Comments (4)

pqarmitage commented on June 6, 2024

@szarkos Many thanks for your detailed analysis. I have updated https://bugzilla.redhat.com/show_bug.cgi?id=1997148 to identify how utimensat() is being called.

It seems wrong to modify a program to stop SELinux errors; it should be that the SELinux policy is updated to reflect what the program needs to do (unless of course the SELinux report identifies that the program is doing something that it shouldn't be doing). In this case however, I think that, especially given the magic code below, there is an argument for modifying keepalived as you suggest.

The magic code has an interesting comment in close_and_restore() (which is where the MAGIC_PRESERVE_ATIME functionality is):

        if ((ms->flags & MAGIC_PRESERVE_ATIME) != 0) {
                /*
                 * Try to restore access, modification times if read it.
                 * This is really *bad* because it will modify the status
                 * time of the file... And of course this will affect
                 * backup programs
                 */

so based on this, it would seem sensible to remove MAGIC_PRESERVE_ATIME (I think where the comment refers to "status time" it means "change time").

The question is: What is the impact of no longer setting MAGIC_PRESERVE_ATIME? The answer is, I think, nothing (well almost). Once the script is executed, the atime of the script will be updated anyway, so there is no point in preserving it.

Regarding preserving atime doing nothing is not quite correct. For some reason, file's magic.c does not preserve the atime and mtime properly; even if utimes() is available, magic.c does not restore the tv_usec value for atime and mtime, and so even with MAGIC_PRESERVE_ATIME, the mtime and atime are modified by having the fractions of a second part set to 0. It seems to me that magic.c should be using utimensat() directly and setting the tv_nsec thereby ensuring that the mtime and atime remain precisely the same.

My inclination therefore is to remove MAGIC_PRESERVE_ATIME, and then the mtime and ctime fields will not be modified, and although the atime field will be (it is anyway at the moment because the tv_nsec field is set to 0), it will be modified each time the script is run, and so there is no real impact.

from keepalived.
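The precision loss described in the comment above can be reproduced with a short program. This is an added example, not code from keepalived or from file's magic.c: the `restore_mtime` helper, the `/tmp` scratch path and the timestamps are constructed for illustration, and the `exact == 0` branch only models the behaviour the comment describes (restoring through utimes() with the sub-second field left at 0).

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/time.h>
#include <unistd.h>

struct outcome { int ok; long nsec_before, nsec_after; };

/* Save a file's times, then put them back the way a "preserve atime" reader
 * would. exact == 0 models the behaviour described above (utimes() with the
 * sub-second field left at 0); exact == 1 uses utimensat() with tv_nsec. */
struct outcome restore_mtime(int exact)
{
    struct outcome r = { 0, -1, -1 };
    char path[] = "/tmp/atime_demo_XXXXXX";   /* scratch file (assumption) */
    int fd = mkstemp(path);
    if (fd < 0)
        return r;
    close(fd);
    /* Constructed timestamps with non-zero fractions of a second. */
    struct timespec set[2] = { { 1700000000, 123456789 }, { 1700000000, 987654321 } };
    struct stat before, after;
    if (utimensat(AT_FDCWD, path, set, 0) == 0 && stat(path, &before) == 0) {
        int rc;
        if (exact) {
            struct timespec ts[2] = { before.st_atim, before.st_mtim };
            rc = utimensat(AT_FDCWD, path, ts, 0);
        } else {
            struct timeval tv[2] = { { before.st_atim.tv_sec, 0 }, { before.st_mtim.tv_sec, 0 } };
            rc = utimes(path, tv);
        }
        if (rc == 0 && stat(path, &after) == 0)
            r = (struct outcome){ 1, before.st_mtim.tv_nsec, after.st_mtim.tv_nsec };
    }
    unlink(path);
    return r;
}

int main(void)
{
    for (int exact = 0; exact <= 1; exact++) {
        struct outcome r = restore_mtime(exact);
        printf("%-11s ok=%d mtime nsec before=%ld after=%ld\n", exact ? "utimensat()" : "utimes()", r.ok, r.nsec_before, r.nsec_after);
    }
    return 0;
}
```

On a filesystem with nanosecond timestamps the utimes() case reports a non-zero fraction before the restore and 0 after it, while the utimensat() case reports the same value both times.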

szarkos commented on June 6, 2024

@pqarmitage - thank you for the quick response! I agree in most cases this sort of thing should be fixed in selinux-policy, but since the RH bugzilla and PR were rejected I figured I'd see if it was fixable here.

Would you prefer that I submit a PR for this?


pqarmitage commented on June 6, 2024

My reading of the RedHat Bugzilla was that they wouldn't fix the problem because they couldn't identify where utimensat() was being called. Since we have now identified that and the BZ is updated accordingly, they may take some action on it.

I don't need a pull request for this, I'll push a fix later.


pqarmitage commented on June 6, 2024

Commit b2b6539 removes MAGIC_PRESERVE_ATIME.