Bug ID 1048077: SELinux errors with gtmd when using internal FIPS card

Last Modified: Oct 28, 2023

Affected Product(s):
BIG-IP DNS(all modules)

Fixed In:
17.1.0, 16.1.4

Opened: Sep 20, 2021

Severity: 3-Major

Symptoms

You can observe the following avc error logs when the gtmd process tries to interact with internal FIPS card for DNSSEC key and signature creation: type=AVC msg=audit(1662044427.707:3960): avc: denied { create } for pid=39483 comm="gtmd" scontext=system_u:system_r:gtmd_t:s0 tcontext=system_u:system_r:gtmd_t:s0 tclass=netlink_route_socket type=AVC msg=audit(1662044427.709:3961): avc: denied { search } for pid=39483 comm="gtmd" name="gtmd" dev="dm-20" ino=188725 scontext=system_u:system_r:gtmd_t:s0 tcontext=system_u:object_r:svc_svc_t:s0 tclass=dir type=AVC msg=audit(1662044428.113:3962): avc: denied { create } for pid=39483 comm="gtmd" scontext=system_u:system_r:gtmd_t:s0 tcontext=system_u:system_r:gtmd_t:s0 tclass=netlink_route_socket type=AVC msg=audit(1662044428.114:3963): avc: denied { search } for pid=39483 comm="gtmd" name="gtmd" dev="dm-20" ino=188725 scontext=system_u:system_r:gtmd_t:s0 tcontext=system_u:object_r:svc_svc_t:s0 tclass=dir

Impact

No Impact to DNSSEC deployment but gtmd throws SELinux errors.

Conditions

- Internal FIPS card present with FIPS 140-3 supported devices. - DNSSEC Key and signature creation using internal keys.

Workaround

None

Fix Information

None

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips