Bug 180746

Summary: SELinux won't allow Quagga's ripd management through telnet
Product: Fedora
Reporter: Razvan Sandu <rsandu>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Version: 4
Hardware: i686
OS: Linux
Fixed In Version: 1.27.1-2.25
Doc Type: Bug Fix
Last Closed: 2006-03-21 01:41:43 UTC

Description Razvan Sandu 2006-02-10 01:03:39 UTC
Description of problem:
On a stock Fedora Core 4 + all online updates, SELinux enabled, I've configured
Quagga (zebra and ripd) with basic parameters (passwords).

I've tried to do a:

telnet localhost 2604

to configure ripd through vty, but got a "connection refused". Disabling 
SELinux ("setenforce 0") solves the problem.


Version-Release number of selected component (if applicable):
quagga-0.98.3-2
selinux-policy-targeted-1.27.1-2.18
kernel-2.6.15-1.1830_FC4
(Fedora Core 4 + all updates 06.02.2006)


How reproducible:


Steps to Reproduce:
1. Install FC4 + online updates (full install), with SELinux in targeted mode.
2. Configure zebra
3. Configure basic parameters in /etc/quagga/ripd.conf (passwords)
4. Try a telnet localhost 2604, in order to configure ripd. You will get
a "Connection refused".
5. Disable SELinux ("setenforce 0")
6. Do a telnet localhost 2604 again. You will now successfully connect to
ripd's vty.

  
Actual results:
With SELinux enabled (in targeted mode) you can't connect to ripd's vty 
through telnet on port 2604 (not even on localhost, locally). 
Putting "setenforce 0" solves the problem.

Expected results:
SELinux is expected to allow connection for configuring all four daemons in 
Quagga.


Additional info:
Usage of ssh instead of telnet would be desirable.

Comment 1 Daniel Walsh 2006-02-10 14:39:00 UTC
Are you seeing AVC Messages in the /var/log/audit/audit.log or /var/log/messages?

Comment 2 Razvan Sandu 2006-02-15 12:58:18 UTC
(In reply to comment #1)
> Are you seeing AVC Messages in the /var/log/audit/audit.log or /var/log/messages?

Hello,

I'm not a guru in SELinux ;-), but I noticed ripd won't start with SELinux in
enforcing mode ("service ripd restart" fails).

Here are the AVC messages (when doing "service ripd restart")

type=AVC msg=audit(1140008372.143:1152): avc:  denied  { name_bind } for pid=12520 comm="ripd" src=520 scontext=root:system_r:zebra_t tcontext=system_u:object_r:reserved_port_t tclass=udp_socket
type=SYSCALL msg=audit(1140008372.143:1152): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bfb67110 a2=bfb67120 a3=0 items=0 pid=12520 auid=500 uid=92 gid=92 euid=92 suid=92 fsuid=92 egid=92 sgid=92 fsgid=92 comm="ripd" exe="/usr/sbin/ripd"
type=SOCKADDR msg=audit(1140008372.143:1152): saddr=02000208000000000000000000000000
type=SOCKETCALL msg=audit(1140008372.143:1152): nargs=3 a0=5 a1=bfb67120 a2=10

Regards,
Razvan



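The four records in comment 2 already explain the symptom in the description: ripd (running as zebra_t) is refused name_bind on UDP port 520, the RIP port, which the FC4 policy labels reserved_port_t; bind() fails with EACCES, the daemon exits, and so nothing is listening on tcp/2604 when telnet tries it. As an added illustration (not code from the bug report, from Quagga, or from selinux-policy), the following Python parses those records the way one would when triaging such a report: it groups the lines by audit serial, decodes the SOCKADDR record to confirm the port, names the real syscall behind the i386 socketcall multiplexer, and prints the type-enforcement rule that would silence the denial. The sample input is the log from comment 2 rejoined onto one line per record; nothing is read from a live system.

```python
"""Decode the audit records from comment 2 and derive the policy rule they imply.

Added example for this bug page; it is not code from the report, from Quagga
or from selinux-policy. The input below is the log pasted in comment 2,
rejoined onto one line per record; nothing is read from a live system.
"""
import errno
import re
import socket
import struct

# Constructed sample input: the four records from comment 2, one per line.
AUDIT_LOG = """\
type=AVC msg=audit(1140008372.143:1152): avc:  denied  { name_bind } for pid=12520 comm="ripd" src=520 scontext=root:system_r:zebra_t tcontext=system_u:object_r:reserved_port_t tclass=udp_socket
type=SYSCALL msg=audit(1140008372.143:1152): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bfb67110 a2=bfb67120 a3=0 items=0 pid=12520 auid=500 uid=92 gid=92 euid=92 suid=92 fsuid=92 egid=92 sgid=92 fsgid=92 comm="ripd" exe="/usr/sbin/ripd"
type=SOCKADDR msg=audit(1140008372.143:1152): saddr=02000208000000000000000000000000
type=SOCKETCALL msg=audit(1140008372.143:1152): nargs=3 a0=5 a1=bfb67120 a2=10
"""

HDR_RE = re.compile(r"type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)")
AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# arch=40000003 is i386, where syscall 102 is the socketcall() multiplexer;
# a0 of the SYSCALL record selects the real call.
SOCKETCALL_NAMES = {1: "socket", 2: "bind", 3: "connect", 4: "listen", 5: "accept"}


def parse_record(line):
    """Turn one audit record into a dict of its fields (None if not an audit line)."""
    m = HDR_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m["type"], "serial": int(m["serial"])}
    body = m["body"]
    if rec["type"] == "AVC":
        a = AVC_RE.search(body)
        if not a:
            return None
        rec["result"] = a["result"]
        rec["perms"] = a["perms"].split()
        body = a["rest"]
    rec.update({k: v.strip('"') for k, v in KV_RE.findall(body)})
    return rec


def group_events(log):
    """Group records by audit serial so the AVC, SYSCALL and SOCKADDR lines of one event stay together."""
    events = {}
    for line in log.splitlines():
        rec = parse_record(line)
        if rec:
            events.setdefault(rec["serial"], {})[rec["type"]] = rec
    return events


def type_of(context):
    # A context is user:role:type[:level]; type enforcement rules use only the type.
    return context.split(":")[2]


def allow_rule(avc):
    """The TE rule that would silence this denial (the shape audit2allow prints)."""
    return "allow {} {}:{} {{ {} }};".format(
        type_of(avc["scontext"]), type_of(avc["tcontext"]), avc["tclass"], " ".join(avc["perms"]))


def decode_saddr(hexstr):
    """Decode the raw sockaddr from a SOCKADDR record (IPv4 only here)."""
    raw = bytes.fromhex(hexstr)
    family = struct.unpack("<H", raw[:2])[0]      # sa_family is host order; i686 is little-endian
    if family != socket.AF_INET:
        return {"family": family}
    port = struct.unpack("!H", raw[2:4])[0]       # sin_port is network order
    return {"family": "AF_INET", "port": port, "addr": socket.inet_ntoa(raw[4:8])}


def explain(events):
    """Summarise every denied event: which call failed, with which errno, on which address."""
    out = []
    for serial, recs in sorted(events.items()):
        avc = recs.get("AVC")
        if not avc or avc["result"] != "denied":
            continue
        info = {"serial": serial, "comm": avc["comm"], "rule": allow_rule(avc)}
        sc = recs.get("SYSCALL")
        if sc:
            info["exe"] = sc.get("exe")
            info["errno"] = errno.errorcode.get(-int(sc["exit"]), sc["exit"])
            if sc["syscall"] == "102" and sc["arch"] == "40000003":
                info["call"] = SOCKETCALL_NAMES.get(int(sc["a0"]), "socketcall#" + sc["a0"])
        sa = recs.get("SOCKADDR")
        if sa:
            info["sockaddr"] = decode_saddr(sa["saddr"])
        out.append(info)
    return out


if __name__ == "__main__":
    for ev in explain(group_events(AUDIT_LOG)):
        print(ev)
```

Run against the posted log, the script reports one denied event: comm ripd, exe /usr/sbin/ripd, call bind, errno EACCES, sockaddr AF_INET 0.0.0.0:520, and the rule `allow zebra_t reserved_port_t:udp_socket { name_bind };`. That rule is what a local audit2allow workaround would have looked like, but note what it grants: reserved_port_t is a catch-all label rather than a port-specific one, so such a module lets zebra_t bind any port carrying that label, not just 520. Carrying the fix in the shipped policy (1.27.1-2.25, per comment 3) is the better outcome, and the rule printed here is only for confirming the diagnosis.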
Comment 3 Daniel Walsh 2006-02-21 23:50:38 UTC
Fixed in selinux-targeted-policy-1.27.1-2.25