SELinux is preventing FRR-Zebra to access to network namespaces. sudo audit2why -i /var/log/audit/audit.log type=AVC msg=audit(1687223395.771:44136): avc: denied { read } for pid=21815 comm="zebra" name="netns" dev="tmpfs" ino=1715 scontext=system_u:system_r:frr_t:s0 tcontext=unconfined_u:object_r:ifconfig_var_run_t:s0 tclass=dir permissive=0 Was caused by: Missing type enforcement (TE) allow rule. You can use audit2allow to generate a loadable module to allow this access. .... sudo audit2allow -i /var/log/audit/audit.log #============= frr_t ============== allow frr_t ifconfig_var_run_t:dir { read watch }; Source Context system_u:system_r:frr_t:s0 Target Context unconfined_u:object_r:ifconfig_var_run_t:s0 frr 8.5-1.fc37 selinux-policy 37.21-2.fc37 selinux-policy-targeted 37.21-2.fc37 Reproducible: Always Steps to Reproduce: 1. Install FRR 8.5 2. Create a network namespace through ip netns add my-ns 3. Add -n switch to the zebra option at /etc/frr/daemons 4. Restart FRR 5. Login to FRR Actual Results: The VRF based on the network namespace is not available. Expected Results: vrf my-ns netns /run/netns/my-ns exit-vrf Kernel: 5.19.16-301.fc37.x86_64
Thanks for the bug, this will most likely need a new interface to get the to get the new type. Working on it. Adding a more verbose log of the two AVCs in permissive mode: type=PROCTITLE msg=audit(06/23/2023 08:22:31.898:570) : proctitle=/usr/libexec/frr/zebra -d -F traditional -A 127.0.0.1 -s 90000000 -n type=PATH msg=audit(06/23/2023 08:22:31.898:570) : item=0 name=/var/run/netns inode=1194 dev=00:18 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:ifconfig_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(06/23/2023 08:22:31.898:570) : cwd=/ type=SYSCALL msg=audit(06/23/2023 08:22:31.898:570) : arch=x86_64 syscall=openat success=yes exit=16 a0=AT_FDCWD a1=0x5570b7faf7eb a2=O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC a3=0x0 items=1 ppid=1992 pid=2000 auid=unset uid=frr gid=frr euid=frr suid=frr fsuid=frr egid=frr sgid=frr fsgid=frr tty=(none) ses=unset comm=zebra exe=/usr/libexec/frr/zebra subj=system_u:system_r:frr_t:s0 key=(null) type=AVC msg=audit(06/23/2023 08:22:31.898:570) : avc: denied { read } for pid=2000 comm=zebra name=netns dev="tmpfs" ino=1194 scontext=system_u:system_r:frr_t:s0 tcontext=unconfined_u:object_r:ifconfig_var_run_t:s0 tclass=dir permissive=1 ---- type=PROCTITLE msg=audit(06/23/2023 08:22:31.899:571) : proctitle=/usr/libexec/frr/zebra -d -F traditional -A 127.0.0.1 -s 90000000 -n type=PATH msg=audit(06/23/2023 08:22:31.899:571) : item=0 name=/var/run/netns inode=1194 dev=00:18 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:ifconfig_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(06/23/2023 08:22:31.899:571) : cwd=/ type=SYSCALL msg=audit(06/23/2023 08:22:31.899:571) : arch=x86_64 syscall=inotify_add_watch success=yes exit=1 a0=0x10 a1=0x5570b7faf7eb a2=0x300 a3=0x7ffe984db080 items=1 ppid=1992 pid=2000 auid=unset uid=frr gid=frr euid=frr suid=frr fsuid=frr egid=frr sgid=frr fsgid=frr tty=(none) ses=unset comm=zebra exe=/usr/libexec/frr/zebra subj=system_u:system_r:frr_t:s0 key=(null) type=AVC msg=audit(06/23/2023 08:22:31.899:571) : avc: denied { watch } for pid=2000 comm=zebra path=/run/netns dev="tmpfs" ino=1194 scontext=system_u:system_r:frr_t:s0 tcontext=unconfined_u:object_r:ifconfig_var_run_t:s0 tclass=dir permissive=1
FEDORA-2023-a377c170bf has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-a377c170bf
FEDORA-2023-4b6ee8514f has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2023-4b6ee8514f
FEDORA-2023-4b6ee8514f has been pushed to the Fedora 37 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-4b6ee8514f` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-4b6ee8514f See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2023-a377c170bf has been pushed to the Fedora 38 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-a377c170bf` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-a377c170bf See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2023-4b6ee8514f has been pushed to the Fedora 37 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2023-a377c170bf has been pushed to the Fedora 38 stable repository. If problem still persists, please make note of it in this bug report.