Bug 2124254 - frr can no longer update routes
Summary: frr can no longer update routes
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: frr
Version: 37
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Michal Ruprich
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-09-05 12:52 UTC by Richard W.M. Jones
Modified: 2022-09-21 01:41 UTC
CC: 3 users

Fixed In Version: frr-8.3.1-4.fc37 frr-8.3.1-5.fc37
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-09-21 01:41:10 UTC
Type: Bug
Embargoed:


Attachments
log from zebra (8.09 KB, text/plain)
2022-09-05 12:52 UTC, Richard W.M. Jones

Description Richard W.M. Jones 2022-09-05 12:52:00 UTC
Created attachment 1909619
log from zebra

Description of problem:

Lots of errors like:

Sep 05 13:35:53 foo.home.annexia.org zebra[1312]: [WVJCK-PPMGD][EC 4043309093] netlink-dp (NS 0) error: Operation not permitted, type=RTM_NEWNEXTHOP(104), seq=0, pid=2441373105
Sep 05 13:35:53 foo.home.annexia.org zebra[1312]: [WVJCK-PPMGD][EC 4043309093] netlink-dp (NS 0) error: Operation not permitted, type=RTM_NEWNEXTHOP(104), seq=2, pid=2441373105
Sep 05 13:35:53 foo.home.annexia.org zebra[1312]: [P2XBZ-RAFQ5][EC 4043309074] Failed to install Nexthop ID (3) into the kernel
Sep 05 13:35:53 foo.home.annexia.org zebra[1312]: [P2XBZ-RAFQ5][EC 4043309074] Failed to install Nexthop ID (4) into the kernel
Sep 05 13:35:54 foo.home.annexia.org zebra[1312]: [WVJCK-PPMGD][EC 4043309093] netlink-dp (NS 0) error: Operation not permitted, type=RTM_NEWNEXTHOP(104), seq=4, pid=2441373105
Sep 05 13:35:54 foo.home.annexia.org zebra[1312]: [WVJCK-PPMGD][EC 4043309093] netlink-dp (NS 0) error: Operation not permitted, type=RTM_NEWNEXTHOP(104), seq=6, pid=2441373105
Sep 05 13:35:54 foo.home.annexia.org zebra[1312]: [WVJCK-PPMGD][EC 4043309093] netlink-dp (NS 0) error: Operation not permitted, type=RTM_NEWROUTE(24), seq=7, pid=2441373105
Sep 05 13:35:54 foo.home.annexia.org zebra[1312]: [P2XBZ-RAFQ5][EC 4043309074] Failed to install Nexthop ID (4) into the kernel
Sep 05 13:35:54 foo.home.annexia.org zebra[1312]: [P2XBZ-RAFQ5][EC 4043309074] Failed to install Nexthop ID (8) into the kernel
Sep 05 13:35:54 foo.home.annexia.org zebra[1312]: [VYKYC-709DP] default(0:254):10.0.0.0/8: Route install failed

Version-Release number of selected component (if applicable):

frr-8.2.2-10.fc37.x86_64
kernel-5.19.6-300.fc37.x86_64

How reproducible:

100%. Seemed to start after updating from F35 to F37.

Steps to Reproduce:
1. Use ripd

Comment 1 Richard W.M. Jones 2022-09-05 12:55:56 UTC
Adding the extra SELinux policy suggested for bug 2124253 did *not*
fix this bug, so there appear to be two separate issues with F37.

Comment 2 Michal Ruprich 2022-09-06 15:08:14 UTC
Hi Richard,

Can you please share the ripd config that you are using? Anything in /var/log/audit/audit.log that would be relevant for FRR apart from bug #2124253?

Thanks and regards,
Michal

Comment 3 Richard W.M. Jones 2022-09-06 15:21:11 UTC
frr.conf is:

----------
hostname ***
password ***

debug rip events
debug rip packet

interface wlp61s0
  ip rip receive version 2
  ip rip send version 2

router rip
  network wlp61s0

log syslog
----------

Comment 4 Richard W.M. Jones 2022-09-06 15:23:27 UTC
Everything in audit.log that contains /\b(frr|zebra|ripd)\b/ is below.  It
looks like that's only things related to the selinux issues from the other
bug however.  So unclear.  I have fixed the selinux issues by adding a
custom policy, but it still cannot create routes which leads me to believe
this is really a separate, different issue.

---------
type=SERVICE_STOP msg=audit(1662154201.246:123794): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=frr comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=AVC msg=audit(1662154201.296:123795): avc:  denied  { setattr } for  pid=1465549 comm="zebra" name="frr" dev="dm-1" ino=245708993 scontext=system_u:system_r:frr_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1662154201.332:123797): avc:  denied  { setattr } for  pid=1465555 comm="ripd" name="frr" dev="dm-1" ino=245708993 scontext=system_u:system_r:frr_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1662154201.348:123798): avc:  denied  { setattr } for  pid=1465558 comm="staticd" name="frr" dev="dm-1" ino=245708993 scontext=system_u:system_r:frr_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0
type=SERVICE_START msg=audit(1662154201.399:123799): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=frr comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_STOP msg=audit(1662377884.510:125112): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=frr comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=AVC msg=audit(1662377884.595:125113): avc:  denied  { setattr } for  pid=1623551 comm="zebra" name="frr" dev="dm-1" ino=245708993 scontext=system_u:system_r:frr_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1662377884.635:125114): avc:  denied  { setattr } for  pid=1623556 comm="ripd" name="frr" dev="dm-1" ino=245708993 scontext=system_u:system_r:frr_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1662377884.648:125115): avc:  denied  { setattr } for  pid=1623559 comm="staticd" name="frr" dev="dm-1" ino=245708993 scontext=system_u:system_r:frr_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0
type=SERVICE_START msg=audit(1662377884.701:125116): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=frr comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_STOP msg=audit(1662380260.467:125178): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=frr comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=AVC msg=audit(1662380260.548:125179): avc:  denied  { setattr } for  pid=1634833 comm="zebra" name="frr" dev="dm-1" ino=245708993 scontext=system_u:system_r:frr_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1662380260.587:125180): avc:  denied  { setattr } for  pid=1634838 comm="ripd" name="frr" dev="dm-1" ino=245708993 scontext=system_u:system_r:frr_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1662380260.602:125181): avc:  denied  { setattr } for  pid=1634841 comm="staticd" name="frr" dev="dm-1" ino=245708993 scontext=system_u:system_r:frr_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0
type=SERVICE_START msg=audit(1662380260.648:125182): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=frr comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_STOP msg=audit(1662381309.878:125259): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=frr comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=AVC msg=audit(1662381349.136:204): avc:  denied  { setattr } for  pid=1293 comm="zebra" name="frr" dev="dm-1" ino=245708993 scontext=system_u:system_r:frr_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1662381349.370:206): avc:  denied  { setattr } for  pid=1318 comm="ripd" name="frr" dev="dm-1" ino=245708993 scontext=system_u:system_r:frr_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1662381349.397:207): avc:  denied  { setattr } for  pid=1323 comm="staticd" name="frr" dev="dm-1" ino=245708993 scontext=system_u:system_r:frr_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0
type=SERVICE_START msg=audit(1662381349.474:208): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=frr comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_STOP msg=audit(1662381408.583:395): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=frr comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=AVC msg=audit(1662381408.628:396): avc:  denied  { setattr } for  pid=1859 comm="zebra" name="frr" dev="dm-1" ino=245708993 scontext=system_u:system_r:frr_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1662381408.671:397): avc:  denied  { setattr } for  pid=1864 comm="ripd" name="frr" dev="dm-1" ino=245708993 scontext=system_u:system_r:frr_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1662381408.686:398): avc:  denied  { setattr } for  pid=1868 comm="staticd" name="frr" dev="dm-1" ino=245708993 scontext=system_u:system_r:frr_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0
type=SERVICE_START msg=audit(1662381408.729:399): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=frr comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_STOP msg=audit(1662382193.026:526): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=frr comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=AVC msg=audit(1662382193.109:527): avc:  denied  { setattr } for  pid=6206 comm="zebra" name="frr" dev="dm-1" ino=245708993 scontext=system_u:system_r:frr_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1662382193.146:528): avc:  denied  { setattr } for  pid=6211 comm="ripd" name="frr" dev="dm-1" ino=245708993 scontext=system_u:system_r:frr_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1662382193.162:529): avc:  denied  { setattr } for  pid=6214 comm="staticd" name="frr" dev="dm-1" ino=245708993 scontext=system_u:system_r:frr_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0
type=SERVICE_START msg=audit(1662382193.212:530): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=frr comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_STOP msg=audit(1662382433.713:626): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=frr comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=AVC msg=audit(1662382433.748:627): avc:  denied  { setattr } for  pid=6592 comm="zebra" name="frr" dev="dm-1" ino=245708993 scontext=system_u:system_r:frr_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1662382433.778:628): avc:  denied  { setattr } for  pid=6597 comm="ripd" name="frr" dev="dm-1" ino=245708993 scontext=system_u:system_r:frr_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1662382433.794:629): avc:  denied  { setattr } for  pid=6600 comm="staticd" name="frr" dev="dm-1" ino=245708993 scontext=system_u:system_r:frr_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0
type=SERVICE_START msg=audit(1662382433.843:630): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=frr comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_STOP msg=audit(1662382438.129:644): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=frr comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=AVC msg=audit(1662382438.223:645): avc:  denied  { setattr } for  pid=7335 comm="zebra" name="frr" dev="dm-1" ino=245708993 scontext=system_u:system_r:frr_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1662382438.263:646): avc:  denied  { setattr } for  pid=7340 comm="ripd" name="frr" dev="dm-1" ino=245708993 scontext=system_u:system_r:frr_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1662382438.278:647): avc:  denied  { setattr } for  pid=7343 comm="staticd" name="frr" dev="dm-1" ino=245708993 scontext=system_u:system_r:frr_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0
type=SERVICE_START msg=audit(1662382438.325:648): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=frr comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_STOP msg=audit(1662382513.906:671): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=frr comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_START msg=audit(1662382514.102:672): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=frr comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_STOP msg=audit(1662382788.888:743): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=frr comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_START msg=audit(1662382789.027:744): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=frr comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_STOP msg=audit(1662382792.324:756): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=frr comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_START msg=audit(1662382792.499:757): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=frr comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_STOP msg=audit(1662476679.710:1465): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=frr comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_START msg=audit(1662476679.860:1466): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=frr comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"

Comment 5 Michal Ruprich 2022-09-08 13:55:11 UTC
Thanks, this really seems to be something other than SELinux causing this. Looking into it.

Comment 6 Michal Ruprich 2022-09-08 14:23:35 UTC
Tested on a fresh F37, this is definitely SELinux messing with something; try running with setenforce 0 for a while and there are no errors and 'ip route' shows installed routes as it should. No AVCs though, that is what is baffling.

Comment 7 Zdenek Pytela 2022-09-08 16:18:03 UTC
Try

  # semodule -DB

to disable dontaudit rules and restart the service.

Comment 8 Michal Ruprich 2022-09-08 16:55:40 UTC
Thanks Zdenek,

this is the output:

type=AVC msg=audit(1662656080.867:611): avc:  denied  { net_admin } for  pid=1754 comm="zebra_dplane" capability=12  scontext=system_u:system_r:frr_t:s0 tcontext=system_u:system_r:frr_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1662656080.868:612): avc:  denied  { net_admin } for  pid=1754 comm="zebra_dplane" capability=12  scontext=system_u:system_r:frr_t:s0 tcontext=system_u:system_r:frr_t:s0 tclass=capability permissive=0

I will try to tackle this in the SELinux policy now.

Comment 9 Zdenek Pytela 2022-09-08 17:06:39 UTC
With full auditing enabled you should see the syscall requesting the capability.

1) Open the /etc/audit/rules.d/audit.rules file in an editor.
2) Remove the following line if it exists:
-a task,never
3) Add the following line to the end of the file:
-w /etc/shadow -p w
4) Restart the audit daemon:
  # service auditd restart
5) Re-run your scenario.
6) Collect AVC denials:
  # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today

Comment 10 Michal Ruprich 2022-09-08 20:17:50 UTC
Thank you Zdenek, this is the output:

type=AVC msg=audit(1662667828.219:774): avc:  denied  { net_admin } for  pid=2788 comm="zebra_dplane" capability=12  scontext=system_u:system_r:frr_t:s0 tcontext=system_u:system_r:frr_t:s0 tclass=capability permissive=0
type=SYSCALL msg=audit(1662667828.219:774): arch=c000003e syscall=46 success=yes exit=52 a0=e a1=7f593f3a8960 a2=0 a3=564c2e69bc4c items=0 ppid=1 pid=2788 auid=4294967295 uid=992 gid=990 euid=992 suid=992 fsuid=992 egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm="zebra_dplane" exe="/usr/libexec/frr/zebra" subj=system_u:system_r:frr_t:s0 key=(null)^]ARCH=x86_64 SYSCALL=sendmsg AUID="unset" UID="frr" GID="frr" EUID="frr" SUID="frr" FSUID="frr" EGID="frr" SGID="frr" FSGID="frr"
type=SOCKADDR msg=audit(1662667828.219:774): saddr=100000000000000000000000^]SADDR={ saddr_fam=netlink nlnk-fam=16 nlnk-pid=0 }
type=PROCTITLE msg=audit(1662667828.219:774): proctitle=2F7573722F6C6962657865632F6672722F7A65627261002D64002D4600747261646974696F6E616C002D41003132372E302E302E31002D73003930303030303030

audit2allow hints to add allow frr_t self:capability net_admin; to the policy but that did not help.

Comment 11 Zdenek Pytela 2022-09-09 07:54:28 UTC
Michal,

Are there still dontaudit rules disabled?

Note ausearch with the -i switch as suggested interprets some of the data (uids are different on my system):

type=PROCTITLE msg=audit(8.9.2022 22:10:28.219:774) : proctitle=/usr/libexec/frr/zebra -d -F traditional -A 127.0.0.1 -s 90000000
type=SOCKADDR msg=audit(8.9.2022 22:10:28.219:774) : saddr={ saddr_fam=netlink nlnk-fam=16 nlnk-pid=0 } saddr_fam=netlink nlnk-fam=16 nlnk-pid=0
type=SYSCALL msg=audit(8.9.2022 22:10:28.219:774) : arch=x86_64 syscall=sendmsg success=yes exit=52 a0=0xe a1=0x7f593f3a8960 a2=0x0 a3=0x564c2e69bc4c items=0 ppid=1 pid=2788 auid=unset uid=colord gid=printadmin euid=colord suid=colord fsuid=colord egid=printadmin sgid=printadmin fsgid=printadmin tty=(none) ses=unset comm=zebra_dplane exe=/usr/libexec/frr/zebra subj=system_u:system_r:frr_t:s0 key=(null) SYSCALL=sendmsg AUID="unset" UID="frr" GID="frr" EUID="frr" SUID="frr" FSUID="frr" EGID="frr" SGID="frr" FSGID="frr"
type=AVC msg=audit(8.9.2022 22:10:28.219:774) : avc:  denied  { net_admin } for  pid=2788 comm=zebra_dplane capability=net_admin  scontext=system_u:system_r:frr_t:s0 tcontext=system_u:system_r:frr_t:s0 tclass=capability permissive=0

Comment 12 Michal Ruprich 2022-09-09 08:54:55 UTC
This should be the complete output, also with semodule -DB:

type=PROCTITLE msg=audit(09/09/2022 04:53:16.138:536) : proctitle=/usr/libexec/frr/zebra -d -F traditional -A 127.0.0.1 -s 90000000 
type=SOCKADDR msg=audit(09/09/2022 04:53:16.138:536) : saddr={ saddr_fam=netlink nlnk-fam=16 nlnk-pid=0 } 
type=SYSCALL msg=audit(09/09/2022 04:53:16.138:536) : arch=x86_64 syscall=sendmsg success=yes exit=44 a0=0xe a1=0x7f2bc09fd960 a2=0x0 a3=0x5607bbed7c4c items=0 ppid=1 pid=1864 auid=unset uid=frr gid=frr euid=frr suid=frr fsuid=frr egid=frr sgid=frr fsgid=frr tty=(none) ses=unset comm=zebra_dplane exe=/usr/libexec/frr/zebra subj=system_u:system_r:frr_t:s0 key=(null) 
type=AVC msg=audit(09/09/2022 04:53:16.138:536) : avc:  denied  { net_admin } for  pid=1864 comm=zebra_dplane capability=net_admin  scontext=system_u:system_r:frr_t:s0 tcontext=system_u:system_r:frr_t:s0 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(09/09/2022 04:53:22.579:543) : proctitle=/usr/bin/sh /sbin/augenrules --load 
type=PATH msg=audit(09/09/2022 04:53:22.579:543) : item=2 name=/lib64/ld-linux-x86-64.so.2 inode=135764 dev=fc:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(09/09/2022 04:53:22.579:543) : item=1 name=/usr/bin/sh inode=136425 dev=fc:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:shell_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(09/09/2022 04:53:22.579:543) : item=0 name=/sbin/augenrules inode=152130 dev=fc:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(09/09/2022 04:53:22.579:543) : cwd=/ 
type=EXECVE msg=audit(09/09/2022 04:53:22.579:543) : argc=3 a0=/usr/bin/sh a1=/sbin/augenrules a2=--load 
type=BPRM_FCAPS msg=audit(09/09/2022 04:53:22.579:543) : fver=0 fp=none fi=none fe=0 old_pp=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,net_admin,net_raw,ipc_lock,ipc_owner,sys_module,sys_rawio,sys_chroot,sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,sys_time,sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,mac_override,mac_admin,syslog,wake_alarm,block_suspend,audit_read,perfmon,bpf,checkpoint_restore old_pi=none old_pe=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,net_admin,net_raw,ipc_lock,ipc_owner,sys_module,sys_rawio,sys_chroot,sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,sys_time,sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,mac_override,mac_admin,syslog,wake_alarm,block_suspend,audit_read,perfmon,bpf,checkpoint_restore old_pa=none pp=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,net_admin,net_raw,ipc_lock,ipc_owner,sys_rawio,sys_chroot,sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,sys_time,sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,mac_override,mac_admin,syslog,wake_alarm,block_suspend,audit_read,perfmon,bpf,checkpoint_restore pi=none pe=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,net_admin,net_raw,ipc_lock,ipc_owner,sys_rawio,sys_chroot,sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,sys_time,sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,mac_override,mac_admin,syslog,wake_alarm,block_suspend,audit_read,perfmon,bpf,checkpoint_restore pa=none frootid=0 
type=SYSCALL msg=audit(09/09/2022 04:53:22.579:543) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x562e041dce00 a1=0x562e042cda60 a2=0x562e041bac50 a3=0x1 items=3 ppid=1 pid=1912 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=augenrules exe=/usr/bin/bash subj=system_u:system_r:unconfined_service_t:s0 key=(null) 
type=AVC msg=audit(09/09/2022 04:53:22.579:543) : avc:  denied  { siginh } for  pid=1912 comm=augenrules scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=0 
----
type=PROCTITLE msg=audit(09/09/2022 04:53:29.529:547) : proctitle=/usr/libexec/frr/zebra -d -F traditional -A 127.0.0.1 -s 90000000 
type=SOCKADDR msg=audit(09/09/2022 04:53:29.529:547) : saddr={ saddr_fam=netlink nlnk-fam=16 nlnk-pid=0 } 
type=SYSCALL msg=audit(09/09/2022 04:53:29.529:547) : arch=x86_64 syscall=sendmsg success=yes exit=48 a0=0xe a1=0x7f2bc09fd960 a2=0x0 a3=0x5607bbed7c4c items=0 ppid=1 pid=1864 auid=unset uid=frr gid=frr euid=frr suid=frr fsuid=frr egid=frr sgid=frr fsgid=frr tty=(none) ses=unset comm=zebra_dplane exe=/usr/libexec/frr/zebra subj=system_u:system_r:frr_t:s0 key=(null) 
type=AVC msg=audit(09/09/2022 04:53:29.529:547) : avc:  denied  { net_admin } for  pid=1864 comm=zebra_dplane capability=net_admin  scontext=system_u:system_r:frr_t:s0 tcontext=system_u:system_r:frr_t:s0 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(09/09/2022 04:53:29.530:548) : proctitle=/usr/libexec/frr/zebra -d -F traditional -A 127.0.0.1 -s 90000000 
type=SOCKADDR msg=audit(09/09/2022 04:53:29.530:548) : saddr={ saddr_fam=netlink nlnk-fam=16 nlnk-pid=0 } 
type=SYSCALL msg=audit(09/09/2022 04:53:29.530:548) : arch=x86_64 syscall=sendmsg success=yes exit=52 a0=0xe a1=0x7f2bc09fd960 a2=0x0 a3=0x5607bbed7c4c items=0 ppid=1 pid=1864 auid=unset uid=frr gid=frr euid=frr suid=frr fsuid=frr egid=frr sgid=frr fsgid=frr tty=(none) ses=unset comm=zebra_dplane exe=/usr/libexec/frr/zebra subj=system_u:system_r:frr_t:s0 key=(null) 
type=AVC msg=audit(09/09/2022 04:53:29.530:548) : avc:  denied  { net_admin } for  pid=1864 comm=zebra_dplane capability=net_admin  scontext=system_u:system_r:frr_t:s0 tcontext=system_u:system_r:frr_t:s0 tclass=capability permissive=0
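
Comment 9 makes the point that with full auditing enabled the SYSCALL record that requested the capability shows up next to the AVC, and comments 10 to 12 show the same kind of event first raw and then interpreted by `ausearch -i`. The script below is an example added here; it is not part of the bug report, of the Fedora SELinux policy or of FRR. It groups audit records by their `msg=audit(timestamp:serial)` event key, reports every denied capability check together with the syscall, executable and decoded proctitle of the same event, and accepts both the raw audit.log format and the interpreted `ausearch -i` format. The sample records are copied from comments 4, 10 and 12; the capability and syscall tables list only the numbers needed for those records, and the `^]` in the raw lines stands for the 0x1d group separator that audit puts before its enrichment fields.

```python
"""Correlate denied SELinux capability checks with the SYSCALL and PROCTITLE
records of the same audit event (raw audit.log or `ausearch -i` output)."""
import re
from collections import defaultdict

# Capability numbers from include/uapi/linux/capability.h; only the ones that
# matter for a routing daemon are listed, anything else is rendered as cap_<n>.
CAPABILITY_NAMES = {10: "net_bind_service", 12: "net_admin", 13: "net_raw"}
# x86_64 syscall numbers for the calls that appear in the records above.
SYSCALL_NAMES_X86_64 = {44: "sendto", 46: "sendmsg", 59: "execve"}

# raw:         type=AVC msg=audit(1662667828.219:774): avc: ...
# interpreted: type=AVC msg=audit(09/09/2022 04:53:16.138:536) : avc: ...
HEADER_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>.+?):(?P<serial>\d+)\)\s*:\s*(?P<body>.*)$")
AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Parse one audit record into its type, event key and key=value fields."""
    # audit appends an enrichment section after a 0x1d group separator, which
    # shows up as the two characters "^]" when pasted into a bug report
    raw = re.split(r"\x1d|\^\]", line.strip(), maxsplit=1)[0]
    m = HEADER_RE.match(raw)
    if not m:
        return None
    rec = {"type": m["type"], "ts": m["ts"], "serial": int(m["serial"])}
    body = m["body"]
    if rec["type"] == "AVC":
        a = AVC_RE.match(body)
        if a:
            rec["result"] = a["result"]
            rec["perms"] = a["perms"].split()
            body = a["rest"]
    if rec["type"] == "PROCTITLE":
        # the interpreted proctitle contains spaces, so it must not go through KV_RE
        rec["fields"] = {"proctitle": body.split("proctitle=", 1)[-1].strip()}
    else:
        rec["fields"] = {k: v.strip('"') for k, v in KV_RE.findall(body)}
    return rec


def decode_proctitle(value):
    """Raw audit hex-encodes proctitle with NUL between arguments; ausearch -i
    prints it decoded. (A decoded title made only of hex digits would be
    misread as raw; real command lines contain a '/' or a space.)"""
    if len(value) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", value):
        parts = bytes.fromhex(value).split(b"\0")
        return " ".join(p.decode("utf-8", "replace") for p in parts if p)
    return value


def capability_name(value):
    return CAPABILITY_NAMES.get(int(value), f"cap_{value}") if value.isdigit() else value


def syscall_name(value, arch):
    # raw records carry arch=c000003e (AUDIT_ARCH_X86_64), interpreted ones arch=x86_64
    if value.isdigit() and arch in ("c000003e", "x86_64"):
        return SYSCALL_NAMES_X86_64.get(int(value), f"syscall_{value}")
    return value


def group_events(lines):
    """Records of one event share timestamp and serial; serials restart with auditd."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec:
            events[(rec["ts"], rec["serial"])].append(rec)
    return events


def capability_denials(lines):
    """One summary per denied capability check, enriched from the same event."""
    out = []
    for (ts, serial), recs in sorted(group_events(lines).items(), key=lambda kv: kv[0][1]):
        by_type = {r["type"]: r for r in recs if r["type"] != "AVC"}
        sc = by_type.get("SYSCALL", {"fields": {}})["fields"]
        pt = by_type.get("PROCTITLE", {"fields": {}})["fields"]
        for avc in (r for r in recs if r["type"] == "AVC"):
            if avc.get("result") != "denied" or avc["fields"].get("tclass") != "capability":
                continue
            out.append({
                "serial": serial,
                "comm": avc["fields"].get("comm"),
                "capability": capability_name(avc["fields"].get("capability", "")),
                "scontext": avc["fields"].get("scontext"),
                "enforcing": avc["fields"].get("permissive") == "0",
                "syscall": syscall_name(sc.get("syscall", "?"), sc.get("arch", "")),
                "syscall_success": sc.get("success") == "yes",
                "exe": sc.get("exe"),
                "proctitle": decode_proctitle(pt.get("proctitle", "")),
            })
    return out


# Constructed sample: records copied from comments 4, 10 and 12 of this bug.
SAMPLE_RECORDS = [
    # raw audit.log (comment 10, serial 774); "^]" precedes the enrichment fields
    'type=AVC msg=audit(1662667828.219:774): avc:  denied  { net_admin } for  pid=2788 comm="zebra_dplane" capability=12  scontext=system_u:system_r:frr_t:s0 tcontext=system_u:system_r:frr_t:s0 tclass=capability permissive=0',
    'type=SYSCALL msg=audit(1662667828.219:774): arch=c000003e syscall=46 success=yes exit=52 a0=e a1=7f593f3a8960 a2=0 a3=564c2e69bc4c items=0 ppid=1 pid=2788 auid=4294967295 uid=992 gid=990 euid=992 suid=992 fsuid=992 egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm="zebra_dplane" exe="/usr/libexec/frr/zebra" subj=system_u:system_r:frr_t:s0 key=(null)^]ARCH=x86_64 SYSCALL=sendmsg AUID="unset" UID="frr" GID="frr"',
    'type=SOCKADDR msg=audit(1662667828.219:774): saddr=100000000000000000000000^]SADDR={ saddr_fam=netlink nlnk-fam=16 nlnk-pid=0 }',
    'type=PROCTITLE msg=audit(1662667828.219:774): proctitle=2F7573722F6C6962657865632F6672722F7A65627261002D64002D4600747261646974696F6E616C002D41003132372E302E302E31002D73003930303030303030',
    # ausearch -i output (comment 12, serial 536)
    'type=PROCTITLE msg=audit(09/09/2022 04:53:16.138:536) : proctitle=/usr/libexec/frr/zebra -d -F traditional -A 127.0.0.1 -s 90000000',
    'type=SYSCALL msg=audit(09/09/2022 04:53:16.138:536) : arch=x86_64 syscall=sendmsg success=yes exit=44 a0=0xe a1=0x7f2bc09fd960 a2=0x0 a3=0x5607bbed7c4c items=0 ppid=1 pid=1864 auid=unset uid=frr gid=frr euid=frr suid=frr fsuid=frr egid=frr sgid=frr fsgid=frr tty=(none) ses=unset comm=zebra_dplane exe=/usr/libexec/frr/zebra subj=system_u:system_r:frr_t:s0 key=(null)',
    'type=AVC msg=audit(09/09/2022 04:53:16.138:536) : avc:  denied  { net_admin } for  pid=1864 comm=zebra_dplane capability=net_admin  scontext=system_u:system_r:frr_t:s0 tcontext=system_u:system_r:frr_t:s0 tclass=capability permissive=0',
    # a directory setattr denial (comment 4, serial 204): not a capability check, so not reported
    'type=AVC msg=audit(1662381349.136:204): avc:  denied  { setattr } for  pid=1293 comm="zebra" name="frr" dev="dm-1" ino=245708993 scontext=system_u:system_r:frr_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0',
]

if __name__ == "__main__":
    for d in capability_denials(SAMPLE_RECORDS):
        print(d)
```

Note that the SYSCALL record of both events says success=yes although the capability check was denied. For a netlink route socket the kernel reports the rejected RTM_NEWROUTE or RTM_NEWNEXTHOP request in an NLMSG_ERROR reply rather than by failing sendmsg(), which is why the denial surfaces as "Operation not permitted" in zebra's own log in the bug description instead of as a failing system call; the correlation by event serial is what ties the two together.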

Comment 13 Zdenek Pytela 2022-09-09 14:28:24 UTC
FYI in the middle there is an AVC which probably is just a result of service auditd restart and is normally dontaudited.

Comment 14 Fedora Update System 2022-09-09 17:28:48 UTC
FEDORA-2022-1b7925467c has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2022-1b7925467c

Comment 15 Michal Ruprich 2022-09-09 17:32:06 UTC
So I added these rules that were missing in F37. These were added to Rawhide but probably at the time of branching of F37 so they were not there:
1. Permission to write .history_frr, which will probably be in /root/ most of the time:
optional_policy(`
        userdom_admin_home_dir_filetrans(frr_t, frr_conf_t, file, ".history_frr")
')

2. bind ports for vrrpd and pathd:
corenet_tcp_bind_generic_port(frr_t)

3. And the capability to call net_admin:
allow frr_t self:capability { chown dac_override dac_read_search kill net_bind_service net_raw setgid setuid net_admin };

This should do it. Let me know if you see any more AVCs Richard.

Thank you,
Michal

Comment 16 Richard W.M. Jones 2022-09-09 18:57:01 UTC
Works here, thanks.

Comment 17 Fedora Update System 2022-09-10 17:21:07 UTC
FEDORA-2022-1b7925467c has been pushed to the Fedora 37 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-1b7925467c`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-1b7925467c

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 18 Fedora Update System 2022-09-16 15:17:40 UTC
FEDORA-2022-9f5d5b6e3a has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2022-9f5d5b6e3a

Comment 19 Fedora Update System 2022-09-17 03:29:31 UTC
FEDORA-2022-9f5d5b6e3a has been pushed to the Fedora 37 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-9f5d5b6e3a`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-9f5d5b6e3a

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 20 Fedora Update System 2022-09-21 01:41:10 UTC
FEDORA-2022-9f5d5b6e3a has been pushed to the Fedora 37 stable repository.
If the problem still persists, please make note of it in this bug report.

