Bugzilla (bugzilla.redhat.com) will be under maintenance for infrastructure upgrades and will not be available on July 31st between 12:30 AM - 05:30 AM UTC. We appreciate your understanding and patience. You can follow status.redhat.com for details.
Bug 1418378 - watchquagga runs as initrc_t instead of zebra_t
Summary: watchquagga runs as initrc_t instead of zebra_t
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.9
Hardware: All
OS: Linux
Target Milestone: rc
: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
Depends On: 1208617
TreeView+ depends on / blocked
Reported: 2017-02-01 16:50 UTC by Tomas Dolezal
Modified: 2018-03-09 12:29 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2017-10-02 13:20:44 UTC
Target Upstream Version:

Attachments (Terms of Use)

Description Tomas Dolezal 2017-02-01 16:50:26 UTC
Description of problem:
selinux denial appears when starting watchquagga daemon. It's functionality doesn't seem to be impaired -> is able to restart quagga processes.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
just start watchquagga
or linked TCMS

Actual results:
with setenforce 0 (same with enforcing):
type=SYSCALL msg=audit(1.2.2017 11:44:34.710:891) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x17726a0 a1=0x1726c90 a2=0x1780f60 a3=0x30 items=0 ppid=7839 pid=7845 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=7 comm=ip exe=/sbin/ip subj=unconfined_u:system_r:ifconfig_t:s0 key=(null) 
type=AVC msg=audit(1.2.2017 11:44:34.710:891) : avc:  denied  { read write } for  pid=7845 comm=ip path=/var/run/quagga/watchquagga.pid dev=vda1 ino=531141 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:object_r:zebra_var_run_t:s0 tclass=file

Expected results:
no denials

Additional info:
ps -efZ | grep quag
unconfined_u:system_r:initrc_t:s0 root    7777     1  0 11:44 ?        00:00:00 watchquagga -d -Az -b_ -r/sbin/service_%s_restart -s/sbin/service_%s_start -k/sbin/service_%s_stop zebra bgpd ospfd
unconfined_u:system_r:zebra_t:s0 quagga   7849     1  0 11:44 ?        00:00:00 zebra -d -A -f /etc/quagga/zebra.conf
unconfined_u:system_r:zebra_t:s0 quagga   7883     1  0 11:44 ?        00:00:00 bgpd -d -A -f /etc/quagga/bgpd.conf
unconfined_u:system_r:zebra_t:s0 quagga   7884     1  0 11:44 ?        00:00:00 ospfd -d -A -f /etc/quagga/ospfd.conf

watchqauagga is newly introduced quagga daemon to rhel6.9

Comment 1 Milos Malik 2017-02-01 19:23:24 UTC
# service watchquagga status
watchquagga is stopped
# service watchquagga start
Starting watchquagga:                                      [  OK  ]
# service watchquagga status
watchquagga (pid 1734) is running...
# ps -efZ | grep quagga
unconfined_u:system_r:initrc_t:s0 root    1734     1  0 14:16 ?        00:00:00 watchquagga -d zebra bgpd ospfd ospf6d ripd ripngd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 1752 1649  0 14:16 pts/0 00:00:00 grep quagga
# matchpathcon `which watchquagga`
/usr/sbin/watchquagga	system_u:object_r:bin_t:s0

The watchquagga service is not confined now.

Comment 2 Milos Malik 2017-02-01 19:24:24 UTC
I guess it's too late for fixing it in RHEL-6.9.

Comment 4 Lukas Vrabec 2017-10-02 13:20:44 UTC
Red Hat Enterprise Linux 6 transitioned to the Production 3 Phase on May 10, 2017.  During the Production 3 Phase, Critical impact Security Advisories (RHSAs) and selected Urgent Priority Bug Fix Advisories (RHBAs) may be released as they become available.

The official life cycle policy can be reviewed here:

This issue does not appear to meet the inclusion criteria for the Production Phase 3 and will be marked as CLOSED/WONTFIX. If this remains a critical requirement, please contact Red Hat Customer Support to request a re-evaluation of the issue, citing a clear business justification.  Red Hat Customer Support can be contacted via the Red Hat Customer Portal at the following URL:


Note You need to log in before you can comment on or make changes to this bug.