Bug 811351 – quagga does not start up if selinux is enforcing

Bug 811351 - quagga does not start up if selinux is enforcing

Summary:	quagga does not start up if selinux is enforcing

Status:	CLOSED ERRATA

Aliases:	None

Product:	Fedora
Classification:	Fedora
Component:	selinux-policy (Show other bugs)
Sub Component:
Version:	17
Hardware:	Unspecified Unspecified

Priority	unspecified Severity unspecified
Target Milestone:	---
Target Release:	---
Assigned To:	Miroslav Grepl
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:

URL:
Whiteboard:
Keywords:

Duplicates:	811472 (view as bug list)
Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2012-04-10 15:03 EDT by Richard W.M. Jones
Modified:	2012-04-18 18:51 EDT (History)
CC List:	4 users (show)

See Also:
Fixed In Version:	selinux-policy-3.10.0-114.fc17
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2012-04-18 18:51:00 EDT
Type:	Bug
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Richard W.M. Jones 2012-04-10 15:03:56 EDT

Description of problem:

systemctl start zebra.service

error:

Apr 10 20:00:39 trick zebra[643]: privs_init: could not lookup user quagga

It works if SELinux is set to Permissive, with the
following message:

type=MAC_STATUS msg=audit(1334084469.612:1115): enforcing=0 old_enforcing=1 auid
=1000 ses=27
type=SYSCALL msg=audit(1334084469.612:1115): arch=c000003e syscall=1 success=yes
 exit=1 a0=3 a1=7fffa2df2f50 a2=1 a3=3a7461682e items=0 ppid=316 pid=684 auid=10
00 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=27 comm=
"setenforce" exe="/usr/sbin/setenforce" subj=unconfined_u:unconfined_r:unconfine
d_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1334084471.729:1116): avc:  denied  { read } for  pid=689 comm="zebra" name="passwd" dev="dm-1" ino=179130 scontext=system_u:system_r:zebra_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=AVC msg=audit(1334084471.729:1116): avc:  denied  { open } for  pid=689 comm="zebra" name="passwd" dev="dm-1" ino=179130 scontext=system_u:system_r:zebra_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=SYSCALL msg=audit(1334084471.729:1116): arch=c000003e syscall=2 success=yes exit=4 a0=7f7bca1356ca a1=80000 a2=1b6 a3=238 items=0 ppid=1 pid=689 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="zebra" exe="/usr/sbin/zebra" subj=system_u:system_r:zebra_t:s0 key=(null)
type=AVC msg=audit(1334084471.730:1117): avc:  denied  { getattr } for  pid=689 comm="zebra" path="/etc/passwd" dev="dm-1" ino=179130 scontext=system_u:system_r:zebra_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=SYSCALL msg=audit(1334084471.730:1117): arch=c000003e syscall=5 success=yes exit=0 a0=4 a1=7fffe84a5e70 a2=7fffe84a5e70 a3=0 items=0 ppid=1 pid=689 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="zebra" exe="/usr/sbin/zebra" subj=system_u:system_r:zebra_t:s0 key=(null)
type=SERVICE_START msg=audit(1334084471.739:1118): pid=0 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="zebra" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'


Version-Release number of selected component (if applicable):
quagga-0.99.20.1-1.fc17.x86_64

How reproducible:
100%

Steps to Reproduce:
1. See above.
2.
3.
  
Actual results:


Expected results:


Additional info:

Comment 1 Miroslav Grepl 2012-04-11 03:52:04 EDT

Fixed in selinux-policy-3.10.0-114.fc17

Comment 2 Miroslav Grepl 2012-04-11 04:31:50 EDT

*** Bug 811472 has been marked as a duplicate of this bug. ***

Comment 3 Richard W.M. Jones 2012-04-11 10:17:14 EDT

(In reply to comment #1)
> Fixed in selinux-policy-3.10.0-114.fc17

We don't have a build for this yet?  At least, I can't
find one in Koji ...

Comment 4 Miroslav Grepl 2012-04-12 03:44:41 EDT

Yes, I am going to do it today.

Comment 5 Fedora Update System 2012-04-13 04:41:26 EDT

selinux-policy-3.10.0-114.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-114.fc17

Comment 6 Fedora Update System 2012-04-13 21:46:14 EDT

Package selinux-policy-3.10.0-114.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-114.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-5870/selinux-policy-3.10.0-114.fc17
then log in and leave karma (feedback).

Comment 7 Fedora Update System 2012-04-18 18:51:00 EDT

selinux-policy-3.10.0-114.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.