From a302f6117dac72a82873a7d864d7ff6b2ee6d9ef Mon Sep 17 00:00:00 2001
From: Zdenek Pytela
Date: Tue, 1 Aug 2023 09:40:29 +0200
Subject: [PATCH] Update SELinux rule to allow frr daemons create and use packet socket

The commit addresses the following AVC denial:
type=PROCTITLE msg=audit(07/27/2023 11:26:31.692:622) : proctitle=/usr/libexec/frr/bfdd -d -F traditional -A 127.0.0.1
type=SOCKADDR msg=audit(07/27/2023 11:26:31.692:622) : saddr={ saddr_fam=packet (unsupported) }
type=SYSCALL msg=audit(07/27/2023 11:26:31.692:622) : arch=x86_64 syscall=bind success=no exit=EACCES(Permission denied) a0=0xf a1=0x7ffeb8c5a000 a2=0x14 a3=0x7ffeb8c59ff0 items=0 ppid=7818 pid=7903 auid=unset uid=frr gid=frr euid=frr suid=frr fsuid=frr egid=frr sgid=frr fsgid=frr tty=(none) ses=unset comm=bfdd exe=/usr/libexec/frr/bfdd subj=system_u:system_r:frr_t:s0 key=(null)
type=AVC msg=audit(07/27/2023 11:26:31.692:622) : avc: denied { bind } for pid=7903 comm=bfdd scontext=system_u:system_r:frr_t:s0 tcontext=system_u:system_r:frr_t:s0 tclass=packet_socket permissive=0

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2216912
---
 frr.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/frr.te b/frr.te
index 20fc95d..9cccae9 100644
--- a/frr.te
+++ b/frr.te
@@ -33,7 +33,7 @@ files_pid_file(frr_var_run_t)
 #
 allow frr_t self:capability { chown dac_override dac_read_search kill net_bind_service net_raw setgid setuid net_admin sys_admin };
 allow frr_t self:netlink_route_socket rw_netlink_socket_perms;
-allow frr_t self:packet_socket { create setopt };
+allow frr_t self:packet_socket create_socket_perms;
 allow frr_t self:process { setcap setpgid };
 allow frr_t self:rawip_socket create_socket_perms;
 allow frr_t self:tcp_socket { connect connected_stream_socket_perms };
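Review bot: The new `packet_socket create_socket_perms` line grants the whole create/read/write/bind/connect/getopt/setopt set while the quoted AVC shows only `bind` denied, and neither the rule nor the commit message records why the wider set is chosen. It is presumably the minimum a bound packet socket needs to actually send and receive, and it mirrors the `rawip_socket create_socket_perms` line three lines below, so the scope looks reasonable, but that reasoning belongs next to the rule. I would add a comment above it such as `# bfdd binds and uses a packet socket (rhbz#2216912); create/setopt alone is not enough`. Since frr_t already holds `net_raw` in the capability line above, this does not extend the domain beyond link-layer access it could already obtain, which is worth stating in the message for future audits of the policy.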