On 03/04/2014 07:56 PM, SilverTip257 wrote:
> Hello All,
>
> Does anyone happen to be running Quagga on CentOS 5 with SELinux in
> enforcing mode? Have you had to create SELinux policies or did it "just
> work" out of the box?
>
> (I'll get around to building this out on CentOS 6 as well.)
>
> I'm simply trying to write my config (for the zebra daemon) and it can't
> be written...
>
> Looks like this bug from Fedora 8 in 2008 [0] remains (or one similar to
> it spawned). And the problem was present in 2010 per the CentOS forums
> [1].
>
> I'm not opposed to creating SELinux policies and I may do just that (or
> run around in Permissive mode!). But it'd be awesome if upstream included
> policies for quagga since quagga is software they package.
>
> Maybe Dan Walsh will hop in on this. ;-)
>
> [0] https://bugzilla.redhat.com/show_bug.cgi?id=429252
> [1] https://www.centos.org/forums/viewtopic.php?t=21040
>
> type=AVC msg=audit(1393980136.848:15): avc: denied { add_name } for pid=2646 comm="zebra" name="zebra.conf.CxNsyz" scontext=root:system_r:zebra_t:s0 tcontext=system_u:object_r:zebra_conf_t:s0 tclass=dir
> type=SYSCALL msg=audit(1393980136.848:15): arch=40000003 syscall=5 success=no exit=-13 a0=8512960 a1=c2 a2=180 a3=1e6a6 items=0 ppid=1 pid=2646 auid=0 uid=92 gid=92 euid=92 suid=92 fsuid=92 egid=92 sgid=92 fsgid=92 tty=(none) ses=1 comm="zebra" exe="/usr/sbin/zebra" subj=root:system_r:zebra_t:s0 key=(null)
>
> ~]# ls -Z /etc/quagga/
> -rw-r--r-- root   root     system_u:object_r:zebra_conf_t bgpd.conf.sample
> -rw-r--r-- root   root     system_u:object_r:zebra_conf_t bgpd.conf.sample2
> -rw-r--r-- root   root     system_u:object_r:zebra_conf_t ospf6d.conf.sample
> -rw-r--r-- root   root     system_u:object_r:zebra_conf_t ospfd.conf.sample
> -rw-r--r-- root   root     system_u:object_r:zebra_conf_t ripd.conf.sample
> -rw-r--r-- root   root     system_u:object_r:zebra_conf_t ripngd.conf.sample
> -rw-r----- quagga quaggavt root:object_r:zebra_conf_t vtysh.conf
> -rwxr-x--- quagga quaggavt system_u:object_r:zebra_conf_t vtysh.conf.sample
> -rw------- quagga quagga   root:object_r:zebra_conf_t zebra.conf
> -rw-r--r-- root   root     system_u:object_r:zebra_conf_t zebra.conf.sample
> -rw-r----- quagga quaggavt root:object_r:zebra_conf_t zebra.conf.sav

man zebra_selinux

...

If you want to allow zebra daemon to write it configuration files, you must turn on the zebra_write_config boolean. Disabled by default.

setsebool -P zebra_write_config 1
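
Added example, not part of the original thread or of the Quagga or CentOS packages: a small triage helper that reduces AVC records like the one quoted above to source type, target type, class and permissions, and points to the boolean named in the reply when the denial is zebra writing its own config. The function names and the list of permissions treated as a "config write" are assumptions of this example; the boolean name is the one given in the reply, and the last function confirms it exists in the loaded policy before changing it.

```shell
# Constructed sample: the AVC record quoted in the post, on one line.
SAMPLE_AVC='type=AVC msg=audit(1393980136.848:15): avc: denied { add_name } for pid=2646 comm="zebra" name="zebra.conf.CxNsyz" scontext=root:system_r:zebra_t:s0 tcontext=system_u:object_r:zebra_conf_t:s0 tclass=dir'

# Print "source_type target_type class perms" for each AVC denial on stdin.
avc_summary() {
    awk '
    /avc:/ && /denied/ {
        perms = ""; s = ""; t = ""; c = ""
        if (match($0, /[{][^}]*[}]/)) {
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms); gsub(/ +/, ",", perms)
        }
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); s = a[3] }
            if ($i ~ /^tcontext=/) { split(substr($i, 10), a, ":"); t = a[3] }
            if ($i ~ /^tclass=/)   { c = substr($i, 8) }
        }
        print s, t, c, perms
    }'
}

# Map each summary line to advice. Only the rule from the reply is encoded:
# zebra_t writing under zebra_conf_t is governed by zebra_write_config.
# The permission list below is this example's assumption of "a config write".
avc_advice() {
    while read -r src tgt class perms; do
        case "$src:$tgt:$class" in
            zebra_t:zebra_conf_t:dir|zebra_t:zebra_conf_t:file)
                case ",$perms," in
                    *,write,*|*,add_name,*|*,remove_name,*|*,create,*|*,unlink,*|*,rename,*)
                        echo "boolean:zebra_write_config"; continue ;;
                esac ;;
        esac
        echo "review:${src}->${tgt}:${class}{${perms}}"
    done
}

# Confirm the boolean exists in the loaded policy, then set it persistently.
enable_zebra_write_config() {
    getsebool zebra_write_config >/dev/null 2>&1 || {
        echo "zebra_write_config not in loaded policy; check: getsebool -a | grep zebra" >&2
        return 1
    }
    setsebool -P zebra_write_config 1
}

printf '%s\n' "$SAMPLE_AVC" | avc_summary | avc_advice
```

On a live host the same pipeline can be fed from the audit log, for example `ausearch -m avc -c zebra | avc_summary | avc_advice`; anything reported as `review:` falls outside the boolean and needs a look before any policy is written.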