import frr-7.5.1-3.el8

2022-09-27 05:57:02 -04:00 · 2022-09-27 05:57:02 -04:00 · 387acfb08a
commit 387acfb08a
parent 9d4921fbd1
14 changed files with 542 additions and 307 deletions
--- a/.frr.metadata
+++ b/.frr.metadata
@ -1 +1 @@
-67064fd2c9f971a7004e3e66411f9c99e56cfb9c SOURCES/frr-7.5.tar.gz
+dfc756dfd123360d1e1a760d66821e47f9a6afed SOURCES/frr-7.5.1.tar.gz
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/frr-7.5.tar.gz
+SOURCES/frr-7.5.1.tar.gz
--- a/SOURCES/0008-designated-router.patch
+++ b/SOURCES/0008-designated-router.patch
--- a/SOURCES/0008-ospf-multi-instance.patch
+++ b/SOURCES/0008-ospf-multi-instance.patch
@ -1,119 +0,0 @@
-diff --git a/ospfd/ospfd.c b/ospfd/ospfd.c
-index d8be19db9..6fe94f3a4 100644
--- a/ospfd/ospfd.c
-+++ b/ospfd/ospfd.c
-@@ -384,12 +384,50 @@ struct ospf *ospf_lookup_by_inst_name(unsigned short instance, const char *name)
- 	return NULL;
- }
- 
-struct ospf *ospf_get(unsigned short instance, const char *name, bool *created)
-+static void ospf_init(struct ospf *ospf)
- {
-	struct ospf *ospf;
- 	struct vrf *vrf;
- 	struct interface *ifp;
- 
-+	ospf_opaque_type11_lsa_init(ospf);
-+
-+	if (ospf->vrf_id != VRF_UNKNOWN)
-+		ospf->oi_running = 1;
-+
-+	/* Activate 'ip ospf area x' configured interfaces for given
-+	 * vrf. Activate area on vrf x aware interfaces.
-+	 * vrf_enable callback calls router_id_update which
-+	 * internally will call ospf_if_update to trigger
-+	 * network_run_state
-+	 */
-+	vrf = vrf_lookup_by_id(ospf->vrf_id);
-+
-+	FOR_ALL_INTERFACES (vrf, ifp) {
-+		struct ospf_if_params *params;
-+		struct route_node *rn;
-+		uint32_t count = 0;
-+
-+		params = IF_DEF_PARAMS(ifp);
-+		if (OSPF_IF_PARAM_CONFIGURED(params, if_area))
-+			count++;
-+
-+		for (rn = route_top(IF_OIFS_PARAMS(ifp)); rn; rn = route_next(rn))
-+			if ((params = rn->info) && OSPF_IF_PARAM_CONFIGURED(params, if_area))
-+				count++;
-+
-+		if (count > 0) {
-+			ospf_interface_area_set(ospf, ifp);
-+			ospf->if_ospf_cli_count += count;
-+		}
-+	}
-+
-+	ospf_router_id_update(ospf);
-+}
-+
-+struct ospf *ospf_get(unsigned short instance, const char *name, bool *created)
-+{
-+	struct ospf *ospf;
-+
- 	/* vrf name provided call inst and name based api
- 	 * in case of no name pass default ospf instance */
- 	if (name)
-@@ -402,39 +440,7 @@ struct ospf *ospf_get(unsigned short instance, const char *name, bool *created)
- 		ospf = ospf_new(instance, name);
- 		ospf_add(ospf);
- 
-		ospf_opaque_type11_lsa_init(ospf);
-
-		if (ospf->vrf_id != VRF_UNKNOWN)
-			ospf->oi_running = 1;
-
-		/* Activate 'ip ospf area x' configured interfaces for given
-		 * vrf. Activate area on vrf x aware interfaces.
-		 * vrf_enable callback calls router_id_update which
-		 * internally will call ospf_if_update to trigger
-		 * network_run_state
-		 */
-		vrf = vrf_lookup_by_id(ospf->vrf_id);
-
-		FOR_ALL_INTERFACES (vrf, ifp) {
-			struct ospf_if_params *params;
-			struct route_node *rn;
-			uint32_t count = 0;
-
-			params = IF_DEF_PARAMS(ifp);
-			if (OSPF_IF_PARAM_CONFIGURED(params, if_area))
-				count++;
-
-			for (rn = route_top(IF_OIFS_PARAMS(ifp)); rn; rn = route_next(rn))
-				if ((params = rn->info) && OSPF_IF_PARAM_CONFIGURED(params, if_area))
-					count++;
-
-			if (count > 0) {
-				ospf_interface_area_set(ospf, ifp);
-				ospf->if_ospf_cli_count += count;
-			}
-		}
-
-		ospf_router_id_update(ospf);
-+		ospf_init(ospf);
- 	}
- 
- 	return ospf;
-@@ -450,7 +456,7 @@ struct ospf *ospf_get_instance(unsigned short instance, bool *created)
- 		ospf = ospf_new(instance, NULL /* VRF_DEFAULT*/);
- 		ospf_add(ospf);
- 
-		ospf_opaque_type11_lsa_init(ospf);
-+		ospf_init(ospf);
- 	}
- 
- 	return ospf;
-diff --git a/ospfd/ospfd.h b/ospfd/ospfd.h
-index 192e54281..3087b735a 100644
--- a/ospfd/ospfd.h
-+++ b/ospfd/ospfd.h
-@@ -604,7 +604,6 @@ extern int ospf_nbr_nbma_poll_interval_set(struct ospf *, struct in_addr,
- 					   unsigned int);
- extern int ospf_nbr_nbma_poll_interval_unset(struct ospf *, struct in_addr);
- extern void ospf_prefix_list_update(struct prefix_list *);
