Bug 2216912

Summary: SELinux is preventing FRR-Zebra to access to network namespaces.
Product: Red Hat Enterprise Linux 9 Reporter: Michal Ruprich <mruprich>
Component: frrAssignee: Michal Ruprich <mruprich>
Status: CLOSED ERRATA QA Contact: František Hrdina <fhrdina>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 9.3CC: arshad.rad, extras-qa, fhrdina, mmalik, mruprich, tkorbar, zpytela
Target Milestone: rcKeywords: Triaged
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: frr-8.3.1-10.el9 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 2216073 Environment:
Last Closed: 2023-11-07 08:32:59 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Michal Ruprich 2023-06-23 08:21:29 UTC 
+++ This bug was initially created as a clone of Bug #2216073 +++

SELinux is preventing FRR-Zebra to access to network namespaces.

sudo audit2why -i /var/log/audit/audit.log
type=AVC msg=audit(1687223395.771:44136): avc:  denied  { read } for  pid=21815 comm="zebra" name="netns" dev="tmpfs" ino=1715 scontext=system_u:system_r:frr_t:s0 tcontext=unconfined_u:object_r:ifconfig_var_run_t:s0 tclass=dir permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.
		You can use audit2allow to generate a loadable module to allow this access.
....
sudo audit2allow -i /var/log/audit/audit.log
#============= frr_t ==============
allow frr_t ifconfig_var_run_t:dir { read watch };

Source Context               system_u:system_r:frr_t:s0
Target Context               unconfined_u:object_r:ifconfig_var_run_t:s0
frr                          8.5-1.fc37
selinux-policy               37.21-2.fc37
selinux-policy-targeted      37.21-2.fc37

Reproducible: Always

Steps to Reproduce:
1. Install FRR 8.5 
2. Create a network namespace through ip netns add my-ns
3. Add -n switch to the zebra option at /etc/frr/daemons
4. Restart FRR
5. Login to FRR 

Actual Results:  
The VRF based on the network namespace is not available.

Expected Results:  
vrf my-ns
 netns /run/netns/my-ns
exit-vrf

Kernel: 5.19.16-301.fc37.x86_64
Comment 1 Michal Ruprich 2023-06-23 08:24:19 UTC 
With RHEL9 I see just read call that is being deined:

type=PROCTITLE msg=audit(06/23/2023 04:02:57.168:303) : proctitle=/usr/libexec/frr/zebra -d -F traditional -A 127.0.0.1 -s 90000000 -n 
type=SYSCALL msg=audit(06/23/2023 04:02:57.168:303) : arch=x86_64 syscall=inotify_add_watch success=no exit=EACCES(Permission denied) a0=0x10 a1=0x5617f9dd0ece a2=0x300 a3=0xffffffff items=0 ppid=7382 pid=7392 auid=unset uid=frr gid=frr euid=frr suid=frr fsuid=frr egid=frr sgid=frr fsgid=frr tty=(none) ses=unset comm=zebra exe=/usr/libexec/frr/zebra subj=system_u:system_r:frr_t:s0 key=(null) 
type=AVC msg=audit(06/23/2023 04:02:57.168:303) : avc:  denied  { read } for  pid=7392 comm=zebra name=netns dev="tmpfs" ino=1016 scontext=system_u:system_r:frr_t:s0 tcontext=unconfined_u:object_r:ifconfig_var_run_t:s0 tclass=dir permissive=0
Comment 2 Michal Ruprich 2023-06-23 12:16:04 UTC 
Same scenario in permissive mode:

