With zebra_disable_trans=0, the BGP daemon is unable to open its socket. Also, quagga doesn't appear to be able to add routes via netlink. I get:

type=AVC msg=audit(1132257722.373:3416750): avc: denied { name_bind } for pid=3329 comm="bgpd" src=2605 scontext=root:system_r:zebra_t tcontext=system_u:object_r:port_t tclass=tcp_socket
type=AVC msg=audit(1132257728.353:3417439): avc: denied { connect } for pid=3329 comm="bgpd" scontext=root:system_r:zebra_t tcontext=root:system_r:zebra_t tclass=tcp_socket
type=AVC msg=audit(1132258321.252:3479915): avc: denied { nlmsg_write } for pid=1863 comm="zebra" scontext=system_u:system_r:zebra_t tcontext=system_u:system_r:zebra_t tclass=netlink_route_socket
Fixed in selinux-policy-targeted-1.27.1-2.15
I have selinux-policy-targeted-1.27.1-2.16 and it is not fixed; bgpd is still unable to open its socket:

type=AVC msg=audit(1139061094.618:163): avc: denied { connect } for pid=8251 comm="bgpd" scontext=root:system_r:zebra_t tcontext=root:system_r:zebra_t tclass=tcp_socket
type=SYSCALL msg=audit(1139061094.618:163): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf883d40 a2=830ab4 a3=2 items=0 pid=8251 auid=500 uid=92 gid=92 euid=92 suid=92 fsuid=92 egid=92 sgid=92 fsgid=92 comm="bgpd" exe="/usr/sbin/bgpd"
type=SOCKADDR msg=audit(1139061094.618:163): saddr=020000B3D8B463DE0000000000000000
type=SOCKETCALL msg=audit(1139061094.618:163): nargs=3 a0=9 a1=bf883d60 a2=10
I tried selinux-policy-targeted-1.27.1-2.18 and it didn't work:

type=AVC msg=audit(1139062676.766:238): avc: denied { name_bind } for pid=11075 comm="bgpd" src=179 scontext=root:system_r:zebra_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
type=SYSCALL msg=audit(1139062676.766:238): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bfb313d0 a2=8c7224 a3=2 items=0 pid=11075 auid=500 uid=92 gid=92 euid=92 suid=92 fsuid=92 egid=92 sgid=92 fsgid=92 comm="bgpd" exe="/usr/sbin/bgpd"
type=SOCKADDR msg=audit(1139062676.766:238): saddr=020000B3000000000000000000000000
type=SOCKETCALL msg=audit(1139062676.766:238): nargs=3 a0=4 a1=8555b48 a2=10
selinux-policy-targeted-1.27.1-2.21 from updates-testing gives:

type=AVC msg=audit(1139440488.615:15): avc: denied { name_connect } for pid=1889 comm="bgpd" dest=179 scontext=root:system_r:zebra_t tcontext=system_u:object_r:zebra_port_t tclass=tcp_socket
type=SYSCALL msg=audit(1139440488.615:15): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfe048c0 a2=cbaab4 a3=2 items=0 pid=1889 auid=500 uid=92 gid=92 euid=92 suid=92 fsuid=92 egid=92 sgid=92 fsgid=92 comm="bgpd" exe="/usr/sbin/bgpd"
type=SOCKADDR msg=audit(1139440488.615:15): saddr=020000B3D8B463DE0000000000000000
type=SOCKETCALL msg=audit(1139440488.615:15): nargs=3 a0=a a1=bfe048e0 a2=10
selinux-policy-targeted-1.27.1-2.22 from updates-testing gives:

type=AVC msg=audit(1139588495.455:2163): avc: denied { name_bind } for pid=31091 comm="bgpd" src=179 scontext=root:system_r:zebra_t tcontext=system_u:object_r:bgp_port_t tclass=tcp_socket
type=SYSCALL msg=audit(1139588495.455:2163): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bfe60c90 a2=d57224 a3=2 items=0 pid=31091 auid=500 uid=92 gid=92 euid=92 suid=92 fsuid=92 egid=92 sgid=92 fsgid=92 comm="bgpd" exe="/usr/sbin/bgpd"
type=SOCKADDR msg=audit(1139588495.455:2163): saddr=020000B3000000000000000000000000
type=SOCKETCALL msg=audit(1139588495.455:2163): nargs=3 a0=4 a1=816fb58 a2=10
Ok, we are getting closer. Rather than building another test, I have built selinux-policy-targeted-1.27.1-2.23 and placed it on ftp://people.redhat.com/dwalsh/SELinux/FC4. Please try it out, and if it finally fixes the problem I will release another update.
I think that has got it. The trick with BGP (which it probably would have been more helpful if I'd said earlier) is that it has to:
- talk to the zebra daemon (however they communicate)
- accept inbound BGP connection requests (so listen on TCP port 179)
- make outbound BGP connection requests (so make connections to TCP port 179)
Anyway, thanks for sticking with this. My BGP table has loaded fully now.
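Each policy build in this thread moved the denial to a different target type (port_t, reserved_port_t, zebra_port_t, bgp_port_t) or permission (connect, name_connect, name_bind, nlmsg_write), so what you want to compare between builds is the set of (source domain, target type, class, permission) tuples rather than the raw records. The following is an added example, not code from the bug report or from Quagga: a small Python parser that extracts those tuples from AVC records and renders them as the TE allow rules they correspond to; the sample records are copied from the comments above, plus one SYSCALL record to show that non-AVC records are skipped.

```python
import re
from collections import Counter

# AVC records copied from the comments in this thread (one record per line);
# the trailing SYSCALL record shows that non-AVC records are skipped.
AVC_SAMPLE = """\
type=AVC msg=audit(1132257722.373:3416750): avc: denied { name_bind } for pid=3329 comm="bgpd" src=2605 scontext=root:system_r:zebra_t tcontext=system_u:object_r:port_t tclass=tcp_socket
type=AVC msg=audit(1132258321.252:3479915): avc: denied { nlmsg_write } for pid=1863 comm="zebra" scontext=system_u:system_r:zebra_t tcontext=system_u:system_r:zebra_t tclass=netlink_route_socket
type=AVC msg=audit(1139440488.615:15): avc: denied { name_connect } for pid=1889 comm="bgpd" dest=179 scontext=root:system_r:zebra_t tcontext=system_u:object_r:zebra_port_t tclass=tcp_socket
type=AVC msg=audit(1139588495.455:2163): avc: denied { name_bind } for pid=31091 comm="bgpd" src=179 scontext=root:system_r:zebra_t tcontext=system_u:object_r:bgp_port_t tclass=tcp_socket
type=SYSCALL msg=audit(1139588495.455:2163): arch=40000003 syscall=102 success=no exit=-13 comm="bgpd" exe="/usr/sbin/bgpd"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"
PERM_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}')  # the { perm ... } set

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record type."""
    if not line.startswith("type=AVC"):
        return None
    m = PERM_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    return {
        "perms": m.group(1).split(),
        "comm": fields.get("comm"),
        "port": fields.get("src") or fields.get("dest"),  # bind side vs connect side
        "stype": fields["scontext"].split(":")[2],  # source domain, e.g. zebra_t
        "ttype": fields["tcontext"].split(":")[2],  # target type, e.g. bgp_port_t
        "tclass": fields["tclass"],
    }

def summarize(lines):
    """Count denials per (source domain, target type, class, permission) tuple."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            for perm in rec["perms"]:
                counts[(rec["stype"], rec["ttype"], rec["tclass"], perm)] += 1
    return counts

def as_allow_rules(counts):
    """Render each tuple as the TE allow rule it maps to, for comparison against the installed policy."""
    return sorted(f"allow {s} {t}:{c} {p};" for (s, t, c, p) in counts)
```

Feeding the output of `ausearch -m avc` for one policy build into `summarize` and diffing the resulting rule list against the previous build shows exactly which denial each update removed and which remained.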
Closing, as these have been marked as modified for a while. Feel free to reopen if not fixed.