Bug 2055578

Summary: SELinux labels OpenBGPD's /usr/sbin/bgpd process as zebra_t
Product: Red Hat Enterprise Linux 9
Component: selinux-policy
Version: 9.0
Hardware: x86_64
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: low
Reporter: Lukas Vrabec <lvrabec>
Assignee: Zdenek Pytela <zpytela>
QA Contact: Milos Malik <mmalik>
CC: jcastran, lagordon, lvrabec, mmalik, plautrba, redhat-bugzilla, rmullett, ssekidde, sujagtap, zpytela
Keywords: Reopened, Triaged
Flags: pm-rhel: mirror+
Target Milestone: rc
Target Release: 9.0
Fixed In Version: selinux-policy-34.1.27-1.el9
Doc Type: No Doc Update
Type: Bug
Clone Of: 1830170
Bug Depends On: 1830170
Last Closed: 2022-05-17 15:50:20 UTC
Deadline: 2022-02-22

Comment 2 Robert Scheck 2022-02-17 23:11:19 UTC
May I kindly ask if this change is also applied to Fedora (in order to be there for a future RHEL 10 already)?

Comment 8 Zdenek Pytela 2022-05-02 13:47:01 UTC
The label for /usr/sbin/bgpd has been removed from selinux-policy in RHEL 9 and is present in CentOS 9 Stream since the package version selinux-policy-34.1.27-1.el9. This is the commit message:

    Remove label for /usr/sbin/bgpd

    So far, the bgpd binary was labeled with zebra_exec_t, making the
    service start in the zebra_t domain and require additional permissions
    which were not designed for the original zebra project.

    With the default file context specification removed, the service will
    start in the unconfined_service_t domain.

Given that the current state of the policy can still be useful for users as is, there are currently no plans to make any change in selinux-policy in Fedora.

Comment 10 errata-xmlrpc 2022-05-17 15:50:20 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (new packages: selinux-policy), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:3918