Hello All,

Does anyone happen to be running Quagga on CentOS 5 with SELinux in enforcing mode? Have you had to create SELinux policies or did it "just work" out of the box?

(I'll get around to building this out on CentOS 6 as well.)

I'm simply trying to write my config (for the zebra daemon) and it can't be written...

Looks like this bug from Fedora 8 in 2008 [0] remains (or one similar to it spawned). And the problem was present in 2010 per the CentOS forums [1].

I'm not opposed to creating SELinux policies and I may do just that (or run around in Permissive mode!). But it'd be awesome if upstream included policies for quagga since quagga is software they package.

Maybe Dan Walsh will hop in on this. ;-)

[0] https://bugzilla.redhat.com/show_bug.cgi?id=429252
[1] https://www.centos.org/forums/viewtopic.php?t=21040

type=AVC msg=audit(1393980136.848:15): avc: denied { add_name } for pid=2646 comm="zebra" name="zebra.conf.CxNsyz" scontext=root:system_r:zebra_t:s0 tcontext=system_u:object_r:zebra_conf_t:s0 tclass=dir
type=SYSCALL msg=audit(1393980136.848:15): arch=40000003 syscall=5 success=no exit=-13 a0=8512960 a1=c2 a2=180 a3=1e6a6 items=0 ppid=1 pid=2646 auid=0 uid=92 gid=92 euid=92 suid=92 fsuid=92 egid=92 sgid=92 fsgid=92 tty=(none) ses=1 comm="zebra" exe="/usr/sbin/zebra" subj=root:system_r:zebra_t:s0 key=(null)

~]# ls -Z /etc/quagga/
-rw-r--r-- root   root     system_u:object_r:zebra_conf_t bgpd.conf.sample
-rw-r--r-- root   root     system_u:object_r:zebra_conf_t bgpd.conf.sample2
-rw-r--r-- root   root     system_u:object_r:zebra_conf_t ospf6d.conf.sample
-rw-r--r-- root   root     system_u:object_r:zebra_conf_t ospfd.conf.sample
-rw-r--r-- root   root     system_u:object_r:zebra_conf_t ripd.conf.sample
-rw-r--r-- root   root     system_u:object_r:zebra_conf_t ripngd.conf.sample
-rw-r----- quagga quaggavt root:object_r:zebra_conf_t     vtysh.conf
-rwxr-x--- quagga quaggavt system_u:object_r:zebra_conf_t vtysh.conf.sample
-rw------- quagga quagga   root:object_r:zebra_conf_t     zebra.conf
-rw-r--r-- root   root     system_u:object_r:zebra_conf_t zebra.conf.sample
-rw-r----- quagga quaggavt root:object_r:zebra_conf_t     zebra.conf.sav

--
---~~.~~---
Mike
// SilverTip257 //

On 03/04/2014 07:56 PM, SilverTip257 wrote:
> Hello All,
>
> Does anyone happen to be running Quagga on CentOS 5 with SELinux in enforcing mode? Have you had to create SELinux policies or did it "just work" out of the box?
>
> (I'll get around to building this out on CentOS 6 as well.)
>
> I'm simply trying to write my config (for the zebra daemon) and it can't be written...
>
> Looks like this bug from Fedora 8 in 2008 [0] remains (or one similar to it spawned). And the problem was present in 2010 per the CentOS forums [1].
>
> I'm not opposed to creating SELinux policies and I may do just that (or run around in Permissive mode!). But it'd be awesome if upstream included policies for quagga since quagga is software they package.
>
> Maybe Dan Walsh will hop in on this. ;-)
>
> [0] https://bugzilla.redhat.com/show_bug.cgi?id=429252
> [1] https://www.centos.org/forums/viewtopic.php?t=21040
>
> type=AVC msg=audit(1393980136.848:15): avc: denied { add_name } for pid=2646 comm="zebra" name="zebra.conf.CxNsyz" scontext=root:system_r:zebra_t:s0 tcontext=system_u:object_r:zebra_conf_t:s0 tclass=dir
> type=SYSCALL msg=audit(1393980136.848:15): arch=40000003 syscall=5 success=no exit=-13 a0=8512960 a1=c2 a2=180 a3=1e6a6 items=0 ppid=1 pid=2646 auid=0 uid=92 gid=92 euid=92 suid=92 fsuid=92 egid=92 sgid=92 fsgid=92 tty=(none) ses=1 comm="zebra" exe="/usr/sbin/zebra" subj=root:system_r:zebra_t:s0 key=(null)
>
> ~]# ls -Z /etc/quagga/
> -rw-r--r-- root   root     system_u:object_r:zebra_conf_t bgpd.conf.sample
> -rw-r--r-- root   root     system_u:object_r:zebra_conf_t bgpd.conf.sample2
> -rw-r--r-- root   root     system_u:object_r:zebra_conf_t ospf6d.conf.sample
> -rw-r--r-- root   root     system_u:object_r:zebra_conf_t ospfd.conf.sample
> -rw-r--r-- root   root     system_u:object_r:zebra_conf_t ripd.conf.sample
> -rw-r--r-- root   root     system_u:object_r:zebra_conf_t ripngd.conf.sample
> -rw-r----- quagga quaggavt root:object_r:zebra_conf_t     vtysh.conf
> -rwxr-x--- quagga quaggavt system_u:object_r:zebra_conf_t vtysh.conf.sample
> -rw------- quagga quagga   root:object_r:zebra_conf_t     zebra.conf
> -rw-r--r-- root   root     system_u:object_r:zebra_conf_t zebra.conf.sample
> -rw-r----- quagga quaggavt root:object_r:zebra_conf_t     zebra.conf.sav

Does

setsebool -P zebra_write_conf 1

Fix your problem?

On 03/04/2014 07:56 PM, SilverTip257 wrote:
> Hello All,
>
> Does anyone happen to be running Quagga on CentOS 5 with SELinux in enforcing mode? Have you had to create SELinux policies or did it "just work" out of the box?
>
> (I'll get around to building this out on CentOS 6 as well.)
>
> I'm simply trying to write my config (for the zebra daemon) and it can't be written...
>
> Looks like this bug from Fedora 8 in 2008 [0] remains (or one similar to it spawned). And the problem was present in 2010 per the CentOS forums [1].
>
> I'm not opposed to creating SELinux policies and I may do just that (or run around in Permissive mode!). But it'd be awesome if upstream included policies for quagga since quagga is software they package.
>
> Maybe Dan Walsh will hop in on this. ;-)
>
> [0] https://bugzilla.redhat.com/show_bug.cgi?id=429252
> [1] https://www.centos.org/forums/viewtopic.php?t=21040
>
> type=AVC msg=audit(1393980136.848:15): avc: denied { add_name } for pid=2646 comm="zebra" name="zebra.conf.CxNsyz" scontext=root:system_r:zebra_t:s0 tcontext=system_u:object_r:zebra_conf_t:s0 tclass=dir
> type=SYSCALL msg=audit(1393980136.848:15): arch=40000003 syscall=5 success=no exit=-13 a0=8512960 a1=c2 a2=180 a3=1e6a6 items=0 ppid=1 pid=2646 auid=0 uid=92 gid=92 euid=92 suid=92 fsuid=92 egid=92 sgid=92 fsgid=92 tty=(none) ses=1 comm="zebra" exe="/usr/sbin/zebra" subj=root:system_r:zebra_t:s0 key=(null)
>
> ~]# ls -Z /etc/quagga/
> -rw-r--r-- root   root     system_u:object_r:zebra_conf_t bgpd.conf.sample
> -rw-r--r-- root   root     system_u:object_r:zebra_conf_t bgpd.conf.sample2
> -rw-r--r-- root   root     system_u:object_r:zebra_conf_t ospf6d.conf.sample
> -rw-r--r-- root   root     system_u:object_r:zebra_conf_t ospfd.conf.sample
> -rw-r--r-- root   root     system_u:object_r:zebra_conf_t ripd.conf.sample
> -rw-r--r-- root   root     system_u:object_r:zebra_conf_t ripngd.conf.sample
> -rw-r----- quagga quaggavt root:object_r:zebra_conf_t     vtysh.conf
> -rwxr-x--- quagga quaggavt system_u:object_r:zebra_conf_t vtysh.conf.sample
> -rw------- quagga quagga   root:object_r:zebra_conf_t     zebra.conf
> -rw-r--r-- root   root     system_u:object_r:zebra_conf_t zebra.conf.sample
> -rw-r----- quagga quaggavt root:object_r:zebra_conf_t     zebra.conf.sav

man zebra_selinux

...

If you want to allow zebra daemon to write it configuration files, you must turn on the zebra_write_config boolean. Disabled by default.

setsebool -P zebra_write_config 1
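
An added example (not part of the thread, and not code from Quagga or CentOS): a small Python parser that reduces AVC records like the one quoted above to source type, target type, class and permission, and flags write-type denials on targets whose type ends in _conf_t, the case the zebra_write_config boolean from the last reply covers. The function names, the _conf_t heuristic, the abridged SYSCALL line and the third log record are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: line 1 is the AVC record quoted in the thread, line 2 is
# its SYSCALL record (abridged), line 3 is a made-up denial (hypothetical type
# example_t) that should not be flagged.
SAMPLE_AUDIT_LOG = "\n".join([
    'type=AVC msg=audit(1393980136.848:15): avc:  denied  { add_name } for  pid=2646 comm="zebra" name="zebra.conf.CxNsyz" scontext=root:system_r:zebra_t:s0 tcontext=system_u:object_r:zebra_conf_t:s0 tclass=dir',
    'type=SYSCALL msg=audit(1393980136.848:15): arch=40000003 syscall=5 success=no exit=-13 comm="zebra" exe="/usr/sbin/zebra"',
    'type=AVC msg=audit(1393980200.100:16): avc:  denied  { read } for  pid=2646 comm="zebra" name="example.txt" scontext=root:system_r:zebra_t:s0 tcontext=system_u:object_r:example_t:s0 tclass=file',
])

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumption: permissions treated as "modifies the target" for dirs and files.
WRITE_PERMS = {"write", "append", "create", "add_name", "remove_name",
               "rename", "unlink", "setattr"}

def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else None

def parse_avc(line):
    """Parse one audit line; return a dict for AVC denials, None otherwise."""
    m = AVC_RE.search(line) if line.startswith("type=AVC") else None
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {"perms": m.group("perms").split(), "comm": kv.get("comm"),
            "name": kv.get("name"), "tclass": kv.get("tclass"),
            "source_type": context_type(kv.get("scontext", "")),
            "target_type": context_type(kv.get("tcontext", ""))}

def summarize(log_text):
    """Count denials per (source type, target type, class, permission)."""
    counts = Counter()
    for d in filter(None, map(parse_avc, log_text.splitlines())):
        for perm in d["perms"]:
            counts[(d["source_type"], d["target_type"], d["tclass"], perm)] += 1
    return counts

def conf_write_denials(counts):
    """Heuristic (assumption): write-type denials on a *_conf_t target."""
    return sorted(k for k in counts
                  if k[3] in WRITE_PERMS and (k[1] or "").endswith("_conf_t"))

if __name__ == "__main__":
    for src, tgt, cls, perm in conf_write_denials(summarize(SAMPLE_AUDIT_LOG)):
        print(f"{src} denied {perm} on {tgt}:{cls} -> check for a boolean "
              f"(getsebool -a) before writing custom policy")
```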