Bug 1204920

Summary: SELinux prevents quagga from writing its config
Product: Red Hat Enterprise Linux 7
Reporter: William Taylor <williamt>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED NOTABUG
QA Contact: Milos Malik <mmalik>
Severity: urgent
Docs Contact:
Priority: unspecified
Version: 7.0
CC: lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde
Target Milestone: rc
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-04-09 09:02:32 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description William Taylor 2015-03-23 18:36:52 UTC
Description of problem:
When you try to save your config inside vtysh with the write command, SELinux denies it.


Version-Release number of selected component (if applicable):

selinux-policy-targeted-3.12.1-153.el7_0.13.noarch
selinux-policy-3.12.1-153.el7_0.13.noarch
quagga-0.99.22.4-4.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. install quagga
2. start zebra, bgpd
3. enter console with vtysh
4. type "write" and press enter

Actual results:
Quagga cannot save its config files

Expected results:
Quagga should be able to save its config files

Additional info:
# grep quagga /var/log/audit/audit.log 
type=AVC msg=audit(1427132821.768:4684): avc:  denied  { write } for  pid=25684 comm="zebra" name="quagga" dev="dm-1" ino=134467108 scontext=system_u:system_r:zebra_t:s0 tcontext=system_u:object_r:zebra_conf_t:s0 tclass=dir
type=AVC msg=audit(1427132821.769:4685): avc:  denied  { write } for  pid=25686 comm="bgpd" name="quagga" dev="dm-1" ino=134467108 scontext=system_u:system_r:zebra_t:s0 tcontext=system_u:object_r:zebra_conf_t:s0 tclass=dir

# ls -laZ /etc/quagga/  
drwxr-x---. quagga quagga   system_u:object_r:zebra_conf_t:s0 .
drwxr-xr-x. root   root     system_u:object_r:etc_t:s0       ..
-rw-r--r--. root   root     unconfined_u:object_r:zebra_conf_t:s0 bgpd.conf
-rw-r-----. quagga quaggavt unconfined_u:object_r:zebra_conf_t:s0 vtysh.conf
-rw-r-----. quagga quagga   unconfined_u:object_r:zebra_conf_t:s0 zebra.conf

# restorecon -R -v /etc/quagga                                  
# ls -laZ /etc/quagga/        
drwxr-x---. quagga quagga   system_u:object_r:zebra_conf_t:s0 .
drwxr-xr-x. root   root     system_u:object_r:etc_t:s0       ..
-rw-r--r--. root   root     unconfined_u:object_r:zebra_conf_t:s0 bgpd.conf
-rw-r-----. quagga quaggavt unconfined_u:object_r:zebra_conf_t:s0 vtysh.conf
-rw-r-----. quagga quagga   unconfined_u:object_r:zebra_conf_t:s0 zebra.conf

Comment 2 Milos Malik 2015-03-23 22:56:28 UTC
# getsebool zebra_write_config
zebra_write_config --> off
# vtysh 

Hello, this is Quagga (version 0.99.22.4).
Copyright 1996-2005 Kunihiro Ishiguro, et al.

rhel71.localdomain# write
Building Configuration...
Can't open configuration file /etc/quagga/zebra.conf.93FuHC.
Can't open configuration file /etc/quagga/bgpd.conf.7sj2bD.
[OK]
# 

If you enable the zebra_write_config boolean then bgpd and zebra will be able to write their configuration files.

# getsebool zebra_write_config
zebra_write_config --> on
# vtysh 

Hello, this is Quagga (version 0.99.22.4).
Copyright 1996-2005 Kunihiro Ishiguro, et al.

rhel71.localdomain# write
Building Configuration...
Configuration saved to /etc/quagga/zebra.conf
Can't backup old configuration file /etc/quagga/bgpd.conf.sav.
[OK]
#
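
The triage shown in this comment (read the AVC records, see that zebra_t is denied write on zebra_conf_t, and map that to the zebra_write_config boolean) can be scripted so it runs over an audit.log excerpt offline. The following is an added example written for this page, not code from the bug report, Quagga or the selinux-policy package. It parses AVC records into fields, keeps only denials, and matches them against the one boolean this report documents (zebra_write_config governs writes by zebra_t to zebra_conf_t); the sample lines are copied from the description above plus one constructed non-AVC record, and the persistent `setsebool -P` form is assumed to be what an administrator would run after confirming the denial is expected.

```python
import re

# Sample audit records: the two AVC lines from this bug report, plus one
# constructed SYSCALL record to show that non-AVC lines are skipped.
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1427132821.768:4684): avc:  denied  { write } for  pid=25684 comm="zebra" '
    'name="quagga" dev="dm-1" ino=134467108 scontext=system_u:system_r:zebra_t:s0 '
    'tcontext=system_u:object_r:zebra_conf_t:s0 tclass=dir',
    'type=AVC msg=audit(1427132821.769:4685): avc:  denied  { write } for  pid=25686 comm="bgpd" '
    'name="quagga" dev="dm-1" ino=134467108 scontext=system_u:system_r:zebra_t:s0 '
    'tcontext=system_u:object_r:zebra_conf_t:s0 tclass=dir',
    # constructed, not from the report: the SYSCALL record that accompanies an AVC
    'type=SYSCALL msg=audit(1427132821.768:4684): arch=c000003e syscall=2 success=no exit=-13',
]

# Only the mapping this bug report documents: (source type, target type, permission, boolean).
KNOWN_BOOLEANS = [
    ('zebra_t', 'zebra_conf_t', 'write', 'zebra_write_config'),
]

AVC_RE = re.compile(
    r'type=AVC msg=(?P<event>audit\([^)]*\)): avc:\s+(?P<result>denied|granted)\s+'
    r'\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type field of an SELinux context (user:role:type[:range])."""
    return ctx.split(':')[2]


def parse_avc(line):
    """Parse one audit.log line; return a dict for AVC records, None otherwise."""
    m = AVC_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {
        'event': m.group('event'),
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'pid': fields.get('pid'),
        'comm': fields.get('comm'),
        'tclass': fields.get('tclass'),
        'stype': context_type(fields['scontext']),
        'ttype': context_type(fields['tcontext']),
    }


def suggest_boolean(rec):
    """Name the documented boolean that covers this denial, or None if no mapping is known."""
    for stype, ttype, perm, boolean in KNOWN_BOOLEANS:
        if rec['stype'] == stype and rec['ttype'] == ttype and perm in rec['perms']:
            return boolean
    return None


def triage(lines):
    """Return the denied AVC records, each annotated with a suggested boolean."""
    report = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec['result'] != 'denied':
            continue
        rec['boolean'] = suggest_boolean(rec)
        report.append(rec)
    return report


def remediation(report):
    """Distinct persistent setsebool commands implied by the triage (assumed admin action)."""
    return sorted({"setsebool -P %s on" % r['boolean'] for r in report if r['boolean']})


if __name__ == '__main__':
    result = triage(SAMPLE_AUDIT_LINES)
    for r in result:
        print("%s pid=%s %s -> %s %s %s: boolean=%s" % (
            r['comm'], r['pid'], r['stype'], r['ttype'], r['tclass'],
            ' '.join(r['perms']), r['boolean'] or 'none (needs policy review)'))
    for cmd in remediation(result):
        print(cmd)
```

A denial whose source/target/permission triple is not in the table comes back with no boolean, which is the signal to read the domain's man page (here `man zebra_selinux`) or run the policy tooling rather than to loosen anything. On a real system the equivalent lookup is `audit2why`, which consults the loaded policy instead of a hand-kept table.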

Comment 3 William Taylor 2015-03-23 22:59:21 UTC
Why is it by default not allowed to write its config?

Comment 4 Miroslav Grepl 2015-04-09 09:02:32 UTC
We don't want to allow daemons to write their own config files by default if possible.

You can read more using

man zebra_selinux