-extern void ospf_init(void);
- extern void ospf_if_update(struct ospf *, struct interface *);
- extern void ospf_ls_upd_queue_empty(struct ospf_interface *);
- extern void ospf_terminate(void);
--- a/SOURCES/0009-bgp-ttl-security.patch
+++ b/SOURCES/0009-bgp-ttl-security.patch
@ -1,92 +0,0 @@
-From 8a66632391db5f5181a4afef6aae41f48bee7fdb Mon Sep 17 00:00:00 2001
-From: Donald Sharp <sharpd@nvidia.com>
-Date: Fri, 15 Jan 2021 08:14:49 -0500
-Subject: [PATCH] bgpd: Allow peer-groups to have `ttl-security hops`
- configured
-
-The command `neighbor PGROUP ttl-security hops X` was being
-accepted but ignored.  Allow it to be stored.  I am still
-not sure that this is applied correctly, but that is another
-problem.
-
-Fixes: #7848
-Signed-off-by: Donald Sharp <sharpd@nvidia.com>
---
- bgpd/bgpd.c | 8 +++++---
- 1 file changed, 5 insertions(+), 3 deletions(-)
-
-diff --git a/bgpd/bgpd.c b/bgpd/bgpd.c
-index 9297ec4711c..4ebd3da0620 100644
--- a/bgpd/bgpd.c
-+++ b/bgpd/bgpd.c
-@@ -7150,6 +7150,7 @@ int is_ebgp_multihop_configured(struct peer *peer)
- int peer_ttl_security_hops_set(struct peer *peer, int gtsm_hops)
- {
- 	struct peer_group *group;
-+	struct peer *gpeer;
- 	struct listnode *node, *nnode;
- 	int ret;
- 
-@@ -7186,9 +7187,10 @@ int peer_ttl_security_hops_set(struct peer *peer, int gtsm_hops)
- 				return ret;
- 		} else {
- 			group = peer->group;
-+			group->conf->gtsm_hops = gtsm_hops;
- 			for (ALL_LIST_ELEMENTS(group->peer, node, nnode,
-					       peer)) {
-				peer->gtsm_hops = group->conf->gtsm_hops;
-+					       gpeer)) {
-+				gpeer->gtsm_hops = group->conf->gtsm_hops;
- 
- 				/* Calling ebgp multihop also resets the
- 				 * session.
-@@ -7198,7 +7200,7 @@ int peer_ttl_security_hops_set(struct peer *peer, int gtsm_hops)
- 				 * value is
- 				 * irrelevant.
- 				 */
-				peer_ebgp_multihop_set(peer, MAXTTL);
-+				peer_ebgp_multihop_set(gpeer, MAXTTL);
- 			}
- 		}
- 	} else {
-@@ -7219,9 +7221,10 @@ int peer_ttl_security_hops_set(struct peer *peer, int gtsm_hops)
- 					       MAXTTL + 1 - gtsm_hops);
- 		} else {
- 			group = peer->group;
-+			group->conf->gtsm_hops = gtsm_hops;
- 			for (ALL_LIST_ELEMENTS(group->peer, node, nnode,
-					       peer)) {
-				peer->gtsm_hops = group->conf->gtsm_hops;
-+					       gpeer)) {
-+				gpeer->gtsm_hops = group->conf->gtsm_hops;
- 
- 				/* Change setting of existing peer
- 				 *   established then change value (may break
-@@ -7231,17 +7234,18 @@ int peer_ttl_security_hops_set(struct peer *peer, int gtsm_hops)
- 				 *   no session then do nothing (will get
- 				 * handled by next connection)
- 				 */
-				if (peer->fd >= 0
-				    && peer->gtsm_hops
-+				if (gpeer->fd >= 0
-+				    && gpeer->gtsm_hops
- 					       != BGP_GTSM_HOPS_DISABLED)
- 					sockopt_minttl(
-						peer->su.sa.sa_family, peer->fd,
-						MAXTTL + 1 - peer->gtsm_hops);
-				if ((peer->status < Established)
-				    && peer->doppelganger
-				    && (peer->doppelganger->fd >= 0))
-					sockopt_minttl(peer->su.sa.sa_family,
-						       peer->doppelganger->fd,
-+						gpeer->su.sa.sa_family,
-+						gpeer->fd,
-+						MAXTTL + 1 - gpeer->gtsm_hops);
-+				if ((gpeer->status < Established)
-+				    && gpeer->doppelganger
-+				    && (gpeer->doppelganger->fd >= 0))
-+					sockopt_minttl(gpeer->su.sa.sa_family,
-+						       gpeer->doppelganger->fd,
- 						       MAXTTL + 1 - gtsm_hops);
- 			}
- 		}
--- a/SOURCES/0009-routemap.patch
+++ b/SOURCES/0009-routemap.patch
@ -0,0 +1,25 @@
+diff --git a/lib/routemap.c b/lib/routemap.c
+index a90443a..0b594b2 100644
+--- a/lib/routemap.c
+++ b/lib/routemap.c
+@@ -1649,9 +1649,9 @@ static struct list *route_map_get_index_list(struct route_node **rn,
+  */
+ static struct route_map_index *
+ route_map_get_index(struct route_map *map, const struct prefix *prefix,
+-		    route_map_object_t type, void *object, uint8_t *match_ret)
+		    route_map_object_t type, void *object, enum route_map_cmd_result_t *match_ret)
+ {
+-	int ret = 0;
+	enum route_map_cmd_result_t ret = RMAP_NOMATCH;
