RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1939516 - frr service cannot reload itself, due to executing in the wrong SELinux context
Summary: frr service cannot reload itself, due to executing in the wrong SELinux context
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: frr
Version: 8.3
Hardware: All
OS: Linux
medium
medium
Target Milestone: rc
: ---
Assignee: Michal Ruprich
QA Contact: František Hrdina
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2021-03-16 14:50 UTC by Renaud Métrich
Modified: 2024-06-14 00:50 UTC (History)
2 users (show)

Fixed In Version: frr-7.5.1-6.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-05-16 08:30:22 UTC
Type: Bug
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:2801 0 None None None 2023-05-16 08:30:29 UTC

Description Renaud Métrich 2021-03-16 14:50:02 UTC 
Description of problem:

A customer reported that frr service could not be reloaded because of the following exception message showing up:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
frr[29623]: Applying only incremental changes to running configuration from frr.conf
frr[29623]: Traceback (most recent call last):
frr[29623]:   File "/usr/lib/frr/frr-reload.py", line 1099, in <module>
frr[29623]:     format='%(asctime)s %(levelname)5s: %(message)s')
frr[29623]:   File "/usr/lib64/python3.6/logging/__init__.py", line 1808, in basicConfig
frr[29623]:     h = FileHandler(filename, mode)
frr[29623]:   File "/usr/lib64/python3.6/logging/__init__.py", line 1032, in __init__
frr[29623]:     StreamHandler.__init__(self, self._open())
frr[29623]:   File "/usr/lib64/python3.6/logging/__init__.py", line 1061, in _open
frr[29623]:     return open(self.baseFilename, self.mode, encoding=self.encoding)
frr[29623]: PermissionError: [Errno 13] Permission denied: '/var/log/frr/frr-reload.log'
systemd[1]: frr.service: Control process exited, code=exited status=1
systemd[1]: Reload failed for FRRouting (FRR).
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Related AVC:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
type=AVC ... : avc:  denied  { create } for  pid=29623 comm=frr-reload.py name=frr-reload.log scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0 
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

The reason for this is frr executable are executing in the context of systemd (init_t) because /usr/lib/frr/frr is labeled with lib_t, which is not adequate.
Since RHEL8, init_t is now a confined domain, so it's not capable of writing generic logs labeled with var_log_t.

Please explain what this service is doing so that we can understand which context is suitable for the executables.
IMO, the appropriate context would be something like initrc_exec_t, which would let the processes transition to initrc_t and be able to write generic logs.

Once determined, this BZ will have to be moved to SELinux to update the policy.


Version-Release number of selected component (if applicable):

frr-7.0-10.el8.x86_64


How reproducible:

Always on customer system, didn't try on my system (I don't know which configuration is needed to execute frr service).

Steps to Reproduce:
1. start the service
2. reload the service

Actual results:

Failure to reload + AVC

Expected results:

No AVC
Comment 1 Michal Ruprich 2021-04-27 08:09:35 UTC 
Hi,

seems like the reload script from the Upstream is a complete mess. Basically even if we use non-integrated configs(separate .conf files for each daemon), the reload script needs frr.conf to be present and to have some content for this to work, otherwise there are many errors with this:

Scenario 1 - no frr.conf(I believe that in 7.0 version of frr, the frr.conf was not even used at that time, so I don't know why this should happen):
1. systemctl start frr
2. systemctl reload frr
Job for frr.service failed.
See "systemctl status frr.service" and "journalctl -xe" for details.
3. systemctl status -l frr
frr[20552]: Unable to read configuration file /etc/frr/frr.conf. Only supporting integrated config
frr.service: frr.service: Control process exited, code=exited status=1
systemd[1]: Reload failed for FRRouting (FRR).

Scenario 2 - create empty /etc/frr/frr.conf:
1. systemctl start frr
2. touch /etc/frr/frr.conf
3. systemctl reload frr

As a result - you get the AVC and permission errors and the traceback that is desrcibed in this bug.

Senario 3 - create /var/log/frr/frr-reload.py:
1. systemctl start frr
2. touch /var/log/frr/frr-reload.py
3. systemctl reload frr

FRR complains that the frr.conf is empty and the reload process exits with code 1

Scenario 4 - have some nonsense content in frr.conf:
1. systemctl start frr
2. echo hello > /etc/frr/frr.conf
3. systemctl reload frr
Apr 27 03:07:39 ci-vm-10-0-138-102.hosted.upshift.rdu2.redhat.com frr[20624]: subprocess.CalledProcessError: Command '['/usr/bin/vtysh', '-m', '-f', '/etc/frr/frr.conf']' returned non-zero exit status 2.
frr[20624]: During handling of the above exception, another exception occurred:
frr[20624]: Traceback (most recent call last):
frr[20624]:   File "/usr/lib/frr/frr-reload.py", line 1145, in <module>
frr[20624]:     newconf.load_from_file(args.filename)
frr[20624]:   File "/usr/lib/frr/frr-reload.py", line 131, in load_from_file
frr[20624]:     raise ve
frr[20624]: __main__.VtyshMarkException: Command '['/usr/bin/vtysh', '-m', '-f', '/etc/frr/frr.conf']' returned non-zero exit status 2.
systemd[1]: frr.service: Control process exited, code=exited status=1
systemd[1]: Reload failed for FRRouting (FRR).

