Fix TCP HMs on UDP pools with SELinux

SELinux denied some specific TCP ports when using TCP-based HMs in UDP
pools (keepalived).
Enable a SELinux boolean keepalived_connect_any which allows keepalived
to connect to any port.

Closes-Bug: #2023751
Change-Id: Ie611ba9fde7b399989d847dd0c61dd3a158652bc
(cherry picked from commit 294bd406f3)
(cherry picked from commit c0ceebebbf)
(cherry picked from commit 4d52ce9c5c)
(cherry picked from commit da9dc1230e)
Gregory Thiemonge 2023-06-14 04:32:08 -04:00
parent f395d378eb
commit 3f1dc2012d
2 changed files with 10 additions and 0 deletions


@ -17,3 +17,6 @@ enable_selinux_bool () {
enable_selinux_bool os_haproxy_enable_nsfs
enable_selinux_bool os_haproxy_ping
enable_selinux_bool cluster_use_execmem
# Allows keepalived to connect to any ports (required by TCP-based HMs on UDP
# pools)
enable_selinux_bool keepalived_connect_any
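Review bot: The new `enable_selinux_bool keepalived_connect_any` line lifts the port restriction on keepalived for every amphora built from this image, not only for those serving UDP pools with TCP-based HMs, and the comment above it does not say that this is a deliberate trade-off. Please extend the comment to state that the boolean lets keepalived connect to any port and why a narrower rule is not practical here (for example, because the monitored ports are chosen by the user), so a later reader does not take it for an oversight. Minor: "any ports" should read "any port". The body of `enable_selinux_bool` is not visible in this hunk, so please also confirm it behaves sensibly if the boolean is missing from the policy on one of the backport targets.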


@ -0,0 +1,7 @@
---
fixes:
- |
Fixed an SELinux issues with TCP-based health-monitor on UDP pools, some
specific monitoring ports were denied by SELinux. The Amphora image now
enables the ``keepalived_connect_any`` SELinux boolean that allows
connections to any ports.
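Review bot: The release note text has grammar problems in its first sentence ("an SELinux issues", "health-monitor on UDP pools, some specific ...") and leaves out what an operator has to do. Suggested wording: "Fixed an SELinux issue with TCP-based health monitors on UDP pools: some monitoring ports were denied by SELinux." Since the fix is in the Amphora image, the note should also say that a rebuilt image is needed to pick it up, and it is worth stating that ``keepalived_connect_any`` allows keepalived to connect to any port so that operators reviewing the image's SELinux posture see the change.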