Run frr service as frr_t and add new bfd_multi port #547
Conversation
Koncpa
force-pushed
the
frr
branch
3 times, most recently
from
3b578c3
to
86025b5
Compare
Koncpa
force-pushed
the
frr
branch
4 times, most recently
from
29b5ffc
to
e2d2f63
Compare
Add new port called cmadmin for bfdd daemon, which is use in frr service. Related to PR: fedora-selinux#547
|
Add another permissions for frr policy, which were discover during testing a common selinux policy tests. The build test will fail, because in policy has added interface, which isn't yet in policy, but PR has already made: #556 |
In that case why not just include the commit in this PR instead of opening a separate one? |
Add new port called cmadmin for bfdd daemon, which is use in frr service. Related to PR: fedora-selinux#547
policy/modules/contrib/frr.fc
Outdated
| /var/lock/subsys/ripd gen_context(system_u:object_r:frr_lock_t,s0) | ||
| /var/lock/subsys/ripngd gen_context(system_u:object_r:frr_lock_t,s0) | ||
| /var/lock/subsys/staticd gen_context(system_u:object_r:frr_lock_t,s0) | ||
| /var/lock/subsys/zebra gen_context(system_u:object_r:frr_lock_t,s0) |
There was a problem hiding this comment.
Are all of the subsys locks plain files?
There was a problem hiding this comment.
For plain files the -- spec can be used.
policy/modules/contrib/frr.te
Outdated
| files_pid_filetrans(frr_t, frr_var_run_t, { dir file lnk_file }) | ||
|
|
||
| allow frr_t frr_exec_t:dir search_dir_perms; | ||
| read_lnk_files_pattern(frr_t, frr_exec_t, frr_exec_t) |
There was a problem hiding this comment.
Is there an example for executable symlink?
There was a problem hiding this comment.
Yes, here you have example.
Example : type=PROCTITLE msg=audit(02/02/2021 06:02:14.242:651) : proctitle=/usr/lib/frr/fabricd -d -A 127.0.0.1 type=PATH msg=audit(02/02/2021 06:02:14.242:651) : item=0 name=/usr/lib64/frr/libfrr.so.0 nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(02/02/2021 06:02:14.242:651) : cwd=/etc/frr type=SYSCALL msg=audit(02/02/2021 06:02:14.242:651) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x7ffcae5eadb0 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=35891 pid=35892 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=fabricd exe=/usr/lib/frr/fabricd subj=system_u:system_r:frr_t:s0 key=(null) type=AVC msg=audit(02/02/2021 06:02:14.242:651) : avc: denied { read } for pid=35892 comm=fabricd name=libfrr.so.0 dev="vda1" ino=35651802 scontext=system_u:system_r:frr_t:s0 tcontext=system_u:object_r:frr_exec_t:s0 tclass=lnk_file permissive=0
There was a problem hiding this comment.
Thanks, I managed to find the previous discussion.
There was a problem hiding this comment.
Can you post the output of this command?
ls -laZ /usr/lib64/frr
There was a problem hiding this comment.
This seems like a packaging bug in frr - the executable files currently in /usr/lib/frr should be placed in /usr/libexec/frr instead. Did you report it to the maintainer/upstream?
There was a problem hiding this comment.
@zpytela , matchpathcon say:
/usr/lib64/frr/libfrr.so.0 system_u:object_r:frr_exec_t:s0
There was a problem hiding this comment.
This seems like a packaging bug in
frr- the executable files currently in/usr/lib/frrshould be placed in/usr/libexec/frrinstead. Did you report it to the maintainer/upstream?
No didn't report that.
There was a problem hiding this comment.
The problem is that in .fc there is
/usr/lib/frr(/.*)? gen_context(system_u:object_r:frr_exec_t,s0), which breaks the labels in/usr/lib64/frr/..., since there is an equivalency between/usr/liband/usr/lib64.
So issue is that this files should be in /usr/libexec/frr a also have different label?
There was a problem hiding this comment.
Executable files which are not supposed to be executed from cmdline should be in /usr/libexec. Shared libraries should be in /usr/lib64 and have the common type lib_t unless there was a reason for having a private type - this matches the purpose of shared libraries.
There was a problem hiding this comment.
@WOnder93 So I have already reported this bug to frr maintainer.
|
@Koncpa, do you want to keep the 2 commit separate, like to distinguish between the initial policy and later enhancements, or will it make sense for you to squash them? |
What do you think that will be better? I made two commits because on previous commit made @WOnder93 review so I want distinguish later enchancements for next review. |
Koncpa
force-pushed
the
frr
branch
2 times, most recently
from
4c9f3fa
to
ae53499
Compare
|
Squash two commits into one. |
Add new port called cmadmin for bfdd daemon, which is use in frr service. Related to PR: #547
Koncpa
force-pushed
the
frr
branch
2 times, most recently
from
13efe63
to
a1ee416
Compare
Add new port called cmadmin for bfdd daemon, which is use in frr service. Related to PR: fedora-selinux#547
Koncpa
force-pushed
the
frr
branch
3 times, most recently
from
ae53499
to
e83f4ab
Compare
Koncpa
force-pushed
the
frr
branch
2 times, most recently
from
f7a8c31
to
6410e5e
Compare
Koncpa
changed the title
|
Now it generally looks good. |
Koncpa
force-pushed
the
frr
branch
2 times, most recently
from
4f6d6ce
to
9109d77
Compare
Confined frr service as frr_t and create policy files and rules for frr service. FRRouting (FRR) is an IP routing protocol which includes protocol daemons for BGP, IS-IS, LDP, OSPF, PIM, and RIP. Add new port called bfd_multi for bfdd daemon, which is use in frr service.
Confined frr service as frr_t and create policy files and rules for frr service.
FRRouting (FRR) is an IP routing protocol which
includes protocol daemons for BGP, IS-IS, LDP, OSPF, PIM, and RIP.
Add new port called bfd_multi for bfdd daemon, which is use in frr service.