v.ims.1 - Bump version

.gitignore

@@ -19,6 +19,3 @@
 /frr-8.5.2.tar.gz
 /frr-9.0.1.tar.gz
 /frr-9.1.tar.gz
-/frr-10.0.1.tar.gz
-/frr-10.1.tar.gz
-/frr-10.2.tar.gz

0004-fips-mode.patch

@@ -2,17 +2,6 @@ diff --git a/ospfd/ospf_vty.c b/ospfd/ospf_vty.c
 index 631465f..e084ff3 100644
 --- a/ospfd/ospf_vty.c
 +++ b/ospfd/ospf_vty.c
-@@ -7,6 +7,10 @@
- #include <zebra.h>
- #include <string.h>
- 
-+#ifdef CRYPTO_OPENSSL
-+#include <openssl/fips.h>
-+#endif
-+
- #include "printfrr.h"
- #include "monotime.h"
- #include "memory.h"
 @@ -1136,6 +1136,11 @@ DEFUN (ospf_area_vlink,
  		vl_config.keychain = argv[idx+1]->arg;
  	} else if (argv_find(argv, argc, "message-digest", &idx)) {
@@ -69,17 +58,6 @@ diff --git a/isisd/isis_circuit.c b/isisd/isis_circuit.c
 index 81b4b39..cce33d9 100644
 --- a/isisd/isis_circuit.c
 +++ b/isisd/isis_circuit.c
-@@ -13,6 +13,10 @@
- #include <netinet/if_ether.h>
- #endif
- 
-+#ifdef CRYPTO_OPENSSL
-+#include <openssl/fips.h>
-+#endif
-+
- #include "log.h"
- #include "memory.h"
- #include "vrf.h"
 @@ -1318,6 +1318,10 @@ static int isis_circuit_passwd_set(struct isis_circuit *circuit,
  		return ferr_code_bug(
  			"circuit password too long (max 254 chars)");
@@ -95,17 +73,6 @@ diff --git a/isisd/isisd.c b/isisd/isisd.c
 index 419127c..a6c36af 100644
 --- a/isisd/isisd.c
 +++ b/isisd/isisd.c
-@@ -9,6 +9,10 @@
- 
- #include <zebra.h>
- 
-+#ifdef CRYPTO_OPENSSL
-+#include <openssl/fips.h>
-+#endif
-+
- #include "frrevent.h"
- #include "vty.h"
- #include "command.h"
 @@ -1638,6 +1638,10 @@ static int isis_area_passwd_set(struct isis_area *area, int level,
  		if (len > 254)
  			return -1;
@@ -121,17 +88,6 @@ diff --git a/ripd/rip_cli.c b/ripd/rip_cli.c
 index 5bb81ef..02a09ef 100644
 --- a/ripd/rip_cli.c
 +++ b/ripd/rip_cli.c
-@@ -7,6 +7,10 @@
- 
- #include <zebra.h>
- 
-+#ifdef CRYPTO_OPENSSL
-+#include <openssl/fips.h>
-+#endif
-+
- #include "if.h"
- #include "if_rmap.h"
- #include "vrf.h"
 @@ -796,6 +796,12 @@ DEFPY (ip_rip_authentication_mode,
  			value = "20";
  	}
@@ -145,3 +101,15 @@ index 5bb81ef..02a09ef 100644
  	nb_cli_enqueue_change(vty, "./authentication-scheme/mode", NB_OP_MODIFY,
  			      strmatch(mode, "md5") ? "md5" : "plain-text");
  	if (strmatch(mode, "md5"))
+diff --git a/lib/zebra.h b/lib/zebra.h
+index 53ae5b4..930307f 100644
+--- a/lib/zebra.h
++++ b/lib/zebra.h
+@@ -114,6 +114,7 @@
+ #ifdef CRYPTO_OPENSSL
+ #include <openssl/evp.h>
+ #include <openssl/hmac.h>
++#include <openssl/fips.h>
+ #endif
+
+ #include "openbsd-tree.h"

0005-remove-grpc-test.patch

@@ -2,12 +2,12 @@ diff --git a/tests/lib/subdir.am b/tests/lib/subdir.am
 index 7b5eaa4..5c82f69 100644
 --- a/tests/lib/subdir.am
 +++ b/tests/lib/subdir.am
-@@ -18,22 +18,6 @@ tests_lib_test_frrscript_SOURCES = tests/lib/test_frrscript.c
+@@ -18,18 +18,6 @@ tests_lib_test_frrscript_SOURCES = tests/lib/test_frrscript.c
  	test -e tests/lib/script1.lua || \
  	$(INSTALL_SCRIPT) $< tests/lib/script1.lua
  
 -##############################################################################
--GRPC_TESTS_LDADD = mgmtd/libmgmt_be_nb.la staticd/libstatic.a grpc/libfrrgrpc_pb.la $(GRPC_LIBS) $(ALL_TESTS_LDADD) $(LIBYANG_LIBS) -lm
+-GRPC_TESTS_LDADD = staticd/libstatic.a grpc/libfrrgrpc_pb.la -lgrpc++ -lprotobuf $(ALL_TESTS_LDADD) $(LIBYANG_LIBS) -lm
 -
 -if GRPC
 -check_PROGRAMS += tests/lib/test_grpc
@@ -16,10 +16,6 @@ index 7b5eaa4..5c82f69 100644
 -tests_lib_test_grpc_CPPFLAGS = $(TESTS_CPPFLAGS)
 -tests_lib_test_grpc_LDADD = $(GRPC_TESTS_LDADD)
 -tests_lib_test_grpc_SOURCES = tests/lib/test_grpc.cpp
--nodist_tests_lib_test_grpc_SOURCES = \
--	yang/frr-bfdd.yang.c \
--	yang/frr-staticd.yang.c \
--	# end
 -
 -
  ##############################################################################

