Bug 429256
| Summary: | quagga ripngd does not work with selinux enforcing | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Tomasz Kepczynski <tomek> |
| Component: | selinux-policy-targeted | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Ben Levenson <benl> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | | |
| Version: | 8 | Keywords: | Reopened |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | Current | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2008-03-05 22:17:19 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Tomasz Kepczynski
2008-01-18 10:04:29 UTC
setsebool -P allow_zebra_write_config=1 should allow it.

This bug is not about writing the configuration file, so I reopen it. ripngd simply does not work with selinux enforcing and as far as I can see it - under selinux enforcing it does not open an IPv6 socket and cannot send and receive multicast announcements. And as I wrote - no avc messages, but selinux permissive fixes the problem. I have that line in selinux permissive from lsof -c ripngd -P output:

ripngd 4458 quagga 5u IPv6 31444 UDP *:521

When I switch to selinux enforcing, that line is gone.

Then please show me the avc messages from /var/log/audit/audit.log.

As I wrote in comment #1 - there are absolutely NO avc messages in audit.log and this puzzles me a lot. To be absolutely sure I deleted audit.log and restarted auditd but that did not help. With selinux permissive I also do not see any avc messages. The only log I get is the one I already posted and my guess is that the main problem is with:

Jan 18 10:56:30 gklab-59-001 ripngd[27269]: can't setsockopt IPV6_JOIN_GROUP: Bad file descriptor

as ripng is a multicast protocol. It probably also can't read link-local addresses off the interfaces in the system.

Ok, I believe the problem is the zebra policy does not allow it to listen on port 521. You can modify the policy by executing

# semanage port -a -t router_port_t -p udp 521

If this works for you I will ship it in selinux-policy-3.0.8-81.fc8.

It seems to work.

Bugs have been in MODIFIED for over one month. Closing as fixed in current release; please reopen if the problem still persists.
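As an added example (not from this bug report, quagga or selinux-policy), a POSIX shell helper that parses `semanage port -l` output to decide whether the `semanage port -a -t router_port_t -p udp 521` command above is still needed, so the fix can be applied idempotently; the port listing embedded below is constructed for the example, and `needed_command` and `port_has_type` are names chosen here.

```shell
#!/bin/sh
# Added example: check whether a port/protocol is already covered by an SELinux
# port type in `semanage port -l` output (ranges such as 2601-2604 are handled)
# before running `semanage port -a`. Listing below is constructed, not captured.
SAMPLE_PORT_LIST='SELinux Port Type              Proto    Port Number
router_port_t                  tcp      179, 2601-2604, 2606
router_port_t                  udp      520
zebra_port_t                   tcp      2600
zebra_port_t                   udp      2600'

# port_has_type LISTING PROTO PORT TYPE
# Returns 0 when PORT/PROTO falls inside any port or range listed for TYPE, else 1.
port_has_type() {
    printf '%s\n' "$1" | awk -v proto="$2" -v port="$3" -v want="$4" '
        $1 == want && $2 == proto {
            for (i = 3; i <= NF; i++) {            # fields 3.. look like "179," "2601-2604,"
                gsub(",", "", $i)
                n = split($i, r, "-")
                lo = r[1] + 0; hi = (n == 2) ? r[2] + 0 : lo
                if (port + 0 >= lo && port + 0 <= hi) found = 1
            }
        }
        END { if (found) exit 0; exit 1 }'
}

# needed_command PORT PROTO LISTING
# Prints the semanage command that labels PORT/PROTO as router_port_t,
# or nothing when the label is already present (so re-running is harmless).
needed_command() {
    if port_has_type "$3" "$2" "$1" router_port_t; then
        :
    else
        printf 'semanage port -a -t router_port_t -p %s %s\n' "$2" "$1"
    fi
}

# Live use on a Fedora host (run as root). If a denial still produces no AVC
# message, dontaudit rules may be hiding it: `semodule -DB` rebuilds the policy
# with those rules disabled and `semodule -B` restores them afterwards.
if [ "${1:-}" = "--live" ]; then
    cmd=$(needed_command 521 udp "$(semanage port -l)")
    [ -n "$cmd" ] && eval "$cmd"
fi
```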