On Thu, Mar 6, 2014 at 7:07 PM, SilverTip257 <silvertip257 at gmail.com> wrote: > On Wed, Mar 5, 2014 at 10:19 AM, Daniel J Walsh <dwalsh at redhat.com> wrote: > >> >> ... >> If you want to allow zebra daemon to write it configuration >> files, you >> must turn on the zebra_write_config boolean. Disabled by default. >> >> setsebool -P zebra_write_config 1 >> > > // before > ~]# getsebool -a | grep zebra > allow_zebra_write_config --> on > zebra_disable_trans --> off > > Apparently the command from the Bugzilla ticket I linked to earlier took > and already had allow_zebra_write_config enabled. > setsebool -P allow_zebra_write_config=1 > > // trying to set that selinux boolean comes back with > ~]# setsebool -P zebra_write_config 1 > libsemanage.dbase_llist_set: record not found in the database > libsemanage.dbase_llist_set: could not set record value > Could not change boolean zebra_write_config > Could not change policy booleans > * What should I try next after this failure? > > ~]# tail /var/log/audit/audit.log | grep zebra | audit2why > ... > type=AVC msg=audit(1394150156.203:30): avc: denied { add_name } for > pid=3111 comm="zebra" name="zebra.conf.fT434c" > scontext=root:system_r:zebra_t:s0 > tcontext=system_u:object_r:zebra_conf_t:s0 tclass=dir > Was caused by: > Missing or disabled TE allow rule. > Allow rules may exist but be disabled by boolean settings; > check boolean settings. > You can see the necessary allow rules by running > audit2allow with this audit message as input. > > ~]# tail /var/log/audit/audit.log | grep zebra | audit2allow > > > #============= zebra_t ============== > allow zebra_t zebra_conf_t:dir add_name; > > * So I'm at the point where I may just as well create a custom policy file? I plan on following the steps on the wiki (unless there's a better source/write-up). http://wiki.centos.org/HowTos/SELinux Looks like this will be a fun one ... I'll have rules for each routing daemon to create. [At least that's the impression I got from mailing lists/bug tickets.] Thanks, -- ---~~.~~--- Mike // SilverTip257 //