Bug 1830170
| Summary: | SELinux labels OpenBGPD's /usr/sbin/bgpd process as zebra_t | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Robert Scheck <redhat-bugzilla> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED WONTFIX | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | | |
| Version: | 8.2 | CC: | lagordon, lvrabec, mmalik, plautrba, rmullett, ssekidde, sujagtap |
| Target Milestone: | rc | Keywords: | Reopened, Triaged |
| Target Release: | --- | Flags: | pm-rhel: mirror+ |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| : | 2055578 (view as bug list) | Environment: | |
| Last Closed: | 2022-01-19 21:06:07 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 2055578 | | |
Are OpenBGPD RPMs available somewhere? I cannot find them. Without a list of SELinux denials or the RPMs we cannot effectively solve the problem.

If zebra policy does not work for you, you can disable the zebra policy module, but RHELs will be shipped with the zebra policy enabled. Services from the FRR component now run as initrc_t, but they will be confined in the near future - https://bugzilla.redhat.com/show_bug.cgi?id=1714984.

I believe that leaving the FRR or Quagga services run unconfined is not an option. That would mean weakening the security of the RHEL installations.

> Are OpenBGPD RPMs available somewhere? I cannot find them. Without a list of SELinux denials or the RPMs we cannot effectively solve the problem.

Not yet, still working on a suitable packaging.

> I believe that leaving the FRR or Quagga services run unconfined is not an option. That would mean weakening the security of the RHEL installations.

This is not my intention. But why do openbgpd.service (systemd_unit_file_t) and /usr/sbin/bgpd (zebra_exec_t) transition to zebra_t? I would have expected that the openbgpd.service needs to be labeled accordingly, too (e.g. zebra_unit_file_t, like it was for initscripts in former times).

Okay, a preliminary package for the package review is at bug #1835023; obviously it might still be subject to changes.

(In reply to Robert Scheck from comment #2)
> > I believe that leaving the FRR or Quagga services run unconfined is not an option. That would mean weakening the security of the RHEL installations.
>
> This is not my intention. But why do openbgpd.service (systemd_unit_file_t) and /usr/sbin/bgpd (zebra_exec_t) transition to zebra_t? I would have expected that the openbgpd.service needs to be labeled accordingly, too (e.g. zebra_unit_file_t, like it was for initscripts in former times).

Robert,

The transition is defined for a binary. Confined unit files are used to handle managing these units, e.g. to allow some other service to start the bgpd service.

So, given the current SELinux policy covers /usr/sbin/bgpd, which is not even used by the frr RPM package as of writing (but by the openbgpd RPM), can we somehow get this addressed one or another way?

Robert,

This bz currently is under consideration for the next RHEL minor version inclusion.

Cross-filed case 02800527 at the Red Hat customer portal to hopefully support this one or another way.

There are currently no plans to improve the SELinux module for openbgpd, either in the zebra module or to create a new one.

You have two options for how to make the service start as unconfined_service_t:

- disable (or remove) zebra: `semodule -d zebra`
- label the binary with bin_t: `semanage fcontext -a -t bin_t /usr/sbin/bgpd`

Both solutions persist across reboots, but can be undone at any time.

FYI, in Fedora active development is in place for frr.

I am sorry, but this reply is not acceptable for us as a Red Hat customer and partner. We do not like FRR for different reasons but OpenBGPD - and thus we expect at least a non-discriminating behaviour by RHEL's default SELinux policy, especially as FRR uses neither /usr/sbin/bgpd nor /usr/lib/systemd/system/bgpd.service, but OpenBGPD does. We do not expect that Red Hat develops a SELinux policy module for OpenBGPD, but we do not tolerate that the default SELinux policy discriminates against OpenBGPD installations using SELinux labels for the FRR service that actually does not even use them.

As a conclusion our expectation is: Change the RHEL 8 and 9 (and Fedora) SELinux policy, so that /usr/sbin/bgpd and /usr/lib/systemd/system/bgpd.service are no longer labelled by default as zebra_exec_t/zebra_unit_file_t. Reopening.

The bgpd files have been zebra-labeled in refpolicy and Fedora policy since 2005, 2008, and 2013. RHEL branches off of Fedora policy at the beginning of the new major release development phase. Red Hat does not ship bgpd, so no support can be expected in selinux-policy either.

Packages in EPEL are considered high-quality add-on packages that complement Red Hat Enterprise Linux. The EPEL project is led by community volunteers; packages from this project are not provided by Red Hat, though, and therefore they are not supported. Please refer to #c10 for possible resolutions of the problem.

Removing any module in the middle of the development cycle is not possible in selinux-policy.

For these reasons, we need to close this BZ again.

Links with more information:

- Stability of the SELinux Policy API: https://access.redhat.com/articles/4854201
- Production Support Scope of Coverage: https://access.redhat.com/support/offerings/production/soc
- How to use Extra Packages for Enterprise Linux (EPEL): https://access.redhat.com/solutions/3358

```
$ git blame policy/modules/contrib/zebra.fc | grep bgpd
e87221cefe policy/modules/services/zebra.fc (Chris PeBenito 2008-10-08 15:50:03 +0000 1) /etc/rc\.d/init\.d/bgpd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
0edc4223a9 zebra.fc (Miroslav Grepl 2013-11-14 11:21:17 +0100 11) /usr/lib/systemd/system/bgpd.* -- gen_context(system_u:object_r:zebra_unit_file_t,s0)
e02c61cfa4 refpolicy/policy/modules/services/zebra.fc (Chris PeBenito 2005-10-06 19:33:06 +0000 20) /usr/sbin/bgpd -- gen_context(system_u:object_r:zebra_exec_t,s0)
```
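The two workarounds offered in the thread (disable the zebra module, or relabel /usr/sbin/bgpd as bin_t) as one verifiable procedure, added here as an example and not part of the bug report or of selinux-policy. It first records the current file and process labels and any AVC denials (the denial list is what the policy maintainers asked for), then applies the narrower relabel option and shows how to undo it. The path /usr/sbin/bgpd and the commands `semodule -d zebra` and `semanage fcontext -a -t bin_t /usr/sbin/bgpd` come from the thread; the helper names, the `APPLY_BGPD_WORKAROUND` switch and the sample `ls -Z` / `ps -eZ` lines are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the bug report): inspect how SELinux labels the
# OpenBGPD binary and process, then apply and verify one of the two
# workarounds named in the thread. Only the path and the semodule/semanage
# commands come from the bug; the helper names are assumptions.
set -u

BGPD_BIN=/usr/sbin/bgpd

# Constructed sample lines in the shape of `ls -Z` and `ps -eZ` output, so
# the parsing helpers can be exercised on a machine without SELinux or root.
SAMPLE_LS_Z='system_u:object_r:zebra_exec_t:s0 /usr/sbin/bgpd'
SAMPLE_PS_Z='system_u:system_r:zebra_t:s0 1234 ? 00:00:00 bgpd'

# The type is the third colon-separated field of an SELinux context
# (user:role:type:level); the context is the first whitespace field.
context_type() {
  printf '%s\n' "$1" | awk '{print $1}' | cut -d: -f3
}

# zebra_exec_t on the binary is what makes systemd's exec transition into zebra_t.
file_is_zebra_labeled() { [ "$(context_type "$1")" = "zebra_exec_t" ]; }
process_is_zebra_confined() { [ "$(context_type "$1")" = "zebra_t" ]; }

# Live checks; need a running SELinux system and, for ausearch, root.
show_current_state() {
  ls -Z "$BGPD_BIN"
  ps -eZ | grep '[b]gpd' || echo "bgpd is not running"
  ausearch -m AVC -c bgpd 2>/dev/null || echo "no AVC records for bgpd (or audit not readable)"
}

# Option 1 from the thread: disable the whole zebra module. Note this also
# removes confinement from every other daemon that module covers.
disable_zebra_module() { semodule -d zebra; }
reenable_zebra_module() { semodule -e zebra; }

# Option 2 from the thread: give only this binary the generic bin_t label.
# The local fcontext rule is stored by semanage and survives reboots; the
# -d form removes it again so the policy's own label applies on restorecon.
relabel_bgpd_as_bin_t() {
  semanage fcontext -a -t bin_t "$BGPD_BIN" && restorecon -v "$BGPD_BIN"
}
undo_bgpd_relabel() {
  semanage fcontext -d "$BGPD_BIN" && restorecon -v "$BGPD_BIN"
}

main() {
  command -v semanage >/dev/null 2>&1 || {
    echo "semanage not found (package policycoreutils-python-utils on RHEL 8)" >&2
    return 2
  }
  show_current_state
  if file_is_zebra_labeled "$(ls -Z "$BGPD_BIN")"; then
    relabel_bgpd_as_bin_t
    systemctl restart openbgpd.service
    # After the relabel the process should no longer appear as zebra_t.
    ps -eZ | grep '[b]gpd'
  fi
}

# Sourcing the file only defines the helpers; set APPLY_BGPD_WORKAROUND=1 to act.
if [ "${APPLY_BGPD_WORKAROUND:-0}" = 1 ]; then main; fi
```

Relabeling to bin_t makes bgpd start as unconfined_service_t, which is exactly the loss of confinement the maintainers object to for FRR and Quagga; it trades a working daemon for no mandatory access control on it. The AVC records collected by `show_current_state` are the input a local policy module would need if confinement is wanted later, and `undo_bgpd_relabel` restores the shipped labeling without touching the zebra module.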
Description of problem:

While trying to package OpenBGPD for EPEL 7 and 8, I had to learn that SELinux labels OpenBGPD's /usr/sbin/bgpd process as zebra_t, which makes OpenBGPD unusable as the SELinux Zebra policy forbids many things OpenBGPD needs to work. Given GNU Zebra seems to be dead software ("Zebra has been decommissioned", https://www.gnu.org/software/zebra/), I wonder if it's a good idea to still call it "zebra_t", given "bgpd" is a quite generic name unfortunately also being used by its successors Quagga and FRR.

As I'm not sure if it's a good idea to extend the current semi-stale SELinux Zebra policy in RHEL 8 (because Red Hat historically refused various of my SELinux change requests/tickets, especially if a RHEL version starts aging after 5+ years of lifetime, such as RHEL 7), I would already be satisfied if OpenBGPD's /usr/sbin/bgpd could be run in unconfined_t, because it's started via the systemd unit openbgpd.service rather than bgpd.service (and I currently do not understand why openbgpd.service + /usr/sbin/bgpd lead to zebra_t rather than to unconfined_t, because the systemd unit file is not labelled as zebra_unit_file_t).

Version-Release number of selected component (if applicable):

selinux-policy-targeted-3.14.3-20.el8.noarch

Actual results:

SELinux labels OpenBGPD's /usr/sbin/bgpd process as zebra_t when started via openbgpd.service

Expected results:

SELinux labels OpenBGPD's /usr/sbin/bgpd process as unconfined_t when started via openbgpd.service