Bug 429256

Summary: quagga ripngd does not work with selinux enforcing
Product: Fedora
Component: selinux-policy-targeted
Version: 8
Hardware: x86_64
OS: Linux
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: low
Keywords: Reopened
Reporter: Tomasz Kepczynski <tomek>
Assignee: Daniel Walsh <dwalsh>
QA Contact: Ben Levenson <benl>
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2008-03-05 22:17:19 UTC

Description Tomasz Kepczynski 2008-01-18 10:04:29 UTC
Description of problem:
As in title really. With selinux enforcing I get this
from ripngd:

Jan 18 10:56:29 gklab-59-001 ripngd[27268]: Can't bind ripng socket: Permission
denied.
Jan 18 10:56:29 gklab-59-001 ripngd[27268]: can't create RIPng
Jan 18 10:56:29 gklab-59-001 ripngd[27269]: RIPNGd 0.99.9 starting: vty@2603
Jan 18 10:56:29 gklab-59-001 ripngd[27269]: Interface eth1 does not have any
link-local address
Jan 18 10:56:29 gklab-59-001 ripngd[27269]: Interface eth1 does not have any
link-local address
Jan 18 10:56:30 gklab-59-001 ripngd[27269]: can't setsockopt IPV6_JOIN_GROUP:
Bad file descriptor
Jan 18 10:56:30 gklab-59-001 ripngd[27269]: multicast join failed, interface
eth1 not running

No selinux denials, nothing in audit.log. When I change to
permissive mode everything works OK.

Version-Release number of selected component (if applicable):
quagga-0.99.9-3.fc8.x86_64
selinux-policy-targeted-3.0.8-74.fc8.noarch


How reproducible:
always

Steps to Reproduce:
1. configure ripngd to send advertisements
2. with selinux enforcing they are not sent
3. also setup logging and watch for messages above
  
Actual results:
ripngd does not work

Expected results:
ripngd works

Additional info:

Comment 1 Daniel Walsh 2008-01-18 21:06:09 UTC
setsebool -P allow_zebra_write_config=1

should allow it.

Comment 2 Tomasz Kepczynski 2008-01-19 06:40:17 UTC
This bug is not about writing configuration file, so I reopen it.
ripngd simply does not work with selinux enforcing and as far as
I can see it - under selinux enforcing it does not open the IPv6
socket and cannot send and receive multicast announcements.
And as I wrote - no avc messages but selinux permissive
fixes the problem.

I have that line in selinux permissive from lsof -c ripngd -P
output:
ripngd  4458 quagga    5u  IPv6              31444             UDP *:521
When I switch to selinux enforcing, that line is gone.


Comment 3 Daniel Walsh 2008-01-21 20:11:09 UTC
Then please show me the avc messages from /var/log/audit/audit.log.

Comment 4 Tomasz Kepczynski 2008-01-22 07:16:03 UTC
As I wrote in comment #1 - there are absolutely NO avc messages in
audit.log and this puzzles me a lot. To be absolutely sure I deleted
audit.log and restarted auditd but that did not help.
With selinux permissive I also do not see any avc messages.
The only log I get is the one I already posted and my guess is
that the main problem is with:
Jan 18 10:56:30 gklab-59-001 ripngd[27269]: can't setsockopt IPV6_JOIN_GROUP:
Bad file descriptor
as ripng is multicast protocol.
It probably also can't read link-local addresses off the interfaces in a system.


Comment 5 Daniel Walsh 2008-01-22 14:10:53 UTC
Ok, I believe the problem is zebra policy does not allow it to listen on port 521.

You can modify policy by executing

# semanage port -a -t router_port_t -p udp 521

If this works for you I will ship it in selinux-policy-3.0.8-81.fc8

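The fix in comment 5 works because SELinux gates `bind()` on the type attached to the port, not on the daemon's configuration: Quagga runs as `router_t`, which may bind `router_port_t`, and UDP 521 (RIPng) simply had no such label in selinux-policy 3.0.8. The following POSIX shell snippet is an added example, not code from the bug report or from the selinux-policy package; it parses `semanage port -l`-style output to answer "is this port labelled for the router daemons?", prints the exact `semanage` command from comment 5 when it is not, and simulates the effect of that command so the check can be re-run offline. The port list embedded below is constructed to match the layout of `semanage port -l` and is not captured from the reporter's system; the function names are my own.

```shell
#!/bin/sh
# Added example: check whether a UDP/TCP port carries the SELinux port type
# that a confined daemon may bind, and emit the semanage command that fixes it.
# The list below is constructed (layout of `semanage port -l`, not a real dump).
SAMPLE_PORTS='SELinux Port Type              Proto    Port Number
router_port_t                  tcp      179, 2606, 2608-2609
router_port_t                  udp      520, 2606, 2608-2609
zebra_port_t                   tcp      2600-2604
zebra_port_t                   udp      2600-2604'

# port_type LIST PROTO PORT
# Print the SELinux type labelling PROTO/PORT in LIST, expanding "lo-hi"
# ranges; print nothing and return 1 if the port has no explicit entry.
# A port with no entry falls back to the generic reserved_port_t (<1024) or
# unreserved_port_t type, which router_t is not allowed to name_bind.
port_type() {
    printf '%s\n' "$1" | awk -v proto="$2" -v port="$3" '
        NR == 1 { next }                 # header line
        $2 != proto { next }
        {
            for (i = 3; i <= NF; i++) {
                gsub(/,/, "", $i)
                n = split($i, r, "-")
                lo = r[1]; hi = (n == 2) ? r[2] : r[1]
                if (port + 0 >= lo + 0 && port + 0 <= hi + 0) {
                    print $1; found = 1; exit
                }
            }
        }
        END { exit (found ? 0 : 1) }'
}

# fix_command PROTO PORT
# The semanage invocation from comment 5, generalised to any port: label it
# router_port_t so zebra/ripd/ripngd (router_t) may bind it. Persistent.
fix_command() {
    printf 'semanage port -a -t router_port_t -p %s %s\n' "$1" "$2"
}

# after_fix LIST PROTO PORT
# Simulate what fix_command does to the port list, so the check can be
# re-run here without root or a live SELinux system.
after_fix() {
    printf '%s\nrouter_port_t                  %s      %s\n' "$1" "$2" "$3"
}

# The case from the bug: RIPng listens on UDP 521.
if t=$(port_type "$SAMPLE_PORTS" udp 521); then
    echo "udp/521 is labelled $t; router_t may bind it"
else
    echo "udp/521 is unlabelled; run: $(fix_command udp 521)"
fi
```

On a live system replace `$SAMPLE_PORTS` with `$(semanage port -l)` and drop `after_fix`. Two caveats a practitioner should keep in mind: `semanage port -a` fails if the port already has a label (use `-m` to change it), and the absence of AVC records that puzzled the reporter is usually worth checking against dontaudit rules with `semodule -DB` before retrying, restoring them with `semodule -B` afterwards, rather than concluding that SELinux is not involved.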
Comment 6 Tomasz Kepczynski 2008-01-23 10:37:13 UTC
It seems to work.


Comment 7 Daniel Walsh 2008-03-05 22:17:19 UTC
Bugs have been in MODIFIED for over one month. Closing as fixed in current
release; please reopen if the problem still persists.