v.ims.1 - Bump version

The commit addresses the following AVC denial:
type=PROCTITLE msg=audit(07/27/2023 11:26:31.692:622) : proctitle=/usr/libexec/frr/bfdd -d -F traditional -A 127.0.0.1
type=SOCKADDR msg=audit(07/27/2023 11:26:31.692:622) : saddr={ saddr_fam=packet (unsupported) }
type=SYSCALL msg=audit(07/27/2023 11:26:31.692:622) : arch=x86_64 syscall=bind success=no exit=EACCES(Permission denied) a0=0xf a1=0x7ffeb8c5a000 a2=0x14 a3=0x7ffeb8c59ff0 items=0 ppid=7818 pid=7903 auid=unset uid=frr gid=frr euid=frr suid=frr fsuid=frr egid=frr sgid=frr fsgid=frr tty=(none) ses=unset comm=bfdd exe=/usr/libexec/frr/bfdd subj=system_u:system_r:frr_t:s0 key=(null)
type=AVC msg=audit(07/27/2023 11:26:31.692:622) : avc:  denied  { bind } for  pid=7903 comm=bfdd scontext=system_u:system_r:frr_t:s0 tcontext=system_u:system_r:frr_t:s0 tclass=packet_socket permissive=0

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2216912

.fmf/version

@@ -0,0 +1 @@
+1

.gitignore

@@ -3,3 +3,18 @@
 /frr-7.3.tar.gz
 /remove-babeld-ldpd.sh
 /frr-7.3.1.tar.gz
+/frr-7.4.tar.gz
+/frr-7.5.tar.gz
+/frr-7.5.1.tar.gz
+/frr-8.0.tar.gz
+/frr-8.0.1.tar.gz
+/frr-8.2.tar.gz
+/frr-8.2.2.tar.gz
+/frr-8.3.1.tar.gz
+/frr-8.4.tar.gz
+/frr-8.4.1.tar.gz
+/frr-8.4.2.tar.gz
+/frr-8.5.tar.gz
+/frr-8.5.1.tar.gz
+/frr-8.5.2.tar.gz
+/frr-8.5.3.tar.gz

0000-remove-babeld-and-ldpd.patch

@@ -27,3 +27,29 @@ index 5be3264..33abc1d 100644
  	lib/Makefile \
  	nhrpd/Makefile \
  	ospf6d/Makefile \
+diff --git a/tools/etc/frr/daemons b/tools/etc/frr/daemons
+index 8aa0887..c92dcca 100644
+--- a/tools/etc/frr/daemons
++++ b/tools/etc/frr/daemons
+@@ -22,10 +22,8 @@ ripngd=no
+ isisd=no
+ pimd=no
+ pim6d=no
+-ldpd=no
+ nhrpd=no
+ eigrpd=no
+-babeld=no
+ sharpd=no
+ pbrd=no
+ bfdd=no
+@@ -48,10 +46,8 @@ ripngd_options=" -A ::1"
+ isisd_options="  -A 127.0.0.1"
+ pimd_options="   -A 127.0.0.1"
+ pim6d_options="  -A ::1"
+-ldpd_options="   -A 127.0.0.1"
+ nhrpd_options="  -A 127.0.0.1"
+ eigrpd_options=" -A 127.0.0.1"
+-babeld_options=" -A 127.0.0.1"
+ sharpd_options=" -A 127.0.0.1"
+ pbrd_options="   -A 127.0.0.1"
+ staticd_options="-A 127.0.0.1"

0001-nhrp-Configure-vici-socket-path-using-configure-with.patch

@@ -1,54 +0,0 @@
-From a2d2631efd4cee59cb6e15cc6d1cefc15bb2f433 Mon Sep 17 00:00:00 2001
-From: root <root@dm4.st.test2.hr>
-Date: Sat, 25 Jan 2020 19:38:39 +0100
-Subject: [PATCH] nhrp: Configure vici socket path using configure
- --with-vici-socket=/var/run/charon.vici (default)
-
----
- configure.ac       | 8 ++++++++
- nhrpd/README.nhrpd | 3 ++-
- nhrpd/vici.c       | 2 +-
- 3 files changed, 11 insertions(+), 2 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index 59443b9f5..4fd96642a 100755
---- a/configure.ac
-+++ b/configure.ac
-@@ -139,6 +139,13 @@ AC_ARG_WITH([yangmodelsdir], [AS_HELP_STRING([--with-yangmodelsdir=DIR], [yang m
- ])
- AC_SUBST([yangmodelsdir])
- 
-+AC_ARG_WITH([vici-socket], [AS_HELP_STRING([--with-vici-socket=DIR], [vici-socket (/var/run/charon.vici)])], [
-+	vici_socket="$withval"
-+], [
-+	vici_socket="/var/run/charon.vici"
-+])
-+AC_DEFINE_UNQUOTED([VICI_SOCKET], ["$vici_socket"], [StrongSWAN vici interface])
-+
- AC_ARG_ENABLE(tcmalloc,
- 	AS_HELP_STRING([--enable-tcmalloc], [Turn on tcmalloc]),
- [case "${enableval}" in
-@@ -2384,6 +2391,7 @@ group for vty sockets   : ${enable_vty_group}
- config file mask        : ${enable_configfile_mask}
- log file mask           : ${enable_logfile_mask}
- zebra protobuf enabled  : ${enable_protobuf:-no}
-+vici socket path        : ${vici_socket}
- 
- The above user and group must have read/write access to the state file
- directory and to the config files in the config file directory."
-diff --git a/nhrpd/vici.c b/nhrpd/vici.c
-index d6105b71d..86023e1f8 100644
---- a/nhrpd/vici.c
-+++ b/nhrpd/vici.c
-@@ -478,7 +478,7 @@ static int vici_reconnect(struct thread *t)
- 	if (vici->fd >= 0)
- 		return 0;
- 
--	fd = sock_open_unix("/var/run/charon.vici");
-+	fd = sock_open_unix(VICI_SOCKET);
- 	if (fd < 0) {
- 		debugf(NHRP_DEBUG_VICI,
- 		       "%s: failure connecting VICI socket: %s",
--- 
-2.26.2
-

