On Tue, 2017-01-17 at 07:06 +0000, Xavier Decoud wrote:
> Hi,
>
> perhaps a rookie question...
>
> I've installed keepalived 1.2.13 (from official CentOS repos) on CentOS 7.3.
> A check-script uses pidof to monitor whether a certain process is still alive.
>
> Now I get alerts like the following on all contexts of all running processes:
> setroubleshoot: SELinux is preventing /usr/sbin/killall5 from getattr access on the file /usr/sbin/irqbalance. For complete SELinux messages, run sealert -l 5db84650-63a7-408c-b8a0-34031c77b6a4
>
> It's clear to me why. killall5 searches for the process I'd like to monitor.
>
> Sure, one can create a loadable monitor to allow or to dontlog (except the context of the monitored process).
> But, what about i.e. services installed in the future?
> Every time there'll be a new process with a new context there'll be a new alert.
>
> Is there something like a wildcard to allow keepalived to use killall5 / getattr on all contexts?
> I don't like to switch keepalived to unconfined_exec_t just to get rid of the alerts.
>
> BTW, these alerts were not present under CentOS 6.8.

You can allow a given domain to stat() all executable types or all file types (wasn't clear which one you actually needed - sounds like just executable types?). Would need to see the avc denials to know the exact details, but for example, assuming that killall5 is just running in keepalived's context, you might define a local policy module that includes the following allow rule:

    # Allow keepalived and its children to stat all executables.
    allow keepalived_t exec_type:file getattr;

or

    # Allow keepalived and its children to stat all files.
    allow keepalived_t file_type:file getattr;

_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
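The local policy module suggested in the reply, carried through to a buildable form as an added example (not code from the thread): it wraps the allow rule in a complete `.te` source with the `require` block, then compiles and loads it with checkmodule, semodule_package and semodule. The module name is a placeholder, the domain keepalived_t and the attributes exec_type / file_type are the ones named in the reply, and the narrower exec_type is the default.

```shell
#!/bin/sh
# Added example: build and load a local SELinux module that lets keepalived_t
# stat() every executable type (or every file type), so pidof/killall5 run
# from a keepalived check-script stop tripping setroubleshoot for each new service.
set -eu

MODNAME=local_keepalived_getattr   # placeholder module name

# Emit the .te source. $1 selects the target attribute:
#   exec_type (default) -> executables only, the narrower grant
#   file_type           -> every file type
gen_te() {
    attr="${1:-exec_type}"
    case "$attr" in
        exec_type|file_type) ;;
        *) echo "unknown attribute: $attr" >&2; return 1 ;;
    esac
    cat <<EOF
module $MODNAME 1.0;

require {
    type keepalived_t;
    attribute $attr;
    class file getattr;
}

# Allow keepalived and its children (killall5/pidof) to stat all $attr files.
allow keepalived_t $attr:file getattr;
EOF
}

# Compile the module and load it into the running policy (needs root and
# the checkmodule/semodule_package/semodule tools from policycoreutils).
install_module() {
    attr="${1:-exec_type}"
    dir=$(mktemp -d)
    gen_te "$attr" > "$dir/$MODNAME.te"
    checkmodule -M -m -o "$dir/$MODNAME.mod" "$dir/$MODNAME.te"
    semodule_package -o "$dir/$MODNAME.pp" -m "$dir/$MODNAME.mod"
    semodule -i "$dir/$MODNAME.pp"
    rm -rf "$dir"
    # Confirm the module is loaded; afterwards re-run the check-script and
    # look for any remaining denials with: ausearch -m AVC -ts recent
    semodule -l | grep -q "^$MODNAME"
}
```

Run `install_module` (or `install_module file_type`) as root; `gen_te` alone just prints the `.te` source for review before anything is loaded.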