On 03/04/2014 07:56 PM, SilverTip257 wrote:
Hello All,
Does anyone happen to be running Quagga on CentOS 5 with SELinux in enforcing mode? Have you had to create SELinux policies or did it "just work" out of the box?
(I'll get around to building this out on CentOS 6 as well.)
I'm simply trying to write my config (for the zebra daemon) and it can't be written...
Looks like this bug from Fedora 8 in 2008 [0] remains (or one similar to it spawned). And the problem was present in 2010 per the CentOS forums [1].
I'm not opposed to creating SELinux policies and I may do just that (or run around in Permissive mode!). But it'd be awesome if upstream included policies for quagga since quagga is software they package.
Maybe Dan Walsh will hop in on this. ;-)
[0] https://bugzilla.redhat.com/show_bug.cgi?id=429252
[1] https://www.centos.org/forums/viewtopic.php?t=21040
type=AVC msg=audit(1393980136.848:15): avc: denied { add_name } for pid=2646 comm="zebra" name="zebra.conf.CxNsyz" scontext=root:system_r:zebra_t:s0 tcontext=system_u:object_r:zebra_conf_t:s0 tclass=dir
type=SYSCALL msg=audit(1393980136.848:15): arch=40000003 syscall=5 success=no exit=-13 a0=8512960 a1=c2 a2=180 a3=1e6a6 items=0 ppid=1 pid=2646 auid=0 uid=92 gid=92 euid=92 suid=92 fsuid=92 egid=92 sgid=92 fsgid=92 tty=(none) ses=1 comm="zebra" exe="/usr/sbin/zebra" subj=root:system_r:zebra_t:s0 key=(null)
~]# ls -Z /etc/quagga/
-rw-r--r--  root    root      system_u:object_r:zebra_conf_t  bgpd.conf.sample
-rw-r--r--  root    root      system_u:object_r:zebra_conf_t  bgpd.conf.sample2
-rw-r--r--  root    root      system_u:object_r:zebra_conf_t  ospf6d.conf.sample
-rw-r--r--  root    root      system_u:object_r:zebra_conf_t  ospfd.conf.sample
-rw-r--r--  root    root      system_u:object_r:zebra_conf_t  ripd.conf.sample
-rw-r--r--  root    root      system_u:object_r:zebra_conf_t  ripngd.conf.sample
-rw-r-----  quagga  quaggavt  root:object_r:zebra_conf_t      vtysh.conf
-rwxr-x---  quagga  quaggavt  system_u:object_r:zebra_conf_t  vtysh.conf.sample
-rw-------  quagga  quagga    root:object_r:zebra_conf_t      zebra.conf
-rw-r--r--  root    root      system_u:object_r:zebra_conf_t  zebra.conf.sample
-rw-r-----  quagga  quaggavt  root:object_r:zebra_conf_t      zebra.conf.sav
man zebra_selinux
... If you want to allow the zebra daemon to write its configuration files, you must turn on the zebra_write_config boolean. Disabled by default.
setsebool -P zebra_write_config 1
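A small triage helper for AVC records like the one quoted above, added here as an example (it is not part of the thread or of Quagga): it pulls the denied permission, the source and target types and the object class out of a record, and maps the zebra_t-writing-under-zebra_conf_t case to the boolean named in the reply. Only that one case is mapped; the set of permissions treated as "writing" is my assumption.

```shell
#!/bin/sh
# Constructed sample: the AVC record from the thread (SYSCALL record omitted).
AVC_SAMPLE='type=AVC msg=audit(1393980136.848:15): avc: denied { add_name } for pid=2646 comm="zebra" name="zebra.conf.CxNsyz" scontext=root:system_r:zebra_t:s0 tcontext=system_u:object_r:zebra_conf_t:s0 tclass=dir'

# avc_field RECORD KEY: print the value of KEY=... with any quotes stripped.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p" | tr -d '"'
}

# avc_perms RECORD: print the permission list inside "denied { ... }".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p'
}

# ctx_type CONTEXT: the type (third colon-separated field) of an SELinux context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary RECORD: "perms source_type target_type class"
avc_summary() {
    printf '%s %s %s %s\n' "$(avc_perms "$1")" \
        "$(ctx_type "$(avc_field "$1" scontext)")" \
        "$(ctx_type "$(avc_field "$1" tcontext)")" \
        "$(avc_field "$1" tclass)"
}

# avc_boolean RECORD: print "zebra_write_config" when zebra_t is denied a
# write-type permission on zebra_conf_t (the case in this thread), else "none".
# The permission list below is an assumption, not taken from the policy sources.
avc_boolean() {
    perms=$(avc_perms "$1")
    stype=$(ctx_type "$(avc_field "$1" scontext)")
    ttype=$(ctx_type "$(avc_field "$1" tcontext)")
    tclass=$(avc_field "$1" tclass)
    case "$stype:$ttype:$tclass" in
        zebra_t:zebra_conf_t:dir|zebra_t:zebra_conf_t:file)
            case " $perms " in
                *" add_name "*|*" write "*|*" create "*|*" remove_name "*|*" rename "*|*" unlink "*|*" setattr "*)
                    echo zebra_write_config; return 0 ;;
            esac ;;
    esac
    echo none
}
```

Feed it lines from `ausearch -m avc` (or /var/log/audit/audit.log) one at a time; anything it reports as "none" still needs a real policy review rather than a boolean flip.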