From 095fe159283925262b5268c63697fb0364a19ca6 Mon Sep 17 00:00:00 2001
From: Michal Ruprich
Date: Mon, 9 Sep 2024 16:11:57 +0200
Subject: [PATCH] Resolves: RHEL-56074 - frr AVCs after rebase to 10.1
---
 frr.fc | 1 +
 frr.spec | 7 +++++--
 frr.te | 10 +++++++---
 3 files changed, 13 insertions(+), 5 deletions(-)
diff --git a/frr.fc b/frr.fc
index 3724f47..881cfee 100644
--- a/frr.fc
+++ b/frr.fc
@@ -6,6 +6,7 @@
 /var/log/frr(/.*)? gen_context(system_u:object_r:frr_log_t,s0)
 /var/tmp/frr(/.*)? gen_context(system_u:object_r:frr_tmp_t,s0)
+/var/lib/frr(/.*)? gen_context(system_u:object_r:frr_var_lib_t,s0)
 /run/lock/subsys/bfdd -- gen_context(system_u:object_r:frr_lock_t,s0)
 /run/lock/subsys/bgpd -- gen_context(system_u:object_r:frr_lock_t,s0)
diff --git a/frr.spec b/frr.spec
index f5d9183..228cb54 100644
--- a/frr.spec
+++ b/frr.spec
@@ -9,7 +9,7 @@
 Name: frr
 Version: 10.1
-Release: 3%{?dist}
+Release: 4%{?dist}
 Summary: Routing daemon
 License: GPL-2.0-or-later AND ISC AND LGPL-2.0-or-later AND BSD-2-Clause AND BSD-3-Clause AND (GPL-2.0-or-later OR ISC) AND MIT
 URL: http://www.frrouting.org
@@ -117,7 +117,7 @@ autoreconf -ivf
  --sysconfdir=%{_sysconfdir}/frr \
  --libdir=%{_libdir}/frr \
  --libexecdir=%{_libexecdir}/frr \
- --localstatedir=/run/frr \
+ --localstatedir=/var \
  --enable-multipath=64 \
  --enable-vtysh=yes \
  --disable-ospfclient \
@@ -277,6 +277,9 @@ rm tests/lib/*grpc*
 %endif
 %changelog
+* Mon Sep 09 2024 Michal Ruprich - 10.1-4
+- Resolves: RHEL-56074 - frr AVCs after rebase to 10.1
+
 * Mon Aug 26 2024 Michal Ruprich - 10.1-3
 - Related: RHEL-55747 - Adding libs_manage_lib_dirs for handling lib_t
diff --git a/frr.te b/frr.te
index 34d6699..68af3e9 100644
--- a/frr.te
+++ b/frr.te
@@ -27,6 +27,9 @@ systemd_unit_file(frr_unit_file_t)
 type frr_var_run_t;
 files_pid_file(frr_var_run_t)
+type frr_var_lib_t;
+files_type(frr_var_lib_t)
+
 ########################################
 #
 # frr local policy
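Review bot: In the frr.spec configure hunk, `--localstatedir=/var` relocates the state directory that frr.fc now labels (`/var/lib/frr`), but no hunk in this patch packages that directory, so its owner and mode are left to whatever creates it at runtime. If the `%files` section (outside this diff) does not already list it, an explicit entry such as `%dir %attr(0750,<frr-user>,<frr-group>) %{_sharedstatedir}/frr` (mode and names are placeholders) would pin ownership and permissions at install time and let the directory be labelled from frr.fc. It is also worth confirming where the runtime directory now resolves, since it was previously given directly as `/run/frr`; if configure derives it from localstatedir, passing `--runstatedir` explicitly would keep sockets and pid files under the path the existing run-file contexts cover.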
@@ -54,6 +57,10 @@ manage_files_pattern(frr_t, frr_log_t, frr_log_t)
 manage_lnk_files_pattern(frr_t, frr_log_t, frr_log_t)
 logging_log_filetrans(frr_t, frr_log_t, { dir file lnk_file })
+manage_dirs_pattern(frr_t, frr_var_lib_t, frr_var_lib_t)
+manage_files_pattern(frr_t, frr_var_lib_t, frr_var_lib_t)
+files_var_lib_filetrans(frr_t, frr_var_lib_t, { dir file })
+
 allow frr_t frr_tmp_t:file map;
 manage_dirs_pattern(frr_t, frr_tmp_t, frr_tmp_t)
 manage_files_pattern(frr_t, frr_tmp_t, frr_tmp_t)
@@ -110,9 +117,6 @@ ipsec_domtrans_mgmt(frr_t)
 userdom_read_admin_home_files(frr_t)
-libs_delete_lib_symlinks(frr_t);
-libs_manage_lib_dirs(frr_t);
-
 optional_policy(`
 logging_send_syslog_msg(frr_t)
 ')
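Review bot: In the first frr.te hunk on this line, `files_var_lib_filetrans(frr_t, frr_var_lib_t, { dir file })` is an unnamed transition, so any directory or file frr_t creates directly in a var_lib_t directory becomes frr_var_lib_t. As the interface is defined in the reference policy, it also gives frr_t write access to the var_lib_t directory itself. Since frr.fc in this patch labels only `/var/lib/frr(/.*)?`, a named transition limited to that directory would be tighter: `files_var_lib_filetrans(frr_t, frr_var_lib_t, dir, "frr")`. If the package pre-creates /var/lib/frr, the transition may not be needed at all; that depends on spec sections outside this diff. The local-policy block this hunk sits in continues outside the hunk.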