Bug 197819 - selinux-policy-targeted enforcing stops quagga bgpd connecting to peers
Summary: selinux-policy-targeted enforcing stops quagga bgpd connecting to peers
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 5
Hardware: i686
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2006-07-06 17:05 UTC by J. David Rye
Modified: 2007-11-30 22:11 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-07-11 14:13:45 UTC
Type: ---
Embargoed:



Description J. David Rye 2006-07-06 17:05:59 UTC
Description of problem:

After upgrading a working server with a working bgp configuration to
Fedora 5, and running yum update to bring it up to the latest level,
bgpd, part of the quagga package, could no longer connect to its peers.

/var/log/quagga/bgpd.log filled with permission denied messages relating to
network connection attempts.

Rebooting with selinux set to permissive rather than enforcing allows
bgpd to work.

When running in permissive mode the following entries are logged to the audit log in
respect of bgpd.

type=AVC msg=audit(1152201967.828:11): avc:  denied  { name_bind } for  pid=4004 comm="bgpd" src=179 scontext=system_u:system_r:zebra_t:s0 tcontext=system_u:object_r:bgp_port_t:s0 tclass=tcp_socket

type=SYSCALL msg=audit(1152201967.828:11): arch=40000003 syscall=102 success=yes exit=0 a0=2 a1=bff36d40 a2=afa234 a3=bff36d98 items=0 pid=4004 auid=4294967295 uid=92 gid=92 euid=92 suid=92 fsuid=92 egid=92 sgid=92 fsgid=92 tty=(none) comm="bgpd" exe="/usr/sbin/bgpd" subj=system_u:system_r:zebra_t:s0

type=AVC msg=audit(1152201967.856:12): avc:  denied  { name_bind } for  pid=4005 comm="bgpd" src=2605 scontext=system_u:system_r:zebra_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

type=SYSCALL msg=audit(1152201967.856:12): arch=40000003 syscall=102 success=yes exit=0 a0=2 a1=bff36d50 a2=57f654 a3=7 items=0 pid=4005 auid=4294967295 uid=92 gid=92 euid=92 suid=92 fsuid=92 egid=92 sgid=92 fsgid=92 tty=(none) comm="bgpd" exe="/usr/sbin/bgpd" subj=system_u:system_r:zebra_t:s0

type=AVC msg=audit(1152201971.854:13): avc:  denied  { name_connect } for  pid=4005 comm="bgpd" dest=179 scontext=system_u:system_r:zebra_t:s0 tcontext=system_u:object_r:bgp_port_t:s0 tclass=tcp_socket

type=SYSCALL msg=audit(1152201971.854:13): arch=40000003 syscall=102 success=no exit=-115 a0=3 a1=bff38bf0 a2=57f654 a3=2 items=0 pid=4005 auid=4294967295 uid=92 gid=92 euid=92 suid=92 fsuid=92 egid=92 sgid=92 fsgid=92 tty=(none) comm="bgpd" exe="/usr/sbin/bgpd" subj=system_u:system_r:zebra_t:s0

Version-Release number of selected component (if applicable):

libselinux-1.30.3-3.fc5
selinux-policy-targeted-2.2.43-4.fc5
quagga-contrib-0.98.5-4
quagga-devel-0.98.5-4
quagga-0.98.5-4
libselinux-python-1.30.3-3.fc5
selinux-policy-2.2.43-4.fc5


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

Comment 1 Daniel Walsh 2006-07-10 14:44:23 UTC
You can create a loadable module with these rules using 

audit2allow -M bgp < AUDITMESG

And then allow the app to run with SELinux in enforcing mode.  I will add the
rules to allow zebra to work with the bgp ports, but what is it trying to do
with port 2605?

Comment 2 J. David Rye 2006-07-10 15:28:10 UTC
Thank you

I will have a look for the documentation on audit2allow

The daemons in Quagga/Zebra listen on a control port, usually only on the
loopback interface.

Zebra listens on 2601, ripd on 2602, bgpd on 2605, 
These ports are listed as service aliases in the /etc/services file.

They allow you to connect (telnet) to the zebra, ripd, and bgpd daemons
and run diagnostics or make minor on-the-fly configuration changes.

I have not used the other protocols but believe they behave the same.

----snip----
hpstgmgr        2600/tcp        zebrasrv        # HPSTGMGR
hpstgmgr        2600/udp                        # HPSTGMGR
discp-client    2601/tcp        zebra           # discp client
discp-client    2601/udp                        # discp client
discp-server    2602/tcp        ripd            # discp server
discp-server    2602/udp                        # discp server
servicemeter    2603/tcp        ripngd          # Service Meter
servicemeter    2603/udp                        # Service Meter
nsc-ccs         2604/tcp        ospfd           # NSC CCS
nsc-ccs         2604/udp                        # NSC CCS
nsc-posa        2605/tcp        bgpd            # NSC POSA
nsc-posa        2605/udp                        # NSC POSA
netmon          2606/tcp        ospf6d          # Dell Netmon
netmon          2606/udp                        # Dell Netmon
----snip---- 

Comment 3 Daniel Walsh 2006-07-11 14:13:45 UTC
OK, adding these to rawhide policy. You can also add these locally using
semanage if necessary. Eventually these will show up in FC5.
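The two comments above describe two different fixes for two different kinds of denial, and it is worth seeing why. The denials against bgp_port_t (tcp/179) hit a port that already carries a label, so zebra_t simply lacks an allow rule for it; that is what `audit2allow -M` generates. The denial against port_t (tcp/2605) hits a port with no specific label, and the right fix there is to label the port with `semanage port`, not to let zebra_t bind every unlabeled port, which is the overly broad rule audit2allow would emit if fed that line blindly. The script below, an added example that is not part of the bug report or of Fedora's policy tooling, parses the three AVC records from the report (re-joined onto one line each), sorts them into those two cases, and emits the semanage command and a minimal .te module. The mapping of port 2605 to bgp_port_t is an assumption for illustration; the page does not state which type the fixed policy used.

```python
"""Classify SELinux AVC denials and derive the narrowest fix for each.

Added example, not code from the bug report or from selinux-policy.
SAMPLE_AVCS are the records quoted in the report, re-joined onto one line.
SAMPLE_PORT_TYPES is an assumed port-to-type table for illustration only.
"""
import re
from collections import defaultdict

SAMPLE_AVCS = [
    'type=AVC msg=audit(1152201967.828:11): avc:  denied  { name_bind } for  pid=4004 comm="bgpd" src=179 '
    'scontext=system_u:system_r:zebra_t:s0 tcontext=system_u:object_r:bgp_port_t:s0 tclass=tcp_socket',
    'type=AVC msg=audit(1152201967.856:12): avc:  denied  { name_bind } for  pid=4005 comm="bgpd" src=2605 '
    'scontext=system_u:system_r:zebra_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket',
    'type=AVC msg=audit(1152201971.854:13): avc:  denied  { name_connect } for  pid=4005 comm="bgpd" dest=179 '
    'scontext=system_u:system_r:zebra_t:s0 tcontext=system_u:object_r:bgp_port_t:s0 tclass=tcp_socket',
]

# Assumption: which labeled type an unlabeled (port_t) port should receive.
SAMPLE_PORT_TYPES = {2605: "bgp_port_t"}

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+'
    r'(?P<fields>.*?)\s+scontext=(?P<scontext>\S+)\s+'
    r'tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Return the security-relevant fields of one AVC record, or None for other record types."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', m.group("fields")))
    port = fields.get("src") or fields.get("dest")  # src= for name_bind, dest= for name_connect
    return {
        "perms": set(m.group("perms").split()),
        "comm": fields.get("comm", "").strip('"'),
        "port": int(port) if port else None,
        "sdomain": m.group("scontext").split(":")[2],  # e.g. zebra_t
        "ttype": m.group("tcontext").split(":")[2],    # e.g. bgp_port_t or port_t
        "tclass": m.group("tclass"),
    }


def plan_fixes(lines, port_types):
    """Return (semanage commands, allow rules keyed by (domain, type, class)).

    port_t means the port carries no specific label: label it rather than
    allowing the domain to bind every unlabeled port.  Any other port type
    means the domain is missing an allow rule for an already-labeled port.
    """
    semanage = []
    rules = defaultdict(set)
    for line in lines:
        avc = parse_avc(line)
        if avc is None or avc["tclass"] not in ("tcp_socket", "udp_socket"):
            continue
        proto = "tcp" if avc["tclass"] == "tcp_socket" else "udp"
        if avc["ttype"] == "port_t":
            wanted = port_types.get(avc["port"])
            if wanted is None:
                raise ValueError(f"port {avc['port']}/{proto} is unlabeled; choose a type "
                                 "for it instead of allowing access to port_t")
            cmd = f"semanage port -a -t {wanted} -p {proto} {avc['port']}"
            if cmd not in semanage:
                semanage.append(cmd)
            # Once the port is relabeled, the domain needs the permission on the new type.
            rules[(avc["sdomain"], wanted, avc["tclass"])] |= avc["perms"]
        else:
            rules[(avc["sdomain"], avc["ttype"], avc["tclass"])] |= avc["perms"]
    return semanage, dict(rules)


def render_module(name, rules):
    """Render a loadable-module .te source in the shape audit2allow -M produces."""
    out = [f"module {name} 1.0;", "", "require {"]
    for t in sorted({t for key in rules for t in key[:2]}):
        out.append(f"    type {t};")
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms
    for tclass in sorted(classes):
        out.append(f"    class {tclass} {{ {' '.join(sorted(classes[tclass]))} }};")
    out += ["}", ""]
    for sdom, ttype, tclass in sorted(rules):
        out.append(f"allow {sdom} {ttype}:{tclass} {{ {' '.join(sorted(rules[(sdom, ttype, tclass)]))} }};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    cmds, allow = plan_fixes(SAMPLE_AVCS, SAMPLE_PORT_TYPES)
    print("\n".join(cmds))
    print(render_module("bgp", allow))
```

Running the script on the report's three denials prints one `semanage port -a -t bgp_port_t -p tcp 2605` command and a module containing a single `allow zebra_t bgp_port_t:tcp_socket { name_bind name_connect };` rule. The .te text can be built and loaded with `checkmodule -M -m -o bgp.mod bgp.te`, `semodule_package -o bgp.pp -m bgp.mod` and `semodule -i bgp.pp`, which is what `audit2allow -M bgp` does for you. Check the result with `semanage port -l | grep bgp` and confirm the denial is gone from `ausearch -m avc -c bgpd` before switching back to enforcing.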

