Adding a couple of rules to tackle AVCs

2022-09-09 19:07:50 +02:00
parent 61a4e5aa67
commit 8c46bbbf5c
2 changed files with 13 additions and 3 deletions
--- a/frr.spec
+++ b/frr.spec
@@ -7,7 +7,7 @@

 Name:           frr
 Version:        8.3.1
-Release:        3%{?dist}
+Release:        4%{?dist}
 Summary:        Routing daemon
 License:        GPLv2+
 URL:            http://www.frrouting.org
@@ -214,8 +214,10 @@ fi
 %selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
 %selinux_relabel_post -s %{selinuxtype}
 #/var/tmp and /var/run need to be relabeled as well if FRR is running before upgrade
+if [ $1 == 2 ]; then
    %{_sbindir}/restorecon -R /var/tmp/frr &> /dev/null
    %{_sbindir}/restorecon -R /var/run/frr &> /dev/null
+fi

 %postun selinux
 if [ $1 -eq 0 ]; then
@@ -262,6 +264,9 @@ rm tests/lib/*grpc*
 %endif

 %changelog
+* Fri Sep 09 2022 Michal Ruprich <mruprich@redhat.com> - 8.3.1-4
+- Adding a couple of rules to tackle AVCs
+
 * Fri Sep 09 2022 Michal Ruprich <mruprich@redhat.com> - 8.3.1-3
 - Resolves: #2124254 - frr can no longer update routes

--- a/frr.te
+++ b/frr.te
@@ -82,6 +82,7 @@ corenet_udp_bind_bfd_multi_port(frr_t)
 corenet_tcp_bind_bgp_port(frr_t)
 corenet_tcp_bind_cmadmin_port(frr_t)
 corenet_udp_bind_cmadmin_port(frr_t)
+corenet_tcp_bind_generic_port(frr_t)
 corenet_tcp_bind_firepower_port(frr_t)
 corenet_tcp_bind_priority_e_com_port(frr_t)
 corenet_udp_bind_router_port(frr_t)
@@ -112,3 +113,7 @@ optional_policy(`
 optional_policy(`
 	networkmanager_read_state(frr_t)
 ')
+
+optional_policy(`
+        userdom_admin_home_dir_filetrans(frr_t, frr_conf_t, file, ".history_frr")
+')