Bug 180746 - SELinux won't allow Quagga's ripd management through telnet
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 4
Hardware: i686 Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
Reported: 2006-02-09 20:03 EST by Razvan Sandu
Modified: 2007-11-30 17:11 EST (History)
Fixed In Version: 1.27.1-2.25
Doc Type: Bug Fix
Last Closed: 2006-03-20 20:41:43 EST
Description Razvan Sandu 2006-02-09 20:03:39 EST
Description of problem:
On a stock Fedora Core 4 + all online updates, SELinux enabled, I've configured
Quagga (zebra and ripd) with basic parameters (passwords).

I've tried to do a:

telnet localhost 2604

to configure ripd through vty, but got a "connection refused". Disabling 
SELinux ("setenforce 0") solves the problem.


Version-Release number of selected component (if applicable):
quagga-0.98.3-2
selinux-policy-targeted-1.27.1-2.18
kernel-2.6.15-1.1830_FC4
(Fedora Core 4 + all updates 06.02.2006)


How reproducible:


Steps to Reproduce:
1. Install FC4 + online updates (full install), with SELinux in targeted mode.
2. Configure zebra
3. Configure basic parameters in /etc/quagga/ripd.conf (passwords)
4. Try a telnet localhost 2604, in order to configure ripd. You will get
a "Connection refused".
5. Disable SELinux ("setenforce 0")
6. Do a telnet localhost 2604 again. You will now successfully connect to
ripd's vty.

Actual results:
With SELinux enabled (in targeted mode) you can't connect to ripd's vty 
through telnet on port 2604 (not even on localhost, locally). 
Putting "setenforce 0" solves the problem.

Expected results:
SELinux is expected to allow connection for configuring all four daemons in 
Quagga.


Additional info:
Usage of ssh instead of telnet would be desirable.
Comment 1 Daniel Walsh 2006-02-10 09:39:00 EST
Are you seeing AVC Messages in the /var/log/audit/audit.log or /var/log/messages?
Comment 2 Razvan Sandu 2006-02-15 07:58:18 EST
(In reply to comment #1)
> Are you seeing AVC Messages in the /var/log/audit/audit.log or /var/log/messages?

Hello,

I'm not a guru in SELinux ;-), but I noticed ripd won't start with SELinux in
enforcing mode ("service ripd restart" fails).

Here are the AVC messages (when doing "service ripd restart"):

type=AVC msg=audit(1140008372.143:1152): avc:  denied  { name_bind } for 
pid=12520 comm="ripd" src=520 scontext=root:system_r:zebra_t
tcontext=system_u:object_r:reserved_port_t tclass=udp_socket
type=SYSCALL msg=audit(1140008372.143:1152): arch=40000003 syscall=102
success=no exit=-13 a0=2 a1=bfb67110 a2=bfb67120 a3=0 items=0 pid=12520 auid=500
uid=92 gid=92 euid=92 suid=92 fsuid=92 egid=92 sgid=92 fsgid=92 comm="ripd"
exe="/usr/sbin/ripd"
type=SOCKADDR msg=audit(1140008372.143:1152): saddr=02000208000000000000000000000000
type=SOCKETCALL msg=audit(1140008372.143:1152): nargs=3 a0=5 a1=bfb67120 a2=10

Regards,
Razvan

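The three audit records in the comment above, as an added triage example that is not part of this bug report: a Python script (the names `triage_denials` and `decode_sockaddr_in` are my own) that groups the AVC, SYSCALL and SOCKADDR records by their audit serial, pulls out the denied permission, source domain, target type and object class, and decodes the SOCKADDR `saddr` hex as a `struct sockaddr_in` to confirm that the bind ripd was refused was on UDP port 520, the same value as `src=520`, with the syscall failing with exit -13 (EACCES). The sample log is constructed from the comment's records, re-joined onto single lines as they appear in /var/log/audit/audit.log.

```python
import re
import socket
import struct

# Constructed sample: the three records from comment 2, one audit record per line.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1140008372.143:1152): avc:  denied  { name_bind } for pid=12520 comm="ripd" src=520 scontext=root:system_r:zebra_t tcontext=system_u:object_r:reserved_port_t tclass=udp_socket
type=SYSCALL msg=audit(1140008372.143:1152): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bfb67110 a2=bfb67120 a3=0 items=0 pid=12520 auid=500 uid=92 gid=92 euid=92 suid=92 fsuid=92 egid=92 sgid=92 fsgid=92 comm="ripd" exe="/usr/sbin/ripd"
type=SOCKADDR msg=audit(1140008372.143:1152): saddr=02000208000000000000000000000000
"""

REC_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<serial>[\d.]+:\d+)\): (?P<body>.*)$')
AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for (?P<fields>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode_sockaddr_in(hexstr):
    # struct sockaddr_in as dumped on i686: family in host (little-endian) order,
    # port in network order, then the 4-byte IPv4 address and 8 bytes of padding.
    raw = bytes.fromhex(hexstr)
    family = struct.unpack("<H", raw[0:2])[0]
    if family != socket.AF_INET:
        return {"family": family}
    port = struct.unpack("!H", raw[2:4])[0]
    return {"family": family, "port": port, "addr": socket.inet_ntoa(raw[4:8])}

def triage_denials(log_text):
    """Group audit records by serial and summarise each denied AVC event."""
    events = {}
    for line in log_text.splitlines():
        m = REC_RE.match(line)
        if not m:
            continue
        ev = events.setdefault(m.group("serial"), {})
        body = m.group("body")
        if m.group("type") == "AVC":
            a = AVC_RE.match(body)
            if a is None or a.group("result") != "denied":
                continue
            ev["perms"] = a.group("perms").split()
            ev.update((k, v.strip('"')) for k, v in KV_RE.findall(a.group("fields")))
            ev["sdomain"] = ev["scontext"].split(":")[2]   # e.g. zebra_t
            ev["ttype"] = ev["tcontext"].split(":")[2]     # e.g. reserved_port_t
        elif m.group("type") == "SYSCALL":
            kv = dict(KV_RE.findall(body))
            ev["exit"] = int(kv["exit"])                   # -13 == EACCES
            ev["exe"] = kv["exe"].strip('"')
        elif m.group("type") == "SOCKADDR":
            ev["sockaddr"] = decode_sockaddr_in(dict(KV_RE.findall(body))["saddr"])
    return [e for e in events.values() if "perms" in e]
```

Running `triage_denials(SAMPLE_AUDIT_LOG)` yields one event: domain zebra_t denied name_bind on a udp_socket labelled reserved_port_t, decoded address 0.0.0.0:520, which is exactly the port-label gap the policy update in this bug closes.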
Comment 3 Daniel Walsh 2006-02-21 18:50:38 EST
Fixed in selinux-targeted-policy-1.27.1-2.25
