Bug 2216911

Summary: SELinux is preventing FRR-Zebra to access to network namespaces.
Product: Red Hat Enterprise Linux 8 Reporter: Michal Ruprich <mruprich>
Component: frrAssignee: Michal Ruprich <mruprich>
Status: VERIFIED --- QA Contact: František Hrdina <fhrdina>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 8.9CC: arshad.rad, extras-qa, fhrdina, mmalik, mruprich, tkorbar, zpytela
Target Milestone: rcKeywords: AutoVerified, Triaged
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: frr-7.5.1-12.el8 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 2216073 Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Michal Ruprich 2023-06-23 08:12:19 UTC 
+++ This bug was initially created as a clone of Bug #2216073 +++

SELinux is preventing FRR-Zebra to access to network namespaces.

sudo audit2why -i /var/log/audit/audit.log
type=AVC msg=audit(1687223395.771:44136): avc:  denied  { read } for  pid=21815 comm="zebra" name="netns" dev="tmpfs" ino=1715 scontext=system_u:system_r:frr_t:s0 tcontext=unconfined_u:object_r:ifconfig_var_run_t:s0 tclass=dir permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.
		You can use audit2allow to generate a loadable module to allow this access.
....
sudo audit2allow -i /var/log/audit/audit.log
#============= frr_t ==============
allow frr_t ifconfig_var_run_t:dir { read watch };

Source Context               system_u:system_r:frr_t:s0
Target Context               unconfined_u:object_r:ifconfig_var_run_t:s0
frr                          8.5-1.fc37
selinux-policy               37.21-2.fc37
selinux-policy-targeted      37.21-2.fc37

Reproducible: Always

Steps to Reproduce:
1. Install FRR 8.5 
2. Create a network namespace through ip netns add my-ns
3. Add -n switch to the zebra option at /etc/frr/daemons
4. Restart FRR
5. Login to FRR 

Actual Results:  
The VRF based on the network namespace is not available.

Expected Results:  
vrf my-ns
 netns /run/netns/my-ns
exit-vrf

Kernel: 5.19.16-301.fc37.x86_64
Comment 1 Michal Ruprich 2023-06-23 08:24:59 UTC 
With RHEL8 I see read and getattr calls:

type=PROCTITLE msg=audit(06/23/2023 03:55:40.133:309) : proctitle=/usr/libexec/frr/zebra -d -F traditional -A 127.0.0.1 -s 90000000 -n 
type=SYSCALL msg=audit(06/23/2023 03:55:40.133:309) : arch=x86_64 syscall=inotify_add_watch success=no exit=EACCES(Permission denied) a0=0xf a1=0x5644b8faf578 a2=0x300 a3=0x3e items=0 ppid=6780 pid=6793 auid=unset uid=frr gid=frr euid=frr suid=frr fsuid=frr egid=frr sgid=frr fsgid=frr tty=(none) ses=unset comm=zebra exe=/usr/libexec/frr/zebra subj=system_u:system_r:frr_t:s0 key=(null) 
type=AVC msg=audit(06/23/2023 03:55:40.133:309) : avc:  denied  { read } for  pid=6793 comm=zebra name=netns dev="tmpfs" ino=38646 scontext=system_u:system_r:frr_t:s0 tcontext=unconfined_u:object_r:ifconfig_var_run_t:s0 tclass=dir permissive=0 
----
type=PROCTITLE msg=audit(06/23/2023 03:55:54.574:311) : proctitle=/usr/libexec/frr/zebra -d -F traditional -A 127.0.0.1 -s 90000000 -n 
type=SYSCALL msg=audit(06/23/2023 03:55:54.574:311) : arch=x86_64 syscall=lstat success=no exit=EACCES(Permission denied) a0=0x7fadfa93e120 a1=0x7ffdd2f09f10 a2=0x7ffdd2f09f10 a3=0x0 items=0 ppid=1 pid=6794 auid=unset uid=frr gid=frr euid=frr suid=frr fsuid=frr egid=frr sgid=frr fsgid=frr tty=(none) ses=unset comm=zebra exe=/usr/libexec/frr/zebra subj=system_u:system_r:frr_t:s0 key=(null) 
type=AVC msg=audit(06/23/2023 03:55:54.574:311) : avc:  denied  { getattr } for  pid=6794 comm=zebra path=/run/netns/my-ns dev="nsfs" ino=4026532186 scontext=system_u:system_r:frr_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=file permissive=0
Comment 2 Michal Ruprich 2023-06-23 12:14:20 UTC 
Same scenario with permissive mode:

