2216911 – SELinux is preventing FRR-Zebra to access to network namespaces.

Bug 2216911 - SELinux is preventing FRR-Zebra to access to network namespaces.

Summary: SELinux is preventing FRR-Zebra to access to network namespaces.

Keywords:
Status:	ASSIGNED
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	frr
Sub Component:
Version:	8.9
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Michal Ruprich
QA Contact:	František Hrdina
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2023-06-23 08:12 UTC by Michal Ruprich
Modified:	2023-08-11 14:07 UTC (History)
CC List:	7 users (show)
Fixed In Version:	frr-7.5.1-8.el8
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:	2216073
Environment:
Last Closed:
Type:	---
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	RHELPLAN-160538	0	None	None	None	2023-06-23 08:22:05 UTC

Description Michal Ruprich 2023-06-23 08:12:19 UTC

+++ This bug was initially created as a clone of Bug #2216073 +++

SELinux is preventing FRR-Zebra to access to network namespaces.

sudo audit2why -i /var/log/audit/audit.log
type=AVC msg=audit(1687223395.771:44136): avc:  denied  { read } for  pid=21815 comm="zebra" name="netns" dev="tmpfs" ino=1715 scontext=system_u:system_r:frr_t:s0 tcontext=unconfined_u:object_r:ifconfig_var_run_t:s0 tclass=dir permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.
		You can use audit2allow to generate a loadable module to allow this access.
....
sudo audit2allow -i /var/log/audit/audit.log
#============= frr_t ==============
allow frr_t ifconfig_var_run_t:dir { read watch };

Source Context               system_u:system_r:frr_t:s0
Target Context               unconfined_u:object_r:ifconfig_var_run_t:s0
frr                          8.5-1.fc37
selinux-policy               37.21-2.fc37
selinux-policy-targeted      37.21-2.fc37

Reproducible: Always

Steps to Reproduce:
1. Install FRR 8.5 
2. Create a network namespace through ip netns add my-ns
3. Add -n switch to the zebra option at /etc/frr/daemons
4. Restart FRR
5. Login to FRR 

Actual Results:  
The VRF based on the network namespace is not available.

Expected Results:  
vrf my-ns
 netns /run/netns/my-ns
exit-vrf

Kernel: 5.19.16-301.fc37.x86_64

Comment 1 Michal Ruprich 2023-06-23 08:24:59 UTC

With RHEL8 I see read and getattr calls:

type=PROCTITLE msg=audit(06/23/2023 03:55:40.133:309) : proctitle=/usr/libexec/frr/zebra -d -F traditional -A 127.0.0.1 -s 90000000 -n 
type=SYSCALL msg=audit(06/23/2023 03:55:40.133:309) : arch=x86_64 syscall=inotify_add_watch success=no exit=EACCES(Permission denied) a0=0xf a1=0x5644b8faf578 a2=0x300 a3=0x3e items=0 ppid=6780 pid=6793 auid=unset uid=frr gid=frr euid=frr suid=frr fsuid=frr egid=frr sgid=frr fsgid=frr tty=(none) ses=unset comm=zebra exe=/usr/libexec/frr/zebra subj=system_u:system_r:frr_t:s0 key=(null) 
type=AVC msg=audit(06/23/2023 03:55:40.133:309) : avc:  denied  { read } for  pid=6793 comm=zebra name=netns dev="tmpfs" ino=38646 scontext=system_u:system_r:frr_t:s0 tcontext=unconfined_u:object_r:ifconfig_var_run_t:s0 tclass=dir permissive=0 
----
type=PROCTITLE msg=audit(06/23/2023 03:55:54.574:311) : proctitle=/usr/libexec/frr/zebra -d -F traditional -A 127.0.0.1 -s 90000000 -n 
type=SYSCALL msg=audit(06/23/2023 03:55:54.574:311) : arch=x86_64 syscall=lstat success=no exit=EACCES(Permission denied) a0=0x7fadfa93e120 a1=0x7ffdd2f09f10 a2=0x7ffdd2f09f10 a3=0x0 items=0 ppid=1 pid=6794 auid=unset uid=frr gid=frr euid=frr suid=frr fsuid=frr egid=frr sgid=frr fsgid=frr tty=(none) ses=unset comm=zebra exe=/usr/libexec/frr/zebra subj=system_u:system_r:frr_t:s0 key=(null) 
type=AVC msg=audit(06/23/2023 03:55:54.574:311) : avc:  denied  { getattr } for  pid=6794 comm=zebra path=/run/netns/my-ns dev="nsfs" ino=4026532186 scontext=system_u:system_r:frr_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=file permissive=0

