Description of problem: After upgrading a working server with a working bgp configuration to Fedora 5, and running yum update to bring it up to the latest level, bgpd (part of the quagga package) could no longer connect to its peers. /var/log/quagga/bgpd.log filled with permission denied messages relating to network connection attempts. Rebooting with selinux set to permissive rather than enforcing allows bgpd to work. When running in permissive mode the following entries are logged to the audit log in respect of bgpd.

type=AVC msg=audit(1152201967.828:11): avc: denied { name_bind } for pid=4004 comm="bgpd" src=179 scontext=system_u:system_r:zebra_t:s0 tcontext=system_u:object_r:bgp_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1152201967.828:11): arch=40000003 syscall=102 success=yes exit=0 a0=2 a1=bff36d40 a2=afa234 a3=bff36d98 items=0 pid=4004 auid=4294967295 uid=92 gid=92 euid=92 suid=92 fsuid=92 egid=92 sgid=92 fsgid=92 tty=(none) comm="bgpd" exe="/usr/sbin/bgpd" subj=system_u:system_r:zebra_t:s0
type=AVC msg=audit(1152201967.856:12): avc: denied { name_bind } for pid=4005 comm="bgpd" src=2605 scontext=system_u:system_r:zebra_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1152201967.856:12): arch=40000003 syscall=102 success=yes exit=0 a0=2 a1=bff36d50 a2=57f654 a3=7 items=0 pid=4005 auid=4294967295 uid=92 gid=92 euid=92 suid=92 fsuid=92 egid=92 sgid=92 fsgid=92 tty=(none) comm="bgpd" exe="/usr/sbin/bgpd" subj=system_u:system_r:zebra_t:s0
type=AVC msg=audit(1152201971.854:13): avc: denied { name_connect } for pid=4005 comm="bgpd" dest=179 scontext=system_u:system_r:zebra_t:s0 tcontext=system_u:object_r:bgp_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1152201971.854:13): arch=40000003 syscall=102 success=no exit=-115 a0=3 a1=bff38bf0 a2=57f654 a3=2 items=0 pid=4005 auid=4294967295 uid=92 gid=92 euid=92 suid=92 fsuid=92 egid=92 sgid=92 fsgid=92 tty=(none) comm="bgpd" exe="/usr/sbin/bgpd" subj=system_u:system_r:zebra_t:s0
Version-Release number of selected component (if applicable):
libselinux-1.30.3-3.fc5
selinux-policy-targeted-2.2.43-4.fc5
quagga-contrib-0.98.5-4
quagga-devel-0.98.5-4
quagga-0.98.5-4
libselinux-python-1.30.3-3.fc5
selinux-policy-2.2.43-4.fc5
You can create a loadable module with these rules using audit2allow -M bgp < AUDITMESG, and then allow the app to run with SELinux in enforcing mode. I will add the rules to allow zebra to work with the bgp ports, but what is it trying to do with port 2605?
Thank you, I will have a look for the documentation on audit2allow. The daemons in Quagga/Zebra listen on a control port, usually only on the loopback interface. Zebra listens on 2601, ripd on 2602, bgpd on 2605. These ports are listed as service aliases in the /etc/services file. They allow you to connect (telnet) to the zebra, ripd, and bgpd daemons and run diagnostics or make minor on-the-fly configuration changes. I have not used the other protocols but believe they behave the same.

----snip----
hpstgmgr        2600/tcp    zebrasrv    # HPSTGMGR
hpstgmgr        2600/udp                # HPSTGMGR
discp-client    2601/tcp    zebra       # discp client
discp-client    2601/udp                # discp client
discp-server    2602/tcp    ripd        # discp server
discp-server    2602/udp                # discp server
servicemeter    2603/tcp    ripngd      # Service Meter
servicemeter    2603/udp                # Service Meter
nsc-ccs         2604/tcp    ospfd       # NSC CCS
nsc-ccs         2604/udp                # NSC CCS
nsc-posa        2605/tcp    bgpd        # NSC POSA
nsc-posa        2605/udp                # NSC POSA
netmon          2606/tcp    ospf6d      # Dell Netmon
netmon          2606/udp                # Dell Netmon
----snip----
OK, adding these to rawhide policy. You can also add these locally using semanage if necessary. Eventually these will show up in FC5.
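The two remedies discussed in this thread (labelling a port with semanage versus building an allow module with audit2allow -M) can be told apart from the AVC records themselves: a denial whose target type is the generic port_t means the port number has no specific label yet, while a denial against an already-labelled type such as bgp_port_t means the domain lacks a rule. The following is an added example, not code from the bug report or from the quagga or selinux-policy projects; it parses the three denials quoted above and assumes that port 2605 should carry bgp_port_t like port 179 (an assumption to confirm against `semanage port -l` before applying anything).

```python
import re

# Constructed sample: the three AVC records quoted in the bug report, one per line.
AVC_SAMPLE = """\
type=AVC msg=audit(1152201967.828:11): avc: denied { name_bind } for pid=4004 comm="bgpd" src=179 scontext=system_u:system_r:zebra_t:s0 tcontext=system_u:object_r:bgp_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1152201967.856:12): avc: denied { name_bind } for pid=4005 comm="bgpd" src=2605 scontext=system_u:system_r:zebra_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1152201971.854:13): avc: denied { name_connect } for pid=4005 comm="bgpd" dest=179 scontext=system_u:system_r:zebra_t:s0 tcontext=system_u:object_r:bgp_port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(r'avc: +denied +\{ ([^}]+?) \} for (.*)$')


def parse_avc(line):
    """Parse one AVC denial into its parts; return None for non-AVC records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(2)))
    port = fields.get('src') or fields.get('dest')  # bind logs src=, connect logs dest=
    return {
        'perms': m.group(1).split(),
        'comm': fields.get('comm', '').strip('"'),
        'port': int(port) if port else None,
        'sdom': fields['scontext'].split(':')[2],   # source domain, e.g. zebra_t
        'ttype': fields['tcontext'].split(':')[2],  # target type, e.g. bgp_port_t
        'tclass': fields.get('tclass'),
    }


def suggest_fixes(lines, port_type='bgp_port_t'):
    """Return (semanage_cmds, allow_rules) for the socket denials in `lines`.

    Plain port_t as target: the port is unlabelled, so label it with semanage
    (port_type is the assumed label; bgp_port_t is taken from this thread).
    Any other target type: the port is labelled but the domain lacks the
    permission, so merge the perms into allow rules like audit2allow -M emits.
    """
    cmds, rules = set(), {}
    for line in lines:
        d = parse_avc(line)
        if d is None or d['tclass'] not in ('tcp_socket', 'udp_socket'):
            continue
        proto = d['tclass'].split('_')[0]
        if d['ttype'] == 'port_t':
            cmds.add(f"semanage port -a -t {port_type} -p {proto} {d['port']}")
        else:
            key = (d['sdom'], d['ttype'], d['tclass'])
            rules.setdefault(key, set()).update(d['perms'])
    allow = [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
             for (s, t, c), p in sorted(rules.items())]
    return sorted(cmds), allow
```

Running suggest_fixes over the sample yields one semanage command for port 2605 and one merged allow rule for zebra_t on bgp_port_t covering name_bind and name_connect.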