0001-use-python3.patch

@@ -1,20 +0,0 @@
-diff --git a/tools/frr-reload.py b/tools/frr-reload.py
-index 208fb11..0692adc 100755
---- a/tools/frr-reload.py
-+++ b/tools/frr-reload.py
-@@ -1,4 +1,4 @@
--#!/usr/bin/python
-+#!/usr/bin/python3
- # Frr Reloader
- # Copyright (C) 2014 Cumulus Networks, Inc.
- #
-diff --git a/tools/generate_support_bundle.py b/tools/generate_support_bundle.py
-index 540b7a1..0876ebb 100755
---- a/tools/generate_support_bundle.py
-+++ b/tools/generate_support_bundle.py
-@@ -1,4 +1,4 @@
--#!/usr/bin/python
-+#!/usr/bin/python3
- 
- ########################################################
- ### Python Script to generate the FRR support bundle ###

0002-enable-openssl.patch

@@ -3,15 +3,15 @@ index 0b7af18..0533e24 100644
 --- a/lib/subdir.am
 +++ b/lib/subdir.am
 @@ -41,7 +41,6 @@ lib_libfrr_la_SOURCES = \
- 	lib/linklist.c \
  	lib/log.c \
+ 	lib/log_filter.c \
  	lib/log_vty.c \
 -	lib/md5.c \
  	lib/memory.c \
  	lib/mlag.c \
  	lib/module.c \
 @@ -64,7 +64,6 @@ lib_libfrr_la_SOURCES = \
- 	lib/routemap.c \
+ 	lib/routemap_northbound.c \
  	lib/sbuf.c \
  	lib/seqlock.c \
 -	lib/sha256.c \
@@ -19,7 +19,7 @@ index 0b7af18..0533e24 100644
  	lib/skiplist.c \
  	lib/sockopt.c \
 @@ -170,7 +170,6 @@ pkginclude_HEADERS += \
- 	lib/linklist.h \
+ 	lib/link_state.h \
  	lib/log.h \
  	lib/log_vty.h \
 -	lib/md5.h \
@@ -27,7 +27,7 @@ index 0b7af18..0533e24 100644
  	lib/module.h \
  	lib/monotime.h \
 @@ -191,7 +190,6 @@ pkginclude_HEADERS += \
- 	lib/routemap.h \
+ 	lib/route_opaque.h \
  	lib/sbuf.h \
  	lib/seqlock.h \
 -	lib/sha256.h \

0004-fips-mode.patch

@@ -101,3 +101,15 @@ index 5bb81ef..02a09ef 100644
  	nb_cli_enqueue_change(vty, "./authentication-scheme/mode", NB_OP_MODIFY,
  			      strmatch(mode, "md5") ? "md5" : "plain-text");
  	if (strmatch(mode, "md5"))
+diff --git a/lib/zebra.h b/lib/zebra.h
+index 53ae5b4..930307f 100644
+--- a/lib/zebra.h
++++ b/lib/zebra.h
+@@ -114,6 +114,7 @@
+ #ifdef CRYPTO_OPENSSL
+ #include <openssl/evp.h>
+ #include <openssl/hmac.h>
++#include <openssl/fips.h>
+ #endif
+
+ #include "openbsd-tree.h"

0005-remove-grpc-test.patch

@@ -0,0 +1,23 @@
+diff --git a/tests/lib/subdir.am b/tests/lib/subdir.am
+index 7b5eaa4..5c82f69 100644
+--- a/tests/lib/subdir.am
++++ b/tests/lib/subdir.am
+@@ -18,18 +18,6 @@ tests_lib_test_frrscript_SOURCES = tests/lib/test_frrscript.c
+ EXTRA_DIST += tests/lib/test_frrscript.py
+ 
+ 
+-##############################################################################
+-GRPC_TESTS_LDADD = staticd/libstatic.a grpc/libfrrgrpc_pb.la -lgrpc++ -lprotobuf $(ALL_TESTS_LDADD) $(LIBYANG_LIBS) -lm
+-
+-if GRPC
+-check_PROGRAMS += tests/lib/test_grpc
+-endif
+-tests_lib_test_grpc_CXXFLAGS = $(WERROR) $(TESTS_CXXFLAGS)
+-tests_lib_test_grpc_CPPFLAGS = $(TESTS_CPPFLAGS)
+-tests_lib_test_grpc_LDADD = $(GRPC_TESTS_LDADD)
+-tests_lib_test_grpc_SOURCES = tests/lib/test_grpc.cpp
+-
+-
+ ##############################################################################
+ if ZEROMQ
+ check_PROGRAMS += tests/lib/test_zmq

0006-python-version.patch

@@ -1,23 +0,0 @@
-diff --git a/m4/ax_python.m4 b/m4/ax_python.m4
-index d293da525..9f43ea0ab 100644
---- a/m4/ax_python.m4
-+++ b/m4/ax_python.m4
-@@ -3,7 +3,7 @@ dnl 2019 David Lamparter for NetDEF, Inc.
- dnl SPDX-License-Identifier: GPL-2.0-or-later
- 
- dnl the _ at the beginning will be cut off (to support the empty version string)
--m4_define_default([_FRR_PY_VERS], [_3 _ _2 _3.7 _3.6 _3.5 _3.4 _3.3 _3.2 _2.7])
-+m4_define_default([_FRR_PY_VERS], [_3 _3.10 _3.9 _3.8 _3.7 _3.6 _3.5 _3.4 _3.3 _3.2 _ _2 _2.7])
- 
- dnl check basic interpreter properties (py2/py3)
- dnl doubles as simple check whether the interpreter actually works
-@@ -186,7 +186,8 @@ AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl
-       AC_MSG_RESULT([yes])
- 
-       PYTHON_CFLAGS="`\"$pycfg\" --includes`"
--      if test x"${py_ver}" == x"3.8" || test x"{py_ver}" == x"3.9"; then
-+      minor_ver=${py_ver#*\.}
-+      if test $((minor_ver)) > 7; then
-         PYTHON_LIBS="`\"$pycfg\" --ldflags --embed`"
-       else
-         PYTHON_LIBS="`\"$pycfg\" --ldflags`"

frr-sysusers.conf

@@ -0,0 +1,4 @@
+#Type Name   ID     GECOS                        Home directory  Shell
+g     frrvty -
+u     frr    -      "FRRouting routing suite"    /var/run/frr    /sbin/nologin
+m     frr    frrvty

