Bug 173517 - Zebra/quagga policy doesn't allow BGP to connect or quagga to set routes
Summary: Zebra/quagga policy doesn't allow BGP to connect or quagga to set routes
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 4
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2005-11-17 20:13 UTC by Chris Adams
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-05-05 15:06:47 UTC
Type: ---
Embargoed:



Description Chris Adams 2005-11-17 20:13:37 UTC
With zebra_disable_trans=0, the BGP daemon is unable to open its socket.  Also,
quagga doesn't appear to be able to add routes via netlink.  I get:

type=AVC msg=audit(1132257722.373:3416750): avc:  denied  { name_bind } for  pid=3329 comm="bgpd" src=2605 scontext=root:system_r:zebra_t tcontext=system_u:object_r:port_t tclass=tcp_socket
type=AVC msg=audit(1132257728.353:3417439): avc:  denied  { connect } for  pid=3329 comm="bgpd" scontext=root:system_r:zebra_t tcontext=root:system_r:zebra_t tclass=tcp_socket
type=AVC msg=audit(1132258321.252:3479915): avc:  denied  { nlmsg_write } for  pid=1863 comm="zebra" scontext=system_u:system_r:zebra_t tcontext=system_u:system_r:zebra_t tclass=netlink_route_socket

Comment 1 Daniel Walsh 2005-11-30 20:22:23 UTC
Fixed in selinux-policy-targeted-1.27.1-2.15


Comment 2 Chris Adams 2006-02-04 13:49:48 UTC
I have selinux-policy-targeted-1.27.1-2.16 and it is not fixed; bgpd is still
unable to open its socket:

type=AVC msg=audit(1139061094.618:163): avc:  denied  { connect } for  pid=8251 comm="bgpd" scontext=root:system_r:zebra_t tcontext=root:system_r:zebra_t tclass=tcp_socket
type=SYSCALL msg=audit(1139061094.618:163): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf883d40 a2=830ab4 a3=2 items=0 pid=8251 auid=500 uid=92 gid=92 euid=92 suid=92 fsuid=92 egid=92 sgid=92 fsgid=92 comm="bgpd" exe="/usr/sbin/bgpd"
type=SOCKADDR msg=audit(1139061094.618:163): saddr=020000B3D8B463DE0000000000000000
type=SOCKETCALL msg=audit(1139061094.618:163): nargs=3 a0=9 a1=bf883d60 a2=10


Comment 3 Chris Adams 2006-02-04 14:15:15 UTC
I tried selinux-policy-targeted-1.27.1-2.18 and it didn't work:

type=AVC msg=audit(1139062676.766:238): avc:  denied  { name_bind } for  pid=11075 comm="bgpd" src=179 scontext=root:system_r:zebra_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
type=SYSCALL msg=audit(1139062676.766:238): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bfb313d0 a2=8c7224 a3=2 items=0 pid=11075 auid=500 uid=92 gid=92 euid=92 suid=92 fsuid=92 egid=92 sgid=92 fsgid=92 comm="bgpd" exe="/usr/sbin/bgpd"
type=SOCKADDR msg=audit(1139062676.766:238): saddr=020000B3000000000000000000000000
type=SOCKETCALL msg=audit(1139062676.766:238): nargs=3 a0=4 a1=8555b48 a2=10


Comment 4 Chris Adams 2006-02-08 23:14:42 UTC
selinux-policy-targeted-1.27.1-2.21 from updates-testing gives:

type=AVC msg=audit(1139440488.615:15): avc:  denied  { name_connect } for  pid=1889 comm="bgpd" dest=179 scontext=root:system_r:zebra_t tcontext=system_u:object_r:zebra_port_t tclass=tcp_socket
type=SYSCALL msg=audit(1139440488.615:15): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfe048c0 a2=cbaab4 a3=2 items=0 pid=1889 auid=500 uid=92 gid=92 euid=92 suid=92 fsuid=92 egid=92 sgid=92 fsgid=92 comm="bgpd" exe="/usr/sbin/bgpd"
type=SOCKADDR msg=audit(1139440488.615:15): saddr=020000B3D8B463DE0000000000000000
type=SOCKETCALL msg=audit(1139440488.615:15): nargs=3 a0=a a1=bfe048e0 a2=10


Comment 5 Chris Adams 2006-02-10 16:19:54 UTC
selinux-policy-targeted-1.27.1-2.22 from updates-testing gives:

type=AVC msg=audit(1139588495.455:2163): avc:  denied  { name_bind } for  pid=31091 comm="bgpd" src=179 scontext=root:system_r:zebra_t tcontext=system_u:object_r:bgp_port_t tclass=tcp_socket
type=SYSCALL msg=audit(1139588495.455:2163): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bfe60c90 a2=d57224 a3=2 items=0 pid=31091 auid=500 uid=92 gid=92 euid=92 suid=92 fsuid=92 egid=92 sgid=92 fsgid=92 comm="bgpd" exe="/usr/sbin/bgpd"
type=SOCKADDR msg=audit(1139588495.455:2163): saddr=020000B3000000000000000000000000
type=SOCKETCALL msg=audit(1139588495.455:2163): nargs=3 a0=4 a1=816fb58 a2=10


Comment 6 Daniel Walsh 2006-02-10 18:09:55 UTC
Ok, we are getting closer.  Rather than building another test, I have built
selinux-policy-targeted-1.27.1-2.23 and placed it on

ftp://people.redhat.com/dwalsh/SELinux/FC4

Please try it out, and if it finally fixes the problem I will release another update.



Comment 7 Chris Adams 2006-02-10 19:26:08 UTC
I think that has got it.  The trick with BGP (which would probably have been
more helpful if I'd said earlier) is that it has to:

- talk to the zebra daemon (however they communicate)
- accept inbound BGP connection requests (so listen on TCP port 179)
- make outbound BGP connection requests (so make connections to TCP port 179)

Anyway, thanks for sticking with this.  My BGP table has loaded fully now.

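Each of the three requirements listed in Comment 7 maps onto one of the AVC denials quoted earlier in this bug: nlmsg_write on the netlink_route_socket for zebra's route updates, name_bind on port 179 for inbound sessions, and name_connect to port 179 for outbound ones. The Python below is an added example, not part of this bug report or of the selinux-policy package. It parses denied-AVC records (the sample lines are constructed from the records quoted above, each joined onto one line), groups the denied permissions by source type, target type and object class the way audit2allow does, and separately flags TCP port denials whose target is a generic port type (port_t, reserved_port_t), because the sound fix there is to label the port, as the later policy builds did with bgp_port_t, rather than to allow binding to every unlabelled port. Function and variable names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: AVC records modelled on the denials quoted in this bug,
# each joined onto one line, plus one non-AVC record to show that it is skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1132257722.373:3416750): avc:  denied  { name_bind } for  pid=3329 comm="bgpd" src=2605 scontext=root:system_r:zebra_t tcontext=system_u:object_r:port_t tclass=tcp_socket
type=AVC msg=audit(1132258321.252:3479915): avc:  denied  { nlmsg_write } for  pid=1863 comm="zebra" scontext=system_u:system_r:zebra_t tcontext=system_u:system_r:zebra_t tclass=netlink_route_socket
type=AVC msg=audit(1139062676.766:238): avc:  denied  { name_bind } for  pid=11075 comm="bgpd" src=179 scontext=root:system_r:zebra_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
type=AVC msg=audit(1139440488.615:15): avc:  denied  { name_connect } for  pid=1889 comm="bgpd" dest=179 scontext=root:system_r:zebra_t tcontext=system_u:object_r:zebra_port_t tclass=tcp_socket
type=AVC msg=audit(1139588495.455:2163): avc:  denied  { name_bind } for  pid=31091 comm="bgpd" src=179 scontext=root:system_r:zebra_t tcontext=system_u:object_r:bgp_port_t tclass=tcp_socket
type=SYSCALL msg=audit(1139588495.455:2163): arch=40000003 syscall=102 success=no exit=-13 pid=31091 comm="bgpd" exe="/usr/sbin/bgpd"
"""

# Port types that carry no service-specific label. A bind/connect denial against
# one of these is normally fixed by labelling the port, not by allowing the type.
GENERIC_PORT_TYPES = {"port_t", "reserved_port_t"}

AVC_RE = re.compile(
    r"^type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for a denied-AVC record, or None for any other line."""
    m = AVC_RE.match(line)
    if m is None:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, value in FIELD_RE.findall(m.group("fields")):
        rec[key] = value.strip('"')
    return rec


def type_of(context):
    """Extract the type from a user:role:type[:range] security context."""
    return context.split(":")[2]


def denials_to_rules(log_text):
    """Group denied permissions by (source type, target type, object class)."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        src = type_of(rec["scontext"])
        tgt = type_of(rec["tcontext"])
        if tgt == src:
            tgt = "self"  # e.g. zebra writing to its own netlink socket
        rules[(src, tgt, rec["tclass"])].update(rec["perms"])
    return dict(rules)


def format_rules(rules):
    """Render the grouping as TE allow rules, in audit2allow's output style."""
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(rules.items())
    ]


def triage_ports(log_text):
    """Flag TCP port denials whose proper fix is a port label, not an allow rule."""
    notes = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec.get("tclass") != "tcp_socket":
            continue
        tgt = type_of(rec["tcontext"])
        port = rec.get("src") or rec.get("dest")
        if tgt in GENERIC_PORT_TYPES and port is not None:
            perms = " ".join(rec["perms"])
            notes.append(
                f"port {port} is {tgt}: label the port (semanage port) "
                f"rather than allow {perms} on {tgt}"
            )
    return notes


if __name__ == "__main__":
    for rule in format_rules(denials_to_rules(SAMPLE_AUDIT_LOG)):
        print(rule)
    for note in triage_ports(SAMPLE_AUDIT_LOG):
        print("NOTE:", note)
```

Run against the sample, the grouping yields one rule per (zebra_t, target, class) pair, and the triage output singles out the port 2605 and reserved_port_t denials as labelling problems; the self rule for netlink_route_socket and the bgp_port_t rules are the ones a policy maintainer would actually carry into the module, which matches the direction the fixes in this bug took.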

Comment 8 Daniel Walsh 2006-05-05 15:06:47 UTC
Closing as these have been marked as modified for a while.  Feel free to reopen
if not fixed.

