Routing daemon
de8d85febb
Selinux policy changes:
- Allow watch,read on /var/run/netns directory and its content
- Add sys_admin capability
It seems like sys_admin is needed because frr is using setns function to change the actual namespace. Full log here:
type=PROCTITLE msg=audit(06/29/2023 03:42:07.692:559) : proctitle=/usr/libexec/frr/zebra -d -F traditional -A 127.0.0.1 -s 90000000 -n
type=SYSCALL msg=audit(06/29/2023 03:42:07.692:559) : arch=x86_64 syscall=setns success=no exit=EPERM(Operation not permitted) a0=0x11 a1=CLONE_NEWNET a2=0x0 a3=0x0 items=0 ppid=3692 pid=3701 auid=unset uid=frr gid=frr euid=frr suid=frr fsuid=frr egid=frr sgid=frr fsgid=frr tty=(none) ses=unset comm=zebra exe=/usr/libexec/frr/zebra subj=system_u:system_r:frr_t:s0 key=(null)
type=AVC msg=audit(06/29/2023 03:42:07.692:559) : avc: denied { sys_admin } for pid=3701 comm=zebra capability=sys_admin scontext=system_u:system_r:frr_t:s0 tcontext=system_u:system_r:frr_t:s0 tclass=capability permissive=0
Resolves: #2216073 - SELinux is preventing FRR-Zebra to access to network namespaces
|
||
|---|---|---|
| .fmf | ||
| plans | ||
| .gitignore | ||
| 0000-remove-babeld-and-ldpd.patch | ||
| 0002-enable-openssl.patch | ||
| 0003-disable-eigrp-crypto.patch | ||
| 0004-fips-mode.patch | ||
| 0005-remove-grpc-test.patch | ||
| frr-sysusers.conf | ||
| frr-tmpfiles.conf | ||
| frr.fc | ||
| frr.if | ||
| frr.spec | ||
| frr.te | ||
| gating.yaml | ||
| README.md | ||
| sources | ||
frr
The frr package