frr.fc

@@ -0,0 +1,29 @@
+/usr/libexec/frr/(.*)?              gen_context(system_u:object_r:frr_exec_t,s0)
+
+/usr/lib/systemd/system/frr.*   gen_context(system_u:object_r:frr_unit_file_t,s0)
+
+/etc/frr(/.*)?                  gen_context(system_u:object_r:frr_conf_t,s0)
+
+/var/log/frr(/.*)?              gen_context(system_u:object_r:frr_log_t,s0)
+/var/tmp/frr(/.*)?              gen_context(system_u:object_r:frr_tmp_t,s0)
+
+/var/lock/subsys/bfdd       --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/bgpd       --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/eigrpd     --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/fabricd    --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/isisd      --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/nhrpd      --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/ospf6d     --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/ospfd      --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/pbrd       --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/pimd       --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/ripd       --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/ripngd     --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/staticd    --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/zebra      --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/vrrpd      --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/pathd      --  gen_context(system_u:object_r:frr_lock_t,s0)
+
+/var/run/frr(/.*)?              gen_context(system_u:object_r:frr_var_run_t,s0)
+
+/usr/bin/vtysh              --  gen_context(system_u:object_r:frr_exec_t,s0)

frr.if

@@ -0,0 +1,215 @@
+## <summary>policy for frr</summary>
+
+########################################
+## <summary>
+##	Execute frr_exec_t in the frr domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`frr_domtrans',`
+	gen_require(`
+		type frr_t, frr_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, frr_exec_t, frr_t)
+')
+
+######################################
+## <summary>
+##	Execute frr in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`frr_exec',`
+	gen_require(`
+		type frr_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, frr_exec_t)
+')
+
+########################################
+## <summary>
+##	Read frr's log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`frr_read_log',`
+	gen_require(`
+		type frr_log_t;
+	')
+
+	read_files_pattern($1, frr_log_t, frr_log_t)
+	optional_policy(`
+		logging_search_logs($1)
+	')
+')
+
+########################################
+## <summary>
+##	Append to frr log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`frr_append_log',`
+	gen_require(`
+		type frr_log_t;
+	')
+
+	append_files_pattern($1, frr_log_t, frr_log_t)
+	optional_policy(`
+		logging_search_logs($1)
+	')
+')
+
+########################################
+## <summary>
+##	Manage frr log files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`frr_manage_log',`
+	gen_require(`
+		type frr_log_t;
+	')
+
+	manage_dirs_pattern($1, frr_log_t, frr_log_t)
+	manage_files_pattern($1, frr_log_t, frr_log_t)
+	manage_lnk_files_pattern($1, frr_log_t, frr_log_t)
+	optional_policy(`
+		logging_search_logs($1)
+	')
+')
+
+########################################
+## <summary>
+##	Read frr PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`frr_read_pid_files',`
+	gen_require(`
+		type frr_var_run_t;
+	')
+
+	files_search_pids($1)
+	read_files_pattern($1, frr_var_run_t, frr_var_run_t)
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an frr environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`frr_admin',`
+	gen_require(`
+		type frr_t;
+		type frr_log_t;
+		type frr_var_run_t;
+	')
+
+	allow $1 frr_t:process { signal_perms };
+	ps_process_pattern($1, frr_t)
+
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 frr_t:process ptrace;
+	')
+
+	admin_pattern($1, frr_log_t)
+
+	files_search_pids($1)
+	admin_pattern($1, frr_var_run_t)
+	optional_policy(`
+		logging_search_logs($1)
+	')
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
+
+########################################
+#
+# Interface compatibility blocks
+#
+# The following definitions ensure compatibility with distribution policy
+# versions that do not contain given interfaces (epel, or older Fedora
+# releases).
+# Each block tests for existence of given interface and defines it if needed.
+#
+
+######################################
+## <summary>
+##	Watch ifconfig_var_run_t directories
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+ifndef(`sysnet_watch_ifconfig_run',`
+	interface(`sysnet_watch_ifconfig_run',`
+		gen_require(`
+			type ifconfig_var_run_t;
+		')
+
+		watch_dirs_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
+	')
+')
+
+########################################
+## <summary>
+##	Read ifconfig_var_run_t files and link files
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+ifndef(`sysnet_read_ifconfig_run',`
+	interface(`sysnet_read_ifconfig_run',`
+		gen_require(`
+			type ifconfig_var_run_t;
+		')
+
+		list_dirs_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
+		read_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
+		read_lnk_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
+	')
+')
+

frr.spec

@@ -1,54 +1,113 @@
-%global frrversion	7.3.1
-%global frr_libdir /usr/lib/frr
-%global checkout .st.1
+%global dist .ims.1%{?dist}
+
+%global frr_libdir %{_libexecdir}/frr
 
 %global _hardened_build 1
+%global selinuxtype targeted
 %define _legacy_common_support 1
 
-Name: frr
-Version: 7.3.1
-Release: 2%{?checkout}%{?dist}
-Summary: Routing daemon
-License: GPLv2+
-URL: http://www.frrouting.org
-Source0: https://github.com/FRRouting/frr/releases/download/%{name}-%{frrversion}/%{name}-%{frrversion}.tar.gz
-Source1: %{name}-tmpfiles.conf
-BuildRequires: perl-generators
-BuildRequires: gcc
-BuildRequires: net-snmp-devel
-BuildRequires: texinfo libcap-devel texi2html autoconf automake libtool patch groff
-BuildRequires: readline readline-devel ncurses ncurses-devel
-BuildRequires: git pam-devel c-ares-devel
-BuildRequires: json-c-devel bison >= 2.7 flex perl-XML-LibXML
-BuildRequires: python3-devel python3-sphinx python3-pytest
-BuildRequires: systemd systemd-devel
-BuildRequires: libyang-devel >= 0.16.74
-Requires: net-snmp ncurses
-Requires(post): systemd /sbin/install-info
-Requires(preun): systemd /sbin/install-info
-Requires(postun): systemd
-Provides: routingdaemon = %{version}-%{release}
-Conflicts: quagga
+%bcond grpc %{undefined rhel}
+%bcond selinux 1
 
