Bug 1714984

Summary: SELinux policy (daemons) changes required for package: frr
Product: Red Hat Enterprise Linux 8 Reporter: rhel-prp-maitai <rhel-prp-maitai>
Component: frrAssignee: Michal Ruprich <mruprich>
Status: CLOSED ERRATA QA Contact: František Hrdina <fhrdina>
Severity: unspecified Docs Contact: Šárka Jana <sjanderk>
Priority: unspecified    
Version: 8.1CC: drusek, fhrdina, lvrabec, michele, mmalik, mruprich, mschena, pkoncity, plautrba, sjanderk, ssekidde, sujagtap, zpytela
Target Milestone: rcKeywords: AutoVerified, Reopened, Triaged
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: frr-7.5.1-3.el8 Doc Type: Bug Fix
Doc Text:
.The `frr` binary files and scripts have a new location Previously, the `frr` package for managing dynamic routing stack contained its binary files and scripts in the `/usr/lib/frr` directory, which caused certain issues when applying the new targeted SELinux policy. Consequently, SELinux logged denial messages in access vector cache (AVC) and prevented `frr` from starting properly. With this update, `/usr/libexec/frr` is the new location of the `frr` binary files and scripts. As a result, SELinux applies rules for binaries and scripts in `/usr/libexec/frr` and for other `frr` libraries in `/usr/lib64/frr` separately, and no longer produces denial messages.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2022-11-08 09:39:31 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1657029, 1726199, 1776342    

Comment 5 Milos Malik 2019-08-29 08:45:59 UTC 
If the nis_enabled boolean is switched off then following programs require a name_bind access to following ports:
nhrpd -> tcp/2610
eigrpd -> tcp/2613
pbrd -> tcp/2615
staticd -> tcp/2616
fabricd -> tcp/2618
bfdd -> udp/3784
Comment 19 Lukas Vrabec 2019-11-26 14:35:58 UTC 
*** Bug 1776349 has been marked as a duplicate of this bug. ***
Comment 25 Patrik Koncity 2021-01-26 10:04:58 UTC 
PR : https://github.com/fedora-selinux/selinux-policy/pull/547
Comment 27 Zdenek Pytela 2021-02-10 17:11:01 UTC 
Resetting ITR as further clarification from frr developers is needed.
Comment 31 RHEL Program Management 2021-04-21 07:31:15 UTC 
After evaluating this issue, there are no plans to address it further or fix it in an upcoming release.  Therefore, it is being closed.  If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.
Comment 32 Maurizio Schena 2021-07-26 11:49:14 UTC 
Reopening the BZ again as we have a new customer affected by this.
Comment 34 Zdenek Pytela 2022-06-14 16:09:18 UTC 
Switching the component to frr based on preliminary agreement with the team.
Comment 54 errata-xmlrpc 2022-11-08 09:39:31 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (frr bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:7560