# keepalived and enforcing selinux

## copapa

Hi everyone.

I'm trying to install keepalived on my boxes but it doesn't seem to ship with a selinux policy.

```
# ls -Z /etc/init.d/keepalived
system_u:object_r:initrc_exec_t /etc/init.d/keepalived
# ls -Z /usr/sbin/keepalived
root:object_r:bin_t /usr/sbin/keepalived
```

When run in enforcing mode I get this kind of log:

```
Dec 17 18:20:51 assystem Keepalived_vrrp[2530]: Netlink: sendmsg() error: Permission denied
Dec 17 18:20:51 assystem Keepalived_vrrp[2530]: Error sending gratuitous ARP on enp2s0 for 192.168.1.200
Dec 17 18:20:51 assystem Keepalived_vrrp[2530]: Error sending gratuitous ARP on enp2s0 for 192.168.1.200
Dec 17 18:20:51 assystem Keepalived_vrrp[2530]: Error sending gratuitous ARP on enp2s0 for 192.168.1.200
Dec 17 18:20:51 assystem Keepalived_vrrp[2530]: Error sending gratuitous ARP on enp2s0 for 192.168.1.200
```

When running in permissive mode audit2allow gives me this:

```
# grep keepalive /var/log/audit/audit.log | audit2allow

#============= initrc_t ==============
allow initrc_t self:netlink_route_socket nlmsg_write;
allow initrc_t self:netlink_socket { write getattr setopt read bind create };
allow initrc_t self:packet_socket { write create };
allow initrc_t self:rawip_socket { write create setopt };
```

But I don't think I should allow every init script to do that. What would be the procedure to create a policy for one init script (and its binary)? I tried to change the type of the init script to give it only those permissions, but now it appears with "system_u:object_r:unlabeled_t" as its context in the logs.

----------
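One way to do what the post asks, as an added example that is not the poster's or the keepalived project's code: a small policy module that gives the daemon its own domain and relabels only the binary, so neither initrc_t nor the init script's label is touched (changing the init script's type by hand to a type the policy does not define is what produces unlabeled_t). The module name, the type names and the two extra interface calls are assumptions; the allow rules are the ones audit2allow printed above.

```shell
# Added example (not from the post): confine keepalived in its own SELinux domain
# instead of widening initrc_t. Module/type names are assumptions; the allow rules
# mirror the audit2allow output above.
set -eu
write_keepalived_policy() {
  dir="$1"
  mkdir -p "$dir"
  cat > "$dir/keepalived_local.te" <<'EOF'
policy_module(keepalived_local, 1.0)

# A private domain for the daemon and an entrypoint type for its binary.
type keepalived_t;
type keepalived_exec_t;
# init_t/initrc_t transition into keepalived_t when they execute the binary,
# so the init script itself keeps its initrc_exec_t label (no relabel, no unlabeled_t).
init_daemon_domain(keepalived_t, keepalived_exec_t)

# While iterating, uncomment so only this domain is permissive (the rest stays
# enforcing), rerun audit2allow, add what is needed, then remove the line again.
# permissive keepalived_t;

# The accesses audit2allow reported for initrc_t, now scoped to keepalived_t only.
# audit2allow listed just what initrc_t lacked; a fresh domain starts with nothing,
# so expect a second round (e.g. create/bind/write on netlink_route_socket).
allow keepalived_t self:netlink_route_socket nlmsg_write;
allow keepalived_t self:netlink_socket { write getattr setopt read bind create };
allow keepalived_t self:packet_socket { write create };
allow keepalived_t self:rawip_socket { write create setopt };

# Typical daemon needs (reading /etc, syslog); confirm with audit2allow as well.
files_read_etc_files(keepalived_t)
logging_send_syslog_msg(keepalived_t)
EOF
  # Only the binary gets the new label; the init script stays initrc_exec_t.
  cat > "$dir/keepalived_local.fc" <<'EOF'
/usr/sbin/keepalived -- gen_context(system_u:object_r:keepalived_exec_t,s0)
EOF
}
# Build with the refpolicy devel Makefile (selinux-policy-devel), load, relabel.
install_keepalived_policy() {
  ( cd "$1" && make -f /usr/share/selinux/devel/Makefile keepalived_local.pp )
  semodule -i "$1/keepalived_local.pp"
  restorecon -v /usr/sbin/keepalived
}
write_keepalived_policy "${POLICY_DIR:-/tmp/keepalived_policy}"
# Build and install only where the SELinux toolchain is actually present.
if [ -f /usr/share/selinux/devel/Makefile ] && command -v semodule >/dev/null 2>&1; then
  install_keepalived_policy "${POLICY_DIR:-/tmp/keepalived_policy}"
fi
```

After `restorecon`, `ls -Z /usr/sbin/keepalived` should show `keepalived_exec_t` and a running daemon should appear as `keepalived_t` in `ps -eZ`, so any remaining denials in audit.log name that domain rather than initrc_t.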