+ 	struct list *candidate_rmap_list = NULL;
+ 	struct route_node *rn = NULL;
+ 	struct listnode *ln = NULL, *nn = NULL;
+@@ -2399,7 +2399,7 @@ route_map_result_t route_map_apply(struct route_map *map,
+ 	if ((!map->optimization_disabled)
+ 	    && (map->ipv4_prefix_table || map->ipv6_prefix_table)) {
+ 		index = route_map_get_index(map, prefix, type, object,
+-					    (uint8_t *)&match_ret);
+					    &match_ret);
+ 		if (index) {
+ 			if (rmap_debug)
+ 				zlog_debug(
--- a/SOURCES/0010-bfd-reload.patch
+++ b/SOURCES/0010-bfd-reload.patch
@ -1,60 +0,0 @@
-From 46a2b560fa84c5f8ece8dbb82cbf355af675ad41 Mon Sep 17 00:00:00 2001
-From: Rafael Zalamena <rzalamena@opensourcerouting.org>
-Date: Tue, 19 Jan 2021 08:49:23 -0300
-Subject: [PATCH] tools: fix frr-reload BFD profile support
-
-Fix the handling of multiple BFD profiles by adding the appropriated
-code to push/pop contexts inside BFD configuration node.
-
-Signed-off-by: Rafael Zalamena <rzalamena@opensourcerouting.org>
---
- tools/frr-reload.py | 28 ++++++++++++++++++++++++++++
- 1 file changed, 28 insertions(+)
-
-diff --git a/tools/frr-reload.py b/tools/frr-reload.py
-index da005b6f874..ca6fe81f007 100755
--- a/tools/frr-reload.py
-+++ b/tools/frr-reload.py
-@@ -533,6 +533,18 @@ def load_contexts(self):
-             if line.startswith('!') or line.startswith('#'):
-                 continue
- 
-+            if (len(ctx_keys) == 2
-+                and ctx_keys[0].startswith('bfd')
-+                and ctx_keys[1].startswith('profile ')
-+                and line == 'end'):
-+                log.debug('LINE %-50s: popping from sub context, %-50s', line, ctx_keys)
-+
-+                if main_ctx_key:
-+                    self.save_contexts(ctx_keys, current_context_lines)
-+                    ctx_keys = copy.deepcopy(main_ctx_key)
-+                    current_context_lines = []
-+                    continue
-+
-             # one line contexts
-             # there is one exception though: ldpd accepts a 'router-id' clause
-             # as part of its 'mpls ldp' config context. If we are processing
-@@ -649,6 +661,22 @@ def load_contexts(self):
-                 log.debug('LINE %-50s: entering sub-sub-context, append to ctx_keys', line)
-                 ctx_keys.append(line)
- 
-+            elif (
-+                line.startswith('profile ')
-+                and len(ctx_keys) == 1
-+                and ctx_keys[0].startswith('bfd')
-+            ):
-+
-+                # Save old context first
-+                self.save_contexts(ctx_keys, current_context_lines)
-+                current_context_lines = []
-+                main_ctx_key = copy.deepcopy(ctx_keys)
-+                log.debug(
-+                    "LINE %-50s: entering BFD profile sub-context, append to ctx_keys",
-+                    line
-+                )
-+                ctx_keys.append(line)
-+
-             else:
-                 # Continuing in an existing context, add non-commented lines to it
-                 current_context_lines.append(line)
-
--- a/SOURCES/0010-moving-executables.patch
+++ b/SOURCES/0010-moving-executables.patch
@ -0,0 +1,40 @@
+diff --git a/tools/frr.service b/tools/frr.service
+index aa45f42..a3f0103 100644
+--- a/tools/frr.service
+++ b/tools/frr.service
+@@ -17,9 +17,9 @@ WatchdogSec=60s
+ RestartSec=5
+ Restart=on-abnormal
+ LimitNOFILE=1024
+-ExecStart=/usr/lib/frr/frrinit.sh start
+-ExecStop=/usr/lib/frr/frrinit.sh stop
+-ExecReload=/usr/lib/frr/frrinit.sh reload
+ExecStart=/usr/libexec/frr/frrinit.sh start
+ExecStop=/usr/libexec/frr/frrinit.sh stop
+ExecReload=/usr/libexec/frr/frrinit.sh reload
+ 
+ [Install]
+ WantedBy=multi-user.target
+diff --git a/tools/frrcommon.sh.in b/tools/frrcommon.sh.in
+index 9a144b2..a334d95 100644
+--- a/tools/frrcommon.sh.in
+++ b/tools/frrcommon.sh.in
+@@ -59,6 +59,9 @@ chownfrr() {
+ 	[ -n "$FRR_USER" ] && chown "$FRR_USER" "$1"
+ 	[ -n "$FRR_GROUP" ] && chgrp "$FRR_GROUP" "$1"
+ 	[ -n "$FRR_CONFIG_MODE" ] && chmod "$FRR_CONFIG_MODE" "$1"
