[CentOS] CentOS 5 + Quagga + SELinux

Fri Mar 7 13:43:16 UTC 2014
Daniel J Walsh <dwalsh at redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 03/06/2014 07:07 PM, SilverTip257 wrote:
> On Wed, Mar 5, 2014 at 10:19 AM, Daniel J Walsh <dwalsh at redhat.com> wrote:
> 
>> 
>> man zebra_selinux
>> 
> 
> Thank you for the quick reply.
> 
> ~]# man zebra_selinux
> No manual entry for zebra_selinux
> 
> This is a rather basic (headless) install of CentOS 5.10 from the 
> netinstall ISO. I haven't ripped out any default selinux pieces, so should
> I really be missing that manpage?
> 
> ~]# cat /etc/*ele*
> cat: /etc/lsb-release.d: Is a directory
> CentOS release 5.10 (Final)
> 
> ~]# apropos selinux | egrep 'zebra|quagga'
> 
> If I remove the pipe to egrep, I do see squid_selinux for example.
> 
> 
>> ... If you want to allow the zebra daemon to write its configuration files,
>> you must turn on the zebra_write_config boolean. Disabled by default.
>> 
>> setsebool -P zebra_write_config 1
>> 
> 
> // before
> ~]# getsebool -a | grep zebra
> allow_zebra_write_config --> on
> zebra_disable_trans --> off
> 
> Apparently the command from the Bugzilla ticket I linked to earlier took
> and already had allow_zebra_write_config enabled:
> setsebool -P allow_zebra_write_config=1
> 
> // trying to set that selinux boolean comes back with
> ~]# setsebool -P zebra_write_config 1
> libsemanage.dbase_llist_set: record not found in the database
> libsemanage.dbase_llist_set: could not set record value
> Could not change boolean zebra_write_config
> Could not change policy booleans
> 
> On an SELinux, but different, topic... I had to modify the user (role and
> type were right) to allow dnsmasq to write to /var/log/dnsmasq.log:
> ~]# chcon -v --user=system_u --role=object_r --type=var_log_t /var/log/dnsmasq.log
> This may or may not be the best/proper way, but it appears to have fixed
> the dnsmasq logging + selinux clash.
> 
> And now to apply that to my quagga/zebra + selinux situation...
> // before
> ~]# ls -Z /etc/quagga/ | egrep '(zebra|vtysh)\.conf'
> -rw-r-----  quagga quaggavt root:object_r:zebra_conf_t     vtysh.conf
> -rwxr-x---  quagga quaggavt system_u:object_r:zebra_conf_t vtysh.conf.sample
> -rw-------  quagga quagga   root:object_r:zebra_conf_t     zebra.conf
> -rw-r--r--  root   root     system_u:object_r:zebra_conf_t zebra.conf.sample
> -rw-r-----  quagga quaggavt root:object_r:zebra_conf_t     zebra.conf.sav
> 
> ~]# chcon -v --user=system_u /etc/quagga/vtysh.conf /etc/quagga/zebra.conf /etc/quagga/zebra.conf.sav
> 
> // after
> ~]# ls -Z /etc/quagga/ | egrep '(zebra|vtysh)\.conf'
> -rw-r-----  quagga quaggavt system_u:object_r:zebra_conf_t vtysh.conf
> -rwxr-x---  quagga quaggavt system_u:object_r:zebra_conf_t vtysh.conf.sample
> -rw-------  quagga quagga   system_u:object_r:zebra_conf_t zebra.conf
> -rw-r--r--  root   root     system_u:object_r:zebra_conf_t zebra.conf.sample
> -rw-r-----  quagga quaggavt system_u:object_r:zebra_conf_t zebra.conf.sav
> 
> // but no dice ...
> # write
> Building Configuration...
> Can't open configuration file /etc/quagga/zebra.conf.ZHwkuk.
> [OK]
> 
> 
> 
> ~]# tail /var/log/audit/audit.log | grep zebra | audit2why
> ...
> type=AVC msg=audit(1394150156.203:30): avc:  denied  { add_name } for pid=3111 comm="zebra" name="zebra.conf.fT434c" scontext=root:system_r:zebra_t:s0 tcontext=system_u:object_r:zebra_conf_t:s0 tclass=dir
> 
> Was caused by:
> Missing or disabled TE allow rule.
> Allow rules may exist but be disabled by boolean settings; check boolean settings.
> You can see the necessary allow rules by running audit2allow with this audit message as input.
> 
> ~]# tail /var/log/audit/audit.log | grep zebra | audit2allow
> 
> #============= zebra_t ==============
> allow zebra_t zebra_conf_t:dir add_name;
> 
> 
> What am I doing wrong here? ( missing manpage , still AVC denied )
> 
> 
> I'm learning a thing or two about SELinux with each bump in the road it 
> presents to me. Thanks for the help and for bearing with me. ;)
> 
> 
Introduced in RHEL6, not in RHEL5, sorry.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlMZzPQACgkQrlYvE4MpobPh3wCfd54pFCl3U5zamlcOobHO47fl
npEAn2GdCQZnZbnzGu3mOr+G2rbR2nxp
=E3uw
-----END PGP SIGNATURE-----
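The two stumbling points in the thread above are (a) a boolean name that exists on one release but not the other, so setsebool fails with "record not found in the database", and (b) an AVC denial that audit2allow turns into an allow rule without saying what that rule grants. Below is an added example (not code from the thread, from the CentOS project or from the Quagga/SELinux policy) of the checks a practitioner would run first: resolve whichever spelling of the boolean the loaded policy actually has, and parse the denial into its fields so the rule audit2allow would produce can be read and judged before anything is installed with semodule. The function names are this example's own, the boolean list and the AVC record are constructed from the output quoted above, and getsebool/setsebool are only called when no list is passed in, so everything else runs offline.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Quagga/SELinux projects.
# 1. resolve_bool: RHEL5-era policy carried the allow_ prefix on this boolean
#    and later policy dropped it; look the name up instead of guessing.
# 2. avc_*: pull the fields out of an AVC record and rebuild the TE rule
#    audit2allow would emit, so it can be reviewed before it is installed.

# Constructed `getsebool -a | grep zebra` output, modelled on the RHEL5 host above.
SAMPLE_BOOLS='allow_zebra_write_config --> on
zebra_disable_trans --> off'

# The AVC record quoted in the thread, kept as a single line.
SAMPLE_AVC='type=AVC msg=audit(1394150156.203:30): avc:  denied  { add_name } for pid=3111 comm="zebra" name="zebra.conf.fT434c" scontext=root:system_r:zebra_t:s0 tcontext=system_u:object_r:zebra_conf_t:s0 tclass=dir'

# resolve_bool NAME [LIST]: print the boolean present in LIST (default: live
# `getsebool -a` output), trying NAME and then allow_NAME; exit 1 if neither exists.
resolve_bool() {
    name=$1
    list=${2:-$(getsebool -a 2>/dev/null || true)}
    for candidate in "$name" "allow_$name"; do
        if printf '%s\n' "$list" | grep -q "^$candidate -->"; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# set_bool NAME VALUE: persistently set the boolean under whichever name exists,
# failing with a clear message instead of libsemanage's "record not found".
# Needs setsebool and root; not exercised by the offline demonstration.
set_bool() {
    real=$(resolve_bool "$1") || {
        echo "neither $1 nor allow_$1 exists in the loaded policy" >&2
        return 1
    }
    setsebool -P "$real" "$2"
}

# avc_field LINE KEY: the value of KEY=value (or KEY="value") in an AVC record.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perm LINE: the denied permission listed inside { }.
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*{ \([^}]*\) }.*/\1/p'
}

# avc_allow_rule LINE: the TE rule that would grant exactly this denial, in the
# form audit2allow prints it: source type, target type:class, permission.
# The third colon-separated field of a context is its type.
avc_allow_rule() {
    src=$(avc_field "$1" scontext | cut -d: -f3)
    tgt=$(avc_field "$1" tcontext | cut -d: -f3)
    cls=$(avc_field "$1" tclass)
    perm=$(avc_perm "$1")
    printf 'allow %s %s:%s %s;\n' "$src" "$tgt" "$cls" "$perm"
}

# Demonstration on the constructed data (no SELinux tooling needed):
echo "boolean present in this policy: $(resolve_bool zebra_write_config "$SAMPLE_BOOLS")"
echo "denied: $(avc_field "$SAMPLE_AVC" comm) creating $(avc_field "$SAMPLE_AVC" name)"
echo "rule audit2allow would generate: $(avc_allow_rule "$SAMPLE_AVC")"
```

On the host in the thread, `set_bool zebra_write_config 1` would fall back to allow_zebra_write_config (already on there), and avc_allow_rule reproduces the `allow zebra_t zebra_conf_t:dir add_name;` line from the quoted audit2allow output: zebra_t asking to create an entry (the temporary zebra.conf.XXXXXX) in a zebra_conf_t directory. Reading the rule this way is the check worth doing before `audit2allow -M` and `semodule -i`: a local module is a permanent widening of zebra_t for every file of that type, so where the policy offers a boolean for the access, the boolean is the better fix, and where no boolean exists, as Dan says is the case on RHEL5, the rule should be kept as narrow as the denial it answers.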