Bug 1216060 - SELinux preventing Keepalived stats file - "Unable to change file permission of /tmp/keepalived.stats - errno 13 (Permission denied)"
Summary: SELinux preventing Keepalived stats file - "Unable to change file permission ...
Status: RESOLVED FIXED
Alias: None
Product: openSUSE Leap Micro
Classification: openSUSE
Component: Base
Version: 5.4
Hardware: Other Other
Importance: P5 - None : Normal
Target Milestone: ---
Assignee: Cathy Hu
QA Contact: E-mail List
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-10-09 15:07 UTC by Georg Pfuetzenreuter
Modified: 2024-01-18 16:30 UTC

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Georg Pfuetzenreuter 2023-10-09 15:07:13 UTC
Hi,

It should be possible to dump keepalived statistics by sending it a USR2 signal. However, this does not seem to work on Leap Micro:

```
# kill -USR2 $(cat /run/keepalived.pid) 
```

Reports the following in the journal:

```
Oct 09 15:04:01 asgard2 Keepalived_vrrp[4941]: Printing VRRP stats for process(4941) on signal
Oct 09 15:04:01 asgard2 Keepalived_vrrp[4941]: Unable to change file permission of /tmp/keepalived.stats - errno 13 (Permission denied)
Oct 09 15:04:01 asgard2 Keepalived_vrrp[4941]: Can't open /tmp/keepalived.stats (13: Permission denied)
```

It seems it does see the /tmp/ directory, as an empty file is created:

```
# ls -l /tmp/keepalived.statsnHSQsP
-rw-------. 1 root root 0 Oct  9 15:04 /tmp/keepalived.statsnHSQsP
```

It seems to be an issue with the SELinux rules:

```
# tail -n1 /var/log/audit/audit.log
type=AVC msg=audit(1696863841.345:240): avc:  denied  { setattr } for  pid=4941 comm="keepalived" name="keepalived.statsnHSQsP" dev="tmpfs" ino=80 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:keepalived_tmp_t:s0 tclass=file permissive=0
```
Comment 1 Cathy Hu 2023-10-10 15:11:24 UTC
Thanks for the report, taking a look.
Comment 5 Maintenance Automation 2023-11-15 08:30:05 UTC
SUSE-RU-2023:4445-1: An update that has one fix can now be installed.

Category: recommended (moderate)
Bug References: 1216060
Sources used:
openSUSE Leap Micro 5.4 (src): selinux-policy-20230511+git5.54d165ea-150400.4.15.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src): selinux-policy-20230511+git5.54d165ea-150400.4.15.1
SUSE Linux Enterprise Micro 5.4 (src): selinux-policy-20230511+git5.54d165ea-150400.4.15.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 6 Maintenance Automation 2023-11-15 08:30:07 UTC
SUSE-RU-2023:4444-1: An update that has one fix can now be installed.

Category: recommended (moderate)
Bug References: 1216060
Sources used:
openSUSE Leap Micro 5.3 (src): selinux-policy-20210716+git59.bb8b3de0-150400.5.6.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src): selinux-policy-20210716+git59.bb8b3de0-150400.5.6.1
SUSE Linux Enterprise Micro 5.3 (src): selinux-policy-20210716+git59.bb8b3de0-150400.5.6.1

Comment 7 Maintenance Automation 2023-11-16 08:30:01 UTC
SUSE-RU-2023:4456-1: An update that has one fix can now be installed.

Category: recommended (moderate)
Bug References: 1216060
Sources used:
SUSE Linux Enterprise Micro 5.5 (src): selinux-policy-20230511+git9.1b35a6ab-150500.3.3.1

Comment 8 Filippo Bonazzi 2023-11-17 15:08:01 UTC
I can confirm the issue has been fixed with the above updates.

I found another AVC that pops up whenever the keepalived service is started:

```
type=AVC msg=audit(1700233048.268:61): avc: denied {write} for pid=1180 comm="keepalived" path="pipe:[17765]" dev="pipefs" ino=17765 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=fifo_file permissive=0
```

and the associated keepalived error:

```
[ 292.819993][ T1224] bpfilter: write fail -13
```

Not sure whether this breaks anything else.
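The two AVC records quoted in this thread, run through a small parser added here as an illustration (my code, not the reporter's and not part of the selinux-policy package): it pulls the source and target types out of the contexts and emits the allow rule that audit2allow would propose for each enforced denial, merged per (source, target, class) so repeated records collapse into one rule. The first rule is the setattr permission the reported denial lacked; the second is the bpfilter pipe write that Comment 11 traces to keepalived being built without nftables support.

```python
import re

# Sample input: the two AVC records quoted in this bug thread (copied from the comments).
AVC_LINES = [
    'type=AVC msg=audit(1696863841.345:240): avc:  denied  { setattr } for  pid=4941 comm="keepalived" '
    'name="keepalived.statsnHSQsP" dev="tmpfs" ino=80 scontext=system_u:system_r:keepalived_t:s0 '
    'tcontext=system_u:object_r:keepalived_tmp_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1700233048.268:61): avc: denied {write} for pid=1180 comm="keepalived" '
    'path="pipe:[17765]" dev="pipefs" ino=17765 scontext=system_u:system_r:keepalived_t:s0 '
    'tcontext=system_u:system_r:kernel_t:s0 tclass=fifo_file permissive=0',
]
# Tolerates the variable spacing seen above ("denied  { setattr }" vs "denied {write}").
AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Turn one AVC audit record into a dict; returns None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        # A context is user:role:type:level; the type is what TE rules name.
        'stype': fields['scontext'].split(':')[2],
        'ttype': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
        # Files carry name=, pipes and sockets carry path=.
        'object': fields.get('name') or fields.get('path'),
        # permissive=0 means the denial was enforced, not merely logged.
        'enforcing': fields.get('permissive') == '0',
    }

def allow_rule(rec):
    """The TE allow rule that would satisfy this record, in audit2allow's form."""
    perms = rec['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f"allow {rec['stype']} {rec['ttype']}:{rec['tclass']} {perm_str};"

def required_rules(lines):
    """Merge enforced denials by (source, target, class) so repeated AVCs give one rule each."""
    merged = {}
    for rec in filter(None, map(parse_avc, lines)):
        if rec['result'] != 'denied' or not rec['enforcing']:
            continue
        key = (rec['stype'], rec['ttype'], rec['tclass'])
        perms = merged.setdefault(key, [])
        perms.extend(p for p in rec['perms'] if p not in perms)
    return [allow_rule({'stype': s, 'ttype': t, 'tclass': c, 'perms': p})
            for (s, t, c), p in merged.items()]
```

The emitted rules are a diagnostic reading of the log, exactly as audit2allow output is; whether a rule belongs in the policy or the denial points at a misbehaving client (as with the bpfilter write here) is still the maintainer's call.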
Comment 9 Cathy Hu 2023-11-21 16:53:44 UTC
Hmm, this one is super weird: I can reproduce it in Leap Micro 5.4, but it does not happen in Factory.
I strace'd the keepalived run with the following commands:

```
pkill -9 keepalived
strace -e trace=pipe,pipe2,write runcon -r system_r -u system_u -t keepalived_t -l s0 /usr/sbin/keepalived --dont-fork -D
```

and it looks more or less the same (two pipe2 syscalls) in Factory and Leap Micro 5.4.

I think that means probably there is something wrong in the policy, but after long digging, I could not find out where exactly.
I will look into this more in the next weeks, for now low prio since we don't have a report that it breaks functionality.
Comment 10 Cathy Hu 2023-12-15 15:31:39 UTC
After way too long debugging, I found out that it only happens if using the build setup for SLE Micro. I don't know how this is possible.

Build the keepalived Factory content with the Leap/SLE Micro setup (on Tumbleweed):

```
osc co openSUSE:Factory/keepalived
osc -A https://api.suse.de co SUSE:SLE-15-SP4:Update/keepalived
cd SUSE:SLE-15-SP4:Update/keepalived
rm *
cp ../../openSUSE:Factory/keepalived/* .
osc addremove
osc build --clean
sudo zypper in -f <rpm that was built>
cd /usr/sbin
sudo runcon -r system_r -u system_u -t keepalived_t -l s0 /usr/sbin/keepalived --dont-fork
```

-> the AVC gets triggered

-> then build the regular openSUSE:Factory/keepalived, install, and execute as above; the AVC does not get triggered

Maybe this is caused by some dependency?

@Johannes did you ever encounter such a problem? I am kind of stuck with this
Comment 11 Johannes Segitz 2023-12-18 14:47:16 UTC
We just discussed this in the weekly meeting. It's caused by

```
%if %{with keepalived_nftables}
BuildRequires:  pkgconfig(libnftables)
BuildRequires:  pkgconfig(libnftnl)
%endif
```

being active on Factory only. libnftnl is then used there to talk to the kernel, so no AVC there.
Comment 14 Cathy Hu 2024-01-10 09:38:05 UTC
Updates are queued, closing.
Comment 15 Georg Pfuetzenreuter 2024-01-10 11:47:16 UTC
Great news, thank you.
Comment 16 Maintenance Automation 2024-01-18 16:30:14 UTC
SUSE-RU-2024:0151-1: An update that has two fixes can now be installed.

Category: recommended (moderate)
Bug References: 1215423, 1216060
Sources used:
openSUSE Leap Micro 5.3 (src): selinux-policy-20210716+git65.8c9b6599-150400.5.12.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src): selinux-policy-20210716+git65.8c9b6599-150400.5.12.1
SUSE Linux Enterprise Micro 5.3 (src): selinux-policy-20210716+git65.8c9b6599-150400.5.12.1

Comment 17 Maintenance Automation 2024-01-18 16:30:17 UTC
SUSE-RU-2024:0150-1: An update that has three fixes can now be installed.

Category: recommended (moderate)
Bug References: 1205931, 1215423, 1216060
Sources used:
SUSE Linux Enterprise Micro for Rancher 5.4 (src): selinux-policy-20230511+git12.c35c6fe1-150400.4.24.1
SUSE Linux Enterprise Micro 5.4 (src): selinux-policy-20230511+git12.c35c6fe1-150400.4.24.1
openSUSE Leap Micro 5.4 (src): selinux-policy-20230511+git12.c35c6fe1-150400.4.24.1

Comment 18 Maintenance Automation 2024-01-18 16:30:19 UTC
SUSE-RU-2024:0149-1: An update that has two fixes can now be installed.

Category: recommended (moderate)
Bug References: 1205931, 1216060
Sources used:
SUSE Linux Enterprise Micro 5.5 (src): selinux-policy-20230511+git13.edb03d70-150500.3.12.1