+	if [ -d "$1" ]; then
+		chmod gu+x "$1"
+	fi
+ }
+ 
+ vtysh_b () {
+@@ -152,7 +155,7 @@ daemon_start() {
+ 	daemon_prep "$daemon" "$inst" || return 1
+ 	if test ! -d "$V_PATH"; then
+ 		mkdir -p "$V_PATH"
+-		chown frr "$V_PATH"
+		chownfrr "$V_PATH"
+ 	fi
+ 
+ 	eval wrap="\$${daemon}_wrap"
--- a/SOURCES/0011-reload-bfd-profile.patch
+++ b/SOURCES/0011-reload-bfd-profile.patch
@ -0,0 +1,77 @@
+diff --git a/tools/frr-reload.py b/tools/frr-reload.py
+index 9979c8b..1c24f90 100755
+--- a/tools/frr-reload.py
+++ b/tools/frr-reload.py
+@@ -785,6 +785,48 @@ def line_exist(lines, target_ctx_keys, target_line, exact_match=True):
+                     return True
+     return False
+ 
+def delete_bgp_bfd(lines_to_add, lines_to_del):
+    """
+    When 'neighbor <peer> bfd profile <profile>' is present without a
+    'neighbor <peer> bfd' line, FRR explicitily adds it to the running
+    configuration. When the new configuration drops the bfd profile
+    line, the user's intent is to delete any bfd configuration on the
+    peer. On reload, deleting the bfd profile line after the bfd line
+    will re-enable BFD with the default BFD profile. Move the bfd line
+    to the end, if it exists in the new configuration.
+
+    Example:
+
+     neighbor 10.0.0.1 bfd
+     neighbor 10.0.0.1 bfd profile bfd-profile-1
+
+     Move to end:
+     neighbor 10.0.0.1 bfd profile bfd-profile-1
+     ...
+
+     neighbor 10.0.0.1 bfd
+
+    """
+    lines_to_del_to_app = []
+    for (ctx_keys, line) in lines_to_del:
+        if (
+            ctx_keys[0].startswith("router bgp")
+            and line
+            and line.startswith("neighbor ")
+        ):
+            # 'no neighbor [peer] bfd>'
+            nb_bfd = "neighbor (\S+) .*bfd$"
+            re_nb_bfd = re.search(nb_bfd, line)
+            if re_nb_bfd:
+                lines_to_del_to_app.append((ctx_keys, line))
+
+    for (ctx_keys, line) in lines_to_del_to_app:
+        lines_to_del.remove((ctx_keys, line))
+        lines_to_del.append((ctx_keys, line))
+
+    return (lines_to_add, lines_to_del)
+
+
+ def check_for_exit_vrf(lines_to_add, lines_to_del):
+ 
+     # exit-vrf is a bit tricky.  If the new config is missing it but we
+@@ -1248,6 +1290,7 @@ def compare_context_objects(newconf, running):
+             for line in newconf_ctx.lines:
+                 lines_to_add.append((newconf_ctx_keys, line))
+ 
+    (lines_to_add, lines_to_del) = delete_bgp_bfd(lines_to_add, lines_to_del)
+     (lines_to_add, lines_to_del) = check_for_exit_vrf(lines_to_add, lines_to_del)
+     (lines_to_add, lines_to_del) = ignore_delete_re_add_lines(lines_to_add, lines_to_del)
+     (lines_to_add, lines_to_del) = ignore_unconfigurable_lines(lines_to_add, lines_to_del)
+diff --git a/bgpd/bgp_bfd.c b/bgpd/bgp_bfd.c
+index b566b0e..1bd6249 100644
+--- a/bgpd/bgp_bfd.c
+++ b/bgpd/bgp_bfd.c
+@@ -686,9 +686,9 @@ void bgp_bfd_peer_config_write(struct vty *vty, struct peer *peer, char *addr)
+ 
+ 	if (!CHECK_FLAG(bfd_info->flags, BFD_FLAG_PARAM_CFG)
+ 	    && (bfd_info->type == BFD_TYPE_NOT_CONFIGURED)) {
+-		vty_out(vty, " neighbor %s bfd", addr);
+		vty_out(vty, " neighbor %s bfd\n", addr);
+ 		if (bfd_info->profile[0])
+-			vty_out(vty, " profile %s", bfd_info->profile);
+			vty_out(vty, " neighbor %s bfd profile %s", addr, bfd_info->profile);
+ 		vty_out(vty, "\n");
+ 	}
+ 
--- a/SOURCES/0012-bfd-peers-crash.patch
+++ b/SOURCES/0012-bfd-peers-crash.patch
@ -1,25 +0,0 @@
-From 1d923374f64e099d734899aff219d90cb0213fa6 Mon Sep 17 00:00:00 2001
-From: Emanuele Bovisio <emanuele.bovisio@eolo.it>
-Date: Thu, 5 Nov 2020 14:27:51 +0100
-Subject: [PATCH] bfdd: fix crash on show bfd peers counters json
-
-wrong pointer passed to bfd_id_iterate function
-
-Signed-off-by: Emanuele Bovisio <emanuele.bovisio@eolo.it>
---
- bfdd/bfdd_vty.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/bfdd/bfdd_vty.c b/bfdd/bfdd_vty.c
-index a3f1638e5f6..837a7b7d7d6 100644
--- a/bfdd/bfdd_vty.c
-+++ b/bfdd/bfdd_vty.c
