Bug 2311120 - AVCs for using a netlink socket in FRR
Summary: AVCs for using a netlink socket in FRR
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: frr
Version: rawhide
Hardware: Unspecified
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Michal Ruprich
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2024-09-10 12:35 UTC by Michal Ruprich
Modified: 2024-09-19 00:17 UTC (History)

Fixed In Version: frr-10.1-4.fc41
Clone Of:
Environment:
Last Closed: 2024-09-19 00:17:30 UTC
Type: ---
Embargoed:



Description Michal Ruprich 2024-09-10 12:35:35 UTC
A couple of AVCs are being generated when running FRR. A netlink socket needs to be used. AVCs:

----
type=PROCTITLE msg=audit(09/09/2024 11:59:00.777:621) : proctitle=/usr/libexec/frr/zebra -d -F traditional -A 127.0.0.1 -s 90000000 
type=SYSCALL msg=audit(09/09/2024 11:59:00.777:621) : arch=x86_64 syscall=socket success=yes exit=16 a0=netlink a1=SOCK_RAW a2=chaos a3=0x2000 items=0 ppid=2605 pid=2631 auid=unset uid=frr gid=frr euid=frr suid=frr fsuid=frr egid=frr sgid=frr fsgid=frr tty=(none) ses=unset comm=zebra exe=/usr/libexec/frr/zebra subj=system_u:system_r:frr_t:s0 key=(null) 
type=AVC msg=audit(09/09/2024 11:59:00.777:621) : avc:  denied  { create } for  pid=2631 comm=zebra scontext=system_u:system_r:frr_t:s0 tcontext=system_u:system_r:frr_t:s0 tclass=netlink_generic_socket permissive=1 
----
type=PROCTITLE msg=audit(09/09/2024 11:59:00.777:622) : proctitle=/usr/libexec/frr/zebra -d -F traditional -A 127.0.0.1 -s 90000000 
type=SOCKADDR msg=audit(09/09/2024 11:59:00.777:622) : saddr={ saddr_fam=netlink nlnk-fam=16 nlnk-pid=0 } 
type=SYSCALL msg=audit(09/09/2024 11:59:00.777:622) : arch=x86_64 syscall=bind success=yes exit=0 a0=0x10 a1=0x7ffc64b042bc a2=0xc a3=0x2000 items=0 ppid=2605 pid=2631 auid=unset uid=frr gid=frr euid=frr suid=frr fsuid=frr egid=frr sgid=frr fsgid=frr tty=(none) ses=unset comm=zebra exe=/usr/libexec/frr/zebra subj=system_u:system_r:frr_t:s0 key=(null) 
type=AVC msg=audit(09/09/2024 11:59:00.777:622) : avc:  denied  { bind } for  pid=2631 comm=zebra scontext=system_u:system_r:frr_t:s0 tcontext=system_u:system_r:frr_t:s0 tclass=netlink_generic_socket permissive=1 
----
type=PROCTITLE msg=audit(09/09/2024 11:59:00.777:623) : proctitle=/usr/libexec/frr/zebra -d -F traditional -A 127.0.0.1 -s 90000000 
type=SOCKADDR msg=audit(09/09/2024 11:59:00.777:623) : saddr={ saddr_fam=netlink nlnk-fam=16 nlnk-pid=2631 } 
type=SYSCALL msg=audit(09/09/2024 11:59:00.777:623) : arch=x86_64 syscall=getsockname success=yes exit=0 a0=0x10 a1=0x7ffc64b042bc a2=0x7ffc64b042b0 a3=0x2000 items=0 ppid=2605 pid=2631 auid=unset uid=frr gid=frr euid=frr suid=frr fsuid=frr egid=frr sgid=frr fsgid=frr tty=(none) ses=unset comm=zebra exe=/usr/libexec/frr/zebra subj=system_u:system_r:frr_t:s0 key=(null) 
type=AVC msg=audit(09/09/2024 11:59:00.777:623) : avc:  denied  { getattr } for  pid=2631 comm=zebra scontext=system_u:system_r:frr_t:s0 tcontext=system_u:system_r:frr_t:s0 tclass=netlink_generic_socket permissive=1 
----
type=PROCTITLE msg=audit(09/09/2024 11:59:00.777:624) : proctitle=/usr/libexec/frr/zebra -d -F traditional -A 127.0.0.1 -s 90000000 
type=SYSCALL msg=audit(09/09/2024 11:59:00.777:624) : arch=x86_64 syscall=setsockopt success=yes exit=0 a0=0x10 a1=SOL_NETLINK a2=0xb a3=0x7ffc64b04360 items=0 ppid=2605 pid=2631 auid=unset uid=frr gid=frr euid=frr suid=frr fsuid=frr egid=frr sgid=frr fsgid=frr tty=(none) ses=unset comm=zebra exe=/usr/libexec/frr/zebra subj=system_u:system_r:frr_t:s0 key=(null) 
type=AVC msg=audit(09/09/2024 11:59:00.777:624) : avc:  denied  { setopt } for  pid=2631 comm=zebra scontext=system_u:system_r:frr_t:s0 tcontext=system_u:system_r:frr_t:s0 tclass=netlink_generic_socket permissive=1 
----
type=PROCTITLE msg=audit(09/09/2024 11:59:00.777:625) : proctitle=/usr/libexec/frr/zebra -d -F traditional -A 127.0.0.1 -s 90000000 
type=SYSCALL msg=audit(09/09/2024 11:59:00.777:625) : arch=x86_64 syscall=getsockopt success=yes exit=0 a0=0x10 a1=SOL_SOCKET a2=SO_RCVBUF a3=0x7ffc64b042c4 items=0 ppid=2605 pid=2631 auid=unset uid=frr gid=frr euid=frr suid=frr fsuid=frr egid=frr sgid=frr fsgid=frr tty=(none) ses=unset comm=zebra exe=/usr/libexec/frr/zebra subj=system_u:system_r:frr_t:s0 key=(null) 
type=AVC msg=audit(09/09/2024 11:59:00.777:625) : avc:  denied  { getopt } for  pid=2631 comm=zebra scontext=system_u:system_r:frr_t:s0 tcontext=system_u:system_r:frr_t:s0 tclass=netlink_generic_socket permissive=1 


Reproducible: Always

Steps to Reproduce:
1. Start FRR in a permissive mode
2. ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today to view AVCs
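As an added illustration (not part of the bug report, of FRR, or of the Fedora policy), the script below parses the AVC records quoted above the way audit2allow would and aggregates them into the single allow rule a local policy module would need; it also reports whether the denials were only logged (permissive=1) or would have blocked zebra in enforcing mode. The sample text is copied from the five AVC lines in this report.

```python
import re
from collections import defaultdict

# The five AVC records from this bug report (PROCTITLE/SYSCALL/SOCKADDR
# lines omitted; only the AVC lines carry the policy-relevant fields).
SAMPLE_AVCS = """\
type=AVC msg=audit(09/09/2024 11:59:00.777:621) : avc:  denied  { create } for  pid=2631 comm=zebra scontext=system_u:system_r:frr_t:s0 tcontext=system_u:system_r:frr_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(09/09/2024 11:59:00.777:622) : avc:  denied  { bind } for  pid=2631 comm=zebra scontext=system_u:system_r:frr_t:s0 tcontext=system_u:system_r:frr_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(09/09/2024 11:59:00.777:623) : avc:  denied  { getattr } for  pid=2631 comm=zebra scontext=system_u:system_r:frr_t:s0 tcontext=system_u:system_r:frr_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(09/09/2024 11:59:00.777:624) : avc:  denied  { setopt } for  pid=2631 comm=zebra scontext=system_u:system_r:frr_t:s0 tcontext=system_u:system_r:frr_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(09/09/2024 11:59:00.777:625) : avc:  denied  { getopt } for  pid=2631 comm=zebra scontext=system_u:system_r:frr_t:s0 tcontext=system_u:system_r:frr_t:s0 tclass=netlink_generic_socket permissive=1
"""

# Fields of an AVC record as printed by `ausearch -i`: the permission set in
# braces, source/target contexts, object class and the optional permissive flag.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?"
)

def selinux_type(context):
    # A context is user:role:type:level; policy rules are written on the type.
    return context.split(":")[2]

def parse_avcs(text):
    """Return one dict per AVC denial found in the audit text."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # PROCTITLE, SYSCALL, SOCKADDR and separator lines
        denials.append({
            "perms": m.group("perms").split(),
            "source": selinux_type(m.group("scontext")),
            "target": selinux_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
            # permissive=1 means the access was logged but not actually denied
            "permissive": m.group("permissive") == "1",
        })
    return denials

def allow_rules(denials):
    """Aggregate permissions per (source, target, class) into TE allow rules."""
    perms = defaultdict(set)
    for d in denials:
        perms[(d["source"], d["target"], d["tclass"])].update(d["perms"])
    rules = []
    for (src, tgt, cls), ps in sorted(perms.items()):
        tgt = "self" if src == tgt else tgt  # same type on both sides -> self
        rules.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(ps))} }};")
    return rules
```

Running `allow_rules(parse_avcs(SAMPLE_AVCS))` yields one rule, `allow frr_t self:netlink_generic_socket { bind create getattr getopt setopt };`, which is the scope of access the update frr-10.1-4.fc41 had to cover; all five records carry permissive=1, so zebra was only logged, not blocked, during the reproduction.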

Comment 1 Fedora Update System 2024-09-10 18:35:07 UTC
FEDORA-2024-5e340d5845 (frr-10.1-4.fc41) has been submitted as an update to Fedora 41.
https://bodhi.fedoraproject.org/updates/FEDORA-2024-5e340d5845

Comment 2 Fedora Update System 2024-09-11 02:29:11 UTC
FEDORA-2024-5e340d5845 has been pushed to the Fedora 41 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-5e340d5845`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-5e340d5845

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 3 Fedora Update System 2024-09-19 00:17:30 UTC
FEDORA-2024-5e340d5845 (frr-10.1-4.fc41) has been pushed to the Fedora 41 stable repository.
If the problem still persists, please make note of it in this bug report.

