On 03/06/2014 07:07 PM, SilverTip257 wrote:
> On Wed, Mar 5, 2014 at 10:19 AM, Daniel J Walsh <dwalsh at redhat.com> wrote:
>
>> man zebra_selinux
>>
>
> Thank you for the quick reply.
>
> ~]# man zebra_selinux
> No manual entry for zebra_selinux
>
> This is a rather basic (headless) install of CentOS 5.10 from the
> netinstall ISO. I haven't ripped out any default SELinux pieces, so should
> I really be missing that manpage?
>
> ~]# cat /etc/*ele*
> cat: /etc/lsb-release.d: Is a directory
> CentOS release 5.10 (Final)
>
> ~]# apropos selinux | egrep 'zebra|quagga'
>
> If I remove the pipe to egrep, I do see squid_selinux, for example.
>
>> ... If you want to allow the zebra daemon to write its configuration files,
>> you must turn on the zebra_write_config boolean. Disabled by default.
>>
>> setsebool -P zebra_write_config 1
>>
>
> // before
> ~]# getsebool -a | grep zebra
> allow_zebra_write_config --> on
> zebra_disable_trans --> off
>
> Apparently the command from the Bugzilla ticket I linked to earlier took
> and already had allow_zebra_write_config enabled.
> setsebool -P allow_zebra_write_config=1
>
> // trying to set that SELinux boolean comes back with
> ~]# setsebool -P zebra_write_config 1
> libsemanage.dbase_llist_set: record not found in the database
> libsemanage.dbase_llist_set: could not set record value
> Could not change boolean zebra_write_config
> Could not change policy booleans
>
> On an SELinux, but different, topic... I had to modify the user (role and
> type were right) to allow dnsmasq to write to /var/log/dnsmasq.log
> ~]# chcon -v --user=system_u --role=object_r --type=var_log_t /var/log/dnsmasq.log
> This may or may not be the best/proper way, but appears to have fixed the
> dnsmasq logging + SELinux clash.
>
> And now to apply that to my quagga/zebra + SELinux situation...
>
> // before
> ~]# ls -Z /etc/quagga/ | egrep '(zebra|vtysh)\.conf'
> -rw-r----- quagga quaggavt root:object_r:zebra_conf_t     vtysh.conf
> -rwxr-x--- quagga quaggavt system_u:object_r:zebra_conf_t vtysh.conf.sample
> -rw------- quagga quagga   root:object_r:zebra_conf_t     zebra.conf
> -rw-r--r-- root   root     system_u:object_r:zebra_conf_t zebra.conf.sample
> -rw-r----- quagga quaggavt root:object_r:zebra_conf_t     zebra.conf.sav
>
> ~]# chcon -v --user=system_u /etc/quagga/vtysh.conf /etc/quagga/zebra.conf /etc/quagga/zebra.conf.sav
>
> // after
> ~]# ls -Z /etc/quagga/ | egrep '(zebra|vtysh)\.conf'
> -rw-r----- quagga quaggavt system_u:object_r:zebra_conf_t vtysh.conf
> -rwxr-x--- quagga quaggavt system_u:object_r:zebra_conf_t vtysh.conf.sample
> -rw------- quagga quagga   system_u:object_r:zebra_conf_t zebra.conf
> -rw-r--r-- root   root     system_u:object_r:zebra_conf_t zebra.conf.sample
> -rw-r----- quagga quaggavt system_u:object_r:zebra_conf_t zebra.conf.sav
>
> // but no dice ...
> # write
> Building Configuration...
> Can't open configuration file /etc/quagga/zebra.conf.ZHwkuk.
> [OK]
>
> ~]# tail /var/log/audit/audit.log | grep zebra | audit2why
> ...
> type=AVC msg=audit(1394150156.203:30): avc: denied { add_name } for pid=3111 comm="zebra" name="zebra.conf.fT434c" scontext=root:system_r:zebra_t:s0 tcontext=system_u:object_r:zebra_conf_t:s0 tclass=dir
> 	Was caused by:
> 		Missing or disabled TE allow rule.
> 		Allow rules may exist but be disabled by boolean settings; check boolean settings.
> 		You can see the necessary allow rules by running audit2allow with this audit message as input.
>
> ~]# tail /var/log/audit/audit.log | grep zebra | audit2allow
>
> #============= zebra_t ==============
> allow zebra_t zebra_conf_t:dir add_name;
>
> What am I doing wrong here? (missing manpage, still AVC denied)
>
> I'm learning a thing or two about SELinux with each bump in the road it
> presents to me. Thanks for the help and for bearing with me.
> ;)

Introduced in RHEL6, not in RHEL5, sorry.
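As an added example (not part of this thread or of the SELinux tooling), here is a small POSIX sh triage helper that pulls the source domain, target type, object class and denied permission out of an AVC record like the one quoted above, then lists the `getsebool -a` lines whose boolean name carries the domain's stem, so a release-specific prefix (allow_zebra_write_config on this CentOS 5 box versus zebra_write_config) is found either way. The AVC line and the boolean listing are constructed copies of what the thread shows; the function names are my own.

```shell
#!/bin/sh
# Constructed copies of the records quoted in the thread (not live output).
AVC_LINE='type=AVC msg=audit(1394150156.203:30): avc: denied { add_name } for pid=3111 comm="zebra" name="zebra.conf.fT434c" scontext=root:system_r:zebra_t:s0 tcontext=system_u:object_r:zebra_conf_t:s0 tclass=dir'
BOOLS='allow_zebra_write_config --> on
zebra_disable_trans --> off
squid_connect_any --> off'

# avc_field LINE KEY: value of KEY=value in an audit record, quotes dropped.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[ :]$2=\([^ ]*\).*/\1/p" | tr -d '"'
}

# avc_perms LINE: the permission list inside "denied { ... } for".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \(.*\) } for.*/\1/p'
}

# ctx_type CONTEXT: the type field of a user:role:type:level context.
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# domain_stem TYPE: zebra_t -> zebra, the stem used in boolean names.
domain_stem() { printf '%s\n' "$1" | sed 's/_t$//'; }

# avc_summary LINE: "source_type target_type class perms" on one line, i.e.
# which domain was refused which permission on which kind of object.
avc_summary() {
    _src=$(ctx_type "$(avc_field "$1" scontext)")
    _tgt=$(ctx_type "$(avc_field "$1" tcontext)")
    printf '%s %s %s %s\n' "$_src" "$_tgt" "$(avc_field "$1" tclass)" "$(avc_perms "$1")"
}

# related_booleans BOOLS LINE: getsebool -a lines whose name contains the
# source domain's stem, whatever prefix this release's policy uses.
related_booleans() {
    _stem=$(domain_stem "$(ctx_type "$(avc_field "$2" scontext)")")
    printf '%s\n' "$1" | grep -- "$_stem"
}

avc_summary "$AVC_LINE"
related_booleans "$BOOLS" "$AVC_LINE"
```

On a live box the same functions take `grep avc /var/log/audit/audit.log` lines and `getsebool -a` output in place of the constructed strings.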