[CentOS] CentOS 5 + Quagga + SELinux

Fri Mar 7 00:07:33 UTC 2014
SilverTip257 <silvertip257 at gmail.com>

On Wed, Mar 5, 2014 at 10:19 AM, Daniel J Walsh <dwalsh at redhat.com> wrote:

>
> man zebra_selinux
>

Thank you for the quick reply.

~]# man zebra_selinux
No manual entry for zebra_selinux

This is a rather basic (headless) install of CentOS 5.10 from the
netinstall ISO.
I haven't ripped out any default selinux pieces, so should I really be
missing that manpage?

~]# cat /etc/*ele*
cat: /etc/lsb-release.d: Is a directory
CentOS release 5.10 (Final)

~]# apropos selinux | egrep 'zebra|quagga'

If I remove the pipe to egrep, I do see squid_selinux for example.


> ...
>        If you want to allow zebra daemon to write its configuration files, you
>        must turn on the zebra_write_config boolean. Disabled by default.
>
>        setsebool -P zebra_write_config 1
>

// before
~]# getsebool -a | grep zebra
allow_zebra_write_config --> on
zebra_disable_trans --> off

Apparently the command from the Bugzilla ticket I linked to earlier took
and already had allow_zebra_write_config enabled.
setsebool -P allow_zebra_write_config=1

// trying to set that selinux boolean comes back with
~]# setsebool -P zebra_write_config 1
libsemanage.dbase_llist_set: record not found in the database
libsemanage.dbase_llist_set: could not set record value
Could not change boolean zebra_write_config
Could not change policy booleans

On SELinux, but a different topic...
I had to modify the user (role and type were right) to allow dnsmasq to
write to /var/log/dnsmasq.log
~]# chcon -v --user=system_u --role=object_r --type=var_log_t /var/log/dnsmasq.log
This may or may not be the best/proper way, but appears to have fixed the
dnsmasq logging + selinux clash.

And now to apply that to my quagga/zebra + selinux situation...
// before
~]# ls -Z /etc/quagga/ | egrep '(zebra|vtysh)\.conf'
-rw-r-----  quagga quaggavt root:object_r:zebra_conf_t     vtysh.conf
-rwxr-x---  quagga quaggavt system_u:object_r:zebra_conf_t vtysh.conf.sample
-rw-------  quagga quagga   root:object_r:zebra_conf_t     zebra.conf
-rw-r--r--  root   root     system_u:object_r:zebra_conf_t zebra.conf.sample
-rw-r-----  quagga quaggavt root:object_r:zebra_conf_t     zebra.conf.sav

~]# chcon -v --user=system_u /etc/quagga/vtysh.conf /etc/quagga/zebra.conf /etc/quagga/zebra.conf.sav

// after
~]# ls -Z /etc/quagga/ | egrep '(zebra|vtysh)\.conf'
-rw-r-----  quagga quaggavt system_u:object_r:zebra_conf_t vtysh.conf
-rwxr-x---  quagga quaggavt system_u:object_r:zebra_conf_t vtysh.conf.sample
-rw-------  quagga quagga   system_u:object_r:zebra_conf_t zebra.conf
-rw-r--r--  root   root     system_u:object_r:zebra_conf_t zebra.conf.sample
-rw-r-----  quagga quaggavt system_u:object_r:zebra_conf_t zebra.conf.sav

// but no dice ...
# write
Building Configuration...
Can't open configuration file /etc/quagga/zebra.conf.ZHwkuk.
[OK]

~]# tail /var/log/audit/audit.log | grep zebra | audit2why
...
type=AVC msg=audit(1394150156.203:30): avc:  denied  { add_name } for  pid=3111 comm="zebra" name="zebra.conf.fT434c" scontext=root:system_r:zebra_t:s0 tcontext=system_u:object_r:zebra_conf_t:s0 tclass=dir
        Was caused by:
                Missing or disabled TE allow rule.
                Allow rules may exist but be disabled by boolean settings; check boolean settings.
                You can see the necessary allow rules by running audit2allow with this audit message as input.

~]# tail /var/log/audit/audit.log | grep zebra | audit2allow


#============= zebra_t ==============
allow zebra_t zebra_conf_t:dir add_name;


What am I doing wrong here?
( missing manpage , still AVC denied )
I'm learning a thing or two about SELinux with each bump in the road it
presents to me.
Thanks for the help and for bearing with me. ;)


-- 
---~~.~~---
Mike
//  SilverTip257  //
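The triage step that the `audit2why` / `audit2allow` exchange above describes (pull the AVC records for one daemon, work out which source domain, target type, object class and permissions were denied, and merge them into the minimal set of TE rules) can be reproduced offline. The following is an added example, not code from the mailing-list post or from the Quagga or SELinux projects. The first sample record is modelled on the AVC line quoted in the mail; the two extra `file`-class denials and the `SYSCALL` record are constructed for illustration. The script parses the records, merges denied permissions per (domain, type, class) the way `audit2allow` renders them, and separately flags `add_name`/`remove_name` denials on a directory, because in that case the object SELinux checked is the directory, so relabelling the existing files (as the `chcon` runs above did) cannot clear the denial; the fix has to be a boolean, a rule or a policy module covering the directory.

```python
import re
from collections import defaultdict

# Constructed sample audit records, modelled on the single AVC line quoted in
# the mail above; the two file-class denials and the SYSCALL record are assumed.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1394150156.203:30): avc:  denied  { add_name } for  pid=3111 comm="zebra" name="zebra.conf.fT434c" scontext=root:system_r:zebra_t:s0 tcontext=system_u:object_r:zebra_conf_t:s0 tclass=dir
type=AVC msg=audit(1394150156.203:31): avc:  denied  { create } for  pid=3111 comm="zebra" name="zebra.conf.fT434c" scontext=root:system_r:zebra_t:s0 tcontext=system_u:object_r:zebra_conf_t:s0 tclass=file
type=AVC msg=audit(1394150156.204:32): avc:  denied  { write } for  pid=3111 comm="zebra" name="zebra.conf.fT434c" scontext=root:system_r:zebra_t:s0 tcontext=system_u:object_r:zebra_conf_t:s0 tclass=file
type=SYSCALL msg=audit(1394150156.203:30): arch=40000003 syscall=5 success=no exit=-13 comm="zebra"
"""

# One AVC record: verdict, the brace-enclosed permission list, and the three
# fields that identify the TE rule that would have been consulted.
AVC_RE = re.compile(
    r'^type=AVC\b.*?avc:\s+(?P<verdict>denied|granted)\s+'
    r'\{\s*(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)
COMM_RE = re.compile(r'comm="([^"]*)"')


def context_type(ctx):
    """Return the type (third field) of a user:role:type[:level] context."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError("malformed SELinux context: %r" % ctx)
    return parts[2]


def parse_avc(line):
    """Parse one audit record; return a dict for AVC records, None otherwise."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    comm = COMM_RE.search(line)
    return {
        "verdict": m.group("verdict"),
        "perms": set(m.group("perms").split()),
        "sdomain": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
        "comm": comm.group(1) if comm else None,
    }


def summarize_denials(text):
    """Merge denied permissions per (source domain, target type, object class)."""
    needed = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        needed[(rec["sdomain"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(needed)


def to_allow_rules(summary):
    """Render the summary as audit2allow-style TE allow rules (sorted)."""
    rules = []
    for (sdomain, ttype, tclass), perms in sorted(summary.items()):
        perms = sorted(perms)
        perm_str = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
        rules.append("allow %s %s:%s %s;" % (sdomain, ttype, tclass, perm_str))
    return rules


def dir_name_denials(summary):
    """(domain, type) pairs denied add_name/remove_name on a directory: the
    checked object is the directory itself, so relabelling files will not help."""
    return sorted(
        (s, t) for (s, t, c), perms in summary.items()
        if c == "dir" and perms & {"add_name", "remove_name"}
    )


if __name__ == "__main__":
    summary = summarize_denials(SAMPLE_AUDIT_LOG)
    for rule in to_allow_rules(summary):
        print(rule)
    print("directory-entry denials:", dir_name_denials(summary))
```

On a live CentOS box the input would be `grep zebra /var/log/audit/audit.log` rather than the embedded sample; the summary is what to read before choosing between `setsebool` (when `audit2why` points at a boolean), `restorecon`/`chcon` (when the target type is wrong), and `audit2allow -M` (when no existing rule covers the access). The parser ignores `SYSCALL` and other non-AVC record types and raises on a context that does not have at least user, role and type fields.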