type=PROCTITLE msg=audit(06/23/2023 08:11:58.380:323) : proctitle=/usr/libexec/frr/zebra -d -F traditional -A 127.0.0.1 -s 90000000 -n 
type=SYSCALL msg=audit(06/23/2023 08:11:58.380:323) : arch=x86_64 syscall=openat success=yes exit=15 a0=AT_FDCWD a1=0x55fa4eb1d578 a2=O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC a3=0x0 items=0 ppid=6971 pid=6984 auid=unset uid=frr gid=frr euid=frr suid=frr fsuid=frr egid=frr sgid=frr fsgid=frr tty=(none) ses=unset comm=zebra exe=/usr/libexec/frr/zebra subj=system_u:system_r:frr_t:s0 key=(null) 
type=AVC msg=audit(06/23/2023 08:11:58.380:323) : avc:  denied  { read } for  pid=6984 comm=zebra name=netns dev="tmpfs" ino=38646 scontext=system_u:system_r:frr_t:s0 tcontext=unconfined_u:object_r:ifconfig_var_run_t:s0 tclass=dir permissive=1 
----
type=PROCTITLE msg=audit(06/23/2023 08:11:58.381:324) : proctitle=/usr/libexec/frr/zebra -d -F traditional -A 127.0.0.1 -s 90000000 -n 
type=SYSCALL msg=audit(06/23/2023 08:11:58.381:324) : arch=x86_64 syscall=newfstatat success=yes exit=0 a0=0xf a1=0x55fa4f6f7c13 a2=0x7ffdd2068410 a3=0x0 items=0 ppid=6971 pid=6984 auid=unset uid=frr gid=frr euid=frr suid=frr fsuid=frr egid=frr sgid=frr fsgid=frr tty=(none) ses=unset comm=zebra exe=/usr/libexec/frr/zebra subj=system_u:system_r:frr_t:s0 key=(null) 
type=AVC msg=audit(06/23/2023 08:11:58.381:324) : avc:  denied  { getattr } for  pid=6984 comm=zebra path=/run/netns/my-ns dev="nsfs" ino=4026532186 scontext=system_u:system_r:frr_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=file permissive=1 
----
type=PROCTITLE msg=audit(06/23/2023 08:11:58.381:325) : proctitle=/usr/libexec/frr/zebra -d -F traditional -A 127.0.0.1 -s 90000000 -n 
type=SYSCALL msg=audit(06/23/2023 08:11:58.381:325) : arch=x86_64 syscall=openat success=yes exit=16 a0=AT_FDCWD a1=0x7f82ec3d7120 a2=O_RDONLY a3=0x0 items=0 ppid=6971 pid=6984 auid=unset uid=frr gid=frr euid=frr suid=frr fsuid=frr egid=frr sgid=frr fsgid=frr tty=(none) ses=unset comm=zebra exe=/usr/libexec/frr/zebra subj=system_u:system_r:frr_t:s0 key=(null) 
type=AVC msg=audit(06/23/2023 08:11:58.381:325) : avc:  denied  { open } for  pid=6984 comm=zebra path=/run/netns/my-ns dev="nsfs" ino=4026532186 scontext=system_u:system_r:frr_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=file permissive=1 
type=AVC msg=audit(06/23/2023 08:11:58.381:325) : avc:  denied  { read } for  pid=6984 comm=zebra dev="nsfs" ino=4026532186 scontext=system_u:system_r:frr_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=file permissive=1