2216912 – SELinux is preventing FRR-Zebra to access to network namespaces.

Bug 2216912 - SELinux is preventing FRR-Zebra to access to network namespaces.

Summary: SELinux is preventing FRR-Zebra to access to network namespaces.

Keywords:
Status:	VERIFIED
Alias:	None
Product:	Red Hat Enterprise Linux 9
Classification:	Red Hat
Component:	frr
Sub Component:
Version:	9.3
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Michal Ruprich
QA Contact:	František Hrdina
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2023-06-23 08:21 UTC by Michal Ruprich
Modified:	2023-08-14 12:07 UTC (History)
CC List:	7 users (show)
Fixed In Version:	frr-8.3.1-10.el9
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:	2216073
Environment:
Last Closed:
Type:	---
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	RHELPLAN-160539	0	None	None	None	2023-06-23 08:22:11 UTC

Description Michal Ruprich 2023-06-23 08:21:29 UTC

+++ This bug was initially created as a clone of Bug #2216073 +++

SELinux is preventing FRR-Zebra to access to network namespaces.

sudo audit2why -i /var/log/audit/audit.log
type=AVC msg=audit(1687223395.771:44136): avc:  denied  { read } for  pid=21815 comm="zebra" name="netns" dev="tmpfs" ino=1715 scontext=system_u:system_r:frr_t:s0 tcontext=unconfined_u:object_r:ifconfig_var_run_t:s0 tclass=dir permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.
		You can use audit2allow to generate a loadable module to allow this access.
....
sudo audit2allow -i /var/log/audit/audit.log
#============= frr_t ==============
allow frr_t ifconfig_var_run_t:dir { read watch };

Source Context               system_u:system_r:frr_t:s0
Target Context               unconfined_u:object_r:ifconfig_var_run_t:s0
frr                          8.5-1.fc37
selinux-policy               37.21-2.fc37
selinux-policy-targeted      37.21-2.fc37

Reproducible: Always

Steps to Reproduce:
1. Install FRR 8.5 
2. Create a network namespace through ip netns add my-ns
3. Add -n switch to the zebra option at /etc/frr/daemons
4. Restart FRR
5. Login to FRR 

Actual Results:  
The VRF based on the network namespace is not available.

Expected Results:  
vrf my-ns
 netns /run/netns/my-ns
exit-vrf

Kernel: 5.19.16-301.fc37.x86_64

Comment 1 Michal Ruprich 2023-06-23 08:24:19 UTC

With RHEL9 I see just read call that is being deined:

type=PROCTITLE msg=audit(06/23/2023 04:02:57.168:303) : proctitle=/usr/libexec/frr/zebra -d -F traditional -A 127.0.0.1 -s 90000000 -n 
type=SYSCALL msg=audit(06/23/2023 04:02:57.168:303) : arch=x86_64 syscall=inotify_add_watch success=no exit=EACCES(Permission denied) a0=0x10 a1=0x5617f9dd0ece a2=0x300 a3=0xffffffff items=0 ppid=7382 pid=7392 auid=unset uid=frr gid=frr euid=frr suid=frr fsuid=frr egid=frr sgid=frr fsgid=frr tty=(none) ses=unset comm=zebra exe=/usr/libexec/frr/zebra subj=system_u:system_r:frr_t:s0 key=(null) 
type=AVC msg=audit(06/23/2023 04:02:57.168:303) : avc:  denied  { read } for  pid=7392 comm=zebra name=netns dev="tmpfs" ino=1016 scontext=system_u:system_r:frr_t:s0 tcontext=unconfined_u:object_r:ifconfig_var_run_t:s0 tclass=dir permissive=0

