Bug 2216911
| Summary: | SELinux is preventing FRR-Zebra to access to network namespaces. | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Michal Ruprich <mruprich> |
| Component: | frr | Assignee: | Michal Ruprich <mruprich> |
| Status: | VERIFIED --- | QA Contact: | František Hrdina <fhrdina> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 8.9 | CC: | arshad.rad, extras-qa, fhrdina, mmalik, mruprich, tkorbar, zpytela |
| Target Milestone: | rc | Keywords: | AutoVerified, Triaged |
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | frr-7.5.1-12.el8 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | 2216073 | Environment: | |
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Michal Ruprich
2023-06-23 08:12:19 UTC
With RHEL8 I see read and getattr calls:
type=PROCTITLE msg=audit(06/23/2023 03:55:40.133:309) : proctitle=/usr/libexec/frr/zebra -d -F traditional -A 127.0.0.1 -s 90000000 -n
type=SYSCALL msg=audit(06/23/2023 03:55:40.133:309) : arch=x86_64 syscall=inotify_add_watch success=no exit=EACCES(Permission denied) a0=0xf a1=0x5644b8faf578 a2=0x300 a3=0x3e items=0 ppid=6780 pid=6793 auid=unset uid=frr gid=frr euid=frr suid=frr fsuid=frr egid=frr sgid=frr fsgid=frr tty=(none) ses=unset comm=zebra exe=/usr/libexec/frr/zebra subj=system_u:system_r:frr_t:s0 key=(null)
type=AVC msg=audit(06/23/2023 03:55:40.133:309) : avc: denied { read } for pid=6793 comm=zebra name=netns dev="tmpfs" ino=38646 scontext=system_u:system_r:frr_t:s0 tcontext=unconfined_u:object_r:ifconfig_var_run_t:s0 tclass=dir permissive=0
----
type=PROCTITLE msg=audit(06/23/2023 03:55:54.574:311) : proctitle=/usr/libexec/frr/zebra -d -F traditional -A 127.0.0.1 -s 90000000 -n
type=SYSCALL msg=audit(06/23/2023 03:55:54.574:311) : arch=x86_64 syscall=lstat success=no exit=EACCES(Permission denied) a0=0x7fadfa93e120 a1=0x7ffdd2f09f10 a2=0x7ffdd2f09f10 a3=0x0 items=0 ppid=1 pid=6794 auid=unset uid=frr gid=frr euid=frr suid=frr fsuid=frr egid=frr sgid=frr fsgid=frr tty=(none) ses=unset comm=zebra exe=/usr/libexec/frr/zebra subj=system_u:system_r:frr_t:s0 key=(null)
type=AVC msg=audit(06/23/2023 03:55:54.574:311) : avc: denied { getattr } for pid=6794 comm=zebra path=/run/netns/my-ns dev="nsfs" ino=4026532186 scontext=system_u:system_r:frr_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=file permissive=0
Same scenario with permissive mode:
type=PROCTITLE msg=audit(06/23/2023 08:11:58.380:323) : proctitle=/usr/libexec/frr/zebra -d -F traditional -A 127.0.0.1 -s 90000000 -n
type=SYSCALL msg=audit(06/23/2023 08:11:58.380:323) : arch=x86_64 syscall=openat success=yes exit=15 a0=AT_FDCWD a1=0x55fa4eb1d578 a2=O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC a3=0x0 items=0 ppid=6971 pid=6984 auid=unset uid=frr gid=frr euid=frr suid=frr fsuid=frr egid=frr sgid=frr fsgid=frr tty=(none) ses=unset comm=zebra exe=/usr/libexec/frr/zebra subj=system_u:system_r:frr_t:s0 key=(null)
type=AVC msg=audit(06/23/2023 08:11:58.380:323) : avc: denied { read } for pid=6984 comm=zebra name=netns dev="tmpfs" ino=38646 scontext=system_u:system_r:frr_t:s0 tcontext=unconfined_u:object_r:ifconfig_var_run_t:s0 tclass=dir permissive=1
----
type=PROCTITLE msg=audit(06/23/2023 08:11:58.381:324) : proctitle=/usr/libexec/frr/zebra -d -F traditional -A 127.0.0.1 -s 90000000 -n
type=SYSCALL msg=audit(06/23/2023 08:11:58.381:324) : arch=x86_64 syscall=newfstatat success=yes exit=0 a0=0xf a1=0x55fa4f6f7c13 a2=0x7ffdd2068410 a3=0x0 items=0 ppid=6971 pid=6984 auid=unset uid=frr gid=frr euid=frr suid=frr fsuid=frr egid=frr sgid=frr fsgid=frr tty=(none) ses=unset comm=zebra exe=/usr/libexec/frr/zebra subj=system_u:system_r:frr_t:s0 key=(null)
type=AVC msg=audit(06/23/2023 08:11:58.381:324) : avc: denied { getattr } for pid=6984 comm=zebra path=/run/netns/my-ns dev="nsfs" ino=4026532186 scontext=system_u:system_r:frr_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=file permissive=1
----
type=PROCTITLE msg=audit(06/23/2023 08:11:58.381:325) : proctitle=/usr/libexec/frr/zebra -d -F traditional -A 127.0.0.1 -s 90000000 -n
type=SYSCALL msg=audit(06/23/2023 08:11:58.381:325) : arch=x86_64 syscall=openat success=yes exit=16 a0=AT_FDCWD a1=0x7f82ec3d7120 a2=O_RDONLY a3=0x0 items=0 ppid=6971 pid=6984 auid=unset uid=frr gid=frr euid=frr suid=frr fsuid=frr egid=frr sgid=frr fsgid=frr tty=(none) ses=unset comm=zebra exe=/usr/libexec/frr/zebra subj=system_u:system_r:frr_t:s0 key=(null)
type=AVC msg=audit(06/23/2023 08:11:58.381:325) : avc: denied { open } for pid=6984 comm=zebra path=/run/netns/my-ns dev="nsfs" ino=4026532186 scontext=system_u:system_r:frr_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=file permissive=1
type=AVC msg=audit(06/23/2023 08:11:58.381:325) : avc: denied { read } for pid=6984 comm=zebra dev="nsfs" ino=4026532186 scontext=system_u:system_r:frr_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=file permissive=1
|