
AVC failures when running frr10


    • Resolution: Unresolved
    • rhel-9.8
    • rhel-9.8
    • frr10
    • None
    • frr10-10.4.1-3.el9
    • None
    • Low
    • 1
    • rhel-net-perf
    • 0
    • False
    • False
    • None
    • _N&P-Refined_
    • Unspecified
    • Unspecified
    • Unspecified
    • None

      SELinux AVC denials were discovered during the testing of frr10 after running the complete daemon suite. Note that the system was in permissive mode (permissive=1, success=yes in every record below), so the operations were only logged; in enforcing mode zebra would have failed to create /var/lib/frr and to open its generic netlink socket:

       

      # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today -se frr_t
      ----
      type=PROCTITLE msg=audit(02/05/2026 10:16:08.597:332) : proctitle=/usr/libexec/frr/zebra -d -F traditional -A 127.0.0.1 -s 90000000 
      type=PATH msg=audit(02/05/2026 10:16:08.597:332) : item=1 name=(null) inode=33554670 dev=fd:01 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_lib_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
      type=PATH msg=audit(02/05/2026 10:16:08.597:332) : item=0 name=(null) inode=4194438 dev=fd:01 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_lib_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
      type=CWD msg=audit(02/05/2026 10:16:08.597:332) : cwd=/ 
      type=SYSCALL msg=audit(02/05/2026 10:16:08.597:332) : arch=x86_64 syscall=mkdir success=yes exit=0 a0=0x7f8486a07d20 a1=0755 a2=0x0 a3=0x3e3 items=2 ppid=8572 pid=8598 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=zebra exe=/usr/libexec/frr/zebra subj=system_u:system_r:frr_t:s0 key=(null) 
      type=AVC msg=audit(02/05/2026 10:16:08.597:332) : avc:  denied  { create } for  pid=8598 comm=zebra name=frr scontext=system_u:system_r:frr_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=1 
      type=AVC msg=audit(02/05/2026 10:16:08.597:332) : avc:  denied  { add_name } for  pid=8598 comm=zebra name=frr scontext=system_u:system_r:frr_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=1 
      type=AVC msg=audit(02/05/2026 10:16:08.597:332) : avc:  denied  { write } for  pid=8598 comm=zebra name=lib dev="vda1" ino=4194438 scontext=system_u:system_r:frr_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=1 
      ----
      type=PROCTITLE msg=audit(02/05/2026 10:16:08.598:333) : proctitle=/usr/libexec/frr/zebra -d -F traditional -A 127.0.0.1 -s 90000000 
      type=SYSCALL msg=audit(02/05/2026 10:16:08.598:333) : arch=x86_64 syscall=chown success=yes exit=0 a0=0x7f8486a07d20 a1=frr a2=0x3e3 a3=0x3e3 items=0 ppid=8572 pid=8598 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=zebra exe=/usr/libexec/frr/zebra subj=system_u:system_r:frr_t:s0 key=(null) 
      type=AVC msg=audit(02/05/2026 10:16:08.598:333) : avc:  denied  { setattr } for  pid=8598 comm=zebra name=frr dev="vda1" ino=33554670 scontext=system_u:system_r:frr_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=1 
      ----
      type=PROCTITLE msg=audit(02/05/2026 10:16:08.620:334) : proctitle=/usr/libexec/frr/zebra -d -F traditional -A 127.0.0.1 -s 90000000 
      type=SYSCALL msg=audit(02/05/2026 10:16:08.620:334) : arch=x86_64 syscall=socket success=yes exit=17 a0=netlink a1=SOCK_RAW a2=chaos a3=0x5561a8b095cc items=0 ppid=8572 pid=8598 auid=unset uid=frr gid=frr euid=frr suid=frr fsuid=frr egid=frr sgid=frr fsgid=frr tty=(none) ses=unset comm=zebra exe=/usr/libexec/frr/zebra subj=system_u:system_r:frr_t:s0 key=(null) 
      type=AVC msg=audit(02/05/2026 10:16:08.620:334) : avc:  denied  { create } for  pid=8598 comm=zebra scontext=system_u:system_r:frr_t:s0 tcontext=system_u:system_r:frr_t:s0 tclass=netlink_generic_socket permissive=1 
      ----
      type=PROCTITLE msg=audit(02/05/2026 10:16:08.622:335) : proctitle=/usr/libexec/frr/zebra -d -F traditional -A 127.0.0.1 -s 90000000 
      type=SYSCALL msg=audit(02/05/2026 10:16:08.622:335) : arch=x86_64 syscall=bind success=yes exit=0 a0=0x11 a1=0x7ffc003661dc a2=0xc a3=0x5561a8b095cc items=0 ppid=8572 pid=8598 auid=unset uid=frr gid=frr euid=frr suid=frr fsuid=frr egid=frr sgid=frr fsgid=frr tty=(none) ses=unset comm=zebra exe=/usr/libexec/frr/zebra subj=system_u:system_r:frr_t:s0 key=(null) 
      type=AVC msg=audit(02/05/2026 10:16:08.622:335) : avc:  denied  { bind } for  pid=8598 comm=zebra scontext=system_u:system_r:frr_t:s0 tcontext=system_u:system_r:frr_t:s0 tclass=netlink_generic_socket permissive=1 
      ----
      type=PROCTITLE msg=audit(02/05/2026 10:16:08.622:336) : proctitle=/usr/libexec/frr/zebra -d -F traditional -A 127.0.0.1 -s 90000000 
      type=SOCKADDR msg=audit(02/05/2026 10:16:08.622:336) : saddr={ saddr_fam=netlink nlnk-fam=16 nlnk-pid=8598 } 
      type=SYSCALL msg=audit(02/05/2026 10:16:08.622:336) : arch=x86_64 syscall=getsockname success=yes exit=0 a0=0x11 a1=0x7ffc003661dc a2=0x7ffc003661d0 a3=0x5561a8b095cc items=0 ppid=8572 pid=8598 auid=unset uid=frr gid=frr euid=frr suid=frr fsuid=frr egid=frr sgid=frr fsgid=frr tty=(none) ses=unset comm=zebra exe=/usr/libexec/frr/zebra subj=system_u:system_r:frr_t:s0 key=(null) 
      type=AVC msg=audit(02/05/2026 10:16:08.622:336) : avc:  denied  { getattr } for  pid=8598 comm=zebra scontext=system_u:system_r:frr_t:s0 tcontext=system_u:system_r:frr_t:s0 tclass=netlink_generic_socket permissive=1 
      ----
      type=PROCTITLE msg=audit(02/05/2026 10:16:08.622:337) : proctitle=/usr/libexec/frr/zebra -d -F traditional -A 127.0.0.1 -s 90000000 
      type=SYSCALL msg=audit(02/05/2026 10:16:08.622:337) : arch=x86_64 syscall=setsockopt success=yes exit=0 a0=0x11 a1=SOL_NETLINK a2=0xb a3=0x7ffc00366280 items=0 ppid=8572 pid=8598 auid=unset uid=frr gid=frr euid=frr suid=frr fsuid=frr egid=frr sgid=frr fsgid=frr tty=(none) ses=unset comm=zebra exe=/usr/libexec/frr/zebra subj=system_u:system_r:frr_t:s0 key=(null) 
      type=AVC msg=audit(02/05/2026 10:16:08.622:337) : avc:  denied  { setopt } for  pid=8598 comm=zebra scontext=system_u:system_r:frr_t:s0 tcontext=system_u:system_r:frr_t:s0 tclass=netlink_generic_socket permissive=1 
      ----
      type=PROCTITLE msg=audit(02/05/2026 10:16:08.622:338) : proctitle=/usr/libexec/frr/zebra -d -F traditional -A 127.0.0.1 -s 90000000 
      type=SYSCALL msg=audit(02/05/2026 10:16:08.622:338) : arch=x86_64 syscall=getsockopt success=yes exit=0 a0=0x11 a1=SOL_SOCKET a2=SO_RCVBUF a3=0x7ffc003661e4 items=0 ppid=8572 pid=8598 auid=unset uid=frr gid=frr euid=frr suid=frr fsuid=frr egid=frr sgid=frr fsgid=frr tty=(none) ses=unset comm=zebra exe=/usr/libexec/frr/zebra subj=system_u:system_r:frr_t:s0 key=(null) 
      type=AVC msg=audit(02/05/2026 10:16:08.622:338) : avc:  denied  { getopt } for  pid=8598 comm=zebra scontext=system_u:system_r:frr_t:s0 tcontext=system_u:system_r:frr_t:s0 tclass=netlink_generic_socket permissive=1 
      

       

       

      This is an error on my side: I forgot to update the SELinux policy files, and the newer version of FRR has more features and therefore needs additional SELinux permissions. The fix is straightforward and I have already tested it myself. The following rules are needed in the frr policy module (plus a matching file context for /var/lib/frr so a relabel agrees with the runtime transition):

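      # Private type for the daemon state tree under /var/lib.  The audit log shows
      # zebra (frr_t) doing mkdir + chown of "frr" directly in /var/lib (var_lib_t);
      # giving that tree its own type avoids granting frr_t write access to
      # var_lib_t itself.
      type frr_var_lib_t;
      files_type(frr_var_lib_t)

      # Generic netlink socket opened by zebra.  Only the permissions actually seen
      # in the audit log are granted (create, bind, getattr, setopt, getopt).  If the
      # daemon later performs I/O on this socket, read/write denials will follow;
      # widen to create_socket_perms only once that is confirmed from the log.
      allow frr_t self:netlink_generic_socket { create bind getattr setopt getopt };

      # Full management of the private /var/lib/frr tree (covers the chown -> setattr
      # denial on the freshly created directory).
      manage_dirs_pattern(frr_t, frr_var_lib_t, frr_var_lib_t)
      manage_files_pattern(frr_t, frr_var_lib_t, frr_var_lib_t)

      # Name-based transition: only a directory literally named "frr" created
      # directly in /var/lib becomes frr_var_lib_t.  The unnamed { dir file } form
      # would relabel anything frr_t creates in /var/lib, which is wider than the
      # observed behaviour requires.  Children inherit frr_var_lib_t from the
      # parent directory, so no further transition rule is needed.
      # The .fc must also carry
      #   /var/lib/frr(/.*)?   gen_context(system_u:object_r:frr_var_lib_t,s0)
      # so restorecon / a full relabel does not revert the tree to var_lib_t.
      files_var_lib_filetrans(frr_t, frr_var_lib_t, dir, "frr")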
