Related: RHEL-55747 - Adding new selinux rules

frr.spec

@@ -9,7 +9,7 @@
 
 Name:           frr
 Version:        10.1
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        Routing daemon
 License:        GPL-2.0-or-later AND ISC AND LGPL-2.0-or-later AND BSD-2-Clause AND BSD-3-Clause AND (GPL-2.0-or-later  OR ISC) AND MIT
 URL:            http://www.frrouting.org
@@ -44,7 +44,7 @@ BuildRequires:  grpc-plugins
 BuildRequires:  json-c-devel
 BuildRequires:  libcap-devel
 BuildRequires:  libtool
-BuildRequires:  libyang-devel >= 2.0.0
+BuildRequires:  libyang-devel >= 2.1.148
 BuildRequires:  make
 BuildRequires:  ncurses
 BuildRequires:  ncurses-devel
@@ -277,6 +277,9 @@ rm tests/lib/*grpc*
 %endif
 
 %changelog
+* Sun Aug 25 2024 Michal Ruprich <mruprich@redhat.com> - 10.1-2
+- Related: RHEL-55747 - Adding new selinux rules
+
 * Thu Aug 22 2024 Michal Ruprich <mruprich@redhat.com> - 10.1-1
 - New version 10.1
 

frr.te

@@ -33,6 +33,11 @@ files_pid_file(frr_var_run_t)
 #
 allow frr_t self:capability { chown dac_override dac_read_search kill net_bind_service net_raw setgid setuid net_admin sys_admin };
 allow frr_t self:netlink_route_socket rw_netlink_socket_perms;
+allow frr_t self:netlink_generic_socket create;
+allow frr_t self:netlink_generic_socket setopt;
+allow frr_t self:netlink_generic_socket getopt;
+allow frr_t self:netlink_generic_socket getattr;
+allow frr_t self:netlink_generic_socket bind;
 allow frr_t self:packet_socket create_socket_perms;
 allow frr_t self:process { setcap setpgid };
 allow frr_t self:rawip_socket create_socket_perms;
@@ -105,6 +110,8 @@ ipsec_domtrans_mgmt(frr_t)
 
 userdom_read_admin_home_files(frr_t)
 
+libs_delete_lib_symlinks(frr_t);
+
 optional_policy(`
 	logging_send_syslog_msg(frr_t)
 ')