Created attachment 1909619 [details]
log from zebra

Description of problem:

Lots of errors like:

Sep 05 13:35:53 foo.home.annexia.org zebra[1312]: [WVJCK-PPMGD][EC 4043309093] netlink-dp (NS 0) error: Operation not permitted, type=RTM_NEWNEXTHOP(104), seq=0, pid=2441373105
Sep 05 13:35:53 foo.home.annexia.org zebra[1312]: [WVJCK-PPMGD][EC 4043309093] netlink-dp (NS 0) error: Operation not permitted, type=RTM_NEWNEXTHOP(104), seq=2, pid=2441373105
Sep 05 13:35:53 foo.home.annexia.org zebra[1312]: [P2XBZ-RAFQ5][EC 4043309074] Failed to install Nexthop ID (3) into the kernel
Sep 05 13:35:53 foo.home.annexia.org zebra[1312]: [P2XBZ-RAFQ5][EC 4043309074] Failed to install Nexthop ID (4) into the kernel
Sep 05 13:35:54 foo.home.annexia.org zebra[1312]: [WVJCK-PPMGD][EC 4043309093] netlink-dp (NS 0) error: Operation not permitted, type=RTM_NEWNEXTHOP(104), seq=4, pid=2441373105
Sep 05 13:35:54 foo.home.annexia.org zebra[1312]: [WVJCK-PPMGD][EC 4043309093] netlink-dp (NS 0) error: Operation not permitted, type=RTM_NEWNEXTHOP(104), seq=6, pid=2441373105
Sep 05 13:35:54 foo.home.annexia.org zebra[1312]: [WVJCK-PPMGD][EC 4043309093] netlink-dp (NS 0) error: Operation not permitted, type=RTM_NEWROUTE(24), seq=7, pid=2441373105
Sep 05 13:35:54 foo.home.annexia.org zebra[1312]: [P2XBZ-RAFQ5][EC 4043309074] Failed to install Nexthop ID (4) into the kernel
Sep 05 13:35:54 foo.home.annexia.org zebra[1312]: [P2XBZ-RAFQ5][EC 4043309074] Failed to install Nexthop ID (8) into the kernel
Sep 05 13:35:54 foo.home.annexia.org zebra[1312]: [VYKYC-709DP] default(0:254):10.0.0.0/8: Route install failed

Version-Release number of selected component (if applicable):

frr-8.2.2-10.fc37.x86_64
kernel-5.19.6-300.fc37.x86_64

How reproducible:

100%
Seemed to start after updating from F35 to F37

Steps to Reproduce:
1. Use ripd
Adding the extra SELinux policy suggested for bug 2124253 did *not* fix this bug, so there appear to be two separate issues with F37.
Hi Richard, can you please share the ripd config that you are using? Anything in /var/log/audit/audit.log that would be relevant for FRR apart from bug #2124253? Thanks and regards, Michal
frr.conf is:

----------
hostname ***
password ***
debug rip events
debug rip packet
interface wlp61s0
 ip rip receive version 2
 ip rip send version 2
router rip
 network wlp61s0
log syslog
----------
Everything in audit.log that contains /\b(frr|zebra|ripd)\b/ is below. It looks like that's only things related to the selinux issues from the other bug however. So unclear.

I have fixed the selinux issues by adding a custom policy, but it still cannot create routes which leads me to believe this is really a separate, different issue.

---------
type=SERVICE_STOP msg=audit(1662154201.246:123794): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=frr comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=AVC msg=audit(1662154201.296:123795): avc: denied { setattr } for pid=1465549 comm="zebra" name="frr" dev="dm-1" ino=245708993 scontext=system_u:system_r:frr_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1662154201.332:123797): avc: denied { setattr } for pid=1465555 comm="ripd" name="frr" dev="dm-1" ino=245708993 scontext=system_u:system_r:frr_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1662154201.348:123798): avc: denied { setattr } for pid=1465558 comm="staticd" name="frr" dev="dm-1" ino=245708993 scontext=system_u:system_r:frr_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0
type=SERVICE_START msg=audit(1662154201.399:123799): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=frr comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_STOP msg=audit(1662377884.510:125112): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=frr comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=AVC msg=audit(1662377884.595:125113): avc: denied { setattr } for pid=1623551 comm="zebra" name="frr" dev="dm-1" ino=245708993 scontext=system_u:system_r:frr_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1662377884.635:125114): avc: denied { setattr } for pid=1623556 comm="ripd" name="frr" dev="dm-1" ino=245708993 scontext=system_u:system_r:frr_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1662377884.648:125115): avc: denied { setattr } for pid=1623559 comm="staticd" name="frr" dev="dm-1" ino=245708993 scontext=system_u:system_r:frr_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0
type=SERVICE_START msg=audit(1662377884.701:125116): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=frr comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_STOP msg=audit(1662380260.467:125178): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=frr comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=AVC msg=audit(1662380260.548:125179): avc: denied { setattr } for pid=1634833 comm="zebra" name="frr" dev="dm-1" ino=245708993 scontext=system_u:system_r:frr_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1662380260.587:125180): avc: denied { setattr } for pid=1634838 comm="ripd" name="frr" dev="dm-1" ino=245708993 scontext=system_u:system_r:frr_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1662380260.602:125181): avc: denied { setattr } for pid=1634841 comm="staticd" name="frr" dev="dm-1" ino=245708993 scontext=system_u:system_r:frr_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0
type=SERVICE_START msg=audit(1662380260.648:125182): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=frr comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_STOP msg=audit(1662381309.878:125259): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=frr comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=AVC msg=audit(1662381349.136:204): avc: denied { setattr } for pid=1293 comm="zebra" name="frr" dev="dm-1" ino=245708993 scontext=system_u:system_r:frr_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1662381349.370:206): avc: denied { setattr } for pid=1318 comm="ripd" name="frr" dev="dm-1" ino=245708993 scontext=system_u:system_r:frr_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1662381349.397:207): avc: denied { setattr } for pid=1323 comm="staticd" name="frr" dev="dm-1" ino=245708993 scontext=system_u:system_r:frr_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0
type=SERVICE_START msg=audit(1662381349.474:208): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=frr comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_STOP msg=audit(1662381408.583:395): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=frr comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=AVC msg=audit(1662381408.628:396): avc: denied { setattr } for pid=1859 comm="zebra" name="frr" dev="dm-1" ino=245708993 scontext=system_u:system_r:frr_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1662381408.671:397): avc: denied { setattr } for pid=1864 comm="ripd" name="frr" dev="dm-1" ino=245708993 scontext=system_u:system_r:frr_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1662381408.686:398): avc: denied { setattr } for pid=1868 comm="staticd" name="frr" dev="dm-1" ino=245708993 scontext=system_u:system_r:frr_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0
type=SERVICE_START msg=audit(1662381408.729:399): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=frr comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_STOP msg=audit(1662382193.026:526): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=frr comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=AVC msg=audit(1662382193.109:527): avc: denied { setattr } for pid=6206 comm="zebra" name="frr" dev="dm-1" ino=245708993 scontext=system_u:system_r:frr_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1662382193.146:528): avc: denied { setattr } for pid=6211 comm="ripd" name="frr" dev="dm-1" ino=245708993 scontext=system_u:system_r:frr_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1662382193.162:529): avc: denied { setattr } for pid=6214 comm="staticd" name="frr" dev="dm-1" ino=245708993 scontext=system_u:system_r:frr_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0
type=SERVICE_START msg=audit(1662382193.212:530): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=frr comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_STOP msg=audit(1662382433.713:626): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=frr comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=AVC msg=audit(1662382433.748:627): avc: denied { setattr } for pid=6592 comm="zebra" name="frr" dev="dm-1" ino=245708993 scontext=system_u:system_r:frr_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1662382433.778:628): avc: denied { setattr } for pid=6597 comm="ripd" name="frr" dev="dm-1" ino=245708993 scontext=system_u:system_r:frr_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1662382433.794:629): avc: denied { setattr } for pid=6600 comm="staticd" name="frr" dev="dm-1" ino=245708993 scontext=system_u:system_r:frr_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0
type=SERVICE_START msg=audit(1662382433.843:630): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=frr comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_STOP msg=audit(1662382438.129:644): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=frr comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=AVC msg=audit(1662382438.223:645): avc: denied { setattr } for pid=7335 comm="zebra" name="frr" dev="dm-1" ino=245708993 scontext=system_u:system_r:frr_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1662382438.263:646): avc: denied { setattr } for pid=7340 comm="ripd" name="frr" dev="dm-1" ino=245708993 scontext=system_u:system_r:frr_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1662382438.278:647): avc: denied { setattr } for pid=7343 comm="staticd" name="frr" dev="dm-1" ino=245708993 scontext=system_u:system_r:frr_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0
type=SERVICE_START msg=audit(1662382438.325:648): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=frr comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_STOP msg=audit(1662382513.906:671): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=frr comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_START msg=audit(1662382514.102:672): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=frr comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_STOP msg=audit(1662382788.888:743): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=frr comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_START msg=audit(1662382789.027:744): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=frr comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_STOP msg=audit(1662382792.324:756): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=frr comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_START msg=audit(1662382792.499:757): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=frr comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_STOP msg=audit(1662476679.710:1465): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=frr comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_START msg=audit(1662476679.860:1466): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=frr comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
Thanks, this really seems to be something other than SELinux causing this. Looking into it.
Tested on a fresh f37, this is definitely SELinux messing with something, try running with setenforce 0 for a while and there are no errors and 'ip route' shows installed routes as it should. No AVCs though, that is what is baffling.
Try # semodule -DB to disable dontaudit rules and restart the service.
Thanks Zdenek, this is the output:

type=AVC msg=audit(1662656080.867:611): avc: denied { net_admin } for pid=1754 comm="zebra_dplane" capability=12 scontext=system_u:system_r:frr_t:s0 tcontext=system_u:system_r:frr_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1662656080.868:612): avc: denied { net_admin } for pid=1754 comm="zebra_dplane" capability=12 scontext=system_u:system_r:frr_t:s0 tcontext=system_u:system_r:frr_t:s0 tclass=capability permissive=0

I will try to tackle this in the SELinux policy now.
With full auditing enabled you should see the syscall requesting the capability.

1) Open the /etc/audit/rules.d/audit.rules file in an editor.
2) Remove the following line if it exists:
   -a task,never
3) Add the following line to the end of the file:
   -w /etc/shadow -p w
4) Restart the audit daemon:
   # service auditd restart
5) Re-run your scenario.
6) Collect AVC denials:
   # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
Thank you Zdenek, this is the output:

type=AVC msg=audit(1662667828.219:774): avc: denied { net_admin } for pid=2788 comm="zebra_dplane" capability=12 scontext=system_u:system_r:frr_t:s0 tcontext=system_u:system_r:frr_t:s0 tclass=capability permissive=0
type=SYSCALL msg=audit(1662667828.219:774): arch=c000003e syscall=46 success=yes exit=52 a0=e a1=7f593f3a8960 a2=0 a3=564c2e69bc4c items=0 ppid=1 pid=2788 auid=4294967295 uid=992 gid=990 euid=992 suid=992 fsuid=992 egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm="zebra_dplane" exe="/usr/libexec/frr/zebra" subj=system_u:system_r:frr_t:s0 key=(null)^]ARCH=x86_64 SYSCALL=sendmsg AUID="unset" UID="frr" GID="frr" EUID="frr" SUID="frr" FSUID="frr" EGID="frr" SGID="frr" FSGID="frr"
type=SOCKADDR msg=audit(1662667828.219:774): saddr=100000000000000000000000^]SADDR={ saddr_fam=netlink nlnk-fam=16 nlnk-pid=0 }
type=PROCTITLE msg=audit(1662667828.219:774): proctitle=2F7573722F6C6962657865632F6672722F7A65627261002D64002D4600747261646974696F6E616C002D41003132372E302E302E31002D73003930303030303030

audit2allow hints to add

allow frr_t self:capability net_admin;

to the policy but that did not help.
Michal,

Are there still dontaudit rules disabled?

Note ausearch with the -i switch as suggested interprets some of the data (uids are different on my system):

type=PROCTITLE msg=audit(8.9.2022 22:10:28.219:774) : proctitle=/usr/libexec/frr/zebra -d -F traditional -A 127.0.0.1 -s 90000000
type=SOCKADDR msg=audit(8.9.2022 22:10:28.219:774) : saddr={ saddr_fam=netlink nlnk-fam=16 nlnk-pid=0 } saddr_fam=netlink nlnk-fam=16 nlnk-pid=0
type=SYSCALL msg=audit(8.9.2022 22:10:28.219:774) : arch=x86_64 syscall=sendmsg success=yes exit=52 a0=0xe a1=0x7f593f3a8960 a2=0x0 a3=0x564c2e69bc4c items=0 ppid=1 pid=2788 auid=unset uid=colord gid=printadmin euid=colord suid=colord fsuid=colord egid=printadmin sgid=printadmin fsgid=printadmin tty=(none) ses=unset comm=zebra_dplane exe=/usr/libexec/frr/zebra subj=system_u:system_r:frr_t:s0 key=(null) SYSCALL=sendmsg AUID="unset" UID="frr" GID="frr" EUID="frr" SUID="frr" FSUID="frr" EGID="frr" SGID="frr" FSGID="frr"
type=AVC msg=audit(8.9.2022 22:10:28.219:774) : avc: denied { net_admin } for pid=2788 comm=zebra_dplane capability=net_admin scontext=system_u:system_r:frr_t:s0 tcontext=system_u:system_r:frr_t:s0 tclass=capability permissive=0
This should be the complete output also with semodule -DB:

type=PROCTITLE msg=audit(09/09/2022 04:53:16.138:536) : proctitle=/usr/libexec/frr/zebra -d -F traditional -A 127.0.0.1 -s 90000000
type=SOCKADDR msg=audit(09/09/2022 04:53:16.138:536) : saddr={ saddr_fam=netlink nlnk-fam=16 nlnk-pid=0 }
type=SYSCALL msg=audit(09/09/2022 04:53:16.138:536) : arch=x86_64 syscall=sendmsg success=yes exit=44 a0=0xe a1=0x7f2bc09fd960 a2=0x0 a3=0x5607bbed7c4c items=0 ppid=1 pid=1864 auid=unset uid=frr gid=frr euid=frr suid=frr fsuid=frr egid=frr sgid=frr fsgid=frr tty=(none) ses=unset comm=zebra_dplane exe=/usr/libexec/frr/zebra subj=system_u:system_r:frr_t:s0 key=(null)
type=AVC msg=audit(09/09/2022 04:53:16.138:536) : avc: denied { net_admin } for pid=1864 comm=zebra_dplane capability=net_admin scontext=system_u:system_r:frr_t:s0 tcontext=system_u:system_r:frr_t:s0 tclass=capability permissive=0
----
type=PROCTITLE msg=audit(09/09/2022 04:53:22.579:543) : proctitle=/usr/bin/sh /sbin/augenrules --load
type=PATH msg=audit(09/09/2022 04:53:22.579:543) : item=2 name=/lib64/ld-linux-x86-64.so.2 inode=135764 dev=fc:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(09/09/2022 04:53:22.579:543) : item=1 name=/usr/bin/sh inode=136425 dev=fc:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:shell_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(09/09/2022 04:53:22.579:543) : item=0 name=/sbin/augenrules inode=152130 dev=fc:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(09/09/2022 04:53:22.579:543) : cwd=/
type=EXECVE msg=audit(09/09/2022 04:53:22.579:543) : argc=3 a0=/usr/bin/sh a1=/sbin/augenrules a2=--load
type=BPRM_FCAPS msg=audit(09/09/2022 04:53:22.579:543) : fver=0 fp=none fi=none fe=0 old_pp=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,net_admin,net_raw,ipc_lock,ipc_owner,sys_module,sys_rawio,sys_chroot,sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,sys_time,sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,mac_override,mac_admin,syslog,wake_alarm,block_suspend,audit_read,perfmon,bpf,checkpoint_restore old_pi=none old_pe=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,net_admin,net_raw,ipc_lock,ipc_owner,sys_module,sys_rawio,sys_chroot,sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,sys_time,sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,mac_override,mac_admin,syslog,wake_alarm,block_suspend,audit_read,perfmon,bpf,checkpoint_restore old_pa=none pp=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,net_admin,net_raw,ipc_lock,ipc_owner,sys_rawio,sys_chroot,sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,sys_time,sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,mac_override,mac_admin,syslog,wake_alarm,block_suspend,audit_read,perfmon,bpf,checkpoint_restore pi=none pe=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,net_admin,net_raw,ipc_lock,ipc_owner,sys_rawio,sys_chroot,sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,sys_time,sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,mac_override,mac_admin,syslog,wake_alarm,block_suspend,audit_read,perfmon,bpf,checkpoint_restore pa=none frootid=0
type=SYSCALL msg=audit(09/09/2022 04:53:22.579:543) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x562e041dce00 a1=0x562e042cda60 a2=0x562e041bac50 a3=0x1 items=3 ppid=1 pid=1912 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=augenrules exe=/usr/bin/bash subj=system_u:system_r:unconfined_service_t:s0 key=(null)
type=AVC msg=audit(09/09/2022 04:53:22.579:543) : avc: denied { siginh } for pid=1912 comm=augenrules scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=0
----
type=PROCTITLE msg=audit(09/09/2022 04:53:29.529:547) : proctitle=/usr/libexec/frr/zebra -d -F traditional -A 127.0.0.1 -s 90000000
type=SOCKADDR msg=audit(09/09/2022 04:53:29.529:547) : saddr={ saddr_fam=netlink nlnk-fam=16 nlnk-pid=0 }
type=SYSCALL msg=audit(09/09/2022 04:53:29.529:547) : arch=x86_64 syscall=sendmsg success=yes exit=48 a0=0xe a1=0x7f2bc09fd960 a2=0x0 a3=0x5607bbed7c4c items=0 ppid=1 pid=1864 auid=unset uid=frr gid=frr euid=frr suid=frr fsuid=frr egid=frr sgid=frr fsgid=frr tty=(none) ses=unset comm=zebra_dplane exe=/usr/libexec/frr/zebra subj=system_u:system_r:frr_t:s0 key=(null)
type=AVC msg=audit(09/09/2022 04:53:29.529:547) : avc: denied { net_admin } for pid=1864 comm=zebra_dplane capability=net_admin scontext=system_u:system_r:frr_t:s0 tcontext=system_u:system_r:frr_t:s0 tclass=capability permissive=0
----
type=PROCTITLE msg=audit(09/09/2022 04:53:29.530:548) : proctitle=/usr/libexec/frr/zebra -d -F traditional -A 127.0.0.1 -s 90000000
type=SOCKADDR msg=audit(09/09/2022 04:53:29.530:548) : saddr={ saddr_fam=netlink nlnk-fam=16 nlnk-pid=0 }
type=SYSCALL msg=audit(09/09/2022 04:53:29.530:548) : arch=x86_64 syscall=sendmsg success=yes exit=52 a0=0xe a1=0x7f2bc09fd960 a2=0x0 a3=0x5607bbed7c4c items=0 ppid=1 pid=1864 auid=unset uid=frr gid=frr euid=frr suid=frr fsuid=frr egid=frr sgid=frr fsgid=frr tty=(none) ses=unset comm=zebra_dplane exe=/usr/libexec/frr/zebra subj=system_u:system_r:frr_t:s0 key=(null)
type=AVC msg=audit(09/09/2022 04:53:29.530:548) : avc: denied { net_admin } for pid=1864 comm=zebra_dplane capability=net_admin scontext=system_u:system_r:frr_t:s0 tcontext=system_u:system_r:frr_t:s0 tclass=capability permissive=0
FYI in the middle there is an AVC which probably is just a result of service auditd restart and is normally dontaudited.
FEDORA-2022-1b7925467c has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2022-1b7925467c
So I added these rules that were missing in F37. These were added to Rawhide but probably at the time of branching of F37 so they were not there:

1. Permission to write .history_frr, which will probably be in /root/ most of the time:

optional_policy(`
    userdom_admin_home_dir_filetrans(frr_t, frr_conf_t, file, ".history_frr")
')

2. bind ports for vrrpd and pathd:

corenet_tcp_bind_generic_port(frr_t)

3. And the capability to call net_admin:

allow frr_t self:capability { chown dac_override dac_read_search kill net_bind_service net_raw setgid setuid net_admin };

This should do it. Let me know if you see any more AVCs Richard.

Thank you,
Michal
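The debugging loop in the comments above (collect AVC records, link each one to the SYSCALL that caused it, and turn the denials into allow rules) is what audit2allow automates. The following is an added example written for this page, not code from FRR, the Fedora selinux-policy package or the bug report: a small parser for raw audit records that groups denials by source type, target type and object class, prints them in audit2allow's `allow ... ;` shape, and joins an AVC to the SYSCALL record sharing its event serial. The SAMPLE records are constructed to mirror the shape of those quoted in the thread; the CAP_NAMES and X86_64_SYSCALLS tables are deliberately small subsets (12 is CAP_NET_ADMIN and 46 is sendmsg on x86_64). One caveat worth seeing in the joined record: the SYSCALL line reports success=yes, because sendmsg on an rtnetlink socket returns the byte count even when the kernel refuses the request; the refusal comes back as a netlink error message, which is what zebra logs as "Operation not permitted".

```python
"""Parse raw Linux audit records (the `type=AVC ...` form in
/var/log/audit/audit.log) and derive the SELinux allow rules the denials
imply, the way audit2allow does.  Added example for this page; not code
from FRR, Fedora or the bug report.  SAMPLE below is constructed input."""
import re
from collections import defaultdict

# Subset of capability numbers from <linux/capability.h>; 12 is CAP_NET_ADMIN,
# the one zebra_dplane needs to push routes and nexthops over rtnetlink.
CAP_NAMES = {0: "chown", 1: "dac_override", 2: "dac_read_search", 5: "kill",
             6: "setgid", 7: "setuid", 10: "net_bind_service",
             12: "net_admin", 13: "net_raw"}

# Only the x86_64 syscall number that appears in the thread's SYSCALL record.
X86_64_SYSCALLS = {46: "sendmsg"}

# Constructed sample: a directory denial, then one audit event (serial 774)
# made of an AVC record plus the SYSCALL record that triggered it, then an
# unrelated service record that must be parsed but ignored by the rule logic.
SAMPLE = """\
type=AVC msg=audit(1662154201.296:123795): avc:  denied  { setattr } for pid=1465549 comm="zebra" name="frr" dev="dm-1" ino=245708993 scontext=system_u:system_r:frr_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1662667828.219:774): avc:  denied  { net_admin } for pid=2788 comm="zebra_dplane" capability=12 scontext=system_u:system_r:frr_t:s0 tcontext=system_u:system_r:frr_t:s0 tclass=capability permissive=0
type=SYSCALL msg=audit(1662667828.219:774): arch=c000003e syscall=46 success=yes exit=52 a0=e a1=7f593f3a8960 items=0 ppid=1 pid=2788 uid=992 comm="zebra_dplane" exe="/usr/libexec/frr/zebra" subj=system_u:system_r:frr_t:s0 key=(null)
type=SERVICE_START msg=audit(1662381349.474:208): pid=1 uid=0 msg='unit=frr comm="systemd" res=success'
"""

RECORD_RE = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC_RE = re.compile(r"avc:\s+(?P<decision>denied|granted)\s+\{ (?P<perms>[^}]+)\}")


def parse_record(line):
    """Return one audit record as a dict, or None for a non-record line."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m["type"], "ts": float(m["ts"]), "serial": int(m["serial"])}
    rec.update((k, v.strip('"')) for k, v in KV_RE.findall(m["body"]))
    if rec["type"] == "AVC":
        avc = AVC_RE.search(m["body"])
        if avc:
            rec["decision"] = avc["decision"]
            rec["perms"] = avc["perms"].split()
    return rec


def parse_log(text):
    return [r for r in (parse_record(line) for line in text.splitlines()) if r]


def type_of(context):
    """user:role:type:level -> type, the part SELinux rules are written against."""
    return context.split(":")[2]


def capability_name(rec):
    """Cross-check the numeric capability= field against the permission in braces."""
    name = CAP_NAMES.get(int(rec["capability"]))
    if name is None or name not in rec.get("perms", []):
        raise ValueError(f"capability {rec['capability']} does not match {rec.get('perms')}")
    return name


def suggest_rules(records):
    """Group denials by (source type, target type, class) and emit allow rules
    in the shape audit2allow prints, sorted so the output is stable."""
    wanted = defaultdict(set)
    for r in records:
        if r["type"] != "AVC" or r.get("decision") != "denied":
            continue
        src, tgt = type_of(r["scontext"]), type_of(r["tcontext"])
        target = "self" if tgt == src else tgt
        wanted[(src, target, r["tclass"])].update(r["perms"])
    rules = []
    for (src, target, cls), perms in sorted(wanted.items()):
        perms = sorted(perms)
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {target}:{cls} {body};")
    return rules


def syscall_for(records, serial):
    """Return the SYSCALL record sharing an event serial with an AVC (what full
    auditing plus `semodule -DB` makes visible), or None if there is none."""
    for r in records:
        if r["type"] == "SYSCALL" and r["serial"] == serial:
            name = X86_64_SYSCALLS.get(int(r["syscall"]), r["syscall"])
            return {"syscall": name, "success": r["success"], "exit": int(r["exit"]),
                    "exe": r["exe"], "comm": r["comm"]}
    return None


if __name__ == "__main__":
    recs = parse_log(SAMPLE)
    for rule in suggest_rules(recs):
        print(rule)
    print(syscall_for(recs, 774))
```

Run against the sample it prints `allow frr_t self:capability net_admin;` and `allow frr_t tmp_t:dir setattr;`, followed by the joined sendmsg record. On a real system the input would be the output of `ausearch -m avc,user_avc --raw`; interpreted output (`ausearch -i`) names the capability instead of numbering it and would need the `capability=` cross-check relaxed.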
Works here, thanks.
FEDORA-2022-1b7925467c has been pushed to the Fedora 37 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-1b7925467c` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-1b7925467c See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2022-9f5d5b6e3a has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2022-9f5d5b6e3a
FEDORA-2022-9f5d5b6e3a has been pushed to the Fedora 37 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-9f5d5b6e3a` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-9f5d5b6e3a See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2022-9f5d5b6e3a has been pushed to the Fedora 37 stable repository. If problem still persists, please make note of it in this bug report.