-Patch0000: 0000-remove-babeld-and-ldpd.patch
-Patch0001: 0001-use-python3.patch
-Patch0002: 0002-enable-openssl.patch
-Patch0003: 0003-disable-eigrp-crypto.patch
-Patch0004: 0004-fips-mode.patch
-Patch0006: 0006-python-version.patch
-Patch0060: 0001-nhrp-Configure-vici-socket-path-using-configure-with.patch
+Name:           frr
+Version:        8.5.3
+Release:        1%{?dist}
+Summary:        Routing daemon
+License:        GPL-2.0-or-later AND ISC AND LGPL-2.0-or-later AND BSD-2-Clause AND BSD-3-Clause AND (GPL-2.0-or-later  OR ISC) AND MIT
+URL:            http://www.frrouting.org
+Source0:        https://github.com/FRRouting/frr/releases/download/%{name}-%{version}/%{name}-%{version}.tar.gz
+Source1:        %{name}-tmpfiles.conf
+Source2:        %{name}-sysusers.conf
+#Decentralized SELinux policy
+Source3:        frr.fc
+Source4:        frr.te
+Source5:        frr.if
+
+Patch0000:      0000-remove-babeld-and-ldpd.patch
+Patch0002:      0002-enable-openssl.patch
+Patch0003:      0003-disable-eigrp-crypto.patch
+Patch0004:      0004-fips-mode.patch
+Patch0005:      0005-remove-grpc-test.patch
+
+BuildRequires:  autoconf
+BuildRequires:  automake
+BuildRequires:  bison >= 2.7
+BuildRequires:  c-ares-devel
+BuildRequires:  flex
+BuildRequires:  gcc
+BuildRequires:  gcc-c++
+BuildRequires:  git-core
+BuildRequires:  groff
+%if %{with grpc}
+BuildRequires:  grpc-devel
+BuildRequires:  grpc-plugins
+%endif
+BuildRequires:  json-c-devel
+BuildRequires:  libcap-devel
+BuildRequires:  libtool
+BuildRequires:  libyang-devel >= 2.0.0
+BuildRequires:  make
+BuildRequires:  ncurses
+BuildRequires:  ncurses-devel
+BuildRequires:  net-snmp-devel
+BuildRequires:  pam-devel
+BuildRequires:  patch
+BuildRequires:  perl-XML-LibXML
+BuildRequires:  perl-generators
+BuildRequires:  python3-devel
+BuildRequires:  python3-pytest
+BuildRequires:  python3-sphinx
+BuildRequires:  readline-devel
+BuildRequires:  systemd-devel
+BuildRequires:  systemd-rpm-macros
+BuildRequires:  texinfo
+
+Requires:       ncurses
+Requires:       net-snmp
+Requires(post): hostname
+%{?sysusers_requires_compat}
+Requires(post): systemd
+Requires(postun): systemd
+Requires(preun): systemd
+
+%if 0%{?with_selinux}
+Requires: (%{name}-selinux = %{version}-%{release} if selinux-policy-%{selinuxtype})
+%endif
+
+Obsoletes:      quagga < 1.2.4-17
+Provides:       routingdaemon = %{version}-%{release}
 
 %description
 FRRouting is free software that manages TCP/IP based routing protocols. It takes
 a multi-server and multi-threaded approach to resolve the current complexity
 of the Internet.
 
-FRRouting supports BGP4, OSPFv2, OSPFv3, ISIS, RIP, RIPng, PIM, NHRP, PBR, EIGRP and BFD.
+FRRouting supports BGP4, OSPFv2, OSPFv3, ISIS, RIP, RIPng, PIM, NHRP, PBR,
+EIGRP and BFD.
 
 FRRouting is a fork of Quagga.
 
+%if 0%{?with_selinux}
+%package selinux
+Summary:  Selinux policy for FRR
+BuildArch:  noarch
+Requires:  selinux-policy-%{selinuxtype}
+Requires(post):  selinux-policy-%{selinuxtype}
+BuildRequires:  selinux-policy-devel
+%{?selinux_requires}
+
+%description selinux
+SELinux policy modules for FRR package
+
+%endif
+
 %prep
 %autosetup -S git
+#Selinux
+mkdir selinux
+cp -p %{SOURCE3} %{SOURCE4} %{SOURCE5} selinux
+# C++14 or later needed for abseil-cpp 20230125; string_view needs C++17:
+sed -r -i 's/(AX_CXX_COMPILE_STDCXX\(\[)11(\])/\117\2/' configure.ac
 
 %build
 autoreconf -ivf
@@ -58,7 +117,7 @@ autoreconf -ivf
     --sysconfdir=%{_sysconfdir}/frr \
     --libdir=%{_libdir}/frr \
     --libexecdir=%{_libexecdir}/frr \
-    --localstatedir=%{_localstatedir}/run/frr \
+    --localstatedir=/run/frr \
     --enable-multipath=64 \
     --enable-vtysh=yes \
     --disable-ospfclient \
@@ -76,59 +135,65 @@ autoreconf -ivf
     --with-moduledir=%{_libdir}/frr/modules \
     --with-crypto=openssl \
     --with-vici-socket=/run/strongswan/charon.vici \
-    --enable-fpm
+    --enable-fpm \
+    %{?with_grpc:--enable-grpc}
 
 %make_build MAKEINFO="makeinfo --no-split" PYTHON=%{__python3}
 
-pushd doc
-make info
-popd
+# Build info documentation
+%make_build -C doc info
+
+#SELinux policy
+%if 0%{?with_selinux}
+make -C selinux -f %{_datadir}/selinux/devel/Makefile %{name}.pp
+bzip2 -9 selinux/%{name}.pp
+%endif
 
 %install
-mkdir -p %{buildroot}/etc/{frr,rc.d/init.d,sysconfig,logrotate.d,pam.d,default} \
-         %{buildroot}/var/log/frr %{buildroot}%{_infodir} \
+mkdir -p %{buildroot}%{_sysconfdir}/{frr,rc.d/init.d,sysconfig,logrotate.d,pam.d,default} \
+         %{buildroot}%{_localstatedir}/log/frr %{buildroot}%{_infodir} \
          %{buildroot}%{_unitdir}
 
 mkdir -p -m 0755 %{buildroot}%{_libdir}/frr
 mkdir -p %{buildroot}%{_tmpfilesdir}
+mkdir -p %{buildroot}%{_sysusersdir}
 
