Bug 429256 - quagga ripngd does not work with selinux enforcing
Summary: quagga ripngd does not work with selinux enforcing
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 8
Hardware: x86_64
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2008-01-18 10:04 UTC by Tomasz Kepczynski
Modified: 2008-03-05 22:17 UTC (History)

Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-03-05 22:17:19 UTC
Type: ---
Embargoed:



Description Tomasz Kepczynski 2008-01-18 10:04:29 UTC
Description of problem:
As in title really. With selinux enforcing I get this
from ripngd:

Jan 18 10:56:29 gklab-59-001 ripngd[27268]: Can't bind ripng socket: Permission denied.
Jan 18 10:56:29 gklab-59-001 ripngd[27268]: can't create RIPng
Jan 18 10:56:29 gklab-59-001 ripngd[27269]: RIPNGd 0.99.9 starting: vty@2603
Jan 18 10:56:29 gklab-59-001 ripngd[27269]: Interface eth1 does not have any link-local address
Jan 18 10:56:29 gklab-59-001 ripngd[27269]: Interface eth1 does not have any link-local address
Jan 18 10:56:30 gklab-59-001 ripngd[27269]: can't setsockopt IPV6_JOIN_GROUP: Bad file descriptor
Jan 18 10:56:30 gklab-59-001 ripngd[27269]: multicast join failed, interface eth1 not running

No selinux denials, nothing in audit.log. When I change to
permissive mode everything works OK.

Version-Release number of selected component (if applicable):
quagga-0.99.9-3.fc8.x86_64
selinux-policy-targeted-3.0.8-74.fc8.noarch


How reproducible:
always

Steps to Reproduce:
1. configure ripngd to send advertisements
2. with selinux enforcing they are not sent
3. also setup logging and watch for messages above
  
Actual results:
ripngd does not work

Expected results:
ripngd works

Additional info:

Comment 1 Daniel Walsh 2008-01-18 21:06:09 UTC
setsebool -P  allow_zebra_write_config=1

should allow it.

Comment 2 Tomasz Kepczynski 2008-01-19 06:40:17 UTC
This bug is not about writing the configuration file, so I reopen it.
ripngd simply does not work with selinux enforcing and, as far as
I can see, under selinux enforcing it does not open the IPv6
socket and cannot send and receive multicast announcements.
And as I wrote - no avc messages, but selinux permissive
fixes the problem.

In selinux permissive I have this line in the lsof -c ripngd -P
output:
ripngd  4458 quagga    5u  IPv6              31444             UDP *:521
When I switch to selinux enforcing, that line is gone.


Comment 3 Daniel Walsh 2008-01-21 20:11:09 UTC
Then please show me the avc messages from /var/log/audit/audit.log.

Comment 4 Tomasz Kepczynski 2008-01-22 07:16:03 UTC
As I wrote in comment #1 - there are absolutely NO avc messages in
audit.log and this puzzles me a lot. To be absolutely sure I deleted
audit.log and restarted auditd but that did not help.
With selinux permissive I also do not see any avc messages.
The only log I get is the one I already posted and my guess is
that the main problem is with:
Jan 18 10:56:30 gklab-59-001 ripngd[27269]: can't setsockopt IPV6_JOIN_GROUP: Bad file descriptor
as ripng is multicast protocol.
It probably also can't read link-local addresses off the interfaces in a system.


Comment 5 Daniel Walsh 2008-01-22 14:10:53 UTC
Ok, I believe the problem is zebra policy does not allow it to listen on port 521.

You can modify policy by executing

# semanage port -a -t router_port_t -p udp 521

If this works for you I will ship it in selinux-policy-3.0.8-81.fc8
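
The port-labelling check behind the fix above, as an added example (not part of the bug report or of the selinux-policy package): it decides from a `semanage port -l` listing whether a port already carries the wanted SELinux port type and, if not, prints the `semanage port` invocation to run. The listing embedded below is constructed to resemble a pre-fix Fedora 8 policy; the function and variable names are the example's own.

```sh
#!/bin/sh
# Constructed sample of `semanage port -l` output (not captured from the
# reporter's host).  udp/520 (RIP) is router_port_t, udp/521 (RIPng) is not
# listed at all, which is the state comment 5 diagnoses.
SAMPLE_LISTING='SELinux Port Type              Proto    Port Number
dns_port_t                     udp      53
http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443
router_port_t                  tcp      179
router_port_t                  udp      520
syslogd_port_t                 udp      514
zebra_port_t                   tcp      2600-2604
unreserved_port_t              udp      1024-65535'

# port_type LISTING PROTO PORT
# Prints the SELinux port type that covers PROTO/PORT, or nothing if no
# entry covers it.  Entries may be single ports, ranges ("2600-2604") or
# comma-separated lists of both, so every value is expanded to a lo-hi pair.
port_type() {
    printf '%s\n' "$1" | awk -v proto="$2" -v port="$3" '
        NR == 1 { next }                 # header line
        $2 != proto { next }             # wrong protocol
        {
            spec = ""                    # join "80, 443, 8009" into one string
            for (i = 3; i <= NF; i++) spec = spec $i
            n = split(spec, parts, ",")
            for (i = 1; i <= n; i++) {
                lo = hi = parts[i]
                if (index(parts[i], "-")) { split(parts[i], r, "-"); lo = r[1]; hi = r[2] }
                if (port + 0 >= lo + 0 && port + 0 <= hi + 0) { print $1; exit }
            }
        }'
}

# fix_command LISTING PROTO PORT WANTED_TYPE
# Prints "ok" if PROTO/PORT already carries WANTED_TYPE, otherwise the
# semanage command needed.  "-a" adds a definition for an unlisted port;
# "-m" is required when the port is already defined with another type,
# because "-a" refuses to redefine an existing port.
fix_command() {
    current=$(port_type "$1" "$2" "$3")
    if [ "$current" = "$4" ]; then
        echo "ok"
    elif [ -z "$current" ]; then
        echo "semanage port -a -t $4 -p $2 $3"
    else
        echo "semanage port -m -t $4 -p $2 $3"
    fi
}

# Walk-through for this bug: RIPng listens on udp/521, and the fix in
# comment 5 labels it router_port_t, the type udp/520 (RIP) already has.
fix_command "$SAMPLE_LISTING" udp 521 router_port_t
```

On a live host, pass the real listing with `fix_command "$(semanage port -l)" udp 521 router_port_t`, then confirm with `semanage port -l | grep router_port_t` that udp 521 now appears next to 520. Separately from the port type, a bind that fails in enforcing mode with nothing in audit.log (the puzzle in comment 4) is a general sign that the denial is covered by a dontaudit rule in the policy; `semodule -DB` rebuilds the policy with dontaudit rules disabled so the AVC becomes visible, and `semodule -B` restores them afterwards.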

Comment 6 Tomasz Kepczynski 2008-01-23 10:37:13 UTC
It seems to work.


Comment 7 Daniel Walsh 2008-03-05 22:17:19 UTC
Bugs have been in MODIFIED for over one month. Closing as fixed in current
release; please reopen if the problem still persists.

