Commit Graph

10 Commits

Author SHA1 Message Date
Vit Mojzis
9c91b908e1 SELinux: rename ifconfig_run interfaces to be more specific
The change has no functional impact on the policy. It is just to keep it
in sync with the interfaces shipped in selinux-policy-* packages.

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2024-01-25 12:51:35 +00:00
Michal Ruprich
ca06a43267 Adding a couple of SELinux rules, includes fix for rhbz#2149299 2023-09-01 13:15:04 +02:00
Zdenek Pytela
a302f6117d Update SELinux rule to allow frr daemons create and use packet socket
The commit addresses the following AVC denial:
type=PROCTITLE msg=audit(07/27/2023 11:26:31.692:622) : proctitle=/usr/libexec/frr/bfdd -d -F traditional -A 127.0.0.1
type=SOCKADDR msg=audit(07/27/2023 11:26:31.692:622) : saddr={ saddr_fam=packet (unsupported) }
type=SYSCALL msg=audit(07/27/2023 11:26:31.692:622) : arch=x86_64 syscall=bind success=no exit=EACCES(Permission denied) a0=0xf a1=0x7ffeb8c5a000 a2=0x14 a3=0x7ffeb8c59ff0 items=0 ppid=7818 pid=7903 auid=unset uid=frr gid=frr euid=frr suid=frr fsuid=frr egid=frr sgid=frr fsgid=frr tty=(none) ses=unset comm=bfdd exe=/usr/libexec/frr/bfdd subj=system_u:system_r:frr_t:s0 key=(null)
type=AVC msg=audit(07/27/2023 11:26:31.692:622) : avc:  denied  { bind } for  pid=7903 comm=bfdd scontext=system_u:system_r:frr_t:s0 tcontext=system_u:system_r:frr_t:s0 tclass=packet_socket permissive=0

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2216912
2023-08-01 09:40:29 +02:00
Michal Ruprich
de8d85febb frr-8.5.1-4
Selinux policy changes:
- Allow watch,read on /var/run/netns directory and its content
- Add sys_admin capability

It seems like sys_admin is needed because frr is using setns function to change the actual namespace. Full log here:
type=PROCTITLE msg=audit(06/29/2023 03:42:07.692:559) : proctitle=/usr/libexec/frr/zebra -d -F traditional -A 127.0.0.1 -s 90000000 -n
type=SYSCALL msg=audit(06/29/2023 03:42:07.692:559) : arch=x86_64 syscall=setns success=no exit=EPERM(Operation not permitted) a0=0x11 a1=CLONE_NEWNET a2=0x0 a3=0x0 items=0 ppid=3692 pid=3701 auid=unset uid=frr gid=frr euid=frr suid=frr fsuid=frr egid=frr sgid=frr fsgid=frr tty=(none) ses=unset comm=zebra exe=/usr/libexec/frr/zebra subj=system_u:system_r:frr_t:s0 key=(null)
type=AVC msg=audit(06/29/2023 03:42:07.692:559) : avc: denied { sys_admin } for pid=3701 comm=zebra capability=sys_admin scontext=system_u:system_r:frr_t:s0 tcontext=system_u:system_r:frr_t:s0 tclass=capability permissive=0

Resolves: #2216073 - SELinux is preventing FRR-Zebra to access to network namespaces
2023-06-29 15:54:02 +02:00
Michal Ruprich
1787b2810b New version 8.4.1
Fix for rhbz #2140705
2022-11-25 18:02:48 +01:00
Michal Ruprich
3905b5274d Adding SELinux rule to enable zebra to write to sysctl_net_t
Adding SELinux rule to enable bgpd to call name_connect to bgp_port_t
2022-09-16 16:00:15 +02:00
Michal Ruprich
a7b3783ddc Resolves: #2124254 - frr can no longer update routes 2022-09-09 16:14:11 +02:00
Zdenek Pytela
16d43cc08d Allow frr daemons bind generic sockets to tcp ports
The vrrpd and pathd daemons need to bind to ports 2619/tcp and 2621/tcp.
This commit can be reverted if the inter-process communication changes
to using unix sockets in the future.

Addresses the following AVC denial:

type=PROCTITLE msg=audit(08/10/2022 05:32:53.905:257) : proctitle=/usr/libexec/frr/pathd -d -F traditional -A 127.0.0.1
type=AVC msg=audit(08/10/2022 05:32:53.905:257) : avc:  denied  { name_bind } for  pid=8625 comm=pathd src=2621 scontext=system_u:system_r:frr_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(08/10/2022 05:32:53.905:257) : arch=x86_64 syscall=bind success=no exit=EACCES(Permission denied) a0=0xc a1=0x55e3ba44fdd0 a2=0x10 a3=0x7fff610c2bd4 items=0 ppid=8623 pid=8625 auid=unset uid=geoclue gid=flatpak euid=geoclue suid=geoclue fsuid=geoclue egid=flatpak sgid=flatpak fsgid=flatpak tty=(none) ses=unset comm=pathd exe=/usr/libexec/frr/pathd subj=system_u:system_r:frr_t:s0 key=(null)
type=SOCKADDR msg=audit(08/10/2022 05:32:53.905:257) : saddr={ saddr_fam=inet laddr=127.0.0.1 lport=2621 }

Resolves: rhbz#2117262
2022-08-19 10:30:23 +00:00
Zdenek Pytela
1e7608b86e Allow frr_t create /root/.history_frr with a private type
The file can be created when the frr service starts, so
a file transition is needed to be defined in the policy.
2022-08-10 10:09:25 +02:00
Michal Ruprich
9408b0b09e Packaging SELinux policy for FRR 2022-07-28 13:35:19 +02:00