=audit(01/26/2021 03:53:32.560:419) : avc:  denied  { write } for  pid=1778 comm=keepalived path=/memfd:/keepalived/consolidated_configuration (deleted) dev="tmpfs" ino=10 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0 
----
type=PROCTITLE msg=audit(01/26/2021 03:53:32.567:420) : proctitle=/usr/sbin/keepalived -D 
type=PATH msg=audit(01/26/2021 03:53:32.567:420) : item=0 name=/proc/self/fd/4 inode=10 dev=00:01 mode=file,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmpfs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(01/26/2021 03:53:32.567:420) : cwd=/ 
type=SYSCALL msg=audit(01/26/2021 03:53:32.567:420) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x7ffea6154ae0 a2=O_RDONLY a3=0x0 items=1 ppid=1779 pid=1781 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=keepalived exe=/usr/sbin/keepalived subj=system_u:system_r:keepalived_t:s0 key=(null) 
type=AVC msg=audit(01/26/2021 03:53:32.567:420) : avc:  denied  { read } for  pid=1781 comm=keepalived dev="tmpfs" ino=10 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0 
----

Expected results:
 * no SELinux denials

Additional info:

Comment 1 Milos Malik 2021-01-26 09:24:35 UTC
The following SELinux denials appeared in permissive mode:
----
type=PROCTITLE msg=audit(01/26/2021 04:22:50.490:583) : proctitle=/usr/sbin/keepalived -D 
type=PATH msg=audit(01/26/2021 04:22:50.490:583) : item=0 name= inode=20 dev=00:01 mode=file,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmpfs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(01/26/2021 04:22:50.490:583) : cwd=/ 
type=SYSCALL msg=audit(01/26/2021 04:22:50.490:583) : arch=x86_64 syscall=newfstatat success=yes exit=0 a0=0x4 a1=0x7f95dfe8f522 a2=0x7ffe9e618220 a3=0x1000 items=1 ppid=1 pid=29535 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=keepalived exe=/usr/sbin/keepalived subj=system_u:system_r:keepalived_t:s0 key=(null) 
type=AVC msg=audit(01/26/2021 04:22:50.490:583) : avc:  denied  { getattr } for  pid=29535 comm=keepalived path=/memfd:/keepalived/consolidated_configuration (deleted) dev="tmpfs" ino=20 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1 
----
type=PROCTITLE msg=audit(01/26/2021 04:22:50.492:584) : proctitle=/usr/sbin/keepalived -D 
type=CWD msg=audit(01/26/2021 04:22:50.492:584) : cwd=/ 
type=SYSCALL msg=audit(01/26/2021 04:22:50.492:584) : arch=x86_64 syscall=write success=yes exit=2350 a0=0x4 a1=0x564662d3be70 a2=0x92e a3=0x10 items=0 ppid=1 pid=29535 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=keepalived exe=/usr/sbin/keepalived subj=system_u:system_r:keepalived_t:s0 key=(null) 
type=AVC msg=audit(01/26/2021 04:22:50.492:584) : avc:  denied  { write } for  pid=29535 comm=keepalived path=/memfd:/keepalived/consolidated_configuration (deleted) dev="tmpfs" ino=20 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1 
----
type=PROCTITLE msg=audit(01/26/2021 04:22:50.498:585) : proctitle=/usr/sbin/keepalived -D 
type=PATH msg=audit(01/26/2021 04:22:50.498:585) : item=0 name=/proc/self/fd/4 inode=20 dev=00:01 mode=file,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmpfs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(01/26/2021 04:22:50.498:585) : cwd=/ 
type=SYSCALL msg=audit(01/26/2021 04:22:50.498:585) : arch=x86_64 syscall=openat success=yes exit=9 a0=0xffffff9c a1=0x7ffe9e618900 a2=O_RDONLY a3=0x0 items=1 ppid=29536 pid=29538 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=keepalived exe=/usr/sbin/keepalived subj=system_u:system_r:keepalived_t:s0 key=(null) 
type=AVC msg=audit(01/26/2021 04:22:50.498:585) : avc:  denied  { open } for  pid=29538 comm=keepalived path=/memfd:/keepalived/consolidated_configuration (deleted) dev="tmpfs" ino=20 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1 
type=AVC msg=audit(01/26/2021 04:22:50.498:585) : avc:  denied  { read } for  pid=29538 comm=keepalived dev="tmpfs" ino=20 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1 
----

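An added example, not part of this bug report or of the selinux-policy project: it parses AVC records shaped like the ones quoted in the description and in Comment 1 (the sample lines below are constructed copies of them), merges denials per object so the path-less `read` record is attributed to the same memfd object via its dev/ino, and renders the raw allow rule that audit2allow would produce for the type pair. The rule is shown for analysis only; the fix that actually landed is the PR referenced later in this report, not this rule.

```python
import re
from collections import defaultdict
# Constructed sample in the shape of the AVC records quoted in this report (enforcing run, then permissive run).
SAMPLE_AUDIT = """\
type=AVC msg=audit(01/26/2021 03:53:32.558:418) : avc:  denied  { getattr } for  pid=1778 comm=keepalived path=/memfd:/keepalived/consolidated_configuration (deleted) dev="tmpfs" ino=10 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
type=AVC msg=audit(01/26/2021 04:22:50.492:584) : avc:  denied  { write } for  pid=29535 comm=keepalived path=/memfd:/keepalived/consolidated_configuration (deleted) dev="tmpfs" ino=20 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(01/26/2021 04:22:50.498:585) : avc:  denied  { open } for  pid=29538 comm=keepalived path=/memfd:/keepalived/consolidated_configuration (deleted) dev="tmpfs" ino=20 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(01/26/2021 04:22:50.498:585) : avc:  denied  { read } for  pid=29538 comm=keepalived dev="tmpfs" ino=20 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
"""
AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]+)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the denied permissions and key=value fields of one AVC record, or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "perms": set(m.group("perms").split()),
        "stype": fields["scontext"].split(":")[2],   # e.g. keepalived_t
        "ttype": fields["tcontext"].split(":")[2],   # e.g. tmpfs_t
        "tclass": fields["tclass"],
        "dev": fields["dev"],
        "ino": fields["ino"],
        "path": fields.get("path", ""),              # absent on the read denial
    }

def memfd_denials(audit_text):
    """Merge denials per object (dev, ino) so a path-less record is tied to its memfd object.
    Returns {(source type, target type, class): denied permissions} for /memfd: objects only."""
    objects = defaultdict(lambda: {"perms": set(), "memfd": False, "key": None})
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        obj = objects[(rec["dev"], rec["ino"])]
        obj["perms"] |= rec["perms"]
        obj["key"] = (rec["stype"], rec["ttype"], rec["tclass"])
        obj["memfd"] |= rec["path"].startswith("/memfd:")
    merged = defaultdict(set)
    for obj in objects.values():
        if obj["memfd"]:
            merged[obj["key"]] |= obj["perms"]
    return dict(merged)

def allow_rules(denials):
    """Render audit2allow-style raw rules; tmpfs_t covers every tmpfs file, so a real fix should be narrower."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(denials.items())]
```

Running it over the records from an enforcing-mode system alone would miss the `open` permission, which is why Comment 1 re-collected the denials in permissive mode.
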
Comment 2 Zdenek Pytela 2021-01-26 16:52:17 UTC
Brandon,

It looks like the service starts successfully without access to the memfd resources, so does keepalived actually need it?

Comment 3 Brandon Perkins 2021-01-26 18:19:17 UTC
It isn't strictly necessary, but it would be preferred to have it.  The short version is that the first process reads the configuration file and then needs to write a temporary "file" somewhere so that the subsequent processes use the identical configuration without reading the original file itself (in that bizarre situation where the file could be changed out from underneath it).  The default for keepalived is to use a memfd type file but will fall back to using the filesystem that includes KA_TMP_DIR (default /tmp).  So, the reason it is working is that the fallback is working, but the correct thing to do here is to either allow memfd access or keepalived will need to disable USE_MEMFD_CREATE_SYSCALL in the build.

Comment 4 Zdenek Pytela 2021-01-27 08:38:55 UTC
Thank you Brandon for the explanation, this is sufficient justification.

Comment 5 Ryan O'Hara 2021-02-02 17:05:17 UTC
I think this is a problem with Fedora, too, as I recently encountered something that seems similar (same?) with the keepalived 2.2.x. Do I need to clone this for F34/rawhide?

Comment 6 Milos Malik 2021-02-02 17:21:17 UTC
This bug is a Fedora 34/rawhide bug. No need to clone it.

Comment 7 Ben Cotton 2021-02-09 16:19:19 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 34 development cycle.
Changing version to 34.

Comment 9 Zdenek Pytela 2021-02-25 20:08:49 UTC
I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy/pull/618

Comment 10 Zdenek Pytela 2021-02-25 20:49:05 UTC
commit e9818096e91db46008fc5a0c76d9bbc4f8a55763 (HEAD -> rawhide, upstream/rawhide)
Author: Zdenek Pytela <zpytela>
Date:   Thu Feb 25 21:03:19 2021 +0100

    Allow keepalived read/write its private memfd: objects

    Keepalived version 2.2 requires read and write access to the
    /memfd:/keepalived/consolidated_configuration file.
    Without this access, a fallback tmpdir file access is used,
    but the preferred way is memfd.

    Resolves: rhbz#1920397

Comment 11 Fedora Update System 2021-03-03 10:15:44 UTC
FEDORA-2021-1cb3d5cac1 has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-1cb3d5cac1

Comment 12 Fedora Update System 2021-03-03 15:47:28 UTC
FEDORA-2021-1cb3d5cac1 has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-1cb3d5cac1`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-1cb3d5cac1

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 13 Fedora Update System 2021-03-12 18:56:50 UTC
FEDORA-2021-1e99f2ed79 has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-1e99f2ed79`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-1e99f2ed79

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 14 Fedora Update System 2021-03-16 00:28:44 UTC
FEDORA-2021-1e99f2ed79 has been pushed to the Fedora 34 stable repository.
If the problem still persists, please make note of it in this bug report.

