[CentOS] CentOS 5 + Quagga + SELinux

Wed Mar 5 15:18:59 UTC 2014
Daniel J Walsh <dwalsh at redhat.com>

On 03/04/2014 07:56 PM, SilverTip257 wrote:
> Hello All,
> 
> Does anyone happen to be running Quagga on CentOS 5 with SELinux in 
> enforcing mode? Have you had to create SELinux policies or did it "just
> work" out of the box?
> 
> (I'll get around to building this out on CentOS 6 as well.)
> 
> I'm simply trying to write my config (for the zebra daemon) and it can't
> be written...
> 
> 
> Looks like this bug from Fedora 8 in 2008 [0] remains (or one similar to
> it spawned). And the problem was present in 2010 per the CentOS forums
> [1].
> 
> I'm not opposed to creating SELinux policies and I may do just that (or
> run around in Permissive mode!).  But it'd be awesome if upstream included 
> policies for quagga since quagga is software they package.
> 
> Maybe Dan Walsh will hop in on this. ;-)
> 
> [0] https://bugzilla.redhat.com/show_bug.cgi?id=429252
> [1] https://www.centos.org/forums/viewtopic.php?t=21040
> 
> 
> type=AVC msg=audit(1393980136.848:15): avc:  denied  { add_name } for pid=2646 comm="zebra" name="zebra.conf.CxNsyz" scontext=root:system_r:zebra_t:s0 tcontext=system_u:object_r:zebra_conf_t:s0 tclass=dir
> type=SYSCALL msg=audit(1393980136.848:15): arch=40000003 syscall=5 success=no exit=-13 a0=8512960 a1=c2 a2=180 a3=1e6a6 items=0 ppid=1 pid=2646 auid=0 uid=92 gid=92 euid=92 suid=92 fsuid=92 egid=92 sgid=92 fsgid=92 tty=(none) ses=1 comm="zebra" exe="/usr/sbin/zebra" subj=root:system_r:zebra_t:s0 key=(null)
> 
> ~]# ls -Z /etc/quagga/
> -rw-r--r--  root   root     system_u:object_r:zebra_conf_t bgpd.conf.sample
> -rw-r--r--  root   root     system_u:object_r:zebra_conf_t bgpd.conf.sample2
> -rw-r--r--  root   root     system_u:object_r:zebra_conf_t ospf6d.conf.sample
> -rw-r--r--  root   root     system_u:object_r:zebra_conf_t ospfd.conf.sample
> -rw-r--r--  root   root     system_u:object_r:zebra_conf_t ripd.conf.sample
> -rw-r--r--  root   root     system_u:object_r:zebra_conf_t ripngd.conf.sample
> -rw-r-----  quagga quaggavt root:object_r:zebra_conf_t       vtysh.conf
> -rwxr-x---  quagga quaggavt system_u:object_r:zebra_conf_t vtysh.conf.sample
> -rw-------  quagga quagga   root:object_r:zebra_conf_t       zebra.conf
> -rw-r--r--  root   root     system_u:object_r:zebra_conf_t zebra.conf.sample
> -rw-r-----  quagga quaggavt root:object_r:zebra_conf_t       zebra.conf.sav
> 
> 
Does

setsebool -P zebra_write_conf 1

fix your problem?

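Added example, not part of the original messages: a small Python parser for the AVC denial quoted in this thread, which reduces it to source type, target type, object class and permission. The function names (parse_avc, summarize, allow_rule) are hypothetical, and the sample log is the thread's two audit records rejoined onto one line each.

```python
import re
from collections import defaultdict

# The two audit records quoted in the thread, each rejoined onto a single line.
SAMPLE_LOG = '''\
type=AVC msg=audit(1393980136.848:15): avc:  denied  { add_name } for pid=2646 comm="zebra" name="zebra.conf.CxNsyz" scontext=root:system_r:zebra_t:s0 tcontext=system_u:object_r:zebra_conf_t:s0 tclass=dir
type=SYSCALL msg=audit(1393980136.848:15): arch=40000003 syscall=5 success=no exit=-13 a0=8512960 a1=c2 a2=180 a3=1e6a6 items=0 ppid=1 pid=2646 auid=0 uid=92 gid=92 euid=92 suid=92 fsuid=92 egid=92 sgid=92 fsgid=92 tty=(none) ses=1 comm="zebra" exe="/usr/sbin/zebra" subj=root:system_r:zebra_t:s0 key=(null)
'''

# Header of an AVC denial: permissions in braces, then key=value pairs.
AVC_RE = re.compile(
    r'type=AVC msg=audit\([\d.]+:\d+\): avc:\s+denied\s+'
    r'\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def sel_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def parse_avc(line):
    """Parse one AVC denial line into a dict; return None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "source": sel_type(fields["scontext"]),
        "target": sel_type(fields["tcontext"]),
        "tclass": fields["tclass"],
    }

def summarize(log_text):
    """Group denials by (source type, target type, class) -> sorted permissions."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            grouped[(rec["source"], rec["target"], rec["tclass"])].update(rec["perms"])
    return {key: sorted(perms) for key, perms in grouped.items()}

def allow_rule(key, perms):
    """Render one grouped denial in policy allow-rule syntax, for reading only."""
    src, tgt, cls = key
    return f"allow {src} {tgt}:{cls} {{ {' '.join(perms)} }};"

if __name__ == "__main__":
    for key, perms in summarize(SAMPLE_LOG).items():
        print(allow_rule(key, perms))
```

The output names the denied access: zebra_t adding a directory entry (the temporary file zebra.conf.CxNsyz) in a directory labelled zebra_conf_t. The current state of the boolean suggested in the reply can be read with getsebool zebra_write_conf.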