Hi,
perhaps a rookie question...
I've installed keepalived 1.2.13 (from official CentOS repos) on CentOS 7.3. A check-script uses pidof to monitor whether a certain process is still alive.
Now I get alerts like the following on all contexts of all running processes: setroubleshoot: SELinux is preventing /usr/sbin/killall5 from getattr access on the file /usr/sbin/irqbalance. For complete SELinux messages. run sealert -l 5db84650-63a7-408c-b8a0-34031c77b6a4
It's clear to me why. killall5 searches for process I'd like to monitor.
Sure, one can create a loadable monitor to allow or to dontlog (except the context of the monitored process). But, what about i.e. services installed in the future? Every time there'll be a new process with a new context there'll be a new alert.
Is there something like a wildcard to allow keepalived to use killall5 / getattr on all contexts? I don't like to switch keepalived to unconfined_exec_t just to get rid of the alerts.
BTW, these alerts were not present under CentOS 6.8
KR Xavier
On Tue, 2017-01-17 at 07:06 +0000, Xavier Decoud wrote:
> Hi,
> perhaps a rookie question...
> I've installed keepalived 1.2.13 (from official CentOS repos) on CentOS 7.3. A check-script uses pidof to monitor whether a certain process is still alive.
> Now I get alerts like the following on all contexts of all running processes: setroubleshoot: SELinux is preventing /usr/sbin/killall5 from getattr access on the file /usr/sbin/irqbalance. For complete SELinux messages. run sealert -l 5db84650-63a7-408c-b8a0-34031c77b6a4
> It's clear to me why. killall5 searches for process I'd like to monitor.
> Sure, one can create a loadable monitor to allow or to dontlog (except the context of the monitored process). But, what about i.e. services installed in the future? Every time there'll be a new process with a new context there'll be a new alert.
> Is there something like a wildcard to allow keepalived to use killall5 / getattr on all contexts? I don't like to switch keepalived to unconfined_exec_t just to get rid of the alerts.
> BTW, these alerts were not present under CentOS 6.8
You can allow a given domain to stat() all executable types or all file types (wasn't clear which one you actually needed - sounds like just executable types?). Would need to see the avc denials to know the exact details, but for example, assuming that killall5 is just running in keepalived's context, you might define a local policy module that includes the following allow rule:

# Allow keepalived and its children to stat all executables.
allow keepalived_t exec_type:file getattr;

or

# Allow keepalived and its children to stat all files.
allow keepalived_t file_type:file getattr;
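The reply above hinges on "would need to see the avc denials": the right scope for the rule (the exec_type attribute versus a specific type) is decided by what the target types in the raw AVC records actually are. The following script is an added example, not code from the thread or from the keepalived or SELinux projects. It parses audit.log-style AVC lines, groups denials by (source domain, object class, permission), proposes a rule on the exec_type attribute only for targets whose names follow the refpolicy "<something>_exec_t" convention and a per-type rule for everything else, and renders a .te module in the form checkmodule accepts. The audit lines, pids, inode numbers and the type keepalived_unit_file_t are constructed for illustration; the "_exec_t" suffix test is a naming heuristic, and the authoritative list of types carrying the attribute on a given host is `seinfo -aexec_type -x`.

```python
import re
from collections import defaultdict

# Constructed AVC records in audit.log format (not real lines from the thread, which shows
# only the setroubleshoot summary). The third one targets a non-executable file, to show
# what an exec_type rule would NOT cover.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1484636400.123:4711): avc:  denied  { getattr } for  pid=2210 comm="killall5" path="/usr/sbin/irqbalance" dev="dm-0" ino=1234 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:irqbalance_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1484636400.124:4712): avc:  denied  { getattr } for  pid=2210 comm="killall5" path="/usr/sbin/sshd" dev="dm-0" ino=1235 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:sshd_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1484636400.125:4713): avc:  denied  { getattr } for  pid=2210 comm="killall5" path="/etc/keepalived/check.sh" dev="dm-0" ino=1236 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:keepalived_unit_file_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1484636400.125:4713): arch=c000003e syscall=4 success=no exit=-13 comm="killall5"
"""

AVC_RE = re.compile(
    r"type=AVC\b.*?avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_avc_records(log_text):
    """Extract source type, target type, class and permissions from denied AVC lines.
    SYSCALL/PATH/CWD records and granted AVCs are skipped."""
    records = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("result") != "denied":
            continue
        records.append({
            "source_type": m.group("scontext").split(":")[2],   # user:role:TYPE:level
            "target_type": m.group("tcontext").split(":")[2],
            "tclass": m.group("tclass"),
            "perms": frozenset(m.group("perms").split()),
        })
    return records


def looks_like_exec_type(type_name):
    # Naming heuristic only: refpolicy gives "<x>_exec_t" entrypoint types the exec_type
    # attribute. Confirm on the host with: seinfo -aexec_type -x
    return type_name.endswith("_exec_t")


def propose_rules(records):
    """Return allow rules as (source, target, class, perm) tuples.

    For each (source, class, perm) triple, denied targets that look like entrypoint types
    collapse into one rule on the exec_type attribute (the 'wildcard' asked about in the
    thread); any other target gets a rule naming that concrete type, so the module grants
    no more than the observed denials justify."""
    by_triple = defaultdict(set)
    for r in records:
        for perm in r["perms"]:
            by_triple[(r["source_type"], r["tclass"], perm)].add(r["target_type"])

    rules = []
    for (src, tclass, perm), targets in sorted(by_triple.items()):
        exec_like = [t for t in targets if looks_like_exec_type(t)]
        others = sorted(t for t in targets if not looks_like_exec_type(t))
        if exec_like:
            rules.append((src, "exec_type", tclass, perm))
        for t in others:
            rules.append((src, t, tclass, perm))
    return rules


def render_module(name, rules):
    """Render a .te module for checkmodule / semodule_package. In the require block,
    attributes such as exec_type are declared with the 'attribute' keyword, types with
    'type', and each object class lists the permissions the rules use."""
    types, attrs, classes = set(), set(), defaultdict(set)
    for src, tgt, tclass, perm in rules:
        types.add(src)
        (attrs if tgt == "exec_type" else types).add(tgt)
        classes[tclass].add(perm)
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tattribute {a};" for a in sorted(attrs)]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    out += [f"allow {src} {tgt}:{tclass} {perm};" for src, tgt, tclass, perm in rules]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # On a real host, feed it: ausearch -m AVC -ts recent
    recs = parse_avc_records(SAMPLE_AUDIT_LOG)
    print(render_module("keepalived-pidof", propose_rules(recs)))
```

Run against the constructed log, the script emits one `allow keepalived_t exec_type:file getattr;` rule covering the two entrypoint types plus a separate `allow keepalived_t keepalived_unit_file_t:file getattr;` for the script file, which is exactly the distinction the reply asks the original poster to check in the denials before picking exec_type over file_type. Denials that appear only because setroubleshoot is in permissive mode would show `permissive=1`; the parser keeps them, since they still indicate what the policy would block.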
The following seems to work as exec_type looks like the 'wildcard'. At least I got rid of the alerts, so hopefully there are no side-effects.
Thx Xavier
# cat keepalived-pidof.te
module keepalived-pidof 1.0;

require {
	type keepalived_t;
	type exec_type;
	class file getattr;
}

#============= keepalived_t ==============
allow keepalived_t exec_type:file getattr;

# checkmodule -M -m -o keepalived-pidof.mod keepalived-pidof.te
# semodule_package -o keepalived-pidof.pp -m keepalived-pidof.mod
# semodule -i keepalived-pidof.pp
selinux@lists.fedoraproject.org