Bug 2043120
| Summary: | frr triggers selinux violations | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | svenvd <svenvd> |
| Component: | frr | Assignee: | Michal Ruprich <mruprich> |
| Status: | CLOSED DUPLICATE | QA Contact: | FrantiĊĦek Hrdina <fhrdina> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 8.5 | CC: | fhrdina |
| Target Milestone: | rc | Keywords: | Reproducer, Triaged |
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | FreeBSD | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2022-08-10 08:07:21 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
I know about this for some time and I would like to fix this in RHEL-8.7.0. In this case I will create a Decentralized SELinux Policy for the package that should cover up most of the use cases for frr. I am closing this as a duplicate of bug #1941765. I am now in a process of finishing the mentioned bug and all the aforementioned AVCs should go away. *** This bug has been marked as a duplicate of bug 1941765 *** |
Description of problem: watchfrr triggers selinux violations time->Thu Jan 20 17:33:03 2022 type=PROCTITLE msg=audit(1642696383.603:28262): proctitle=2F7573722F6C69622F6672722F7761746368667272002D64002D4600747261646974696F6E616C007A6562726100626770640073746174696364 type=MMAP msg=audit(1642696383.603:28262): fd=9 flags=0x1 type=SYSCALL msg=audit(1642696383.603:28262): arch=c000003e syscall=9 success=yes exit=140627744976896 a0=0 a1=2000 a2=3 a3=1 items=0 ppid=184611 pid=184617 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="watchfrr" exe="/usr/lib/frr/watchfrr" subj=system_u:system_r:init_t:s0 key=(null) type=AVC msg=audit(1642696383.603:28262): avc: denied { map } for pid=184617 comm="watchfrr" path="/var/tmp/frr/watchfrr.184611/logbuf.184617" dev="dm-3" ino=8508560 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:init_tmp_t:s0 tclass=file permissive=1 ---- time->Thu Jan 20 17:33:03 2022 type=PROCTITLE msg=audit(1642696383.607:28263): proctitle=2F7573722F6C69622F6672722F7761746368667272002D64002D4600747261646974696F6E616C007A6562726100626770640073746174696364 type=SYSCALL msg=audit(1642696383.607:28263): arch=c000003e syscall=109 success=yes exit=0 a0=0 a1=0 a2=1 a3=7fe672c7e940 items=0 ppid=184617 pid=184621 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="watchfrr" exe="/usr/lib/frr/watchfrr" subj=system_u:system_r:init_t:s0 key=(null) type=AVC msg=audit(1642696383.607:28263): avc: denied { setpgid } for pid=184621 comm="watchfrr" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=process permissive=1 How reproducible: systemctl restart frr Expected results: no selinux violations