Adding SELinux rule to enable zebra to write to sysctl_net_t

Adding SELinux rule to enable bgpd to call name_connect to bgp_port_t
2022-09-16 16:00:15 +02:00 · 2022-09-16 16:00:15 +02:00 · 3905b5274d
commit 3905b5274d
parent 41a038e1d1
2 changed files with 7 additions and 2 deletions
--- a/frr.spec
+++ b/frr.spec
@ -7,7 +7,7 @@

 Name:           frr
 Version:        8.3.1
-Release:        4%{?dist}
+Release:        5%{?dist}
 Summary:        Routing daemon
 License:        GPLv2+
 URL:            http://www.frrouting.org
@ -264,6 +264,10 @@ rm tests/lib/*grpc*
 %endif

 %changelog
+* Fri Sep 16 2022 Michal Ruprich <mruprich@redhat.com> - 8.3.1-5
+- Adding SELinux rule to enable zebra to write to sysctl_net_t
+- Adding SELinux rule to enable bgpd to call name_connect to bgp_port_t
+
 * Fri Sep 09 2022 Michal Ruprich <mruprich@redhat.com> - 8.3.1-4
 - Fixing an error in post scriptlet

--- a/frr.te
+++ b/frr.te
@ -68,7 +68,7 @@ allow frr_t frr_exec_t:dir search_dir_perms;
 can_exec(frr_t, frr_exec_t)

 kernel_read_network_state(frr_t)
-kernel_read_net_sysctls(frr_t)
+kernel_rw_net_sysctls(frr_t)
 kernel_read_system_state(frr_t)

 auth_use_nsswitch(frr_t)
@ -80,6 +80,7 @@ corenet_udp_bind_bfd_control_port(frr_t)
 corenet_udp_bind_bfd_echo_port(frr_t)
 corenet_udp_bind_bfd_multi_port(frr_t)
 corenet_tcp_bind_bgp_port(frr_t)
+corenet_tcp_connect_bgp_port(frr_t)
 corenet_tcp_bind_cmadmin_port(frr_t)
 corenet_udp_bind_cmadmin_port(frr_t)
 corenet_tcp_bind_firepower_port(frr_t)