 %make_install
 
 # Remove this file, as it is uninstalled and causes errors when building on RH9
-rm -rf %{buildroot}/usr/share/info/dir
+rm -rf %{buildroot}%{_infodir}/dir
 
 install -p -m 644 %{SOURCE1} %{buildroot}%{_tmpfilesdir}/%{name}.conf
-install -p -m 644 %{_builddir}/%{name}-%{frrversion}/tools/etc/frr/daemons %{buildroot}/etc/frr/daemons
-install -p -m 644 %{_builddir}/%{name}-%{frrversion}/tools/frr.service %{buildroot}%{_unitdir}/frr.service
-install -p -m 755 %{_builddir}/%{name}-%{frrversion}/tools/frrinit.sh %{buildroot}%{frr_libdir}/frr
-install -p -m 755 %{_builddir}/%{name}-%{frrversion}/tools/frrcommon.sh %{buildroot}%{frr_libdir}/frrcommon.sh
-install -p -m 755 %{_builddir}/%{name}-%{frrversion}/tools/watchfrr.sh %{buildroot}%{frr_libdir}/watchfrr.sh
+install -p -m 644 %{SOURCE2} %{buildroot}%{_sysusersdir}/%{name}.conf
+install -p -m 644 tools/etc/frr/daemons %{buildroot}%{_sysconfdir}/frr/daemons
+install -p -m 644 tools/frr.service %{buildroot}%{_unitdir}/frr.service
+install -p -m 755 tools/frrinit.sh %{buildroot}%{frr_libdir}/frr
+install -p -m 755 tools/frrcommon.sh %{buildroot}%{frr_libdir}/frrcommon.sh
+install -p -m 755 tools/watchfrr.sh %{buildroot}%{frr_libdir}/watchfrr.sh
 
-install -p -m 644 %{_builddir}/%{name}-%{frrversion}/redhat/frr.logrotate %{buildroot}/etc/logrotate.d/frr
-install -p -m 644 %{_builddir}/%{name}-%{frrversion}/redhat/frr.pam %{buildroot}/etc/pam.d/frr
+install -p -m 644 redhat/frr.logrotate %{buildroot}%{_sysconfdir}/logrotate.d/frr
+install -p -m 644 redhat/frr.pam %{buildroot}%{_sysconfdir}/pam.d/frr
 install -d -m 775 %{buildroot}/run/frr
 
-rm %{buildroot}%{_libdir}/frr/*.la
-rm %{buildroot}%{_libdir}/frr/modules/*.la
+%if 0%{?with_selinux}
+install -D -m 644 selinux/%{name}.pp.bz2 \
+  %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
+install -D -m 644 selinux/%{name}.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/%{name}.if
+%endif
+
+# Delete libtool archives
+find %{buildroot} -type f -name "*.la" -delete -print
 
 #Upstream does not maintain a stable API, these headers from -devel subpackage are no longer needed
 rm %{buildroot}%{_libdir}/frr/*.so
 rm -r %{buildroot}%{_includedir}/frr/
 
 %pre
-getent group frrvty >/dev/null 2>&1 || groupadd -r frrvty >/dev/null 2>&1 || :
-getent group frr >/dev/null 2>&1 || groupadd -r frr >/dev/null 2>&1 || :
-getent passwd frr >/dev/null 2>&1 || useradd -M -r -g frr -s /sbin/nologin \
- -c "FRRouting routing suite" -d %{_localstatedir}/run/frr frr || :
-usermod -aG frrvty frr
+%sysusers_create_compat %{SOURCE2}
 
 %post
 %systemd_post frr.service
 
-if [ -f %{_infodir}/%{name}.inf* ]; then
-    install-info %{_infodir}/frr.info %{_infodir}/dir || :
-fi
-
 # Create dummy files if they don't exist so basic functions can be used.
 if [ ! -e %{_sysconfdir}/frr/frr.conf ]; then
     echo "hostname `hostname`" > %{_sysconfdir}/frr/frr.conf
@@ -136,60 +201,303 @@ if [ ! -e %{_sysconfdir}/frr/frr.conf ]; then
     chmod 640 %{_sysconfdir}/frr/frr.conf
 fi
 
+#still used by vtysh, this way no error is produced when using vtysh
+if [ ! -e %{_sysconfdir}/frr/vtysh.conf ]; then
+    touch %{_sysconfdir}/frr/vtysh.conf
+    chmod 640 %{_sysconfdir}/frr/vtysh.conf
+    chown frr:frrvty %{_sysconfdir}/frr/vtysh.conf
+fi
+
 %postun
 %systemd_postun_with_restart frr.service
 
 %preun
 %systemd_preun frr.service
 
-#only when removing frr
-if [ $1 -eq 0 ]; then
-	if [ -f %{_infodir}/%{name}.inf* ]; then
-    	install-info --delete %{_infodir}/frr.info %{_infodir}/dir || :
-	fi
+#SELinux
+%if 0%{?with_selinux}
+%pre selinux
+%selinux_relabel_pre -s %{selinuxtype}
+
+%post selinux
+%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
+%selinux_relabel_post -s %{selinuxtype}
+#/var/tmp and /var/run need to be relabeled as well if FRR is running before upgrade
+if [ $1 == 2 ]; then
+    %{_sbindir}/restorecon -R /var/tmp/frr &> /dev/null
+    %{_sbindir}/restorecon -R /var/run/frr &> /dev/null
 fi
 
+%postun selinux
+if [ $1 -eq 0 ]; then
+    %selinux_modules_uninstall -s %{selinuxtype} %{name}
+    %selinux_relabel_post -s %{selinuxtype}
+fi
+
+%endif
+
 %check
-make check PYTHON=%{__python3}
+#this should be temporary, the grpc test is just badly designed
+rm tests/lib/*grpc*
+%make_build check PYTHON=%{__python3}
 
 %files
-%defattr(-,root,root)
 %license COPYING
-%doc zebra/zebra.conf.sample
-%doc isisd/isisd.conf.sample
-%doc ripd/ripd.conf.sample
-%doc bgpd/bgpd.conf.sample*
-%doc ospfd/ospfd.conf.sample
-%doc ospf6d/ospf6d.conf.sample
-%doc ripngd/ripngd.conf.sample
-%doc pimd/pimd.conf.sample
 %doc doc/mpls
-%dir %attr(640,frr,frr) %{_sysconfdir}/frr
-%dir %attr(755,frr,frr) /var/log/frr
+%dir %attr(750,frr,frr) %{_sysconfdir}/frr
+%dir %attr(755,frr,frr) %{_localstatedir}/log/frr
 %dir %attr(755,frr,frr) /run/frr
 %{_infodir}/*info*
-%{_mandir}/man*/*
+%{_mandir}/man1/frr.1*
+%{_mandir}/man1/vtysh.1*
+%{_mandir}/man8/frr-*.8*
+%{_mandir}/man8/mtracebis.8*
 %dir %{frr_libdir}/
 %{frr_libdir}/*
-%{_bindir}/*
+%{_bindir}/mtracebis
+%{_bindir}/vtysh
 %dir %{_libdir}/frr
 %{_libdir}/frr/*.so.*
 %dir %{_libdir}/frr/modules
 %{_libdir}/frr/modules/*
-%config(noreplace) %attr(644,root,root) /etc/logrotate.d/frr
-%config(noreplace) %attr(644,frr,frr) /etc/frr/daemons
-%config(noreplace) /etc/pam.d/frr
+%config(noreplace) %attr(644,root,root) %{_sysconfdir}/logrotate.d/frr
+%config(noreplace) %attr(644,frr,frr) %{_sysconfdir}/frr/daemons
+%config(noreplace) %{_sysconfdir}/pam.d/frr
 %{_unitdir}/*.service
-%dir /usr/share/yang
-/usr/share/yang/*.yang
+%dir %{_datadir}/yang
+%{_datadir}/yang/*.yang
 %{_tmpfilesdir}/%{name}.conf
-#%%{_libdir}/frr/frr/libyang_plugins/*
+%{_sysusersdir}/%{name}.conf
+
+%if 0%{?with_selinux}
+%files selinux
+%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.*
+%{_datadir}/selinux/devel/include/distributed/%{name}.if
+%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name}
+%endif
 
