SELinux is blocking keepalived scripts

Solution Verified - Updated -

Issue

  • Unable to run keepalived scripts with SELinux in Enforcing mode.
  • SELinux AVC messages similar to the following are logged in /var/log/audit/audit.log:

    type=AVC msg=audit(1546871807.096:14299028): avc:  denied  { getattr } for  pid=87919 comm="pidof" path="/usr/sbin/haproxy-systemd-wrapper" dev="dm-0" ino=2297156 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:haproxy_exec_t:s0 tclass=file permissive=0
    
    type=AVC msg=audit(01/21/2019 09:26:37.548:5455867) : avc:  denied  { getattr } for  pid=20569 comm=pidof path=/usr/libexec/postfix/pickup dev="dm-0" ino=406383 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:postfix_pickup_exec_t:s0 tclass=file permissive=0
    
    type=AVC msg=audit(1548773332.351:1343): avc:  denied  { signull } for  pid=15336 comm="killall" scontext=system_u:system_r:keepalived_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=process permissive=0
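
To see at a glance what the `keepalived_t` domain is being denied, the records above can be grouped by target type and object class. The following is an added triage example, not part of the original article; `parse_avc` and `summarize` are names chosen here, and the sample input is the three records shown above.

```python
import re
from collections import defaultdict

# The three AVC records from the Issue section, copied verbatim from the page.
SAMPLE = r'''
type=AVC msg=audit(1546871807.096:14299028): avc:  denied  { getattr } for  pid=87919 comm="pidof" path="/usr/sbin/haproxy-systemd-wrapper" dev="dm-0" ino=2297156 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:haproxy_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(01/21/2019 09:26:37.548:5455867) : avc:  denied  { getattr } for  pid=20569 comm=pidof path=/usr/libexec/postfix/pickup dev="dm-0" ino=406383 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:postfix_pickup_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1548773332.351:1343): avc:  denied  { signull } for  pid=15336 comm="killall" scontext=system_u:system_r:keepalived_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=process permissive=0
'''

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # Values are quoted in raw audit.log and may be bare in interpreted output.
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(3))}
    # A context is user:role:type:level; the level may itself contain ':'.
    return {
        "result": m.group(1),
        "perms": m.group(2).split(),
        "comm": fields.get("comm"),
        "path": fields.get("path"),  # absent for process-class checks
        "source": fields["scontext"].split(":")[2],
        "target": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "permissive": fields.get("permissive") == "1",
    }

def summarize(text, domain="keepalived_t"):
    """Group denials from one source domain by (target type, object class)."""
    out = defaultdict(lambda: {"perms": set(), "comms": set(), "paths": set()})
    for line in text.splitlines():
        rec = parse_avc(line)
        if not rec or rec["result"] != "denied" or rec["source"] != domain:
            continue
        entry = out[(rec["target"], rec["tclass"])]
        entry["perms"].update(rec["perms"])
        entry["comms"].add(rec["comm"])
        if rec["path"]:
            entry["paths"].add(rec["path"])
    return dict(out)

if __name__ == "__main__":
    for (target, tclass), e in sorted(summarize(SAMPLE).items()):
        print(target, tclass, sorted(e["perms"]), sorted(e["comms"]), sorted(e["paths"]))
```

For these records the summary shows `getattr` on files labelled `haproxy_exec_t` and `postfix_pickup_exec_t` (from `pidof`) and `signull` on `sshd_t` processes (from `killall`).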
    

Environment

  • Red Hat Enterprise Linux 7
  • keepalived
  • SELinux in Enforcing mode
