Description of problem:
As in title really. With selinux enforcing I get this from ripngd:

Jan 18 10:56:29 gklab-59-001 ripngd[27268]: Can't bind ripng socket: Permission denied.
Jan 18 10:56:29 gklab-59-001 ripngd[27268]: can't create RIPng
Jan 18 10:56:29 gklab-59-001 ripngd[27269]: RIPNGd 0.99.9 starting: vty@2603
Jan 18 10:56:29 gklab-59-001 ripngd[27269]: Interface eth1 does not have any link-local address
Jan 18 10:56:29 gklab-59-001 ripngd[27269]: Interface eth1 does not have any link-local address
Jan 18 10:56:30 gklab-59-001 ripngd[27269]: can't setsockopt IPV6_JOIN_GROUP: Bad file descriptor
Jan 18 10:56:30 gklab-59-001 ripngd[27269]: multicast join failed, interface eth1 not running

No selinux denials, nothing in audit.log. When I change to permissive mode everything works OK.

Version-Release number of selected component (if applicable):
quagga-0.99.9-3.fc8.x86_64
selinux-policy-targeted-3.0.8-74.fc8.noarch

How reproducible:
always

Steps to Reproduce:
1. configure ripngd to send advertisements
2. with selinux enforcing they are not sent
3. also setup logging and watch for messages above

Actual results:
ripngd does not work

Expected results:
ripngd works

Additional info:
setsebool -P allow_zebra_write_config=1 should allow it.
This bug is not about writing the configuration file, so I reopen it. ripngd simply does not work with selinux enforcing and, as far as I can see it, under selinux enforcing it does not open the IPv6 socket and cannot send and receive multicast announcements. And as I wrote - no avc messages, but selinux permissive fixes the problem. I have that line in selinux permissive from lsof -c ripngd -P output:

ripngd 4458 quagga 5u IPv6 31444 UDP *:521

When I switch to selinux enforcing, that line is gone.
Then please show me the avc messages from /var/log/audit/audit.log.
As I wrote in comment #1 - there are absolutely NO avc messages in audit.log and this puzzles me a lot. To be absolutely sure I deleted audit.log and restarted auditd but that did not help. With selinux permissive I also do not see any avc messages. The only log I get is the one I already posted and my guess is that the main problem is with:

Jan 18 10:56:30 gklab-59-001 ripngd[27269]: can't setsockopt IPV6_JOIN_GROUP: Bad file descriptor

as ripng is a multicast protocol. It probably also can't read link-local addresses off the interfaces in the system.
Ok, I believe the problem is the zebra policy does not allow it to listen on port 521. You can modify the policy by executing

# semanage port -a -t router_port_t -p udp 521

If this works for you I will ship it in selinux-policy-3.0.8-81.fc8
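The fix above relies on the udp/521 port being labeled router_port_t so the confined daemon may bind it. The following is an added example, not part of this bug thread or of the selinux-policy package: a small POSIX shell helper that checks whether a port/protocol pair falls within a type's port list in `semanage port -l` style output and prints the `semanage port -a` command when it does not. The port table it parses is a constructed sample embedded in the script (replace it with real `semanage port -l` output on the host); the function names `port_labeled` and `suggest_fix` are assumptions of this example. A related check worth knowing for the "no avc messages" symptom in this thread: denials covered by dontaudit rules never reach audit.log until dontaudit is switched off with `semodule -DB` (and back on with `semodule -B`).

```shell
#!/bin/sh
# Constructed sample in the layout of `semanage port -l` (not captured from the reporter's host).
SAMPLE_SEMANAGE_PORTS='SELinux Port Type              Proto    Port Number
router_port_t                  tcp      179, 520
router_port_t                  udp      520
zebra_port_t                   tcp      2600-2604, 2606
zebra_port_t                   udp      2600-2604, 2606'

# port_labeled TYPE PROTO PORT
# Exit status 0 when PORT/PROTO is covered by TYPE's list (single ports and N-M ranges), 1 otherwise.
port_labeled() {
    ptype="$1"; proto="$2"; port="$3"
    printf '%s\n' "$SAMPLE_SEMANAGE_PORTS" |
    awk -v t="$ptype" -v p="$proto" -v n="$port" '
        $1 == t && $2 == p {
            for (i = 3; i <= NF; i++) {
                v = $i; sub(/,$/, "", v)          # strip the trailing comma of list entries
                if (v ~ /-/) {                    # range entry such as 2600-2604
                    split(v, r, "-")
                    if (n + 0 >= r[1] + 0 && n + 0 <= r[2] + 0) found = 1
                } else if (v + 0 == n + 0) {      # single port entry
                    found = 1
                }
            }
        }
        END { exit found ? 0 : 1 }'
}

# suggest_fix TYPE PROTO PORT
# Prints the semanage command that adds the label, or an "ok" line if nothing is needed.
suggest_fix() {
    if port_labeled "$1" "$2" "$3"; then
        echo "ok: $3/$2 already labeled $1"
    else
        echo "semanage port -a -t $1 -p $2 $3"
    fi
}

# Usage: the RIPng case from this bug (udp/521) and the already-labeled RIP port (udp/520).
suggest_fix router_port_t udp 521
suggest_fix router_port_t udp 520
```

Run as root only the command it prints; the check itself needs no privileges. The `-a` form fails if the port is already assigned to another type, in which case `semanage port -m` is the operation to use instead.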
It seems to work.
This bug has been in MODIFIED for over one month. Closing as fixed in the current release; please reopen if the problem still persists.