keepalived is denied name_connect to port 3306 (mysqld_port_t).
Issue
- keepalived is denied name_connect to port 3306 (mysqld_port_t) when it tries to connect to that port for health-check purposes.
TCP_CHECK {
    connect_port 3306 <<<<<<<<<<<<<<<<<<<<<<<<<<<<<
    connect_timeout 30
    nb_get_retry 3
    delay_before_retry 3
}
- The following AVC denial messages are observed in /var/log/audit/audit.log:
type=AVC msg=audit(1452239091.518:28180): avc: denied { name_connect } for pid=8352 comm="keepalived" dest=3306 scontext=unconfined_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1452239091.518:28180): arch=x86_64 syscall=connect success=no exit=EINPROGRESS a0=8 a1=175e860 a2=80 a3=7fffc13b62f0 items=0 ppid=8351 pid=8352 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4378 comm=keepalived exe=/usr/sbin/keepalived subj=unconfined_u:system_r:keepalived_t:s0 key=(null)
- keepalived should be allowed to perform name_connect to any port specified in TCP_CHECK in keepalived.conf, including 3306.
KEEPALIVED.CONF(5)
[...]
#TCP healthchecker (bind to IP port)
TCP_CHECK
{
# ======== generic connection options
# Optional IP address to connect to.
# The default is real server’s IP
connect_ip <IP ADDRESS>
# Optional port to connect to if not
# The default is real server’s port
connect_port <PORT>
# Optional interface to use to
# originate the connection
bindto <IP ADDRESS>
# Optional source port to
# originate the connection from
bind_port <PORT>
# Optional connection timeout in seconds.
# The default is 5 seconds
connect_timeout <INTEGER>
# Optional fwmark to mark all outgoing
# checker packets with
fwmark <INTEGER>
# Optional random delay to begin initial check for
# maximum N seconds.
# Useful to scatter multiple simultaneous
# checks to the same RS. Enabled by default, with
# the maximum at delay_loop. Specify 0 to disable
warmup <INT>
} #TCP_CHECK
[...]
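The denial above is the usual sign that the SELinux port type of the target (mysqld_port_t for 3306) is not one the keepalived_t domain may name_connect to. Before changing policy it helps to see exactly which source type, target port type and permission are being denied, and which ports the TCP_CHECK blocks actually ask for. The script below is an added example (not part of the Red Hat article, and not keepalived's or the policy's own tooling): it summarizes AVC denials from audit-log text and extracts the connect_port values from a keepalived.conf. The audit lines and the configuration snippet it runs on are constructed for the example; the first AVC line mirrors the one in the article.

```shell
#!/bin/sh
# Added example: correlate SELinux AVC denials with the ports keepalived's
# TCP_CHECK health checks are configured to reach. Inputs are constructed
# sample data; on a real host feed /var/log/audit/audit.log and
# /etc/keepalived/keepalived.conf instead.

AUDIT_SAMPLE='type=AVC msg=audit(1452239091.518:28180): avc: denied { name_connect } for pid=8352 comm="keepalived" dest=3306 scontext=unconfined_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1452239091.518:28180): arch=x86_64 syscall=connect success=no exit=EINPROGRESS a0=8 a1=175e860 a2=80 a3=7fffc13b62f0 items=0 ppid=8351 pid=8352 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4378 comm=keepalived exe=/usr/sbin/keepalived subj=unconfined_u:system_r:keepalived_t:s0 key=(null)
type=AVC msg=audit(1452239100.001:28181): avc: denied { name_connect } for pid=8352 comm="keepalived" dest=3306 scontext=unconfined_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket'

# Constructed keepalived.conf fragment with two real servers, one of which
# checks a non-default port (3307) so that the port list has two entries.
KEEPALIVED_CONF_SAMPLE='virtual_server 192.0.2.10 3306 {
    real_server 192.0.2.21 3306 {
        TCP_CHECK {
            connect_port 3306
            connect_timeout 30
        }
    }
    real_server 192.0.2.22 3306 {
        TCP_CHECK {
            connect_port 3307
            connect_timeout 30
        }
    }
}'

# avc_summary: read audit records on stdin and print one line per distinct
# denial in the form
#   <comm> <source type> <target type> <class> <permission> <dest port> <count>
# The source/target *type* is the third colon-separated field of the context.
avc_summary() {
    grep '^type=AVC ' | grep 'avc: *denied' |
    awk '{
        perm = "-"; comm = "-"; dest = "-"; stype = "-"; ttype = "-"; tclass = "-";
        for (i = 1; i <= NF; i++) {
            if ($i == "{") perm = $(i + 1);
            else if (index($i, "comm=") == 1) { comm = substr($i, 6); gsub(/"/, "", comm) }
            else if (index($i, "dest=") == 1) dest = substr($i, 6);
            else if (index($i, "scontext=") == 1) { split(substr($i, 10), c, ":"); stype = c[3] }
            else if (index($i, "tcontext=") == 1) { split(substr($i, 10), c, ":"); ttype = c[3] }
            else if (index($i, "tclass=") == 1) tclass = substr($i, 8);
        }
        print comm, stype, ttype, tclass, perm, dest
    }' | sort | uniq -c | awk '{ n = $1; $1 = ""; sub(/^ +/, ""); print $0, n }'
}

# tcp_check_ports: read a keepalived.conf on stdin and print every
# connect_port value found inside a TCP_CHECK block, numerically, once each.
tcp_check_ports() {
    awk '
        /TCP_CHECK/ { inchk = 1 }
        inchk && $1 == "connect_port" { print $2 }
        inchk && index($0, "}") > 0 { inchk = 0 }
    ' | sort -n -u
}

# Stand-alone run over the constructed samples.
echo "AVC denials (comm stype ttype class perm dest count):"
printf '%s\n' "$AUDIT_SAMPLE" | avc_summary
echo "Ports requested by TCP_CHECK blocks:"
printf '%s\n' "$KEEPALIVED_CONF_SAMPLE" | tcp_check_ports
```

Each port printed by tcp_check_ports can be looked up with `semanage port -l` to find its SELinux port type; for 3306 that is mysqld_port_t, which matches the tcontext in the denial. Comparing that list with the avc_summary output shows whether every configured health-check port is hit by the same keepalived_t to port-type denial or only some of them, which is the information needed before any policy change is considered.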
Environment
- Red Hat Enterprise Linux 6.7 (kernel-2.6.32-573.12.1.el6.x86_64)
- selinux-policy-targeted-3.7.19-279.el6_7.8.noarch
- selinux-policy-3.7.19-279.el6_7.8.noarch
- keepalived-1.2.13-5.el6_6.x86_64