On Thu, Mar 6, 2014 at 7:07 PM, SilverTip257 silvertip257@gmail.com wrote:
On Wed, Mar 5, 2014 at 10:19 AM, Daniel J Walsh dwalsh@redhat.com wrote:
... If you want to allow the zebra daemon to write its configuration files, you must turn on the zebra_write_config boolean. Disabled by default.
setsebool -P zebra_write_config 1
// before
~]# getsebool -a | grep zebra
allow_zebra_write_config --> on
zebra_disable_trans --> off
Apparently the command from the Bugzilla ticket I linked to earlier took and already had allow_zebra_write_config enabled.
setsebool -P allow_zebra_write_config=1
// trying to set that selinux boolean comes back with
~]# setsebool -P zebra_write_config 1
libsemanage.dbase_llist_set: record not found in the database
libsemanage.dbase_llist_set: could not set record value
Could not change boolean zebra_write_config
Could not change policy booleans
* What should I try next after this failure?
~]# tail /var/log/audit/audit.log | grep zebra | audit2why
...
type=AVC msg=audit(1394150156.203:30): avc: denied { add_name } for pid=3111 comm="zebra" name="zebra.conf.fT434c" scontext=root:system_r:zebra_t:s0 tcontext=system_u:object_r:zebra_conf_t:s0 tclass=dir
	Was caused by:
		Missing or disabled TE allow rule.
		Allow rules may exist but be disabled by boolean settings; check boolean settings.
		You can see the necessary allow rules by running audit2allow with this audit message as input.
~]# tail /var/log/audit/audit.log | grep zebra | audit2allow
#============= zebra_t ==============
allow zebra_t zebra_conf_t:dir add_name;
* So I'm at the point where I may just as well create a custom policy file?
I plan on following the steps on the wiki (unless there's a better source/write-up). http://wiki.centos.org/HowTos/SELinux
Looks like this will be a fun one ... I'll have rules for each routing daemon to create. [At least that's the impression I got from mailing lists/bug tickets.]
Thanks,