copapa n00b
Joined: 14 Nov 2014 Posts: 7
Posted: Wed Dec 17, 2014 5:37 pm Post subject: keepalived and enforcing selinux
Hi everyone.
I'm trying to install keepalived on my boxes, but it doesn't seem to ship with an SELinux policy.
Code:
# ls -Z /etc/init.d/keepalived
system_u:object_r:initrc_exec_t /etc/init.d/keepalived
# ls -Z /usr/sbin/keepalived
root:object_r:bin_t /usr/sbin/keepalived
When run in enforcing mode I get this kind of log:
Code:
Dec 17 18:20:51 assystem Keepalived_vrrp[2530]: Netlink: sendmsg() error: Permission denied
Dec 17 18:20:51 assystem Keepalived_vrrp[2530]: Error sending gratuitous ARP on enp2s0 for 192.168.1.200
Dec 17 18:20:51 assystem Keepalived_vrrp[2530]: Error sending gratuitous ARP on enp2s0 for 192.168.1.200
Dec 17 18:20:51 assystem Keepalived_vrrp[2530]: Error sending gratuitous ARP on enp2s0 for 192.168.1.200
Dec 17 18:20:51 assystem Keepalived_vrrp[2530]: Error sending gratuitous ARP on enp2s0 for 192.168.1.200
When running in permissive mode, audit2allow gives me this:
Code:
# grep keepalive /var/log/audit/audit.log | audit2allow
#============= initrc_t ==============
allow initrc_t self:netlink_route_socket nlmsg_write;
allow initrc_t self:netlink_socket { write getattr setopt read bind create };
allow initrc_t self:packet_socket { write create };
allow initrc_t self:rawip_socket { write create setopt };
But I don't think I should allow every init script to do that. What would be the procedure to create a policy for one init script (and its binary)? I tried to change the type of the init script to give it only the permissions, but now it appears with "system_u:object_r:unlabeled_t" as a context in the logs.
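The post's audit2allow output is a list of rules for initrc_t, which is the shared domain of every init script. The usual way to keep those permissions off initrc_t is a small policy module that declares a private domain for the daemon, labels its binary with a type the loaded policy actually knows (so it does not fall back to unlabeled_t), and transitions from initrc_t into that domain when the binary is executed. The script below is an added example, not code from the original post and not keepalived's own packaging. It assumes refpolicy-style base types (initrc_t and the "domain" attribute), a non-MCS policy (the labels quoted in the post carry no ":s0" level), and the checkmodule, semodule_package, semodule and restorecon tools from policycoreutils; the names keepalived_t and keepalived_exec_t are this example's choice. The socket rules are copied unchanged from the post's audit2allow output, re-targeted at the new domain; because initrc_t already had other permissions that keepalived_t starts without, the module marks keepalived_t permissive so the remaining denials can be collected for that domain alone.

```shell
#!/bin/sh
# Added example (not from the original post): a minimal SELinux policy module
# that confines keepalived in its own domain, keepalived_t, instead of widening
# initrc_t for every init script.
#
# Assumptions: refpolicy base types (initrc_t, attribute domain), a non-MCS
# policy (no ":s0" in labels), and the policycoreutils tools checkmodule,
# semodule_package, semodule and restorecon. Type names are this example's.

# Write keepalived.te and keepalived.fc into the directory given as $1.
write_keepalived_policy() {
    dir="$1"
    cat > "$dir/keepalived.te" <<'EOF'
module keepalived 1.0;

require {
    attribute domain;
    type initrc_t;
    class process { transition sigchld };
    class file { read getattr open execute entrypoint };
    class fd use;
    class netlink_route_socket nlmsg_write;
    class netlink_socket { write getattr setopt read bind create };
    class packet_socket { write create };
    class rawip_socket { write create setopt };
}

# A private domain for the daemon and a private type for its binary. Both are
# declared here, so after restorecon the binary has a known type, not
# unlabeled_t.
type keepalived_t;
type keepalived_exec_t;
typeattribute keepalived_t domain;

# Only this domain runs permissively while its full rule set is collected;
# initrc_t and everything else stay enforcing. Remove this line when done.
permissive keepalived_t;

# Domain transition: initrc_t executing keepalived_exec_t yields keepalived_t.
allow initrc_t keepalived_exec_t:file { read getattr open execute };
allow initrc_t keepalived_t:process transition;
type_transition initrc_t keepalived_exec_t:process keepalived_t;
allow keepalived_t keepalived_exec_t:file { read getattr open execute entrypoint };
allow keepalived_t initrc_t:fd use;
allow keepalived_t initrc_t:process sigchld;

# The rules audit2allow produced in the post, unchanged except for the domain:
# VRRP advertisements and gratuitous ARP need netlink, packet and raw IP
# sockets. initrc_t already held more socket permissions than these, so the
# permissive phase above will surface what keepalived_t still lacks.
allow keepalived_t self:netlink_route_socket nlmsg_write;
allow keepalived_t self:netlink_socket { write getattr setopt read bind create };
allow keepalived_t self:packet_socket { write create };
allow keepalived_t self:rawip_socket { write create setopt };
EOF

    # File context for the daemon binary only. The init script keeps its
    # initrc_exec_t label, so OpenRC starts it exactly as before.
    cat > "$dir/keepalived.fc" <<'EOF'
/usr/sbin/keepalived    --    system_u:object_r:keepalived_exec_t
EOF
}

# Compile the module and bundle the file contexts into keepalived.pp.
build_keepalived_policy() {
    dir="$1"
    checkmodule -M -m -o "$dir/keepalived.mod" "$dir/keepalived.te" &&
    semodule_package -o "$dir/keepalived.pp" -m "$dir/keepalived.mod" -f "$dir/keepalived.fc"
}

# Load the module and relabel the binary; needs root on an SELinux host.
install_keepalived_policy() {
    dir="$1"
    semodule -i "$dir/keepalived.pp" &&
    restorecon -v /usr/sbin/keepalived
}

# Typical use on the target box:
#   d=$(mktemp -d); write_keepalived_policy "$d"
#   build_keepalived_policy "$d" && install_keepalived_policy "$d"
#   /etc/init.d/keepalived restart; ps -eZ | grep keepalived   # expect keepalived_t
```

After the restart, the Keepalived processes should show keepalived_t in ps -eZ. Let the daemon run through a failover so it exercises its code paths, then collect only that domain's denials with `grep keepalived_t /var/log/audit/audit.log | audit2allow -M keepalived_local` and load the result with `semodule -i keepalived_local.pp`. Once the log is clean, delete the `permissive keepalived_t;` line, rebuild and reinstall the module; from then on keepalived is enforced under its own rules and initrc_t is untouched.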