-@@ -447,7 +447,7 @@ static void _display_peers_counter(struct vty *vty, char *vrfname, bool use_json
- 
- 	jo = json_object_new_array();
- 	bvt.jo = jo;
-	bfd_id_iterate(_display_peer_counter_json_iter, jo);
-+	bfd_id_iterate(_display_peer_counter_json_iter, &bvt);
- 
- 	vty_out(vty, "%s\n", json_object_to_json_string_ext(jo, 0));
- 	json_object_free(jo);
--- a/SOURCES/frr.fc
+++ b/SOURCES/frr.fc
@ -0,0 +1,28 @@
+/usr/libexec/frr(/.*)?        	gen_context(system_u:object_r:frr_exec_t,s0)
+
+/usr/lib/systemd/system/frr.*   gen_context(system_u:object_r:frr_unit_file_t,s0)
+
+/etc/frr(/.*)?                  gen_context(system_u:object_r:frr_conf_t,s0)
+
+/var/log/frr(/.*)?              gen_context(system_u:object_r:frr_log_t,s0)
+/var/tmp/frr(/.*)?              gen_context(system_u:object_r:frr_tmp_t,s0)
+
+/var/lock/subsys/bfdd       --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/bgpd       --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/eigrpd     --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/fabricd    --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/isisd      --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/nhrpd      --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/ospf6d     --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/ospfd      --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/pbrd       --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/pimd       --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/ripd       --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/ripngd     --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/staticd    --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/zebra      --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/vrrpd      --  gen_context(system_u:object_r:frr_lock_t,s0)
+
+/var/run/frr(/.*)?              gen_context(system_u:object_r:frr_var_run_t,s0)
+
+/usr/bin/vtysh              --  gen_context(system_u:object_r:frr_exec_t,s0)
--- a/SOURCES/frr.if
+++ b/SOURCES/frr.if
@ -0,0 +1,162 @@
+## <summary>policy for frr</summary>
+
+########################################
+## <summary>
+##	Execute frr_exec_t in the frr domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`frr_domtrans',`
+	gen_require(`
+		type frr_t, frr_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, frr_exec_t, frr_t)
+')
+
+######################################
+## <summary>
+##	Execute frr in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`frr_exec',`
+	gen_require(`
+		type frr_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, frr_exec_t)
+')
+
+########################################
+## <summary>
+##	Read frr's log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`frr_read_log',`
+	gen_require(`
+		type frr_log_t;
+	')
+
+	read_files_pattern($1, frr_log_t, frr_log_t)
+	optional_policy(`
+		logging_search_logs($1)
+	')
+')
+
+########################################
+## <summary>
+##	Append to frr log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`frr_append_log',`
+	gen_require(`
+		type frr_log_t;
+	')
+
+	append_files_pattern($1, frr_log_t, frr_log_t)
+	optional_policy(`
+		logging_search_logs($1)
+	')
+')
+
+########################################
+## <summary>
+##	Manage frr log files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`frr_manage_log',`
+	gen_require(`
+		type frr_log_t;
+	')
+
+	manage_dirs_pattern($1, frr_log_t, frr_log_t)
+	manage_files_pattern($1, frr_log_t, frr_log_t)
+	manage_lnk_files_pattern($1, frr_log_t, frr_log_t)
+	optional_policy(`
+		logging_search_logs($1)
+	')
+')
+
+########################################
+## <summary>
+##	Read frr PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`frr_read_pid_files',`
+	gen_require(`
+		type frr_var_run_t;
+	')
+
+	files_search_pids($1)
+	read_files_pattern($1, frr_var_run_t, frr_var_run_t)
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an frr environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`frr_admin',`
+	gen_require(`
+		type frr_t;
+		type frr_log_t;
+		type frr_var_run_t;