 %changelog
-* Thu Jun 18 2020 Michal Ruprich <michalruprich@gmail.com> - 7.3.1-1
+* Tue Oct 10 2023 Michal Ruprich <mruprich@redhat.com> - 8.5.3-1
+- New version 8.5.3
+
+* Fri Sep 01 2023 Michal Ruprich <mruprich@redhat.com> - 8.5.2-4
+- Adding a couple of SELinux rules, includes fix for rhbz#2149299
+
+* Wed Aug 30 2023 Benjamin A. Beasley <code@musicinmybrain.net> - 8.5.2-3
+- Rebuilt for abseil-cpp 20230802.0
+
+* Wed Jul 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 8.5.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Fri Jun 30 2023 Michal Ruprich <mruprich@redhat.com> - 8.5.2-1
+- New version 8.5.2
+- Fixing some rpmlint warnings
+
+* Mon Jun 26 2023 Michal Ruprich <mruprich@redhat.com> - 8.5.1-4
+- Resolves: #2216073 - SELinux is preventing FRR-Zebra to access to network namespaces.
+
+* Mon Jun 05 2023 Yaakov Selkowitz <yselkowi@redhat.com> - 8.5.1-3
+- Disable grpc in RHEL builds
+
+* Fri May 19 2023 Petr Pisar <ppisar@redhat.com> - 8.5.1-2
+- Rebuild against rpm-4.19 (https://fedoraproject.org/wiki/Changes/RPM-4.19)
+
+* Wed Apr 26 2023 Michal Ruprich <mruprich@redhat.com> - 8.5.1-1
+- New version 8.5.1
+
+* Wed Apr 12 2023 Michal Ruprich <mruprich@redhat.com> - 8.5-1
+- New version 8.5
+
+* Thu Mar 23 2023 Michal Ruprich <mruprich@redhat.com> - 8.4.2-5
+- Rebuilding for new abseil-cpp version
+
+* Wed Mar 22 2023 Michal Ruprich <mruprich@redhat.com> - 8.4.2-4
+- SPDX migration
+
+* Wed Mar 08 2023 Benjamin A. Beasley <code@musicinmybrain.net> - 8.4.2-3
+- Build as C++17, required by abseil-cpp 20230125
+
+* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 8.4.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Thu Jan 12 2023 Michal Ruprich <mruprich@redhat.com> - 8.4.2-1
+- New version 8.4.2
+
+* Fri Nov 25 2022 Michal Ruprich <mruprich@redhat.com> - 8.4.1-1
+- New version 8.4.1
+- Fix for rhbz #2140705
+
+* Thu Nov 10 2022 Michal Ruprich <mruprich@redhat.com> - 8.4-1
+- New version 8.4
+
+* Fri Sep 16 2022 Michal Ruprich <mruprich@redhat.com> - 8.3.1-5
+- Adding SELinux rule to enable zebra to write to sysctl_net_t
+- Adding SELinux rule to enable bgpd to call name_connect to bgp_port_t
+
+* Fri Sep 09 2022 Michal Ruprich <mruprich@redhat.com> - 8.3.1-4
+- Fixing an error in post scriptlet
+
+* Fri Sep 09 2022 Michal Ruprich <mruprich@redhat.com> - 8.3.1-3
+- Resolves: #2124254 - frr can no longer update routes
+
+* Wed Sep 07 2022 Michal Ruprich <mruprich@redhat.com> - 8.3.1-2
+- Resolves: #2124253 - SELinux is preventing zebra from setattr access on the directory frr
+- Better handling FRR files during upgrade
+
+* Tue Sep 06 2022 Michal Ruprich <mruprich@redhat.com> - 8.3.1-1
+- New version 8.3.1
+
+* Mon Aug 22 2022 Michal Ruprich <mruprich@redhat.com> - 8.2.2-10
+- Rebuilding for new abseil-cpp and grpc updates
+
+* Wed Aug 10 2022 Michal Ruprich <mruprich@redhat.com> - 8.2.2-9
+- Adding vrrpd and pathd as daemons to the policy
+
+* Wed Aug 10 2022 Michal Ruprich <mruprich@redhat.com> - 8.2.2-8
+- Finalizing SELinux policy
+
+* Tue Aug 02 2022 Michal Ruprich <mruprich@redhat.com> - 8.2.2-7
+- Fixing wrong path for vtysh in frr.fc
+
+* Fri Jul 29 2022 Benjamin A. Beasley <code@musicinmybrain.net> - 8.2.2-6
+- Rebuild with abseil-cpp-20211102.0-4.fc37 (RHBZ#2108658)
+
+* Wed Jul 27 2022 Michal Ruprich - 8.2.2-5
+- Packaging SELinux policy for FRR
+
+* Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 8.2.2-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Tue May 17 2022 Michal Ruprich <mruprich@redhat.com> - 8.2.2-3
+- Rebuild for grpc-1.46.1
+
+* Mon Apr 11 2022 Michal Ruprich <mruprich@redhat.com> - 8.2.2-2
+- Fix for CVE-2022-16126
+
+* Tue Mar 15 2022 Michal Ruprich <mruprich@redhat.com> - 8.2.2-1
+- New version 8.2.2
+
+* Thu Mar 10 2022 Michal Ruprich <mruprich@redhat.com> - 8.2-2
+- Rebuild for abseil-cpp 20211102.0
