Bug 1830170 - SELinux labels OpenBGPD's /usr/sbin/bgpd process as zebra_t
Summary: SELinux labels OpenBGPD's /usr/sbin/bgpd process as zebra_t
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.2
Hardware: x86_64
OS: Linux
low
medium
Target Milestone: rc
: ---
Assignee: Zdenek Pytela
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks: 2055578
Reported: 2020-05-01 00:43 UTC by Robert Scheck
Modified: 2022-04-28 11:31 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 2055578
Environment:
Last Closed: 2022-01-19 21:06:07 UTC
Type: Bug
Target Upstream Version:
Embargoed:
pm-rhel: mirror+



Description Robert Scheck 2020-05-01 00:43:32 UTC
Description of problem:
While trying to package OpenBGPD for EPEL 7 and 8, I had to learn that SELinux labels OpenBGPD's /usr/sbin/bgpd process as zebra_t, which makes OpenBGPD unusable as the SELinux Zebra policy forbids many things OpenBGPD needs to work.

Given GNU Zebra seems to be dead software ("Zebra has been decommissioned", https://www.gnu.org/software/zebra/), I wonder if it's a good idea to still call it "zebra_t", given "bgpd" is a quite generic name unfortunately also being used by its successors Quagga and FRR.

As I'm not sure if it's a good idea to extend the current semi-stale SELinux Zebra policy in RHEL 8 (because Red Hat historically refused various of my SELinux change requests/tickets, especially if a RHEL version starts aging after 5+ years lifetime, such as RHEL 7), I would already be satisfied if OpenBGPD /usr/sbin/bgpd could run in unconfined_t, because it's started via systemd unit openbgpd.service rather than bgpd.service (and I currently do not understand why openbgpd.service + /usr/sbin/bgpd lead to zebra_t rather than to unconfined_t, because the systemd unit file is not labelled as zebra_unit_file_t).

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.14.3-20.el8.noarch

Actual results:
SELinux labels OpenBGPD's /usr/sbin/bgpd process as zebra_t when started via openbgpd.service

Expected results:
SELinux labels OpenBGPD's /usr/sbin/bgpd process as unconfined_t when started via openbgpd.service

Comment 1 Milos Malik 2020-05-01 07:06:30 UTC
Are OpenBGPD RPMs available somewhere? I cannot find them. Without a list of SELinux denials or the RPMs we cannot effectively solve the problem.

If zebra policy does not work for you, you can disable the zebra policy module, but RHELs will be shipped with the zebra policy enabled.

Services from the FRR component now run as initrc_t, but they will be confined in near future - https://bugzilla.redhat.com/show_bug.cgi?id=1714984.

I believe that leaving the FRR or Quagga services run unconfined is not an option. That would mean weakening the security of the RHEL installations.

Comment 2 Robert Scheck 2020-05-03 22:06:58 UTC
> Are OpenBGPD RPMs available somewhere? I cannot find them. Without a list of SELinux denials or the RPMs we cannot effectively solve the problem.

Not yet, still working on a suitable packaging.

> I believe that leaving the FRR or Quagga services run unconfined is not an option. That would mean weakening the security of the RHEL installations.

This is not my intention. But why do openbgpd.service (systemd_unit_file_t) and /usr/sbin/bgpd (zebra_exec_t) transition to zebra_t? I would have expected that the openbgpd.service needs to be labeled accordingly, too (e.g. zebra_unit_file_t, like it was for initscripts in former times).

Comment 3 Robert Scheck 2020-05-12 23:53:00 UTC
Okay, a preliminary package for the package review is at bug #1835023; obviously it might still be subject to changes.

Comment 4 Zdenek Pytela 2020-05-20 16:13:12 UTC
(In reply to Robert Scheck from comment #2)
> > I believe that leaving the FRR or Quagga services run unconfined is not an option. That would mean weakening the security of the RHEL installations.
> 
> This is not my intention. But why do openbgpd.service (systemd_unit_file_t)
> and /usr/sbin/bgpd (zebra_exec_t) transition to zebra_t? I would have
> expected that the openbgpd.service needs to be labeled accordingly, too
> (e.g. zebra_unit_file_t, like it was for initscripts in former times).
Robert,

The transition is defined for a binary. Confined unit files are used to handle managing these units, e.g. to allow some other service to start the bgpd service.

Comment 6 Robert Scheck 2020-11-11 01:08:03 UTC
So, given the current SELinux policy covers /usr/sbin/bgpd, which is not even used by the frr RPM package as of writing (but by the openbgpd RPM), can we somehow get this addressed one way or another?

Comment 7 Zdenek Pytela 2020-11-11 08:49:14 UTC
Robert,

This bz currently is under consideration for the next RHEL minor version inclusion.

Comment 8 Robert Scheck 2020-11-11 22:26:00 UTC
Cross-filed case 02800527 at the Red Hat customer portal to hopefully support this one or another way.

Comment 10 Zdenek Pytela 2021-06-04 15:48:23 UTC
There are currently no plans to improve the SELinux module for openbgpd, either in the zebra module or create a new one.

You have 2 options for how to make the service start as unconfined_service_t:
- disable (or remove) zebra
semodule -d zebra
- label the binary with bin_t
semanage fcontext -a -t bin_t /usr/sbin/bgpd

Both solutions persist across reboots, but can be undone at any time.

FYI, in Fedora, active development is in place for frr.
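A constructed Python model, added here and not code from this bug or from selinux-policy, of why /usr/sbin/bgpd lands in zebra_t and what each of the two options above changes. The file-context table, the transition rules, and the last-match-wins lookup are simplifying assumptions made for illustration, not the exact libselinux algorithm.

```python
import re

# Constructed, simplified model of the labeling and transition logic discussed
# in this bug. Assumptions not taken from the page: later (more specific)
# file-context entries win, local fcontext entries override the base table,
# and init_t falls back to unconfined_service_t when it executes a bin_t file.

# Base file contexts: generic defaults plus the zebra.fc entries quoted in the bug.
BASE_FC = [
    ("corecommands", r"/usr/sbin(/.*)?", "bin_t"),
    ("systemd", r"/usr/lib/systemd/system(/.*)?", "systemd_unit_file_t"),
    ("zebra", r"/usr/sbin/bgpd", "zebra_exec_t"),
    ("zebra", r"/usr/lib/systemd/system/bgpd.*", "zebra_unit_file_t"),
]

# Process transitions keyed by (source domain, type of the executed file).
TRANSITIONS = {
    ("init_t", "zebra_exec_t"): "zebra_t",
    ("init_t", "bin_t"): "unconfined_service_t",
}


def file_type(path, disabled_modules=(), local_fc=()):
    """Label a path. Entries of a disabled module vanish (semodule -d);
    local_fc models `semanage fcontext -a -t TYPE PATH` overrides."""
    label = None
    for module, pattern, stype in BASE_FC:
        if module not in disabled_modules and re.fullmatch(pattern, path):
            label = stype
    for pattern, stype in local_fc:
        if re.fullmatch(pattern, path):
            label = stype
    return label


def service_domain(binary, disabled_modules=(), local_fc=()):
    """Domain of a systemd-started service: decided by the binary's type,
    not by the unit file's label (comment 4)."""
    exec_type = file_type(binary, disabled_modules, local_fc)
    return TRANSITIONS.get(("init_t", exec_type), "init_t")


if __name__ == "__main__":
    bgpd = "/usr/sbin/bgpd"
    print("default:           ", service_domain(bgpd))
    print("semodule -d zebra: ", service_domain(bgpd, disabled_modules={"zebra"}))
    print("bin_t fcontext:    ", service_domain(bgpd, local_fc=[(bgpd, "bin_t")]))
```

On a real host the on-disk label only changes after `restorecon -v /usr/sbin/bgpd`; verify with `ls -Z /usr/sbin/bgpd` and `ps -eZ | grep bgpd`.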

Comment 11 Robert Scheck 2021-06-10 09:37:23 UTC
I am sorry, but this reply is not acceptable for us as a Red Hat customer and partner. We do not like FRR, for different reasons, but OpenBGPD, and thus we expect at least non-discriminating behaviour by RHEL's default SELinux policy, especially as FRR uses neither /usr/sbin/bgpd nor /usr/lib/systemd/system/bgpd.service, but OpenBGPD does. We do not expect that Red Hat develops a SELinux policy module for OpenBGPD, but we do not tolerate that the default SELinux policy discriminates against OpenBGPD installations using SELinux labels for the FRR service that does not actually even use them. As a conclusion, our expectation is: change the RHEL 8 and 9 (and Fedora) SELinux policy so that /usr/sbin/bgpd and /usr/lib/systemd/system/bgpd.service are no longer labelled by default as zebra_exec_t/zebra_unit_file_t. Reopening.

Comment 15 Zdenek Pytela 2022-01-19 21:06:07 UTC
The bgpd files have been zebra-labeled in refpolicy and Fedora policy since 2005, 2008, and 2013. RHEL branches off of Fedora policy at the beginning of the new major release development phase. Red Hat does not ship bgpd, so no support can be expected in selinux-policy either.

Packages in EPEL are considered high-quality add-on packages that complement Red Hat Enterprise Linux. The EPEL project is led by community volunteers; packages from this project are not provided by Red Hat, though, and therefore they are not supported.

Please refer to #c10 for possible resolutions of the problem. Removing any module in the middle of the development cycle is not possible in selinux-policy.


For these reasons, we need to close this BZ again.


Links with more information:
Stability of the SELinux Policy API
https://access.redhat.com/articles/4854201

Production Support Scope of Coverage
https://access.redhat.com/support/offerings/production/soc

How to use Extra Packages for Enterprise Linux (EPEL)
https://access.redhat.com/solutions/3358

$ git blame policy/modules/contrib/zebra.fc | grep bgpd
e87221cefe policy/modules/services/zebra.fc           (Chris PeBenito 2008-10-08 15:50:03 +0000  1) /etc/rc\.d/init\.d/bgpd        --      gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
0edc4223a9 zebra.fc                                   (Miroslav Grepl 2013-11-14 11:21:17 +0100 11) /usr/lib/systemd/system/bgpd.*      --  gen_context(system_u:object_r:zebra_unit_file_t,s0)
e02c61cfa4 refpolicy/policy/modules/services/zebra.fc (Chris PeBenito 2005-10-06 19:33:06 +0000 20) /usr/sbin/bgpd         --      gen_context(system_u:object_r:zebra_exec_t,s0)

