Bug 173517 - Zebra/quagga policy doesn't allow BGP to connect or quagga to set routes
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 4
Platform: All Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
 
Reported: 2005-11-17 15:13 EST by Chris Adams
Modified: 2007-11-30 17:11 EST
CC List: 0 users

Doc Type: Bug Fix
Last Closed: 2006-05-05 11:06:47 EDT


Attachments: None
Description Chris Adams 2005-11-17 15:13:37 EST
With zebra_disable_trans=0, the BGP daemon is unable to open its socket.  Also,
quagga doesn't appear to be able to add routes via netlink.  I get:

type=AVC msg=audit(1132257722.373:3416750): avc:  denied  { name_bind } for  pid=3329 comm="bgpd" src=2605 scontext=root:system_r:zebra_t tcontext=system_u:object_r:port_t tclass=tcp_socket
type=AVC msg=audit(1132257728.353:3417439): avc:  denied  { connect } for  pid=3329 comm="bgpd" scontext=root:system_r:zebra_t tcontext=root:system_r:zebra_t tclass=tcp_socket
type=AVC msg=audit(1132258321.252:3479915): avc:  denied  { nlmsg_write } for  pid=1863 comm="zebra" scontext=system_u:system_r:zebra_t tcontext=system_u:system_r:zebra_t tclass=netlink_route_socket
Comment 1 Daniel Walsh 2005-11-30 15:22:23 EST
Fixed in  selinux-policy-targeted-1.27.1-2.15
Comment 2 Chris Adams 2006-02-04 08:49:48 EST
I have selinux-policy-targeted-1.27.1-2.16 and it is not fixed; bgpd is still
unable to open its socket:

type=AVC msg=audit(1139061094.618:163): avc:  denied  { connect } for  pid=8251
comm="bgpd" scontext=root:system_r:zebra_t tcontext=root:system_r:zebra_t
tclass=tcp_socket
type=SYSCALL msg=audit(1139061094.618:163): arch=40000003 syscall=102 success=no
exit=-13 a0=3 a1=bf883d40 a2=830ab4 a3=2 items=0 pid=8251 auid=500 uid=92 gid=92
euid=92 suid=92 fsuid=92 egid=92 sgid=92 fsgid=92 comm="bgpd" exe="/usr/sbin/bgpd"
type=SOCKADDR msg=audit(1139061094.618:163): saddr=020000B3D8B463DE0000000000000000
type=SOCKETCALL msg=audit(1139061094.618:163): nargs=3 a0=9 a1=bf883d60 a2=10
Comment 3 Chris Adams 2006-02-04 09:15:15 EST
I tried selinux-policy-targeted-1.27.1-2.18 and it didn't work:

type=AVC msg=audit(1139062676.766:238): avc:  denied  { name_bind } for 
pid=11075 comm="bgpd" src=179 scontext=root:system_r:zebra_t
tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
type=SYSCALL msg=audit(1139062676.766:238): arch=40000003 syscall=102 success=no
exit=-13 a0=2 a1=bfb313d0 a2=8c7224 a3=2 items=0 pid=11075 auid=500 uid=92
gid=92 euid=92 suid=92 fsuid=92 egid=92 sgid=92 fsgid=92 comm="bgpd"
exe="/usr/sbin/bgpd"
type=SOCKADDR msg=audit(1139062676.766:238): saddr=020000B3000000000000000000000000
type=SOCKETCALL msg=audit(1139062676.766:238): nargs=3 a0=4 a1=8555b48 a2=10
Comment 4 Chris Adams 2006-02-08 18:14:42 EST
selinux-policy-targeted-1.27.1-2.21 from updates-testing gives:

type=AVC msg=audit(1139440488.615:15): avc:  denied  { name_connect } for 
pid=1889 comm="bgpd" dest=179 scontext=root:system_r:zebra_t
tcontext=system_u:object_r:zebra_port_t tclass=tcp_socket
type=SYSCALL msg=audit(1139440488.615:15): arch=40000003 syscall=102 success=no
exit=-13 a0=3 a1=bfe048c0 a2=cbaab4 a3=2 items=0 pid=1889 auid=500 uid=92 gid=92
euid=92 suid=92 fsuid=92 egid=92 sgid=92 fsgid=92 comm="bgpd" exe="/usr/sbin/bgpd"
type=SOCKADDR msg=audit(1139440488.615:15): saddr=020000B3D8B463DE0000000000000000
type=SOCKETCALL msg=audit(1139440488.615:15): nargs=3 a0=a a1=bfe048e0 a2=10
Comment 5 Chris Adams 2006-02-10 11:19:54 EST
selinux-policy-targeted-1.27.1-2.22 from updates-testing gives:

type=AVC msg=audit(1139588495.455:2163): avc:  denied  { name_bind } for 
pid=31091 comm="bgpd" src=179 scontext=root:system_r:zebra_t
tcontext=system_u:object_r:bgp_port_t tclass=tcp_socket
type=SYSCALL msg=audit(1139588495.455:2163): arch=40000003 syscall=102
success=no exit=-13 a0=2 a1=bfe60c90 a2=d57224 a3=2 items=0 pid=31091 auid=500
uid=92 gid=92 euid=92 suid=92 fsuid=92 egid=92 sgid=92 fsgid=92 comm="bgpd"
exe="/usr/sbin/bgpd"
type=SOCKADDR msg=audit(1139588495.455:2163): saddr=020000B3000000000000000000000000
type=SOCKETCALL msg=audit(1139588495.455:2163): nargs=3 a0=4 a1=816fb58 a2=10
Comment 6 Daniel Walsh 2006-02-10 13:09:55 EST
OK, we are getting closer.  Rather than building another test, I have built
selinux-policy-targeted-1.27.1-2.23

And placed it on 

ftp://people.redhat.com/dwalsh/SELinux/FC4

Please try it out and if it finally fixes the problem I will release another update.

Comment 7 Chris Adams 2006-02-10 14:26:08 EST
I think that has got it.  The trick with BGP (which probably would have been
more helpful if I'd said earlier) is that it has to:

- talk to the zebra daemon (however they communicate)
- accept inbound BGP connection requests (so listen on TCP port 179)
- make outbound BGP connection requests (so make connections to TCP port 179)

Anyway, thanks for sticking with this.  My BGP table has loaded fully now.
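Added example, not code from this bug report, from quagga, or from the selinux-policy package: a small Python script that does by hand what one would otherwise do with audit2allow on the records quoted in the comments above. It groups AVC, SYSCALL and SOCKADDR records by audit serial, decodes the raw saddr field (family, port, address) so the bind/connect operation and port 179 show up in plain text, and folds the denials into allow rules keyed on (source type, target type, class). The sample records are the ones quoted above, rejoined onto single lines; the i386 socketcall decoding (arch=40000003, syscall 102, a0=2 bind, a0=3 connect) is general audit knowledge and not something the report itself states.

```python
import re
from collections import defaultdict

# Constructed sample input: the AVC/SYSCALL/SOCKADDR records quoted in the
# comments above, rejoined onto single lines.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1132257722.373:3416750): avc:  denied  { name_bind } for  pid=3329 comm="bgpd" src=2605 scontext=root:system_r:zebra_t tcontext=system_u:object_r:port_t tclass=tcp_socket
type=AVC msg=audit(1132257728.353:3417439): avc:  denied  { connect } for  pid=3329 comm="bgpd" scontext=root:system_r:zebra_t tcontext=root:system_r:zebra_t tclass=tcp_socket
type=AVC msg=audit(1132258321.252:3479915): avc:  denied  { nlmsg_write } for  pid=1863 comm="zebra" scontext=system_u:system_r:zebra_t tcontext=system_u:system_r:zebra_t tclass=netlink_route_socket
type=AVC msg=audit(1139440488.615:15): avc:  denied  { name_connect } for  pid=1889 comm="bgpd" dest=179 scontext=root:system_r:zebra_t tcontext=system_u:object_r:zebra_port_t tclass=tcp_socket
type=SYSCALL msg=audit(1139440488.615:15): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfe048c0 a2=cbaab4 a3=2 items=0 pid=1889 auid=500 uid=92 gid=92 euid=92 suid=92 fsuid=92 egid=92 sgid=92 fsgid=92 comm="bgpd" exe="/usr/sbin/bgpd"
type=SOCKADDR msg=audit(1139440488.615:15): saddr=020000B3D8B463DE0000000000000000
type=AVC msg=audit(1139588495.455:2163): avc:  denied  { name_bind } for  pid=31091 comm="bgpd" src=179 scontext=root:system_r:zebra_t tcontext=system_u:object_r:bgp_port_t tclass=tcp_socket
type=SYSCALL msg=audit(1139588495.455:2163): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bfe60c90 a2=d57224 a3=2 items=0 pid=31091 auid=500 uid=92 gid=92 euid=92 suid=92 fsuid=92 egid=92 sgid=92 fsgid=92 comm="bgpd" exe="/usr/sbin/bgpd"
type=SOCKADDR msg=audit(1139588495.455:2163): saddr=020000B3000000000000000000000000
"""

REC_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<id>[\d.]+:\d+)\): (?P<body>.*)$')
AVC_RE = re.compile(r'denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
                    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')
KV_RE = re.compile(r'(\w+)=(\S+)')

# i386 audit records: arch=40000003 is AUDIT_ARCH_I386, syscall 102 is
# socketcall, and its first argument (a0) selects the socket sub-call.
AUDIT_ARCH_I386 = '40000003'
NR_SOCKETCALL_I386 = '102'
SOCKETCALL_NAMES = {1: 'socket', 2: 'bind', 3: 'connect', 4: 'listen', 5: 'accept'}


def type_of(ctx):
    """user:role:type[:level] -> type"""
    return ctx.split(':')[2]


def decode_saddr(hexstr):
    """Decode the raw sockaddr from a SOCKADDR record (AF_INET only)."""
    raw = bytes.fromhex(hexstr)
    family = int.from_bytes(raw[0:2], 'little')      # sa_family_t is in host order
    if family != 2:
        return {'family': family}
    return {'family': 'AF_INET',
            'port': int.from_bytes(raw[2:4], 'big'),  # sin_port is in network order
            'addr': '.'.join(str(b) for b in raw[4:8])}


def parse_records(text):
    """Group records by audit serial so the AVC, SYSCALL and SOCKADDR lines of one event line up."""
    events = defaultdict(lambda: {'avc': [], 'syscall': None, 'saddr': None})
    for line in text.splitlines():
        m = REC_RE.match(line)
        if not m:
            continue
        ev, body = events[m['id']], m['body']
        if m['type'] == 'AVC':
            a = AVC_RE.search(body)
            comm = re.search(r'comm="([^"]*)"', body)
            if a:
                ev['avc'].append({'perms': a['perms'].split(), 'scon': a['scon'],
                                  'tcon': a['tcon'], 'tclass': a['tclass'],
                                  'comm': comm.group(1) if comm else '?'})
        elif m['type'] == 'SYSCALL':
            ev['syscall'] = dict(KV_RE.findall(body))
        elif m['type'] == 'SOCKADDR':
            ev['saddr'] = decode_saddr(dict(KV_RE.findall(body))['saddr'])
    return dict(events)


def describe(events):
    """One readable line per denial, with the socket operation and endpoint when the event has them."""
    out = []
    for ev in events.values():
        sc, op = ev['syscall'], ''
        if sc and sc.get('arch') == AUDIT_ARCH_I386 and sc.get('syscall') == NR_SOCKETCALL_I386:
            op = ' during ' + SOCKETCALL_NAMES.get(int(sc['a0'], 16), 'socketcall#' + sc['a0'])
            if ev['saddr'] and ev['saddr'].get('family') == 'AF_INET':
                op += ' %s:%d' % (ev['saddr']['addr'], ev['saddr']['port'])
        for a in ev['avc']:
            out.append('%s: %s on %s (%s) denied%s' % (
                a['comm'], ' '.join(a['perms']), a['tclass'], type_of(a['tcon']), op))
    return out


def allow_rules(events):
    """Fold denials into allow rules the way audit2allow would (same-type targets become self)."""
    rules = defaultdict(set)
    for ev in events.values():
        for a in ev['avc']:
            src, tgt = type_of(a['scon']), type_of(a['tcon'])
            rules[(src, 'self' if tgt == src else tgt, a['tclass'])].update(a['perms'])
    return ['allow %s %s:%s { %s };' % (s, t, c, ' '.join(sorted(p)))
            for (s, t, c), p in sorted(rules.items())]


if __name__ == '__main__':
    events = parse_records(SAMPLE_AUDIT)
    print('\n'.join(describe(events)))
    print()
    print('\n'.join(allow_rules(events)))
```

Decoding saddr is what turns the two otherwise similar-looking denials into the two halves of the reporter's list: the name_bind event is a bind to 0.0.0.0:179 (the listener) and the name_connect event is a connect to a peer's port 179. The rule list also shows why a naive audit2allow fix is the wrong one here: the first denial would yield `allow zebra_t port_t:tcp_socket { name_bind };`, which lets zebra_t bind any port that carries no more specific label. The comment sequence shows the maintainer instead labelling port 179 (reserved_port_t, then zebra_port_t, then bgp_port_t), and each relabel moved the denial onto the new type, which is why the reporter kept seeing a fresh AVC per build. When chasing a denial like this, check the current label of the port with `semanage port -l` before writing any rule.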
Comment 8 Daniel Walsh 2006-05-05 11:06:47 EDT
Closing as these have been marked as modified for a while.  Feel free to reopen
if not fixed.