+	')
+
+	allow $1 frr_t:process { signal_perms };
+	ps_process_pattern($1, frr_t)
+
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 frr_t:process ptrace;
+	')
+
+	admin_pattern($1, frr_log_t)
+
+	files_search_pids($1)
+	admin_pattern($1, frr_var_run_t)
+	optional_policy(`
+		logging_search_logs($1)
+	')
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
--- a/SOURCES/frr.te
+++ b/SOURCES/frr.te
@ -0,0 +1,121 @@
+policy_module(frr, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type frr_t;
+type frr_exec_t;
+init_daemon_domain(frr_t, frr_exec_t)
+
+type frr_log_t;
+logging_log_file(frr_log_t)
+
+type frr_tmp_t;
+files_tmp_file(frr_tmp_t)
+
+type frr_lock_t;
+files_lock_file(frr_lock_t)
+
+type frr_conf_t;
+files_config_file(frr_conf_t)
+
+type frr_unit_file_t;
+systemd_unit_file(frr_unit_file_t)
+
+type frr_var_run_t;
+files_pid_file(frr_var_run_t)
+
+########################################
+#
+# frr local policy
+#
+allow frr_t self:capability { fowner fsetid chown dac_override dac_read_search kill net_bind_service net_raw setgid setuid };
+allow frr_t self:netlink_route_socket rw_netlink_socket_perms;
+allow frr_t self:packet_socket create;
+allow frr_t self:process { setcap setpgid };
+allow frr_t self:rawip_socket create_socket_perms;
+allow frr_t self:tcp_socket { connect connected_stream_socket_perms };
+allow frr_t self:udp_socket create_socket_perms;
+allow frr_t self:unix_stream_socket connectto;
+
+allow frr_t frr_conf_t:dir list_dir_perms;
+manage_files_pattern(frr_t, frr_conf_t, frr_conf_t)
+read_lnk_files_pattern(frr_t, frr_conf_t, frr_conf_t)
+
+manage_dirs_pattern(frr_t, frr_log_t, frr_log_t)
+manage_files_pattern(frr_t, frr_log_t, frr_log_t)
+manage_lnk_files_pattern(frr_t, frr_log_t, frr_log_t)
+logging_log_filetrans(frr_t, frr_log_t, { dir file lnk_file })
+
+allow frr_t frr_tmp_t:file map;
+manage_dirs_pattern(frr_t, frr_tmp_t, frr_tmp_t)
+manage_files_pattern(frr_t, frr_tmp_t, frr_tmp_t)
+files_tmp_filetrans(frr_t, frr_tmp_t, { file dir })
+
+manage_files_pattern(frr_t, frr_lock_t, frr_lock_t)
+manage_lnk_files_pattern(frr_t, frr_lock_t, frr_lock_t)
+files_lock_filetrans(frr_t, frr_lock_t, { file lnk_file })
+
+manage_dirs_pattern(frr_t, frr_var_run_t, frr_var_run_t)
+manage_files_pattern(frr_t, frr_var_run_t, frr_var_run_t)
+manage_lnk_files_pattern(frr_t, frr_var_run_t, frr_var_run_t)
+manage_sock_files_pattern(frr_t, frr_var_run_t, frr_var_run_t)
+files_pid_filetrans(frr_t, frr_var_run_t, { dir file lnk_file })
+
+allow frr_t frr_exec_t:dir search_dir_perms;
+can_exec(frr_t, frr_exec_t)
+
+kernel_read_network_state(frr_t)
+kernel_read_net_sysctls(frr_t)
+kernel_read_system_state(frr_t)
+
+auth_use_nsswitch(frr_t)
+
+corecmd_exec_bin(frr_t)
+
+corenet_tcp_bind_appswitch_emp_port(frr_t)
+corenet_udp_bind_bfd_control_port(frr_t)
+corenet_udp_bind_bfd_echo_port(frr_t)
+corenet_tcp_bind_bgp_port(frr_t)
+corenet_udp_bind_all_unreserved_ports(frr_t);
+corenet_tcp_bind_generic_port(frr_t)
+corenet_tcp_bind_firepower_port(frr_t)
+corenet_tcp_bind_priority_e_com_port(frr_t)
+corenet_udp_bind_router_port(frr_t)
+corenet_tcp_bind_qpasa_agent_port(frr_t)
+corenet_tcp_bind_smntubootstrap_port(frr_t)
+corenet_tcp_bind_versa_tek_port(frr_t)
+corenet_tcp_bind_zebra_port(frr_t)
+
+domain_use_interactive_fds(frr_t)
+
+fs_read_nsfs_files(frr_t)
+
+sysnet_exec_ifconfig(frr_t)
+
+userdom_read_admin_home_files(frr_t)
+
+init_signal(frr_t)
+init_signal_script(frr_t)
+init_signull_script(frr_t)
+
+optional_policy(`
+	logging_send_syslog_msg(frr_t)
+')
+
+optional_policy(`
+	modutils_exec_kmod(frr_t)
+	modutils_getattr_module_deps(frr_t)
+	modutils_read_module_config(frr_t)
+	modutils_read_module_deps_files(frr_t)
+')
+
+optional_policy(`
+	networkmanager_read_state(frr_t)
+')
+
+optional_policy(`
+	userdom_admin_home_dir_filetrans(frr_t, frr_conf_t, file, ".history_frr")
+')
--- a/SPECS/frr.spec
+++ b/SPECS/frr.spec
@ -1,16 +1,21 @@
-%global frrversion	7.5
-%global frr_libdir /usr/lib/frr
+%global frrversion	7.5.1
+%global frr_libdir /usr/libexec/frr

