From c0ceebebbfcf254e5f7b58f18208392260795259 Mon Sep 17 00:00:00 2001
From: Gregory Thiemonge
Date: Wed, 14 Jun 2023 04:32:08 -0400
Subject: [PATCH] Fix TCP HMs on UDP pools with SELinux

SELinux denied some specific TCP ports when using TCP-based HMs in UDP pools (keepalived).

Enable a SELinux boolean keepalived_connect_any which allows keepalived to connect to any port.

Closes-Bug: #2023751
Change-Id: Ie611ba9fde7b399989d847dd0c61dd3a158652bc
(cherry picked from commit 294bd406f312984ee3029b301727d78caf7aea1d)
---
 .../amphora-selinux/post-install.d/50-selinux-policies | 3 +++
 .../fix-selinux-tcp-hm-on-udp-pools-89c3b8db89e359ba.yaml | 7 +++++++
 2 files changed, 10 insertions(+)
 create mode 100644 releasenotes/notes/fix-selinux-tcp-hm-on-udp-pools-89c3b8db89e359ba.yaml

diff --git a/elements/amphora-selinux/post-install.d/50-selinux-policies b/elements/amphora-selinux/post-install.d/50-selinux-policies
index 3642e40879..001ce628fe 100755
--- a/elements/amphora-selinux/post-install.d/50-selinux-policies
+++ b/elements/amphora-selinux/post-install.d/50-selinux-policies
@@ -17,3 +17,6 @@ enable_selinux_bool () {
 enable_selinux_bool os_haproxy_enable_nsfs
 enable_selinux_bool os_haproxy_ping
 enable_selinux_bool cluster_use_execmem
+# Allows keepalived to connect to any ports (required by TCP-based HMs on UDP
+# pools)
+enable_selinux_bool keepalived_connect_any
diff --git a/releasenotes/notes/fix-selinux-tcp-hm-on-udp-pools-89c3b8db89e359ba.yaml b/releasenotes/notes/fix-selinux-tcp-hm-on-udp-pools-89c3b8db89e359ba.yaml
new file mode 100644
index 0000000000..97ca282820
--- /dev/null
+++ b/releasenotes/notes/fix-selinux-tcp-hm-on-udp-pools-89c3b8db89e359ba.yaml
@@ -0,0 +1,7 @@
+---
+fixes:
+ - |
+ Fixed an SELinux issues with TCP-based health-monitor on UDP pools, some
+ specific monitoring ports were denied by SELinux. The Amphora image now
+ enables the ``keepalived_connect_any`` SELinux boolean that allows
+ connections to any ports.
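Review bot: Enabling `keepalived_connect_any` lifts the port restriction for the whole keepalived domain, not only for the health-monitor check ports, and the added comment on the new `enable_selinux_bool keepalived_connect_any` line should record that trade-off for whoever audits the amphora policy later, e.g. `# Allows keepalived to connect to any TCP port (needed by TCP-based HMs on UDP pools); this widens the keepalived domain beyond the HM ports, so revisit if a narrower port label becomes available`. The body of `enable_selinux_bool` is above the hunk, so this is inferred: if it runs `setsebool -P` under `set -e`, a base image whose selinux-policy lacks this boolean would abort the image build rather than degrade, so it is worth confirming the boolean exists in the policy version shipped by every supported base image. Minor wording: `any ports` reads better as `any port`.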