Bug 2216073
| Summary: | SELinux is preventing FRR-Zebra to access to network namespaces. | |||
|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Mehrdad Arshad Rad <arshad.rad> | |
| Component: | frr | Assignee: | Michal Ruprich <mruprich> | |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | |
| Severity: | medium | Docs Contact: | ||
| Priority: | unspecified | |||
| Version: | 37 | CC: | fhrdina, mruprich, tkorbar, zpytela | |
| Target Milestone: | --- | |||
| Target Release: | --- | |||
| Hardware: | x86_64 | |||
| OS: | Linux | |||
| Whiteboard: | ||||
| Fixed In Version: | frr-8.5.2-1.fc37 frr-8.5.2-1.fc38 | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 2216911 2216912 (view as bug list) | Environment: | ||
| Last Closed: | 2023-07-10 00:36:44 UTC | Type: | --- | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
Thanks for the bug, this will most likely need a new interface to get the to get the new type. Working on it. Adding a more verbose log of the two AVCs in permissive mode:
type=PROCTITLE msg=audit(06/23/2023 08:22:31.898:570) : proctitle=/usr/libexec/frr/zebra -d -F traditional -A 127.0.0.1 -s 90000000 -n
type=PATH msg=audit(06/23/2023 08:22:31.898:570) : item=0 name=/var/run/netns inode=1194 dev=00:18 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:ifconfig_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(06/23/2023 08:22:31.898:570) : cwd=/
type=SYSCALL msg=audit(06/23/2023 08:22:31.898:570) : arch=x86_64 syscall=openat success=yes exit=16 a0=AT_FDCWD a1=0x5570b7faf7eb a2=O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC a3=0x0 items=1 ppid=1992 pid=2000 auid=unset uid=frr gid=frr euid=frr suid=frr fsuid=frr egid=frr sgid=frr fsgid=frr tty=(none) ses=unset comm=zebra exe=/usr/libexec/frr/zebra subj=system_u:system_r:frr_t:s0 key=(null)
type=AVC msg=audit(06/23/2023 08:22:31.898:570) : avc: denied { read } for pid=2000 comm=zebra name=netns dev="tmpfs" ino=1194 scontext=system_u:system_r:frr_t:s0 tcontext=unconfined_u:object_r:ifconfig_var_run_t:s0 tclass=dir permissive=1
----
type=PROCTITLE msg=audit(06/23/2023 08:22:31.899:571) : proctitle=/usr/libexec/frr/zebra -d -F traditional -A 127.0.0.1 -s 90000000 -n
type=PATH msg=audit(06/23/2023 08:22:31.899:571) : item=0 name=/var/run/netns inode=1194 dev=00:18 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:ifconfig_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(06/23/2023 08:22:31.899:571) : cwd=/
type=SYSCALL msg=audit(06/23/2023 08:22:31.899:571) : arch=x86_64 syscall=inotify_add_watch success=yes exit=1 a0=0x10 a1=0x5570b7faf7eb a2=0x300 a3=0x7ffe984db080 items=1 ppid=1992 pid=2000 auid=unset uid=frr gid=frr euid=frr suid=frr fsuid=frr egid=frr sgid=frr fsgid=frr tty=(none) ses=unset comm=zebra exe=/usr/libexec/frr/zebra subj=system_u:system_r:frr_t:s0 key=(null)
type=AVC msg=audit(06/23/2023 08:22:31.899:571) : avc: denied { watch } for pid=2000 comm=zebra path=/run/netns dev="tmpfs" ino=1194 scontext=system_u:system_r:frr_t:s0 tcontext=unconfined_u:object_r:ifconfig_var_run_t:s0 tclass=dir permissive=1
FEDORA-2023-a377c170bf has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-a377c170bf FEDORA-2023-4b6ee8514f has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2023-4b6ee8514f FEDORA-2023-4b6ee8514f has been pushed to the Fedora 37 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-4b6ee8514f` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-4b6ee8514f See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2023-a377c170bf has been pushed to the Fedora 38 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-a377c170bf` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-a377c170bf See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2023-4b6ee8514f has been pushed to the Fedora 37 stable repository. If problem still persists, please make note of it in this bug report. FEDORA-2023-a377c170bf has been pushed to the Fedora 38 stable repository. If problem still persists, please make note of it in this bug report. |
SELinux is preventing FRR-Zebra to access to network namespaces. sudo audit2why -i /var/log/audit/audit.log type=AVC msg=audit(1687223395.771:44136): avc: denied { read } for pid=21815 comm="zebra" name="netns" dev="tmpfs" ino=1715 scontext=system_u:system_r:frr_t:s0 tcontext=unconfined_u:object_r:ifconfig_var_run_t:s0 tclass=dir permissive=0 Was caused by: Missing type enforcement (TE) allow rule. You can use audit2allow to generate a loadable module to allow this access. .... sudo audit2allow -i /var/log/audit/audit.log #============= frr_t ============== allow frr_t ifconfig_var_run_t:dir { read watch }; Source Context system_u:system_r:frr_t:s0 Target Context unconfined_u:object_r:ifconfig_var_run_t:s0 frr 8.5-1.fc37 selinux-policy 37.21-2.fc37 selinux-policy-targeted 37.21-2.fc37 Reproducible: Always Steps to Reproduce: 1. Install FRR 8.5 2. Create a network namespace through ip netns add my-ns 3. Add -n switch to the zebra option at /etc/frr/daemons 4. Restart FRR 5. Login to FRR Actual Results: The VRF based on the network namespace is not available. Expected Results: vrf my-ns netns /run/netns/my-ns exit-vrf Kernel: 5.19.16-301.fc37.x86_64