+
+* Wed Mar 09 2022 Michal Ruprich <mruprich@redhat.com> - 8.2-1
+- New version 8.2 (rhbz#2020439)
+- Resolves: #2011868 - systemctl frr reload does not stop daemons that are not enabled in /etc/frr/daemons
+
+* Tue Feb 01 2022 Michal Ruprich <mruprich@redhat.com> - 8.0.1-11
+- Rebuilding for FTBFS in Rawhide(rhbz#2045399)
+
+* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 8.0.1-10
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Sat Jan 08 2022 Miro Hrončok <mhroncok@redhat.com> - 8.0.1-9
+- Rebuilt for libre2.so.9
+
+* Sat Nov 06 2021 Adrian Reber <adrian@lisas.de> - 8.0.1-8
+- Rebuilt for protobuf 3.19.0
+
+* Mon Oct 25 2021 Adrian Reber <adrian@lisas.de> - 8.0.1-7
+- Rebuilt for protobuf 3.18.1
+
+* Fri Oct 15 2021 Michal Ruprich <mruprich@redhat.com> - 8.0.1-6
+- Obsoleting quagga so that it may be retired
+
+* Thu Oct 07 2021 Michal Ruprich <mruprich@redhat.com> - 8.0.1-5
+- Rebuilding for grpc 1.41
+
+* Thu Sep 30 2021 Michal Ruprich <mruprich@redhat.com> - 8.0.1-4
+- Rebuild for new version of libyang
+
+* Sat Sep 18 2021 Benjamin A. Beasley <code@musicinmybrain.net> - 8.0.1-3
+- Rebuild for grpc 1.40
+
+* Thu Sep 16 2021 Sahana Prasad <sahana@redhat.com> - 8.0.1-2
+- Rebuilt with OpenSSL 3.0.0
+
+* Thu Sep 16 2021 Michal Ruprich <mruprich@redhat.com> - 8.0.1-1
+- New version 8.0.1
+
+* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 8.0-2
+- Rebuilt with OpenSSL 3.0.0
+
+* Wed Aug 11 2021 Michal Ruprich <mruprich@redhat.com> - 8.0-1
+- New version 8.0
+
+* Wed Aug 04 2021 Benjamin A. Beasley <code@musicinmybrain.net> - 7.5.1-9
+- Rebuild for grpc 1.39
+
+* Wed Jul 21 2021 Fedora Release Engineering <releng@fedoraproject.org> - 7.5.1-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Tue Jul 20 2021 Michal Ruprich <mruprich@redhat.com> - 7.5.1-7
+- Resolves: #1983278 - ospfd crashes in route_node_delete with assertion fail
+
+* Sat Jul 10 2021 Björn Esser <besser82@fedoraproject.org> - 7.5.1-6
+- Rebuild for versioned symbols in json-c
+
+* Wed Jul 07 2021 Neal Gompa <ngompa@datto.com> - 7.5.1-5
+- Clean up the spec file for legibility and modern spec standards
+- Remove unneeded info scriptlets
+- Use systemd-sysusers for frr user and frrvty group
+- Use git-core instead of git for applying patches
+- Drop redundant build dependencies
+
+* Wed Jul 07 2021 Michal Ruprich <mruprich@redhat.com> - 7.5.1-4
+- Rebuild for newer abseil-cpp
+
+* Tue May 11 2021 Benjamin A. Beasley <code@musicinmybrain.net> - 7.5.1-3
+- Rebuild for grpc 1.37
+
+* Fri Apr 23 2021 Michal Ruprich <mruprich@redhat.com> - 7.5.1-2
+- Fixing permissions on config files in /etc/frr
+- Enabling integrated configuration option for frr
+
+* Fri Mar 12 2021 Michal Ruprich <mruprich@redhat.com> - 7.5.1-1
+- New version 7.5.1
+- Enabling grpc, adding hostname for post scriptlet
+- Moving files to libexec due to selinux issues
+
+* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 7.5-4
+- Rebuilt for updated systemd-rpm-macros
+  See https://pagure.io/fesco/issue/2583.
+
+* Tue Feb 16 2021 Michal Ruprich <mruprich@redhat.com> - 7.5-3
+- Fixing FTBS - icc options are confusing the new gcc
+
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 7.5-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Fri Jan 01 2021 Michal Ruprich <mruprich@redhat.com> - 7.5-1
+- New version 7.5
+
+* Mon Sep 21 2020 Michal Ruprich <mruprich@redhat.com> - 7.4-1
+- New version 7.4
+
+* Thu Aug 27 2020 Josef Řídký <jridky@redhat.com> - 7.3.1-4
+- Rebuilt for new net-snmp release
+
+* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 7.3.1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Thu Jun 18 2020 Michal Ruprich <mruprich@redhat.com> - 7.3.1-1
 - New version 7.3.1
 - Fixes a couple of bugs(#1832259, #1835039, #1830815, #1830808, #1830806, #1830800, #1830798, #1814773)
 
