On Tue, 2017-01-17 at 07:06 +0000, Xavier Decoud wrote:
Hi,
perhaps a rookie question...
I've installed keepalived 1.2.13 (from official CentOS repos) on
CentOS 7.3.
A check-script uses pidof to monitor whether a certain process is
still alive.
Now I get alerts like the following on all contexts of all running
processes:
setroubleshoot: SELinux is preventing /usr/sbin/killall5 from getattr
access on the file /usr/sbin/irqbalance. For complete SELinux
messages. run sealert -l 5db84650-63a7-408c-b8a0-34031c77b6a4
It's clear to me why. killall5 searches for the process I'd like to
monitor.
Sure, one can create a loadable monitor to allow or to dontlog
(except the context of the monitored process).
But, what about i.e. services installed in the future?
Every time there'll be a new process with a new context there'll be a
new alert.
Is there something like a wildcard to allow keepalived to use
killall5 / getattr on all contexts?
I don't like to switch keepalived to unconfined_exec_t just to get
rid of the alerts.
BTW, these alerts were not present under CentOS 6.8.

You can allow a given domain to stat() all executable types or all file
types (wasn't clear which one you actually needed - sounds like just
executable types?). Would need to see the avc denials to know the
exact details, but for example, assuming that killall5 is just running
in keepalived's context, you might define a local policy module that
includes the following allow rule:
# Allow keepalived and its children to stat all executables.
allow keepalived_t exec_type:file getattr;
or
# Allow keepalived and its children to stat all files.
allow keepalived_t file_type:file getattr;
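As an added example (not part of the reply above), here is how the first of those rules can be wrapped into a complete local policy module and loaded: the module name keepalived_getattr and the file names are my own choice; the types, attribute and permission come from the reply.

```shell
#!/bin/sh
# Generate a minimal SELinux policy module (Type Enforcement source) that
# grants the given domain getattr on every file carrying the given attribute.
# Usage: gen_te <domain> <attribute>   -> prints the .te source to stdout
gen_te() {
    domain="$1"; attr="$2"
    cat <<EOF
module keepalived_getattr 1.0;

require {
    type ${domain};
    attribute ${attr};
    class file getattr;
}

# Allow ${domain} (keepalived and the pidof/killall5 it runs from its
# check script) to stat every file labelled with the ${attr} attribute.
allow ${domain} ${attr}:file getattr;
EOF
}

# Compile and load the module. Needs checkmodule, semodule_package and
# semodule (checkpolicy / policycoreutils packages) and root privileges.
build_and_load() {
    domain="$1"; attr="$2"; name="keepalived_getattr"
    gen_te "$domain" "$attr" > "${name}.te"
    checkmodule -M -m -o "${name}.mod" "${name}.te" &&
    semodule_package -o "${name}.pp" -m "${name}.mod" &&
    semodule -i "${name}.pp"
}

# exec_type is the narrow choice from the reply; pass file_type instead
# for the broader "all files" variant.
if command -v checkmodule >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    build_and_load keepalived_t exec_type
else
    # No SELinux tool chain or not root: just show the generated source.
    gen_te keepalived_t exec_type
fi
```

After loading, `sesearch -A -s keepalived_t -t exec_type -c file -p getattr` should list the new rule, and the setroubleshoot alerts for getattr on executables should stop without changing keepalived's domain.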