RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1418378 - watchquagga runs as initrc_t instead of zebra_t
Summary: watchquagga runs as initrc_t instead of zebra_t
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.9
Hardware: All
OS: Linux
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On: 1208617
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-02-01 16:50 UTC by Tomas Dolezal
Modified: 2018-03-09 12:29 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-10-02 13:20:44 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)

Description Tomas Dolezal 2017-02-01 16:50:26 UTC
Description of problem:
selinux denial appears when starting watchquagga daemon. It's functionality doesn't seem to be impaired -> is able to restart quagga processes.

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-307.el6.noarch
quagga-0.99.15-13.el6.x86_64

How reproducible:
always

Steps to Reproduce:
just start watchquagga
or linked TCMS

Actual results:
with setenforce 0 (same with enforcing):
type=SYSCALL msg=audit(1.2.2017 11:44:34.710:891) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x17726a0 a1=0x1726c90 a2=0x1780f60 a3=0x30 items=0 ppid=7839 pid=7845 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=7 comm=ip exe=/sbin/ip subj=unconfined_u:system_r:ifconfig_t:s0 key=(null) 
type=AVC msg=audit(1.2.2017 11:44:34.710:891) : avc:  denied  { read write } for  pid=7845 comm=ip path=/var/run/quagga/watchquagga.pid dev=vda1 ino=531141 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:object_r:zebra_var_run_t:s0 tclass=file

Expected results:
no denials

Additional info:
ps -efZ | grep quag
unconfined_u:system_r:initrc_t:s0 root    7777     1  0 11:44 ?        00:00:00 watchquagga -d -Az -b_ -r/sbin/service_%s_restart -s/sbin/service_%s_start -k/sbin/service_%s_stop zebra bgpd ospfd
unconfined_u:system_r:zebra_t:s0 quagga   7849     1  0 11:44 ?        00:00:00 zebra -d -A 127.0.0.1 -f /etc/quagga/zebra.conf
unconfined_u:system_r:zebra_t:s0 quagga   7883     1  0 11:44 ?        00:00:00 bgpd -d -A 127.0.0.1 -f /etc/quagga/bgpd.conf
unconfined_u:system_r:zebra_t:s0 quagga   7884     1  0 11:44 ?        00:00:00 ospfd -d -A 127.0.0.1 -f /etc/quagga/ospfd.conf

watchqauagga is newly introduced quagga daemon to rhel6.9

Comment 1 Milos Malik 2017-02-01 19:23:24 UTC
# service watchquagga status
watchquagga is stopped
# service watchquagga start
Starting watchquagga:                                      [  OK  ]
# service watchquagga status
watchquagga (pid 1734) is running...
# ps -efZ | grep quagga
unconfined_u:system_r:initrc_t:s0 root    1734     1  0 14:16 ?        00:00:00 watchquagga -d zebra bgpd ospfd ospf6d ripd ripngd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 1752 1649  0 14:16 pts/0 00:00:00 grep quagga
# matchpathcon `which watchquagga`
/usr/sbin/watchquagga	system_u:object_r:bin_t:s0
#

The watchquagga service is not confined now.

Comment 2 Milos Malik 2017-02-01 19:24:24 UTC
I guess it's too late for fixing it in RHEL-6.9.

Comment 4 Lukas Vrabec 2017-10-02 13:20:44 UTC
Red Hat Enterprise Linux 6 transitioned to the Production 3 Phase on May 10, 2017.  During the Production 3 Phase, Critical impact Security Advisories (RHSAs) and selected Urgent Priority Bug Fix Advisories (RHBAs) may be released as they become available.

The official life cycle policy can be reviewed here:
http://redhat.com/rhel/lifecycle

This issue does not appear to meet the inclusion criteria for the Production Phase 3 and will be marked as CLOSED/WONTFIX. If this remains a critical requirement, please contact Red Hat Customer Support to request a re-evaluation of the issue, citing a clear business justification.  Red Hat Customer Support can be contacted via the Red Hat Customer Portal at the following URL:

https://access.redhat.com


Note You need to log in before you can comment on or make changes to this bug.