Bug 197195 - RIPd and zebra cannot save their configuration
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: quagga
Version: rawhide
Hardware: i386 Linux
Priority: medium
Severity: medium
Assigned To: Martin Bacovsky
Reported: 2006-06-29 02:09 EDT by Tomasz Kepczynski
Modified: 2007-11-30 17:11 EST
Last Closed: 2007-07-31 12:37:58 EDT
Description Tomasz Kepczynski 2006-06-29 02:09:13 EDT
Description of problem:
RIPd cannot save its configuration when ordered to by
"write file" command.

Version-Release number of selected component (if applicable):
selinux-policy-2.2.43-4.fc5
selinux-policy-targeted-2.2.43-4.fc5
quagga-0.98.5-4

How reproducible:
always

Steps to Reproduce:
1. start ripd
2. connect to ripd: telnet localhost 2602
3. enter enable mode: enable
4. order it to write configuration to file: write file
  
Actual results:
ripd# write file
Can't open configuration file /etc/quagga/ripd.conf.zPv5wh.

Expected results:
ripd saves its configuration

Additional info:
This is probably due to selinux targeted policy.
ausearch -x ripd shows this:
time->Thu Jun 29 08:13:43 2006
type=PATH msg=audit(1151561623.801:1112): item=0
name="/etc/quagga/ripd.conf.zPv5wh" parent=2525226 dev=fd:00 mode=040751 ouid=92
ogid=92 rdev=00:00 obj=system_u:object_r:zebra_conf_t:s0
type=CWD msg=audit(1151561623.801:1112):  cwd="/"
type=SYSCALL msg=audit(1151561623.801:1112): arch=40000003 syscall=5 success=no
exit=-13 a0=88d51a0 a1=c2 a2=180 a3=4272f00 items=1 pid=11654 auid=43270 uid=92
gid=92 euid=92 suid=92 fsuid=92 egid=92 sgid=92 fsgid=92 tty=(none) comm="ripd"
exe="/usr/sbin/ripd" subj=user_u:system_r:zebra_t:s0
type=AVC msg=audit(1151561623.801:1112): avc:  denied  { write } for  pid=11654
comm="ripd" name="quagga" dev=dm-0 ino=2525226
scontext=user_u:system_r:zebra_t:s0 tcontext=system_u:object_r:zebra_conf_t:s0
tclass=dir

Please also note that on one system I was also unable to connect to ripd
(zebra was OK), also due to selinux (the question is why, both boxes run
on FC5). If this is the case try:
semanage port -a -t zebra_port_t -p tcp 2602
Comment 1 Tomasz Kepczynski 2006-06-29 04:26:36 EDT
Zebra also has this problem:

gklab-59-001.igk.intel.com# write file
Can't open configuration file /etc/quagga/zebra.conf.J62Xgg.

gklab-59-001:/etc/quagga# ausearch -x zebra
----
time->Thu Jun 29 10:28:24 2006
type=PATH msg=audit(1151569704.894:101): item=0
name="/etc/quagga/zebra.conf.J62Xgg" parent=2525226 dev=fd:00 mode=040751
ouid=92 ogid=92 rdev=00:00 obj=system_u:object_r:zebra_conf_t:s0
type=CWD msg=audit(1151569704.894:101):  cwd="/"
type=SYSCALL msg=audit(1151569704.894:101): arch=40000003 syscall=5 success=no
exit=-13 a0=8054470 a1=c2 a2=180 a3=e9c5e items=1 pid=5347 auid=43270 uid=92
gid=92 euid=92 suid=92 fsuid=92 egid=92 sgid=92 fsgid=92 tty=(none) comm="zebra"
exe="/usr/sbin/zebra" subj=user_u:system_r:zebra_t:s0
type=AVC msg=audit(1151569704.894:101): avc:  denied  { write } for  pid=5347
comm="zebra" name="quagga" dev=dm-0 ino=2525226
scontext=user_u:system_r:zebra_t:s0 tcontext=system_u:object_r:zebra_conf_t:s0
tclass=dir

I guess that the rest of the daemons from the package also have this problem.
Comment 2 ValueCommerce Infrastructure Team 2006-07-19 07:31:34 EDT
One possible workaround is to disable SELinux with "setenforce 0" before writing
configuration and to enable it back with "setenforce 1" after, but this is far
from the best way to configure routers. It would be great to have a rule for
writing configuration in /usr/share/selinux/targeted/include/services/zebra.if
Comment 3 Daniel Walsh 2007-07-31 10:56:06 EDT
setsebool -P allow_zebra_write_config=1

This selinux boolean should allow zebra to write its config file
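
The ausearch output quoted in this report can be read mechanically. The following is an added example, not part of the original bug report or of quagga or the SELinux tooling: it re-joins the wrapped audit records, correlates them by event id, and shows that the denied write is on the /etc/quagga directory while ripd was creating a temporary file in it. It assumes a1 holds the open(2) flags on i386 (arch=40000003, syscall=5); the function names are hypothetical.

```python
import re

# Audit event excerpted from the ripd report above (CWD record omitted), wrapping kept.
SAMPLE = '''type=PATH msg=audit(1151561623.801:1112): item=0
name="/etc/quagga/ripd.conf.zPv5wh" parent=2525226 dev=fd:00 mode=040751 ouid=92
ogid=92 rdev=00:00 obj=system_u:object_r:zebra_conf_t:s0
type=SYSCALL msg=audit(1151561623.801:1112): arch=40000003 syscall=5 success=no
exit=-13 a0=88d51a0 a1=c2 a2=180 a3=4272f00 items=1 pid=11654 auid=43270 uid=92
gid=92 euid=92 suid=92 fsuid=92 egid=92 sgid=92 fsgid=92 tty=(none) comm="ripd"
exe="/usr/sbin/ripd" subj=user_u:system_r:zebra_t:s0
type=AVC msg=audit(1151561623.801:1112): avc:  denied  { write } for  pid=11654
comm="ripd" name="quagga" dev=dm-0 ino=2525226
scontext=user_u:system_r:zebra_t:s0 tcontext=system_u:object_r:zebra_conf_t:s0
tclass=dir
'''

# open(2) flag bits on i386; only meaningful for arch=40000003, syscall=5 as in the sample.
OPEN_FLAGS = {0x1: "O_WRONLY", 0x2: "O_RDWR", 0x40: "O_CREAT", 0x80: "O_EXCL"}

def join_records(text):
    records = []
    for line in text.splitlines():
        if line.startswith("type="):
            records.append(line)
        elif records and not line.startswith(("time->", "----")):  # wrapped continuation
            records[-1] += " " + line
    return records

def summarize(text):
    """Correlate AVC, SYSCALL and PATH records sharing one audit event id."""
    events = {}
    for rec in join_records(text):
        m = re.match(r"type=(\w+) msg=audit\(([\d.]+:\d+)\)", rec)
        if not m:
            continue
        fields = dict(re.findall(r'(\w+)="?([^\s"]+)"?', rec))
        if m.group(1) == "AVC":
            fields["perms"] = re.search(r"\{([^}]*)\}", rec).group(1).split()
        events.setdefault(m.group(2), {})[m.group(1)] = fields
    out = []
    for event_id, recs in events.items():
        if "AVC" not in recs:
            continue
        avc, sc, path = recs["AVC"], recs.get("SYSCALL", {}), recs.get("PATH", {})
        flags = int(sc.get("a1", "0"), 16)
        out.append({"event": event_id, "comm": avc["comm"], "denied": avc["perms"],
            "on": (avc["tclass"], avc["name"], avc["tcontext"]), "by": avc["scontext"],
            "path": path.get("name"), "exit": int(sc.get("exit", "0")),  # -13 is EACCES
            "open_flags": [n for b, n in OPEN_FLAGS.items() if flags & b]})
    return out
```

For the sample, the summary pairs the denied `write` on the `zebra_conf_t` directory with an `O_CREAT|O_EXCL` open of the temporary file, which is why the daemon reports that it cannot open a path that does not exist yet.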
