[CentOS] CentOS 5 + Quagga + SELinux
Daniel J Walsh
dwalsh at redhat.com
Wed Mar 5 15:18:59 UTC 2014
On 03/04/2014 07:56 PM, SilverTip257 wrote:
> Hello All,
>
> Does anyone happen to be running Quagga on CentOS 5 with SELinux in
> enforcing mode? Have you had to create SELinux policies or did it "just
> work" out of the box?
>
> (I'll get around to building this out on CentOS 6 as well.)
>
> I'm simply trying to write my config (for the zebra daemon) and it can't
> be written...
>
>
> Looks like this bug from Fedora 8 in 2008 [0] remains (or one similar to
> it spawned). And the problem was present in 2010 per the CentOS forums
> [1].
>
> I'm not opposed to creating SELinux policies and I may do just that (or
> run around in Permissive mode!). But it'd be awesome if upstream included
> policies for quagga since quagga is software they package.
>
> Maybe Dan Walsh will hop in on this. ;-)
>
> [0] https://bugzilla.redhat.com/show_bug.cgi?id=429252
> [1] https://www.centos.org/forums/viewtopic.php?t=21040
>
>
> type=AVC msg=audit(1393980136.848:15): avc: denied { add_name } for pid=2646 comm="zebra" name="zebra.conf.CxNsyz" scontext=root:system_r:zebra_t:s0 tcontext=system_u:object_r:zebra_conf_t:s0 tclass=dir
> type=SYSCALL msg=audit(1393980136.848:15): arch=40000003 syscall=5 success=no exit=-13 a0=8512960 a1=c2 a2=180 a3=1e6a6 items=0 ppid=1 pid=2646 auid=0 uid=92 gid=92 euid=92 suid=92 fsuid=92 egid=92 sgid=92 fsgid=92 tty=(none) ses=1 comm="zebra" exe="/usr/sbin/zebra" subj=root:system_r:zebra_t:s0 key=(null)
>
> ~]# ls -Z /etc/quagga/
> -rw-r--r-- root root system_u:object_r:zebra_conf_t bgpd.conf.sample
> -rw-r--r-- root root system_u:object_r:zebra_conf_t bgpd.conf.sample2
> -rw-r--r-- root root system_u:object_r:zebra_conf_t ospf6d.conf.sample
> -rw-r--r-- root root system_u:object_r:zebra_conf_t ospfd.conf.sample
> -rw-r--r-- root root system_u:object_r:zebra_conf_t ripd.conf.sample
> -rw-r--r-- root root system_u:object_r:zebra_conf_t ripngd.conf.sample
> -rw-r----- quagga quaggavt root:object_r:zebra_conf_t vtysh.conf
> -rwxr-x--- quagga quaggavt system_u:object_r:zebra_conf_t vtysh.conf.sample
> -rw------- quagga quagga root:object_r:zebra_conf_t zebra.conf
> -rw-r--r-- root root system_u:object_r:zebra_conf_t zebra.conf.sample
> -rw-r----- quagga quaggavt root:object_r:zebra_conf_t zebra.conf.sav
>
>
Does
setsebool -P zebra_write_conf 1
Fix your problem?
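
An added example, not part of the original message or of any CentOS or Quagga tooling: a small Python parser for the AVC denial format quoted in the thread. It groups denials by source type, target type and object class, which is the triage step before deciding between a boolean such as zebra_write_conf and a custom policy module. The function names and the abridged SYSCALL line are assumptions made for this sketch.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC record quoted in the thread, on one line as
# auditd writes it, followed by an abridged copy of its SYSCALL record.
SAMPLE = (
    'type=AVC msg=audit(1393980136.848:15): avc: denied { add_name } for '
    'pid=2646 comm="zebra" name="zebra.conf.CxNsyz" '
    'scontext=root:system_r:zebra_t:s0 '
    'tcontext=system_u:object_r:zebra_conf_t:s0 tclass=dir\n'
    'type=SYSCALL msg=audit(1393980136.848:15): arch=40000003 syscall=5 '
    'success=no exit=-13 comm="zebra" exe="/usr/sbin/zebra"\n'
)

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial record, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    if not {'scontext', 'tcontext', 'tclass'} <= fields.keys():
        return None
    src = fields['scontext'].split(':')
    tgt = fields['tcontext'].split(':')
    if len(src) < 3 or len(tgt) < 3:
        return None  # malformed context, skip rather than guess
    # A context is user:role:type[:level]; the type is the third component.
    fields['source_type'], fields['target_type'] = src[2], tgt[2]
    fields['perms'] = m.group('perms').split()
    return fields

def summarize(log_text):
    """Map (source type, target type, class) to the set of denied permissions."""
    summary = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (rec['source_type'], rec['target_type'], rec['tclass'])
            summary[key].update(rec['perms'])
    return dict(summary)

if __name__ == '__main__':
    for (src, tgt, cls), perms in summarize(SAMPLE).items():
        print(f"{src} -> {tgt} ({cls}): {' '.join(sorted(perms))}")
```

On the sample, the single summary row shows zebra_t being denied add_name on a zebra_conf_t directory, which matches the failed creation of the temporary file zebra.conf.CxNsyz in /etc/quagga.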