From 3d50df9db9516c77dddb5dd9c5daa74a835851a4 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Thu, 19 Oct 2023 19:27:22 +0200
Subject: [PATCH] Dontaudit keepalived setattr on
 keepalived_unconfined_script_exec_t

Keepalived can be configured to execute periodically a VRRP script.
Keepalived does sanity checks on such a script through calling the
check_script_secure() function, which internally relies on libmagic
magic_file() function which internally opens/reads the file, then
closes it and tries restore its access time.

Resolves: RHEL-14029
---
 policy/modules/contrib/keepalived.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/contrib/keepalived.te b/policy/modules/contrib/keepalived.te
index 1efeb3017e..750315cc25 100644
--- a/policy/modules/contrib/keepalived.te
+++ b/policy/modules/contrib/keepalived.te
@@ -147,6 +147,8 @@ optional_policy(`
 	allow keepalived_t keepalived_unconfined_script_exec_t:dir search_dir_perms;
 	allow keepalived_t keepalived_unconfined_script_exec_t:dir read_file_perms;
 	allow keepalived_t keepalived_unconfined_script_exec_t:file ioctl;
+	dontaudit keepalived_t keepalived_unconfined_script_exec_t:file setattr;
+
 
 	init_dbus_chat(keepalived_unconfined_script_t)