Why keepalived process for l3-ha is spawned with wrong selinux context system_u:system_r:unconfined_service_t:s0?

Solution Unverified - Updated -

Issue

  • The keepalived process for an l3-ha router is created with the unconfined SELinux context. When the neutron l3 agent tries to signal it (kill -HUP to reload the keepalived configuration), the call fails with a permission denied error, causing connectivity problems on VMs / virtual routers.

Below is the security context of keepalived on one of the controller nodes:

$ ps auxwwwZ | grep keep | grep -v grep
system_u:system_r:unconfined_service_t:s0 root 30699 0.0  0.0 113836 2364 ?    S    09:56   0:01 keepalived -P -f /var/lib/neutron/ha_confs/8d67bd9b-713b-4089-8258-4dc5716f5904/keepalived.conf -p /var/lib/neutron/ha_confs/8d67bd9b-713b-4089-8258-4dc5716f5904.pid -r /var/lib/neutron/ha_confs/8d67bd9b-713b-4089-8258-4dc5716f5904.pid-vrrp

And below are the exception logs of neutron-l3-agent:

$ journalctl -u neutron-l3-agent

Jun 30 12:07:39 node.env neutron-l3-agent[10430]: raise RuntimeError(m)
Jun 30 12:07:39 node.env neutron-l3-agent[10430]: RuntimeError:
Jun 30 12:07:39 node.env neutron-l3-agent[10430]: Command: ['sudo', 'neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'kill', '-HUP', '30698']
Jun 30 12:07:39 node.env neutron-l3-agent[10430]: Exit code: 1
Jun 30 12:07:39 node.env neutron-l3-agent[10430]: Stdout: ''
Jun 30 12:07:39 node.env neutron-l3-agent[10430]: Stderr: 'kill: sending signal to 30698 failed: Permission denied\n'

Below is the output of audit2why from the same controller node:

$ cat /var/log/audit/audit.log | audit2why 
type=AVC msg=audit(1435669733.108:1983001): avc:  denied  { signal } for  pid=18902 comm="kill" scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process

The keepalived process is expected to be spawned with context system_u:system_r:keepalived_t:s0. Why then is the process spawned with
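As an added example (not part of this article), a small checker that parses AVC records like the one above and reports denials where a confined domain was refused a signal to a process running in unconfined_service_t, which is the symptom of a mislabelled daemon. The audit lines and function names are constructed for illustration.

```python
import re
import shlex

# Constructed sample: the AVC record quoted above plus an unrelated file denial
# that the checker should ignore.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1435669733.108:1983001): avc:  denied  { signal } for  pid=18902 comm="kill" scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process
type=AVC msg=audit(1435669800.001:1983002): avc:  denied  { write } for  pid=18903 comm="neutron-l3-agen" name="l3.log" scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
"""

# "avc:  denied  { perm perm } for  key=value key="quoted value" ..."
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)"
)


def parse_avc(line):
    """Parse one type=AVC record into a dict: result, perms (set), and key->value fields."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": set(m.group("perms").split())}
    # The remainder is key=value pairs; values may be quoted (comm="kill").
    for tok in shlex.split(m.group("rest")):
        key, sep, val = tok.partition("=")
        if sep:
            rec[key] = val
    return rec


def domain(ctx):
    """Return the type field (user:role:TYPE:level) of an SELinux context string."""
    parts = ctx.split(":")
    return parts[2] if len(parts) > 2 else ""


def find_unconfined_target_denials(log_text, perm="signal", tclass="process"):
    """Return (source domain, comm, pid) for denials of `perm` on a process
    labelled unconfined_service_t, i.e. a daemon that did not transition
    into its own domain (here keepalived_t)."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if not rec or rec["result"] != "denied":
            continue
        if (perm in rec["perms"] and rec.get("tclass") == tclass
                and domain(rec.get("tcontext", "")) == "unconfined_service_t"):
            hits.append((domain(rec.get("scontext", "")), rec.get("comm"), rec.get("pid")))
    return hits


if __name__ == "__main__":
    for src, comm, pid in find_unconfined_target_denials(SAMPLE_AUDIT_LOG):
        print(f"{src} ({comm}, pid {pid}) was denied signal to an unconfined_service_t process")
```

Run it against a real /var/log/audit/audit.log by feeding the file contents to find_unconfined_target_denials; a hit means the target daemon should be checked with ps -eZ for a missing domain transition.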

Environment

  • Red Hat Enterprise Linux Openstack Platform v6.0
