Fix TCP HMs on UDP pools with SELinux

SELinux denied some specific TCP ports when using TCP-based HMs in UDP pools (keepalived). Enable a SELinux boolean keepalived_connect_any which allows keepalived to connect to any port. Closes-Bug: #2023751 Change-Id: Ie611ba9fde7b399989d847dd0c61dd3a158652bc (cherry picked from commit 294bd406f312984ee3029b301727d78caf7aea1d) (cherry picked from commit c0ceebebbfcf254e5f7b58f18208392260795259) (cherry picked from commit 4d52ce9c5c82c57690fdeacc44462e4822b80aea) (cherry picked from commit da9dc1230ea5eee46a13a0367bdf53ab1f34f917)
2023-06-14 04:32:08 -04:00 · 2023-06-14 04:32:08 -04:00 · 3f1dc2012d
commit 3f1dc2012d
parent f395d378eb
2 changed files with 10 additions and 0 deletions
--- a/elements/amphora-selinux/post-install.d/50-selinux-policies
+++ b/elements/amphora-selinux/post-install.d/50-selinux-policies
@ -17,3 +17,6 @@ enable_selinux_bool () {
 enable_selinux_bool os_haproxy_enable_nsfs
 enable_selinux_bool os_haproxy_ping
 enable_selinux_bool cluster_use_execmem
+# Allows keepalived to connect to any ports (required by TCP-based HMs on UDP
+# pools)
+enable_selinux_bool keepalived_connect_any
--- a/releasenotes/notes/fix-selinux-tcp-hm-on-udp-pools-89c3b8db89e359ba.yaml
+++ b/releasenotes/notes/fix-selinux-tcp-hm-on-udp-pools-89c3b8db89e359ba.yaml
@ -0,0 +1,7 @@
+---
+fixes:
+  - |
+    Fixed an SELinux issues with TCP-based health-monitor on UDP pools, some
+    specific monitoring ports were denied by SELinux. The Amphora image now
+    enables the ``keepalived_connect_any`` SELinux boolean that allows
+    connections to any ports.