A different traceback because the config option is nonsense.

Scenario 5 - have some config in frr.conf that makes sense:
1. systemctl start frr
2. echo "bgp extcommunity-list standard user permit rt 65001:80"  > /etc/frr/frr.conf
3. systemctl reload frr

Success but the problem now is, that frr ignores all other config files for other daemons and only reads from frr.conf. This should not happen in 7.0 because at that time, all configs were being read from separate config files.

The bottom line is, that apparently the reload script at the time was already prepared for integrated configuration(one config to rule them all - frr.conf) and it is not complatible with our version of FRR in RHEL8. Even the newer version in RHEL-8.4.0 where we use 'no service integrated-vtysh-config' in vtysh.conf to disable integrated configuration, is unable to use the reload command. When you try, following error is produced:
frr[21133]: 'service integrated-vtysh-config' is not configured, this is required for 'service frr reload'
systemd[1]: frr.service: Control process exited, code=exited status=1

I don't see a way out of this in RHEL8 unless the user wants to use the integrated frr.conf for all daemons. The good thing here is, that the reload script does not break the running instance of frr.
Comment 2 Michal Ruprich 2021-04-27 10:53:03 UTC 
I thought that a change similar to this would help with the SELinux issue:
https://src.fedoraproject.org/rpms/frr/c/c0bc1c720af50804bdea5a39a74032e9821cd6f5?branch=rawhide

But there seems to be something hardwired in the older version. I know that this is not ideal but at this point I would simply recommend not to use the reload function with frr. If the customer insists that they absolutely need this to work, please let me know and I will dig into it and try to fix it. My conclusion is that the reload was not meant to be used for this version of FRR, but it is already there so we need to figure this out.
Comment 3 Renaud Métrich 2021-04-27 11:08:21 UTC 
I think you are right, the path /usr/lib/ffr is not correct since there is no reason ffr would execute in init_t context (which is implied here since /usr/lib is labeled with lib_t).
Whereas with /usr/libexec, this would end up becoming unconfined_service_t.
Comment 4 Jiri Baum 2021-04-27 22:19:06 UTC 
Note that there is a variant of scenario 5 which fails:

Scenario 5b - have some config in frr.conf that makes sense before starting frr:
1. echo "bgp extcommunity-list standard user permit rt 65001:80"  > /etc/frr/frr.conf
2. systemctl start frr
3. systemctl reload frr

Fails with the SELinux error.
 

This is the natural order when writing an Ansible playbook to configure a host - first template out the config files, then start the service, then do a (superfluous) reload.
Comment 5 Renaud Métrich 2021-04-28 06:55:00 UTC 
Hi Jiri,

Would it make sense to you to create a custom context for /usr/lib/frr at installation time of frr?

~~~
# semanage fcontext -a -t bin_t "/usr/lib/frr(/.*)?"
# restorecon -Fr /usr/lib/frr
~~~

This would mimic the Fedora frr which has binaries in /usr/libexec/frr instead of /usr/lib/frr, hence will make sure the service runs as unconfined_service_t.
Comment 6 Jiri Baum 2021-04-30 09:01:07 UTC 
Hi Renaud,

I'm not the maintainer of frr (or indeed any RHEL package), so I have no particular opinion on the details. I would expect scenario 5b to work out of the box, and I would expect scenarios 5 and 5b to have identical outcomes.
Comment 7 Renaud Métrich 2021-04-30 09:12:05 UTC 
Hi Jiri, sure I know you are not the maintainer.
It's just a proposal to test that the solution above would be acceptable to you.
If so I will then create a KCS linked to the Red Hat case you opened some time ago to deal with this.
Comment 8 Jiri Baum 2021-04-30 10:59:03 UTC 
I'm afraid I don't have the SELinux expertise to evaluate the proposal, sorry!
Comment 9 Michal Ruprich 2021-05-03 13:35:01 UTC 
(In reply to Jiri Baum from comment #4)
> Note that there is a variant of scenario 5 which fails:
> 
> Scenario 5b - have some config in frr.conf that makes sense before starting
> frr:
> 1. echo "bgp extcommunity-list standard user permit rt 65001:80"  >
> /etc/frr/frr.conf
> 2. systemctl start frr
> 3. systemctl reload frr
> 
> Fails with the SELinux error.
>  
> 
> This is the natural order when writing an Ansible playbook to configure a
> host - first template out the config files, then start the service, then do
> a (superfluous) reload.

Hi Jiri,

but the point of reload command(at least for FRR here) is to apply config changes without reloading the service. Ideally this scenario 5b should work since there are no changes in the config between start and reload. The scenario 5 should simulate the situation where you start the service, let it run for a while, add some config and just reload. Like I said in comment #1, the reload script is a mess.

Michal
Comment 10 Jiri Baum 2021-05-04 00:27:04 UTC 
Hi Michal,

Exactly, scenarios 5 and 5b should both work.

Currently, only 5 works and 5b fails.


Jiri
Comment 29 errata-xmlrpc 2023-05-16 08:30:22 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: frr security and bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:2801
Note You need to log in before you can comment on or make changes to this bug.