Bug 429252

Summary: RIPd and zebra cannot save their configuration
Product: Fedora
Reporter: Tomasz Kepczynski <tomek>
Component: quagga
Assignee: Martin Nagy <mnagy>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 8
CC: dwalsh, hripps, infrastructure
Hardware: i386
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-01-22 10:08:54 UTC

Description Tomasz Kepczynski 2008-01-18 09:30:49 UTC
I am cloning the bug below for Fedora 8 as the functionality
is broken. My guess is that it was designed for a case
where quagga daemons write directly to the config file. Now
they first create a temporary file in /etc/quagga and that
operation is denied by selinux. See below:

gklab-59-001:~# telnet localhost6 ripngd
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused
Trying ::1...
Connected to localhost6.
Escape character is '^]'.

Hello, this is Quagga (version 0.99.9).
Copyright 1996-2005 Kunihiro Ishiguro, et al.


User Access Verification

Password:
gklab-59-001> enable
gklab-59-001# write file
Can't open configuration file /etc/quagga/ripngd.conf.PIlkEG.

No such problem with selinux permissive.

Currently used:
quagga-0.99.9-3.fc8.x86_64
selinux-policy-3.0.8-74.fc8.noarch

The boolean mentioned at the end of the original bug report is on:
gklab-59-001:~> getsebool  allow_zebra_write_config
allow_zebra_write_config --> on

+++ This bug was initially created as a clone of Bug #197195 +++

Description of problem:
RIPd cannot save its configuration when ordered to by
"write file" command.

Version-Release number of selected component (if applicable):
selinux-policy-2.2.43-4.fc5
selinux-policy-targeted-2.2.43-4.fc5
quagga-0.98.5-4

How reproducible:
always

Steps to Reproduce:
1. start ripd
2. connect to ripd: telnet localhost 2602
3. enter enable mode: enable
4. order it to write configuration to file: write file
  
Actual results:
ripd# write file
Can't open configuration file /etc/quagga/ripd.conf.zPv5wh.

Expected results:
ripd saves its configuration

Additional info:
This is probably due to selinux targeted policy.
ausearch -x ripd shows this:
time->Thu Jun 29 08:13:43 2006
type=PATH msg=audit(1151561623.801:1112): item=0
name="/etc/quagga/ripd.conf.zPv5wh" parent=2525226 dev=fd:00 mode=040751 ouid=92
ogid=92 rdev=00:00 obj=system_u:object_r:zebra_conf_t:s0
type=CWD msg=audit(1151561623.801:1112):  cwd="/"
type=SYSCALL msg=audit(1151561623.801:1112): arch=40000003 syscall=5 success=no
exit=-13 a0=88d51a0 a1=c2 a2=180 a3=4272f00 items=1 pid=11654 auid=43270 uid=92
gid=92 euid=92 suid=92 fsuid=92 egid=92 sgid=92 fsgid=92 tty=(none) comm="ripd"
exe="/usr/sbin/ripd" subj=user_u:system_r:zebra_t:s0
type=AVC msg=audit(1151561623.801:1112): avc:  denied  { write } for  pid=11654
comm="ripd" name="quagga" dev=dm-0 ino=2525226
scontext=user_u:system_r:zebra_t:s0 tcontext=system_u:object_r:zebra_conf_t:s0
tclass=dir

Please also note that on one system I was unable to connect to ripd at all
(zebra was OK), also due to selinux (the question is why, since both boxes
run FC5). If this is the case, try:
semanage port -a -t zebra_port_t -p tcp 2602

-- Additional comment from tomek on 2006-06-29 04:26 EST --
Zebra also has this problem:

gklab-59-001.igk.intel.com# write file
Can't open configuration file /etc/quagga/zebra.conf.J62Xgg.

gklab-59-001:/etc/quagga# ausearch -x zebra
----
time->Thu Jun 29 10:28:24 2006
type=PATH msg=audit(1151569704.894:101): item=0
name="/etc/quagga/zebra.conf.J62Xgg" parent=2525226 dev=fd:00 mode=040751
ouid=92 ogid=92 rdev=00:00 obj=system_u:object_r:zebra_conf_t:s0
type=CWD msg=audit(1151569704.894:101):  cwd="/"
type=SYSCALL msg=audit(1151569704.894:101): arch=40000003 syscall=5 success=no
exit=-13 a0=8054470 a1=c2 a2=180 a3=e9c5e items=1 pid=5347 auid=43270 uid=92
gid=92 euid=92 suid=92 fsuid=92 egid=92 sgid=92 fsgid=92 tty=(none) comm="zebra"
exe="/usr/sbin/zebra" subj=user_u:system_r:zebra_t:s0
type=AVC msg=audit(1151569704.894:101): avc:  denied  { write } for  pid=5347
comm="zebra" name="quagga" dev=dm-0 ino=2525226
scontext=user_u:system_r:zebra_t:s0 tcontext=system_u:object_r:zebra_conf_t:s0
tclass=dir

I guess that the rest of the daemons from the package also have this problem.

-- Additional comment from infrastructure on 2006-07-19 07:31 EST --
One possible workaround is to disable SELinux with "setenforce 0" before writing
the configuration and to enable it back with "setenforce 1" after, but this is far
from the best way to configure routers. It would be great to have a rule for
writing configuration in /usr/share/selinux/targeted/include/services/zebra.if


-- Additional comment from dwalsh on 2007-07-31 10:56 EST --
setsebool -P allow_zebra_write_config=1

This selinux boolean should allow zebra to write its config file

Comment 1 Daniel Walsh 2008-01-18 21:04:47 UTC
Are you sure? It works for me.  When I run your avc through audit2why it says it
should be allowed.

Try it again.

setsebool -P allow_zebra_write_config=1

to make sure policy builds and gets loaded.

Then run zebra.


Comment 2 Tomasz Kepczynski 2008-01-19 06:37:50 UTC
I did as you suggested, then tried to save configuration from
ripngd:

Raw Audit Messages

avc: denied { add_name } for comm=ripngd name=ripngd.conf.Alil2r pid=4085
scontext=unconfined_u:system_r:zebra_t:s0 tclass=dir
tcontext=system_u:object_r:zebra_conf_t:s0

(I skip the rest of the output of sealert as it does not follow the LANG setting
from the environment and prints in Polish...)

I also tried restorecon -rv /etc, and it did not help either.


Comment 3 Daniel Walsh 2008-01-21 20:15:50 UTC
You can allow this for now by executing 

# audit2allow -M mypol -i /var/log/audit/audit.log 
# semodule -i mypol.pp

Fixed in selinux-policy-3.0.8-79.fc8
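
A minimal stand-in for the audit2allow step above, added here as an example and not code from the bug report or the selinux-policy package: it parses the AVC denials quoted in this bug (both the raw auditd form and sealert's re-printed form, reproduced inline as a constructed sample) and merges them per (source type, target type, object class) into the allow rule a local policy module would need.

```python
"""Minimal audit2allow-style summariser for SELinux AVC denials."""
import re
from collections import defaultdict

# Constructed sample input. Lines 1 and 3 reproduce the two denials quoted in
# this bug (raw auditd form and sealert's re-printed form); line 2 is a
# non-AVC record that must be ignored.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1151561623.801:1112): avc:  denied  { write } for  pid=11654 comm="ripd" name="quagga" dev=dm-0 ino=2525226 scontext=user_u:system_r:zebra_t:s0 tcontext=system_u:object_r:zebra_conf_t:s0 tclass=dir
type=SYSCALL msg=audit(1151561623.801:1112): arch=40000003 syscall=5 success=no exit=-13 comm="ripd"
avc: denied { add_name } for comm=ripngd name=ripngd.conf.Alil2r pid=4085 scontext=unconfined_u:system_r:zebra_t:s0 tclass=dir tcontext=system_u:object_r:zebra_conf_t:s0
"""

_PERMS_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="value"

def parse_avc(line):
    """Parse one AVC denial line; return None for any other audit record."""
    m = _PERMS_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(line[m.end():])}
    if not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None
    return {
        "perms": set(m.group(1).split()),   # e.g. {"write"} or {"add_name"}
        "scontext": fields["scontext"],     # domain of the denied process
        "tcontext": fields["tcontext"],     # label of the object it touched
        "tclass": fields["tclass"],         # object class, "dir" in this bug
        "comm": fields.get("comm", "?"),
    }

def type_of(context):
    """user:role:type[:level] -> type component, e.g. zebra_t."""
    return context.split(":")[2]

def allow_rules(log_text):
    """Merge denials per (source type, target type, class) into allow rules."""
    needed = defaultdict(set)
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is not None:
            key = (type_of(d["scontext"]), type_of(d["tcontext"]), d["tclass"])
            needed[key] |= d["perms"]
    # Both denials in this bug collapse into one rule for the zebra_t domain.
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(needed.items())
    ]
```

Read the emitted rule before loading it with semodule: it grants the whole zebra_t domain write and add_name on every zebra_conf_t directory, which is the intended scope for this bug but is not something to install unread.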

Comment 4 Martin Nagy 2008-01-22 10:08:54 UTC
Closing as this is resolved in rawhide according to Daniel.