Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 451625 - zebra keeps dying because of SELinux
Summary: zebra keeps dying because of SELinux
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 9
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
: 448865 (view as bug list)
Depends On:
TreeView+ depends on / blocked
Reported: 2008-06-16 09:42 UTC by Răzvan Sandu
Modified: 2008-11-17 22:04 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2008-11-17 22:04:39 UTC

Attachments (Terms of Use)

Description Răzvan Sandu 2008-06-16 09:42:15 UTC
Description of problem:


On a F9 system + all online updates (upgraded from F8), dynamic routing daemons
(zebra and ripd are used) becomes inactive a short time after startup. If one
restarts them manually, they keep working OK for and indefinite period of time.

The error message I get seems to be SELinux-related:


SELinux is preventing zebra (zebra_t) "read" to net (proc_net_t).

Detailed Description:

SELinux denied access requested by zebra. It is not expected that this access is
required by zebra and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for net,

restorecon -v 'net'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
( Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (
against this package.

Additional Information:

Source Context                unconfined_u:system_r:zebra_t
Target Context                system_u:object_r:proc_net_t
Target Objects                net [ lnk_file ]
Source                        zebra
Source Path                   /usr/sbin/zebra
Port                          <Unknown>
Source RPM Packages           quagga-0.99.9-6.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-64.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name           
Platform                      Linux
                              #1 SMP Wed May 21 18:12:35 EDT 2008 i686 i686
Alert Count                   7
First Seen                    Ma 20 mai 2008 00:18:06 +0000
Last Seen                     Vi 13 iun 2008 16:54:27 +0000
Local ID                      9a58fef5-56d2-4a70-985e-bd0a16e08c17
Line Numbers                  

Raw Audit Messages     type=AVC msg=audit(1213365267.726:685): avc:  denied
 { read } for  pid=6740 comm="zebra" name="net" dev=proc ino=4026531868
tcontext=system_u:object_r:proc_net_t:s0 tclass=lnk_file type=SYSCALL msg=audit(1213365267.726:685):
arch=40000003 syscall=5 success=no exit=-13 a0=b80f58e0 a1=0 a2=1b6 a3=0 items=0
ppid=6739 pid=6740 auid=500 uid=92 gid=92 euid=92 suid=92 fsuid=92 egid=92
sgid=92 fsgid=92 tty=pts1 ses=1 comm="zebra" exe="/usr/sbin/zebra"
subj=unconfined_u:system_r:zebra_t:s0 key=(null)

Problem persists even after a complete filesystem relabeling (touch
/.autorelabel; reboot)

Version-Release number of selected component (if applicable):

Actual results:
Dynamic routing die after a restart. If daemons (zebra and ripd) are restarted
manually, they keep working OK.

Expected results:
Dynamic routing should start normally and work directly after each reboot, as

Comment 1 Răzvan Sandu 2008-06-22 11:21:02 UTC
*** Bug 448865 has been marked as a duplicate of this bug. ***

Comment 2 Daniel Walsh 2008-06-22 12:00:02 UTC
You can allow this for now.

# audit2allow -M mypol -l -i /var/log/audit/audit.log
# semodule -i mypol.pp

Fixed in selinux-policy-3.3.1-68.fc9.noarch

Comment 3 Daniel Walsh 2008-11-17 22:04:39 UTC
Closing all bugs that have been in modified for over a month.  Please reopen if the bug is not actually fixed.

Note You need to log in before you can comment on or make changes to this bug.