Hide Forgot
Description of problem: selinux denial appears when starting watchquagga daemon. It's functionality doesn't seem to be impaired -> is able to restart quagga processes. Version-Release number of selected component (if applicable): selinux-policy-3.7.19-307.el6.noarch quagga-0.99.15-13.el6.x86_64 How reproducible: always Steps to Reproduce: just start watchquagga or linked TCMS Actual results: with setenforce 0 (same with enforcing): type=SYSCALL msg=audit(1.2.2017 11:44:34.710:891) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x17726a0 a1=0x1726c90 a2=0x1780f60 a3=0x30 items=0 ppid=7839 pid=7845 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=7 comm=ip exe=/sbin/ip subj=unconfined_u:system_r:ifconfig_t:s0 key=(null) type=AVC msg=audit(1.2.2017 11:44:34.710:891) : avc: denied { read write } for pid=7845 comm=ip path=/var/run/quagga/watchquagga.pid dev=vda1 ino=531141 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:object_r:zebra_var_run_t:s0 tclass=file Expected results: no denials Additional info: ps -efZ | grep quag unconfined_u:system_r:initrc_t:s0 root 7777 1 0 11:44 ? 00:00:00 watchquagga -d -Az -b_ -r/sbin/service_%s_restart -s/sbin/service_%s_start -k/sbin/service_%s_stop zebra bgpd ospfd unconfined_u:system_r:zebra_t:s0 quagga 7849 1 0 11:44 ? 00:00:00 zebra -d -A 127.0.0.1 -f /etc/quagga/zebra.conf unconfined_u:system_r:zebra_t:s0 quagga 7883 1 0 11:44 ? 00:00:00 bgpd -d -A 127.0.0.1 -f /etc/quagga/bgpd.conf unconfined_u:system_r:zebra_t:s0 quagga 7884 1 0 11:44 ? 00:00:00 ospfd -d -A 127.0.0.1 -f /etc/quagga/ospfd.conf watchqauagga is newly introduced quagga daemon to rhel6.9
# service watchquagga status watchquagga is stopped # service watchquagga start Starting watchquagga: [ OK ] # service watchquagga status watchquagga (pid 1734) is running... # ps -efZ | grep quagga unconfined_u:system_r:initrc_t:s0 root 1734 1 0 14:16 ? 00:00:00 watchquagga -d zebra bgpd ospfd ospf6d ripd ripngd unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 1752 1649 0 14:16 pts/0 00:00:00 grep quagga # matchpathcon `which watchquagga` /usr/sbin/watchquagga system_u:object_r:bin_t:s0 # The watchquagga service is not confined now.
I guess it's too late for fixing it in RHEL-6.9.
Red Hat Enterprise Linux 6 transitioned to the Production 3 Phase on May 10, 2017. During the Production 3 Phase, Critical impact Security Advisories (RHSAs) and selected Urgent Priority Bug Fix Advisories (RHBAs) may be released as they become available. The official life cycle policy can be reviewed here: http://redhat.com/rhel/lifecycle This issue does not appear to meet the inclusion criteria for the Production Phase 3 and will be marked as CLOSED/WONTFIX. If this remains a critical requirement, please contact Red Hat Customer Support to request a re-evaluation of the issue, citing a clear business justification. Red Hat Customer Support can be contacted via the Red Hat Customer Portal at the following URL: https://access.redhat.com