 %global _hardened_build 1
+%global selinuxtype targeted
+%bcond_without selinux

 Name: frr
-Version: 7.5
-Release: 11%{?checkout}%{?dist}
+Version: 7.5.1
+Release: 3%{?checkout}%{?dist}
 Summary: Routing daemon
 License: GPLv2+
 URL: http://www.frrouting.org
 Source0: https://github.com/FRRouting/frr/releases/download/%{name}-%{frrversion}/%{name}-%{frrversion}.tar.gz
 Source1: %{name}-tmpfiles.conf
+Source2: frr.fc
+Source3: frr.te
+Source4: frr.if
 BuildRequires: perl-generators
 BuildRequires: gcc
 BuildRequires: net-snmp-devel
@ -27,6 +32,11 @@ Requires(preun): systemd /sbin/install-info
 Requires(postun): systemd
 Requires: iproute
 Requires: initscripts
+
+%if 0%{?with_selinux}
+Requires: (%{name}-selinux if selinux-policy-%{selinuxtype})
+%endif
+
 Provides: routingdaemon = %{version}-%{release}
 Obsoletes: frr-sysvinit quagga frr-contrib

@ -37,11 +47,10 @@ Patch0003: 0003-disable-eigrp-crypto.patch
 Patch0004: 0004-fips-mode.patch
 Patch0006: 0006-CVE-2020-12831.patch
 Patch0007: 0007-frrinit.patch
-Patch0008: 0008-ospf-multi-instance.patch
-Patch0009: 0009-bgp-ttl-security.patch
-Patch0010: 0010-bfd-reload.patch
-Patch0011: 0011-designated-router.patch
-Patch0012: 0012-bfd-peers-crash.patch
+Patch0008: 0008-designated-router.patch
+Patch0009: 0009-routemap.patch
+Patch0010: 0010-moving-executables.patch
+Patch0011: 0011-reload-bfd-profile.patch

 %description
 FRRouting is free software that manages TCP/IP based routing protocols. It takes
@ -52,8 +61,25 @@ FRRouting supports BGP4, OSPFv2, OSPFv3, ISIS, RIP, RIPng, PIM, NHRP, PBR, EIGRP

 FRRouting is a fork of Quagga.