type=PROCTITLE msg=audit(06/23/2023 08:15:17.541:331) : proctitle=/usr/libexec/frr/zebra -d -F traditional -A 127.0.0.1 -s 90000000 -n 
type=SYSCALL msg=audit(06/23/2023 08:15:17.541:331) : arch=x86_64 syscall=openat success=yes exit=16 a0=AT_FDCWD a1=0x55b1aea6cece a2=O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC a3=0x0 items=0 ppid=7623 pid=7633 auid=unset uid=frr gid=frr euid=frr suid=frr fsuid=frr egid=frr sgid=frr fsgid=frr tty=(none) ses=unset comm=zebra exe=/usr/libexec/frr/zebra subj=system_u:system_r:frr_t:s0 key=(null) 
type=AVC msg=audit(06/23/2023 08:15:17.541:331) : avc:  denied  { read } for  pid=7633 comm=zebra name=netns dev="tmpfs" ino=1016 scontext=system_u:system_r:frr_t:s0 tcontext=unconfined_u:object_r:ifconfig_var_run_t:s0 tclass=dir permissive=1 
----
type=PROCTITLE msg=audit(06/23/2023 08:15:17.541:332) : proctitle=/usr/libexec/frr/zebra -d -F traditional -A 127.0.0.1 -s 90000000 -n 
type=SYSCALL msg=audit(06/23/2023 08:15:17.541:332) : arch=x86_64 syscall=inotify_add_watch success=yes exit=1 a0=0x10 a1=0x55b1aea6cece a2=0x300 a3=0x7ffc5a347080 items=0 ppid=7623 pid=7633 auid=unset uid=frr gid=frr euid=frr suid=frr fsuid=frr egid=frr sgid=frr fsgid=frr tty=(none) ses=unset comm=zebra exe=/usr/libexec/frr/zebra subj=system_u:system_r:frr_t:s0 key=(null) 
type=AVC msg=audit(06/23/2023 08:15:17.541:332) : avc:  denied  { watch } for  pid=7633 comm=zebra path=/run/netns dev="tmpfs" ino=1016 scontext=system_u:system_r:frr_t:s0 tcontext=unconfined_u:object_r:ifconfig_var_run_t:s0 tclass=dir permissive=1
Comment 7 Milos Malik 2023-07-27 15:32:05 UTC 
The modified automated TC executed on Fedora 38 found another SELinux denial:
----
type=PROCTITLE msg=audit(07/27/2023 11:26:31.692:622) : proctitle=/usr/libexec/frr/bfdd -d -F traditional -A 127.0.0.1 
type=SOCKADDR msg=audit(07/27/2023 11:26:31.692:622) : saddr={ saddr_fam=packet (unsupported) } 
type=SYSCALL msg=audit(07/27/2023 11:26:31.692:622) : arch=x86_64 syscall=bind success=no exit=EACCES(Permission denied) a0=0xf a1=0x7ffeb8c5a000 a2=0x14 a3=0x7ffeb8c59ff0 items=0 ppid=7818 pid=7903 auid=unset uid=frr gid=frr euid=frr suid=frr fsuid=frr egid=frr sgid=frr fsgid=frr tty=(none) ses=unset comm=bfdd exe=/usr/libexec/frr/bfdd subj=system_u:system_r:frr_t:s0 key=(null) 
type=AVC msg=audit(07/27/2023 11:26:31.692:622) : avc:  denied  { bind } for  pid=7903 comm=bfdd scontext=system_u:system_r:frr_t:s0 tcontext=system_u:system_r:frr_t:s0 tclass=packet_socket permissive=0 
----

# rpm -qa selinux\* frr\* | sort
frr-8.5.2-1.fc38.x86_64
frr-selinux-8.5.2-1.fc38.noarch
selinux-policy-38.21-1.fc38.noarch
selinux-policy-devel-38.21-1.fc38.noarch
selinux-policy-targeted-38.21-1.fc38.noarch
#
Comment 8 Milos Malik 2023-07-27 15:33:53 UTC 
If you need me to file the comment#7 issue as a new bug, let me know.
Comment 9 Zdenek Pytela 2023-08-01 07:44:10 UTC 
The additional denial from #c7 should be addressed by:
https://src.fedoraproject.org/rpms/frr/pull-request/33
Comment 24 errata-xmlrpc 2023-11-07 08:32:59 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: frr security and bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:6434