Comment 2 Michal Ruprich 2023-06-23 12:14:20 UTC

Same scenario with permissive mode:

type=PROCTITLE msg=audit(06/23/2023 08:11:58.380:323) : proctitle=/usr/libexec/frr/zebra -d -F traditional -A 127.0.0.1 -s 90000000 -n 
type=SYSCALL msg=audit(06/23/2023 08:11:58.380:323) : arch=x86_64 syscall=openat success=yes exit=15 a0=AT_FDCWD a1=0x55fa4eb1d578 a2=O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC a3=0x0 items=0 ppid=6971 pid=6984 auid=unset uid=frr gid=frr euid=frr suid=frr fsuid=frr egid=frr sgid=frr fsgid=frr tty=(none) ses=unset comm=zebra exe=/usr/libexec/frr/zebra subj=system_u:system_r:frr_t:s0 key=(null) 
type=AVC msg=audit(06/23/2023 08:11:58.380:323) : avc:  denied  { read } for  pid=6984 comm=zebra name=netns dev="tmpfs" ino=38646 scontext=system_u:system_r:frr_t:s0 tcontext=unconfined_u:object_r:ifconfig_var_run_t:s0 tclass=dir permissive=1 
----
type=PROCTITLE msg=audit(06/23/2023 08:11:58.381:324) : proctitle=/usr/libexec/frr/zebra -d -F traditional -A 127.0.0.1 -s 90000000 -n 
type=SYSCALL msg=audit(06/23/2023 08:11:58.381:324) : arch=x86_64 syscall=newfstatat success=yes exit=0 a0=0xf a1=0x55fa4f6f7c13 a2=0x7ffdd2068410 a3=0x0 items=0 ppid=6971 pid=6984 auid=unset uid=frr gid=frr euid=frr suid=frr fsuid=frr egid=frr sgid=frr fsgid=frr tty=(none) ses=unset comm=zebra exe=/usr/libexec/frr/zebra subj=system_u:system_r:frr_t:s0 key=(null) 
type=AVC msg=audit(06/23/2023 08:11:58.381:324) : avc:  denied  { getattr } for  pid=6984 comm=zebra path=/run/netns/my-ns dev="nsfs" ino=4026532186 scontext=system_u:system_r:frr_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=file permissive=1 
----
type=PROCTITLE msg=audit(06/23/2023 08:11:58.381:325) : proctitle=/usr/libexec/frr/zebra -d -F traditional -A 127.0.0.1 -s 90000000 -n 
type=SYSCALL msg=audit(06/23/2023 08:11:58.381:325) : arch=x86_64 syscall=openat success=yes exit=16 a0=AT_FDCWD a1=0x7f82ec3d7120 a2=O_RDONLY a3=0x0 items=0 ppid=6971 pid=6984 auid=unset uid=frr gid=frr euid=frr suid=frr fsuid=frr egid=frr sgid=frr fsgid=frr tty=(none) ses=unset comm=zebra exe=/usr/libexec/frr/zebra subj=system_u:system_r:frr_t:s0 key=(null) 
type=AVC msg=audit(06/23/2023 08:11:58.381:325) : avc:  denied  { open } for  pid=6984 comm=zebra path=/run/netns/my-ns dev="nsfs" ino=4026532186 scontext=system_u:system_r:frr_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=file permissive=1 
type=AVC msg=audit(06/23/2023 08:11:58.381:325) : avc:  denied  { read } for  pid=6984 comm=zebra dev="nsfs" ino=4026532186 scontext=system_u:system_r:frr_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=file permissive=1

Note You need to log in before you can comment on or make changes to this bug.