Bug ID 889041: Failover scripts fail to access resolv.conf due to permission issues

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP TMOS(all modules)

Known Affected Versions:
14.1.0, 14.1.2, 14.1.3, 15.0.0, 15.0.1, 15.1.0, 15.1.1, 16.0.0, 16.0.1

Fixed In:
16.1.0, 15.1.2

Opened: Mar 11, 2020

Severity: 3-Major


When a failover is triggered, the floating IP addresses do not migrate to the newly active device. In /var/log/auditd/audit.log, you see the following errors:

/var/log/auditd/audit.log:type=AVC msg=audit(1583426470.463:27492): avc: denied { read } for pid=26865 comm="curl" name="resolv.conf" dev="dm-5" ino=32804 scontext=system_u:system_r:f5config_failover_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=lnk_file
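The following added example, which is not F5 code, parses AVC records in the format quoted above and reports denials whose source domain is f5config_failover_t, so the symptom can be confirmed from the audit log. The function names and the second and third sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample input: line 0 is the record quoted on this page; lines 1-2
# are made-up records that must not be reported.
SAMPLE = [
    '/var/log/auditd/audit.log:type=AVC msg=audit(1583426470.463:27492): avc: denied { read } for pid=26865 comm="curl" name="resolv.conf" dev="dm-5" ino=32804 scontext=system_u:system_r:f5config_failover_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=lnk_file',
    'type=AVC msg=audit(1583426471.100:27493): avc: denied { getattr open } for pid=100 comm="example" path="/tmp/example" scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1583426470.463:27492): arch=c000003e syscall=2 success=no exit=-13 comm="curl"',
]

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<verdict>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Parse one AVC record into a dict, or return None for other lines."""
    m = AVC_RE.search(line)  # search() tolerates a grep-style "file:" prefix
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m['rest'])}
    rec.update(ts=float(m['ts']), serial=int(m['serial']),
               verdict=m['verdict'], perms=m['perms'].split())
    for side in ('scontext', 'tcontext'):
        # Context is user:role:type:level; the level may contain more colons.
        parts = rec.get(side, '').split(':', 3)
        rec[side[0] + 'type'] = parts[2] if len(parts) > 2 else None
    return rec

def failover_denials(lines, source_type='f5config_failover_t'):
    """Return denied AVC records raised by the failover script domain."""
    recs = (parse_avc(line) for line in lines)
    return [r for r in recs
            if r and r['verdict'] == 'denied' and r['stype'] == source_type]

def is_resolv_conf_denial(rec):
    """True when the record matches the symptom on this page (hypothetical helper)."""
    return rec.get('name') == 'resolv.conf' and 'read' in rec['perms']

def summarize(records):
    """Count denials per (comm, name, target type, class, permissions)."""
    return Counter((r.get('comm'), r.get('name'), r['ttype'], r.get('tclass'),
                    ' '.join(r['perms'])) for r in records)

if __name__ == '__main__':
    for key, count in summarize(failover_denials(SAMPLE)).items():
        print(count, key)
```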


Failover does not complete. Floating IP addresses do not move to the active device.


-- A failover event occurs.
-- oci-curl is called when failover happens and may be unable to read /etc/resolv.conf.


Run two commands:

tmsh modify sys db failover.selinuxallowscripts enable
setenforce 0

Impact of workaround: these commands disable SELinux policy enforcement.

Fix Information


Behavior Change
