Bug ID 889041: Failover scripts fail to access resolv.conf due to permission issues

Last Modified: Oct 06, 2020

Bug Tracker

Affected Product: BIG-IP TMOS (all modules)

Known Affected Versions:
14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 16.0.0, 16.0.0.1

Opened: Mar 11, 2020
Severity: 3-Major

Symptoms

When a failover is triggered, the floating IP addresses do not migrate to the newly active device. In /var/log/auditd/audit.log, you see the following error:

/var/log/auditd/audit.log:type=AVC msg=audit(1583426470.463:27492): avc: denied { read } for pid=26865 comm="curl" name="resolv.conf" dev="dm-5" ino=32804 scontext=system_u:system_r:f5config_failover_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=lnk_file
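As an added illustration that is not part of the bug report: a small parser for the audit.log AVC record quoted above, with a check that flags the specific signature of this bug (the f5config_failover_t domain denied read on resolv.conf). The sample log text is constructed from the record in the Symptoms section plus one unrelated SYSCALL line that must not match.

```python
import re
from datetime import datetime, timezone

# Constructed sample: line 1 reproduces the AVC denial quoted in the bug report,
# line 2 is an unrelated record that the check must ignore.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1583426470.463:27492): avc: denied { read } for pid=26865 comm="curl" name="resolv.conf" dev="dm-5" ino=32804 scontext=system_u:system_r:f5config_failover_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1583426470.463:27492): arch=c000003e syscall=2 success=no exit=-13
"""

# Header of an AVC record: timestamp, serial, decision and the permission set.
AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): '
    r'avc: +(?P<decision>denied|granted) +\{ (?P<perms>[^}]+)\} for (?P<fields>.*)$'
)
# key=value pairs after "for"; values may be bare (pid=26865) or quoted (comm="curl").
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

def parse_avc(line):
    """Parse one AVC record into a dict; return None for non-AVC lines."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "time": datetime.fromtimestamp(float(m.group("ts")), tz=timezone.utc),
        "serial": int(m.group("serial")),
        "decision": m.group("decision"),
        "perms": m.group("perms").split(),
    }
    for key, _, quoted, bare in FIELD_RE.findall(m.group("fields")):
        rec[key] = quoted if quoted else bare
    return rec

def is_failover_resolv_denial(rec):
    """True when a failover-script domain is denied read on resolv.conf."""
    return (
        rec is not None
        and rec["decision"] == "denied"
        and "read" in rec["perms"]
        and rec.get("name") == "resolv.conf"
        and ":f5config_failover_t:" in rec.get("scontext", "")
    )

def find_failover_denials(log_text):
    """Return (serial, pid, comm) for every matching denial in an audit.log excerpt."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if is_failover_resolv_denial(rec):
            hits.append((rec["serial"], int(rec["pid"]), rec["comm"]))
    return hits
```

Running find_failover_denials over a real audit.log excerpt after a failover gives a quick yes/no on whether this bug, rather than something else, stopped the floating addresses from moving.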

Impact

Failover does not complete. Floating IP addresses do not move to the active device.

Conditions

-- A failover event occurs.
-- oci-curl is called when failover happens and may be unable to read /etc/resolv.conf.

Workaround

Run two commands:

tmsh modify sys db failover.selinuxallowscripts enable
setenforce 0

Impact of workaround: these commands disable SELinux policy enforcement.

Fix Information

None

Behavior Change