From 16d43cc08d44870f5643ff40fd9be4fa195198de Mon Sep 17 00:00:00 2001 From: Zdenek Pytela Date: Fri, 19 Aug 2022 09:43:34 +0200 Subject: [PATCH] Allow frr daemons bind generic sockets to tcp ports The vrrpd and pathd daemons need to bind to ports 2619/tcp and 2621/tcp. This commit can be reverted if the inter-process communication changes to using unix sockets in the future. Addresses the following AVC denial: type=PROCTITLE msg=audit(08/10/2022 05:32:53.905:257) : proctitle=/usr/libexec/frr/pathd -d -F traditional -A 127.0.0.1 type=AVC msg=audit(08/10/2022 05:32:53.905:257) : avc: denied { name_bind } for pid=8625 comm=pathd src=2621 scontext=system_u:system_r:frr_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0 type=SYSCALL msg=audit(08/10/2022 05:32:53.905:257) : arch=x86_64 syscall=bind success=no exit=EACCES(Permission denied) a0=0xc a1=0x55e3ba44fdd0 a2=0x10 a3=0x7fff610c2bd4 items=0 ppid=8623 pid=8625 auid=unset uid=geoclue gid=flatpak euid=geoclue suid=geoclue fsuid=geoclue egid=flatpak sgid=flatpak fsgid=flatpak tty=(none) ses=unset comm=pathd exe=/usr/libexec/frr/pathd subj=system_u:system_r:frr_t:s0 key=(null) type=SOCKADDR msg=audit(08/10/2022 05:32:53.905:257) : saddr={ saddr_fam=inet laddr=127.0.0.1 lport=2621 } Resolves: rhbz#2117262 --- frr.te | 1 + 1 file changed, 1 insertion(+) diff --git a/frr.te b/frr.te index bbafca4..db69262 100644 --- a/frr.te +++ b/frr.te @@ -83,6 +83,7 @@ corenet_tcp_bind_bgp_port(frr_t) corenet_tcp_bind_cmadmin_port(frr_t) corenet_udp_bind_cmadmin_port(frr_t) corenet_tcp_bind_firepower_port(frr_t) +corenet_tcp_bind_generic_port(frr_t) corenet_tcp_bind_priority_e_com_port(frr_t) corenet_udp_bind_router_port(frr_t) corenet_tcp_bind_qpasa_agent_port(frr_t)
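Review bot: the added corenet_tcp_bind_generic_port(frr_t) line in the frr.te hunk is broader than the need stated in the commit message, which names only 2619/tcp and 2621/tcp for vrrpd and pathd. The denial shows the target as unreserved_port_t, so a rule that satisfies it lets frr_t bind any TCP port carrying that generic label, not just those two. Consider defining a dedicated port type for 2619 and 2621 and granting name_bind on that type only, in the style of the neighbouring corenet_tcp_bind_bgp_port(frr_t) line. If the generic rule stays, a comment above it naming vrrpd and pathd, the two ports and rhbz#2117262 would make the revert mentioned in the commit message easy to find once the daemons move to unix sockets.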