Comment 2 Michal Ruprich 2023-06-23 12:16:04 UTC

Same scenario in permissive mode:

type=PROCTITLE msg=audit(06/23/2023 08:15:17.541:331) : proctitle=/usr/libexec/frr/zebra -d -F traditional -A 127.0.0.1 -s 90000000 -n 
type=SYSCALL msg=audit(06/23/2023 08:15:17.541:331) : arch=x86_64 syscall=openat success=yes exit=16 a0=AT_FDCWD a1=0x55b1aea6cece a2=O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC a3=0x0 items=0 ppid=7623 pid=7633 auid=unset uid=frr gid=frr euid=frr suid=frr fsuid=frr egid=frr sgid=frr fsgid=frr tty=(none) ses=unset comm=zebra exe=/usr/libexec/frr/zebra subj=system_u:system_r:frr_t:s0 key=(null) 
type=AVC msg=audit(06/23/2023 08:15:17.541:331) : avc:  denied  { read } for  pid=7633 comm=zebra name=netns dev="tmpfs" ino=1016 scontext=system_u:system_r:frr_t:s0 tcontext=unconfined_u:object_r:ifconfig_var_run_t:s0 tclass=dir permissive=1 
----
type=PROCTITLE msg=audit(06/23/2023 08:15:17.541:332) : proctitle=/usr/libexec/frr/zebra -d -F traditional -A 127.0.0.1 -s 90000000 -n 
type=SYSCALL msg=audit(06/23/2023 08:15:17.541:332) : arch=x86_64 syscall=inotify_add_watch success=yes exit=1 a0=0x10 a1=0x55b1aea6cece a2=0x300 a3=0x7ffc5a347080 items=0 ppid=7623 pid=7633 auid=unset uid=frr gid=frr euid=frr suid=frr fsuid=frr egid=frr sgid=frr fsgid=frr tty=(none) ses=unset comm=zebra exe=/usr/libexec/frr/zebra subj=system_u:system_r:frr_t:s0 key=(null) 
type=AVC msg=audit(06/23/2023 08:15:17.541:332) : avc:  denied  { watch } for  pid=7633 comm=zebra path=/run/netns dev="tmpfs" ino=1016 scontext=system_u:system_r:frr_t:s0 tcontext=unconfined_u:object_r:ifconfig_var_run_t:s0 tclass=dir permissive=1

Comment 7 Milos Malik 2023-07-27 15:32:05 UTC

The modified automated TC executed on Fedora 38 found another SELinux denial:
----
type=PROCTITLE msg=audit(07/27/2023 11:26:31.692:622) : proctitle=/usr/libexec/frr/bfdd -d -F traditional -A 127.0.0.1 
type=SOCKADDR msg=audit(07/27/2023 11:26:31.692:622) : saddr={ saddr_fam=packet (unsupported) } 
type=SYSCALL msg=audit(07/27/2023 11:26:31.692:622) : arch=x86_64 syscall=bind success=no exit=EACCES(Permission denied) a0=0xf a1=0x7ffeb8c5a000 a2=0x14 a3=0x7ffeb8c59ff0 items=0 ppid=7818 pid=7903 auid=unset uid=frr gid=frr euid=frr suid=frr fsuid=frr egid=frr sgid=frr fsgid=frr tty=(none) ses=unset comm=bfdd exe=/usr/libexec/frr/bfdd subj=system_u:system_r:frr_t:s0 key=(null) 
type=AVC msg=audit(07/27/2023 11:26:31.692:622) : avc:  denied  { bind } for  pid=7903 comm=bfdd scontext=system_u:system_r:frr_t:s0 tcontext=system_u:system_r:frr_t:s0 tclass=packet_socket permissive=0 
----

# rpm -qa selinux\* frr\* | sort
frr-8.5.2-1.fc38.x86_64
frr-selinux-8.5.2-1.fc38.noarch
selinux-policy-38.21-1.fc38.noarch
selinux-policy-devel-38.21-1.fc38.noarch
selinux-policy-targeted-38.21-1.fc38.noarch
#

Comment 8 Milos Malik 2023-07-27 15:33:53 UTC

If you need me to file the comment#7 issue as a new bug, let me know.

Comment 9 Zdenek Pytela 2023-08-01 07:44:10 UTC

The additional denial from #c7 should be addressed by:
https://src.fedoraproject.org/rpms/frr/pull-request/33

Note You need to log in before you can comment on or make changes to this bug.