+%if 0%{?with_selinux}
+%package selinux
+Summary:       Selinux policy for FRR
+BuildArch:     noarch
+Requires:      selinux-policy-%{selinuxtype}
+Requires(post):        selinux-policy-%{selinuxtype}
+BuildRequires: selinux-policy-devel
+%{?selinux_requires}
+
+%description selinux
+SELinux policy modules for FRR package
+
+%endif
+
 %prep
 %autosetup -S git
+#SELinux
+mkdir selinux
+cp -p %{SOURCE2} %{SOURCE3} %{SOURCE4} selinux

 %build
 autoreconf -ivf
@ -88,6 +114,12 @@ pushd doc
 make info
 popd

+#SELinux policy
+%if 0%{?with_selinux}
+make -C selinux -f %{_datadir}/selinux/devel/Makefile %{name}.pp
+bzip2 -9 selinux/%{name}.pp
+%endif
+
 %install
 mkdir -p %{buildroot}/etc/{frr,rc.d/init.d,sysconfig,logrotate.d,pam.d,default} \
         %{buildroot}/var/log/frr %{buildroot}%{_infodir} \
@ -112,6 +144,12 @@ install -p -m 644 %{_builddir}/%{name}-%{frrversion}/redhat/frr.logrotate %{buil
 install -p -m 644 %{_builddir}/%{name}-%{frrversion}/redhat/frr.pam %{buildroot}/etc/pam.d/frr
 install -d -m 775 %{buildroot}/run/frr

+%if 0%{?with_selinux}
+install -D -m 644 selinux/%{name}.pp.bz2 \
+       %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
+install -D -m 644 selinux/%{name}.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/%{name}.if
+%endif
+
 rm %{buildroot}%{_libdir}/frr/*.la
 rm %{buildroot}%{_libdir}/frr/modules/*.la

@ -127,6 +165,8 @@ getent passwd frr >/dev/null 2>&1 || useradd -M -r -g frr -s /sbin/nologin \
 usermod -aG frrvty frr

 %post
+#Because we move files to /usr/libexec, we need to reload .service files as well
+/usr/bin/systemctl daemon-reload
 %systemd_post frr.service

 if [ -f %{_infodir}/%{name}.inf* ]; then
@ -166,6 +206,26 @@ fi
 %preun
 %systemd_preun frr.service

+#SELinux
+%if 0%{?with_selinux}
+%pre selinux
+%selinux_relabel_pre -s %{selinuxtype}
+
+%post selinux
+%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
+%selinux_relabel_post -s %{selinuxtype}
+#/var/tmp and /var/run need to be relabeled as well if FRR is running before upgrade
+%{_sbindir}/restorecon -R /var/tmp/frr &> /dev/null
+%{_sbindir}/restorecon -R /var/run/frr &> /dev/null
+
+%postun selinux
+if [ $1 -eq 0 ]; then
+    %selinux_modules_uninstall -s %{selinuxtype} %{name}
+    %selinux_relabel_post -s %{selinuxtype}
+fi
+
+%endif
+
 %check
 make check PYTHON=%{__python3}

@ -201,7 +261,25 @@ make check PYTHON=%{__python3}
 /usr/share/yang/*.yang
 %{_tmpfilesdir}/%{name}.conf

+%if 0%{?with_selinux}
+%files selinux
+%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.*
+%{_datadir}/selinux/devel/include/distributed/%{name}.if
+%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name}
+%endif
+
 %changelog
+* Thu Aug 25 2022 Michal Ruprich <mruprich@redhat.com> - 7.5.1-3
+- Resolves: #2054160 - FRR reloader does not disable BFD when unsetting BFD profile
+
+* Wed Aug 24 2022 Michal Ruprich <mruprich@redhat.com> - 7.5.1-2
+- Resolves: #1941765 - AVCs while running frr tests on RHEL 8.4.0 Beta-1.2
+- Resolves: #1714984 - SELinux policy (daemons) changes required for package
+
+* Wed May 11 2022 Michal Ruprich <mruprich@redhat.com> - 7.5.1-1
+- Resolves: #2018451 - Rebase of frr to version 7.5.1
+- Resolves: #1975361 - the dynamic routing setup does not work any more
+
 * Wed Jan 05 2022 Michal Ruprich <mruprich@redhat.com> - 7.5-11
 - Resolves: #2034328 - Bfdd crash in metallb CI