[CentOS] CentOS 5 + Quagga + SELinux

Sat Mar 8 02:53:51 UTC 2014
SilverTip257 <silvertip257 at gmail.com>

On Thu, Mar 6, 2014 at 7:07 PM, SilverTip257 <silvertip257 at gmail.com> wrote:

> On Wed, Mar 5, 2014 at 10:19 AM, Daniel J Walsh <dwalsh at redhat.com> wrote:
>
>>
>> ...
>>        If  you want to allow zebra daemon to write it configuration
>> files, you
>>        must turn on the zebra_write_config boolean. Disabled by default.
>>
>>        setsebool -P zebra_write_config 1
>>
>
> // before
> ~]# getsebool -a | grep zebra
> allow_zebra_write_config --> on
> zebra_disable_trans --> off
>
> Apparently the command from the Bugzilla ticket I linked to earlier took
> and already had allow_zebra_write_config enabled.
> setsebool -P allow_zebra_write_config=1
>
> // trying to set that selinux boolean comes back with
> ~]# setsebool -P zebra_write_config 1
> libsemanage.dbase_llist_set: record not found in the database
> libsemanage.dbase_llist_set: could not set record value
> Could not change boolean zebra_write_config
> Could not change policy booleans
>

* What should I try next after this failure?


>
> ~]# tail /var/log/audit/audit.log | grep zebra | audit2why
> ...
> type=AVC msg=audit(1394150156.203:30): avc:  denied  { add_name } for
>  pid=3111 comm="zebra" name="zebra.conf.fT434c"
> scontext=root:system_r:zebra_t:s0
> tcontext=system_u:object_r:zebra_conf_t:s0 tclass=dir
>         Was caused by:
>                 Missing or disabled TE allow rule.
>                 Allow rules may exist but be disabled by boolean settings;
> check boolean settings.
>                 You can see the necessary allow rules by running
> audit2allow with this audit message as input.
>
> ~]# tail /var/log/audit/audit.log | grep zebra | audit2allow
>
>
> #============= zebra_t ==============
> allow zebra_t zebra_conf_t:dir add_name;
>
>
* So I'm at the point where I may just as well create a custom policy file?

I plan on following the steps on the wiki (unless there's a better
source/write-up).
http://wiki.centos.org/HowTos/SELinux

Looks like this will be a fun one ... I'll have rules for each routing
daemon to create.
[At least that's the impression I got from mailing lists/bug tickets.]


Thanks,
-- 
---~~.~~---
Mike
//  SilverTip257  //