+* Tue May 19 2020 Michal Ruprich <mruprich@redhat.com> - 7.3-6
+- Removing texi2html, it is not available in Rawhide anymore
+
+* Mon May 18 2020 Michal Ruprich <mruprich@redhat.com> - 7.3-5
+- Rebuild for new version of libyang
+
+* Tue Apr 21 2020 Björn Esser <besser82@fedoraproject.org> - 7.3-4
+- Rebuild (json-c)
+
+* Mon Apr 13 2020 Björn Esser <besser82@fedoraproject.org> - 7.3-3
+- Update json-c-0.14 patch with a solution from upstream
+
+* Mon Apr 13 2020 Björn Esser <besser82@fedoraproject.org> - 7.3-2
+- Add support for upcoming json-c 0.14.0
+
 * Wed Feb 19 2020 Michal Ruprich <mruprich@redhat.com> - 7.3-1
 - New version 7.3
 
@@ -219,4 +527,3 @@ make check PYTHON=%{__python3}
 
 * Wed Jun 19 2019 Michal Ruprich <mruprich@redhat.com> - 7.0-2
 - Initial build
-

frr.te

@@ -0,0 +1,125 @@
+policy_module(frr, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type frr_t;
+type frr_exec_t;
+init_daemon_domain(frr_t, frr_exec_t)
+
+type frr_log_t;
+logging_log_file(frr_log_t)
+
+type frr_tmp_t;
+files_tmp_file(frr_tmp_t)
+
+type frr_lock_t;
+files_lock_file(frr_lock_t)
+
+type frr_conf_t;
+files_config_file(frr_conf_t)
+
+type frr_unit_file_t;
+systemd_unit_file(frr_unit_file_t)
+
+type frr_var_run_t;
+files_pid_file(frr_var_run_t)
+
+########################################
+#
+# frr local policy
+#
+allow frr_t self:capability { chown dac_override dac_read_search kill net_bind_service net_raw setgid setuid net_admin sys_admin };
+allow frr_t self:netlink_route_socket rw_netlink_socket_perms;
+allow frr_t self:packet_socket create_socket_perms;
+allow frr_t self:process { setcap setpgid };
+allow frr_t self:rawip_socket create_socket_perms;
+allow frr_t self:tcp_socket { connect connected_stream_socket_perms };
+allow frr_t self:udp_socket create_socket_perms;
+allow frr_t self:unix_stream_socket connectto;
+
+allow frr_t frr_conf_t:dir list_dir_perms;
+manage_files_pattern(frr_t, frr_conf_t, frr_conf_t)
+read_lnk_files_pattern(frr_t, frr_conf_t, frr_conf_t)
+
+manage_dirs_pattern(frr_t, frr_log_t, frr_log_t)
+manage_files_pattern(frr_t, frr_log_t, frr_log_t)
+manage_lnk_files_pattern(frr_t, frr_log_t, frr_log_t)
+logging_log_filetrans(frr_t, frr_log_t, { dir file lnk_file })
+
+allow frr_t frr_tmp_t:file map;
+manage_dirs_pattern(frr_t, frr_tmp_t, frr_tmp_t)
+manage_files_pattern(frr_t, frr_tmp_t, frr_tmp_t)
+files_tmp_filetrans(frr_t, frr_tmp_t, { file dir })
+
+manage_files_pattern(frr_t, frr_lock_t, frr_lock_t)
+manage_lnk_files_pattern(frr_t, frr_lock_t, frr_lock_t)
+files_lock_filetrans(frr_t, frr_lock_t, { file lnk_file })
+
+manage_dirs_pattern(frr_t, frr_var_run_t, frr_var_run_t)
+manage_files_pattern(frr_t, frr_var_run_t, frr_var_run_t)
+manage_lnk_files_pattern(frr_t, frr_var_run_t, frr_var_run_t)
+manage_sock_files_pattern(frr_t, frr_var_run_t, frr_var_run_t)
+files_pid_filetrans(frr_t, frr_var_run_t, { dir file lnk_file })
+
+allow frr_t frr_exec_t:dir search_dir_perms;
+can_exec(frr_t, frr_exec_t)
+
+kernel_read_network_state(frr_t)
+kernel_rw_net_sysctls(frr_t)
+kernel_read_system_state(frr_t)
+kernel_request_load_module(frr_t)
+
+auth_use_nsswitch(frr_t)
+
+corecmd_exec_bin(frr_t)
+
+corenet_tcp_bind_appswitch_emp_port(frr_t)
+corenet_udp_bind_bfd_control_port(frr_t)
+corenet_udp_bind_bfd_echo_port(frr_t)
+corenet_udp_bind_bfd_multi_port(frr_t)
+corenet_tcp_bind_bgp_port(frr_t)
+corenet_tcp_connect_bgp_port(frr_t)
+corenet_tcp_bind_cmadmin_port(frr_t)
+corenet_udp_bind_cmadmin_port(frr_t)
+corenet_tcp_bind_firepower_port(frr_t)
+corenet_tcp_bind_generic_port(frr_t)
+corenet_tcp_bind_priority_e_com_port(frr_t)
+corenet_udp_bind_router_port(frr_t)
+corenet_tcp_bind_qpasa_agent_port(frr_t)
+corenet_tcp_bind_smntubootstrap_port(frr_t)
+corenet_tcp_bind_versa_tek_port(frr_t)
+corenet_tcp_bind_zebra_port(frr_t)
+
+domain_use_interactive_fds(frr_t)
+
+fs_read_nsfs_files(frr_t)
+
+sysnet_exec_ifconfig(frr_t)
+sysnet_read_ifconfig_run(frr_t)
+sysnet_watch_ifconfig_run(frr_t)
+
+ipsec_domtrans_mgmt(frr_t)
+
+userdom_read_admin_home_files(frr_t)
+
+optional_policy(`
+	logging_send_syslog_msg(frr_t)
+')
+
+optional_policy(`
+	modutils_exec_kmod(frr_t)
+	modutils_getattr_module_deps(frr_t)
+	modutils_read_module_config(frr_t)
+	modutils_read_module_deps_files(frr_t)
+')
+
+optional_policy(`
+	networkmanager_read_state(frr_t)
+')
+
+optional_policy(`
+	userdom_admin_home_dir_filetrans(frr_t, frr_conf_t, file, ".history_frr")
+')

gating.yaml

@@ -0,0 +1,16 @@
+--- !Policy
+product_versions:
+  - fedora-*
+decision_contexts: [bodhi_update_push_testing]
+subject_type: koji_build
+rules:
+  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}
+ 
+#gating rawhide
+--- !Policy
+product_versions:
+  - fedora-*
+decision_contexts: [bodhi_update_push_stable]
+subject_type: koji_build
+rules:
+  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}

plans/all.fmf

@@ -0,0 +1,6 @@
+summary: Test plan with all Fedora tests
+discover:
+       how: fmf
+       url: https://src.fedoraproject.org/tests/frr.git
+execute:
+       how: tmt

sources

@@ -1,2 +1,2 @@
-SHA512 (remove-babeld-ldpd.sh) = 9cf3040bfac3620d97c323cc64e35ce2afaf943f6398d0b4187af7756897f2a4e68afedf5dc495f735132e577479aa1c142e6c111575ea6cd931295a7f6f1557
-SHA512 (frr-7.3.1.tar.gz) = 844c3163cd27169db06236ef64b0fc9dff69b7de22d2b11f418af7fea889fcba1ea90d2b25fb0195072d1577f20c8201619d9ff9219c524265ea7451011ba113
+SHA512 (frr-8.5.3.tar.gz) = 8d965670c03b4a40d880b72788b4940b8ac25953f0157419d9548672957554cfbd631707a9d6bf75cd33540c1b5af03687b2fe5f9c1df5736a52fc6524be9560
+SHA512 (remove-babeld-ldpd.sh) = a5bf67a3722cb20d43cef1dac28f839db68df73a1b7d34d8438e4f9366da3b67d85c1f44281f93434e8dd8ebcb2d3dc258b77eaa5627475b7395d207f020839d