Issue
What were you trying to do that didn't work?
Keepalived scripts executing in the `keepalived_unconfined_script_t` SELinux domain cannot execute `systemctl` commands.
There is no rule in the policy to allow `systemd` (executing as `init_t`) to send back the result to the keepalived script (executing as `keepalived_unconfined_script_t`).
Please provide the package NVR for which bug is seen:
selinux-policy-3.14.3-128.el8_9.1.noarch
How reproducible:
keepalived with a healthcheck script checking systemctl status
Temporary solution:
https://access.redhat.com/solutions/7053361
Expected results
`systemd` is able to send back the result to the keepalived script (executing as `keepalived_unconfined_script_t`).
Actual results
A USER_AVC related to `init_t` and `keepalived_unconfined_script_t` is seen in the audit.log:
```
type=USER_AVC msg=audit(01/16/2024 14:39:57.358:4406319) : pid=2242023 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.856978 spid=1 tpid=325533 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:keepalived_unconfined_script_t:s0 tclass=dbus permissive=0 exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?'
```
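Added example, not part of the original report: a small parser that pulls the source type, target type, class and permission out of the USER_AVC record above and prints the allow rule that the denial corresponds to, for review against the policy. The function names `parse_user_avc` and `candidate_rule` are hypothetical, and the printed rule is derived from the record only, not taken from the linked solution.

```python
import re

# USER_AVC record copied from the report above (split only for line length).
RECORD = (
    "type=USER_AVC msg=audit(01/16/2024 14:39:57.358:4406319) : pid=2242023 "
    "uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 "
    "msg='avc: denied { send_msg } for msgtype=method_return dest=:1.856978 "
    "spid=1 tpid=325533 scontext=system_u:system_r:init_t:s0 "
    "tcontext=system_u:system_r:keepalived_unconfined_script_t:s0 tclass=dbus "
    "permissive=0 exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?'"
)

AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}")


def parse_user_avc(line):
    """Parse one USER_AVC record; return None for any other record type."""
    if not line.startswith("type=USER_AVC"):
        return None
    m = AVC_RE.search(line)
    if m is None:
        return None
    # key=value pairs after the permission set (msgtype, scontext, tclass, ...)
    kv = dict(re.findall(r"(\w+)=(\S+)", line[m.end():]))
    if not {"scontext", "tcontext", "tclass"} <= kv.keys():
        return None
    return {
        "result": m.group(1),
        "perms": m.group(2).split(),
        # An SELinux context is user:role:type:level; the type is the third field.
        "source_type": kv["scontext"].split(":")[2],
        "target_type": kv["tcontext"].split(":")[2],
        "tclass": kv["tclass"],
        "msgtype": kv.get("msgtype"),
        "enforced": kv.get("permissive") == "0",
    }


def candidate_rule(avc):
    """Return the allow rule a denied record corresponds to, else None."""
    if avc is None or avc["result"] != "denied":
        return None
    perms = avc["perms"]
    perm_set = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {avc['source_type']} {avc['target_type']}:{avc['tclass']} {perm_set};"


if __name__ == "__main__":
    print(candidate_rule(parse_user_avc(RECORD)))
```

The `msgtype` field distinguishes this denial (a `method_return` from `init_t`) from a denial of the script's outgoing call, and `enforced` is false for records logged with `permissive=1`.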