Bug 1418378

Summary: watchquagga runs as initrc_t instead of zebra_t
Product: Red Hat Enterprise Linux 6
Component: selinux-policy
Version: 6.9
Hardware: All
OS: Linux
Status: CLOSED WONTFIX
Severity: unspecified
Priority: unspecified
Target Milestone: rc
Type: Bug
Reporter: Tomas Dolezal <todoleza>
Assignee: Lukas Vrabec <lvrabec>
QA Contact: Milos Malik <mmalik>
CC: dwalsh, lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde
Doc Type: If docs needed, set a value
Last Closed: 2017-10-02 13:20:44 UTC
Bug Depends On: 1208617

Description Tomas Dolezal 2017-02-01 16:50:26 UTC
Description of problem:
An SELinux denial appears when starting the watchquagga daemon. Its functionality doesn't seem to be impaired -> it is able to restart quagga processes.

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-307.el6.noarch
quagga-0.99.15-13.el6.x86_64

How reproducible:
always

Steps to Reproduce:
just start watchquagga
or linked TCMS

Actual results:
with setenforce 0 (same with enforcing):
type=SYSCALL msg=audit(1.2.2017 11:44:34.710:891) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x17726a0 a1=0x1726c90 a2=0x1780f60 a3=0x30 items=0 ppid=7839 pid=7845 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=7 comm=ip exe=/sbin/ip subj=unconfined_u:system_r:ifconfig_t:s0 key=(null) 
type=AVC msg=audit(1.2.2017 11:44:34.710:891) : avc:  denied  { read write } for  pid=7845 comm=ip path=/var/run/quagga/watchquagga.pid dev=vda1 ino=531141 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:object_r:zebra_var_run_t:s0 tclass=file

Expected results:
no denials

Additional info:
ps -efZ | grep quag
unconfined_u:system_r:initrc_t:s0 root    7777     1  0 11:44 ?        00:00:00 watchquagga -d -Az -b_ -r/sbin/service_%s_restart -s/sbin/service_%s_start -k/sbin/service_%s_stop zebra bgpd ospfd
unconfined_u:system_r:zebra_t:s0 quagga   7849     1  0 11:44 ?        00:00:00 zebra -d -A 127.0.0.1 -f /etc/quagga/zebra.conf
unconfined_u:system_r:zebra_t:s0 quagga   7883     1  0 11:44 ?        00:00:00 bgpd -d -A 127.0.0.1 -f /etc/quagga/bgpd.conf
unconfined_u:system_r:zebra_t:s0 quagga   7884     1  0 11:44 ?        00:00:00 ospfd -d -A 127.0.0.1 -f /etc/quagga/ospfd.conf

watchquagga is a newly introduced quagga daemon in RHEL 6.9.

Comment 1 Milos Malik 2017-02-01 19:23:24 UTC
# service watchquagga status
watchquagga is stopped
# service watchquagga start
Starting watchquagga:                                      [  OK  ]
# service watchquagga status
watchquagga (pid 1734) is running...
# ps -efZ | grep quagga
unconfined_u:system_r:initrc_t:s0 root    1734     1  0 14:16 ?        00:00:00 watchquagga -d zebra bgpd ospfd ospf6d ripd ripngd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 1752 1649  0 14:16 pts/0 00:00:00 grep quagga
# matchpathcon `which watchquagga`
/usr/sbin/watchquagga	system_u:object_r:bin_t:s0
#

The watchquagga service is not confined now.
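The two checks shown in the comments above (looking for daemons left in initrc_t with `ps -efZ`, and comparing the binary's label from `matchpathcon` against the entrypoint type the policy needs for a domain transition) can be scripted so they run as a routine audit. The following is an added example, not code from this bug report or from the selinux-policy package; the sample `ps -efZ` lines are constructed after the output in the report, and `zebra_exec_t` is used as the entrypoint type expected for a transition into zebra_t (the report itself only shows the bin_t label the binary actually carries).

```shell
#!/bin/sh
# Added example (not from the bug report): flag daemons whose SELinux domain is
# initrc_t, i.e. services the policy never transitioned into a confined domain,
# and check whether a binary's file label is the expected exec type.

# Constructed sample modelled on the `ps -efZ` output in the report.
SAMPLE_PS='unconfined_u:system_r:initrc_t:s0 root    7777     1  0 11:44 ?        00:00:00 watchquagga -d -Az zebra bgpd ospfd
unconfined_u:system_r:zebra_t:s0 quagga   7849     1  0 11:44 ?        00:00:00 zebra -d -A 127.0.0.1 -f /etc/quagga/zebra.conf
unconfined_u:system_r:zebra_t:s0 quagga   7883     1  0 11:44 ?        00:00:00 bgpd -d -A 127.0.0.1 -f /etc/quagga/bgpd.conf
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 1752 1649  0 14:16 pts/0 00:00:00 grep quagga'

# find_unconfined_daemons: read `ps -efZ` lines on stdin and print "pid command"
# for every process whose SELinux type (third field of the context) is initrc_t.
# Columns of ps -efZ: LABEL UID PID PPID C STIME TTY TIME CMD...
find_unconfined_daemons() {
    awk '
    {
        split($1, ctx, ":")
        if (ctx[3] == "initrc_t") print $3, $9
    }'
}

# check_exec_label: given one line of `matchpathcon` output ("path context")
# and an expected type, return 0 when the file type matches, 1 otherwise.
# A binary labelled bin_t instead of the daemon's exec type will not trigger
# the init -> daemon domain transition, so the service stays in initrc_t.
check_exec_label() {
    line=$1
    expected=$2
    ctx=$(printf '%s\n' "$line" | awk '{print $2}')
    ctx_type=$(printf '%s\n' "$ctx" | cut -d: -f3)
    [ "$ctx_type" = "$expected" ]
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_PS" | find_unconfined_daemons
if check_exec_label "/usr/sbin/watchquagga system_u:object_r:bin_t:s0" zebra_exec_t; then
    echo "watchquagga binary is labelled for a transition into zebra_t"
else
    echo "watchquagga binary is not labelled zebra_exec_t: no transition, stays in initrc_t"
fi
```

On a live system the same functions take `ps -efZ` and `matchpathcon $(which watchquagga)` as input; any daemon the first function reports is running with the broad initrc_t permissions rather than its own confined domain, which is exactly the state Comment 1 documents.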

Comment 2 Milos Malik 2017-02-01 19:24:24 UTC
I guess it's too late for fixing it in RHEL-6.9.

Comment 4 Lukas Vrabec 2017-10-02 13:20:44 UTC
Red Hat Enterprise Linux 6 transitioned to the Production 3 Phase on May 10, 2017.  During the Production 3 Phase, Critical impact Security Advisories (RHSAs) and selected Urgent Priority Bug Fix Advisories (RHBAs) may be released as they become available.

The official life cycle policy can be reviewed here:
http://redhat.com/rhel/lifecycle

This issue does not appear to meet the inclusion criteria for the Production Phase 3 and will be marked as CLOSED/WONTFIX. If this remains a critical requirement, please contact Red Hat Customer Support to request a re-evaluation of the issue, citing a clear business justification.  Red Hat Customer Support can be contacted via the Red Hat Customer Portal at the following URL:

https://access.redhat.com