0006-autorp-segfault.patch

@@ -1,41 +0,0 @@
-From 37b88191fb4736ff0a1e565fc22003d0ab853ea2 Mon Sep 17 00:00:00 2001
-From: Donald Sharp <sharpd@nvidia.com>
-Date: Wed, 4 Dec 2024 10:47:33 -0500
-Subject: [PATCH] pimd: Prevent crash of pim when auto-rp's socket is not
- initialized
-
-If the socket associated with the auto-rp fails to initialize then
-the memory for the auto-rp is just dropped on the floor.  Additionally
-any type of attempt at using the feature will just cause pimd to crash,
-when the pointer is derefed.  Since it is derefed all over the place
-without checking.
-
-Clearly if you cannot bind/use the socket let's allow continuation.
-
-Fixes: #17540
-Signed-off-by: Donald Sharp <sharpd@nvidia.com>
----
- pimd/pim_autorp.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/pimd/pim_autorp.c b/pimd/pim_autorp.c
-index 3fb10f4..91ed005 100644
---- a/pimd/pim_autorp.c
-+++ b/pimd/pim_autorp.c
-@@ -1014,12 +1014,14 @@ void pim_autorp_init(struct pim_instance *pim)
- 	autorp->announce_interval = DEFAULT_ANNOUNCE_INTERVAL;
- 	autorp->announce_holdtime = DEFAULT_ANNOUNCE_HOLDTIME;
- 
-+	pim->autorp = autorp;
-+
- 	if (!pim_autorp_socket_enable(autorp)) {
--		zlog_err("%s: AutoRP failed to initialize", __func__);
-+		zlog_err("%s: AutoRP failed to initialize, feature will not work correctly",
-+				__func__);
- 		return;
- 	}
- 
--	pim->autorp = autorp;
- 	if (PIM_DEBUG_AUTORP)
- 		zlog_debug("%s: AutoRP Initialized", __func__);
- 

frr.fc

@@ -6,7 +6,6 @@
 
 /var/log/frr(/.*)?              gen_context(system_u:object_r:frr_log_t,s0)
 /var/tmp/frr(/.*)?              gen_context(system_u:object_r:frr_tmp_t,s0)
-/var/lib/frr(/.*)?              gen_context(system_u:object_r:frr_var_lib_t,s0)
 
 /run/lock/subsys/bfdd       --  gen_context(system_u:object_r:frr_lock_t,s0)
 /run/lock/subsys/bgpd       --  gen_context(system_u:object_r:frr_lock_t,s0)

frr.spec

@@ -10,8 +10,8 @@
 %bcond selinux 1
 
 Name:           frr
-Version:        10.2
-Release:        2%{?dist}
+Version:        9.1
+Release:        3%{?dist}
 Summary:        Routing daemon
 License:        GPL-2.0-or-later AND ISC AND LGPL-2.0-or-later AND BSD-2-Clause AND BSD-3-Clause AND (GPL-2.0-or-later  OR ISC) AND MIT
 URL:            http://www.frrouting.org
@@ -28,7 +28,6 @@ Patch0002:      0002-enable-openssl.patch
 Patch0003:      0003-disable-eigrp-crypto.patch
 Patch0004:      0004-fips-mode.patch
 Patch0005:      0005-remove-grpc-test.patch
-Patch0006:      0006-autorp-segfault.patch
 
 BuildRequires:  autoconf
 BuildRequires:  automake
@@ -119,7 +118,7 @@ autoreconf -ivf
     --sysconfdir=%{_sysconfdir}/frr \
     --libdir=%{_libdir}/frr \
     --libexecdir=%{_libexecdir}/frr \
-    --localstatedir=/var \
+    --localstatedir=/run/frr \
     --enable-multipath=64 \
     --enable-vtysh=yes \
     --disable-ospfclient \
@@ -135,7 +134,6 @@ autoreconf -ivf
     --disable-ldpd \
     --disable-babeld \
     --with-moduledir=%{_libdir}/frr/modules \
-    --with-yangmodelsdir=%{_datadir}/frr-yang/ \
     --with-crypto=openssl \
     --with-vici-socket=/run/strongswan/charon.vici \
     --enable-fpm \
@@ -267,8 +265,8 @@ rm tests/lib/*grpc*
 %config(noreplace) %attr(644,frr,frr) %{_sysconfdir}/frr/daemons
 %config(noreplace) %{_sysconfdir}/pam.d/frr
 %{_unitdir}/*.service
-%dir %{_datadir}/frr-yang
-%{_datadir}/frr-yang/*.yang
+%dir %{_datadir}/yang
+%{_datadir}/yang/*.yang
 %{_tmpfilesdir}/%{name}.conf
 %{_sysusersdir}/%{name}.conf
 
@@ -280,37 +278,8 @@ rm tests/lib/*grpc*
 %endif
 
 %changelog
-* Thu Dec 05 2024 Michal Ruprich <mruprich@redhat.com> - 10.2-2
-- Resolves: rhbz#2329643 - upgrading frr to 10.2 causes pimd crashes
-
-* Fri Nov 22 2024 Michal Ruprich <mruprich@redhat.com> - 10.2-1
-- New version 10.2
-
-* Tue Sep 10 2024 Michal Ruprich <mruprich@redhat.com> - 10.1-4
-- Resolves: #2311119 - Multiple AVCs for accessing lib_t in FRR-10.1
-- Resolves: #2311120 - AVCs for using a netlink socket in FRR
-
-* Sun Aug 25 2024 Benjamin A. Beasley <code@musicinmybrain.net> - 10.1-3
-- Rebuilt for abseil-cpp-20240722.0
-
-* Thu Aug 15 2024 Michal Ruprich <mruprich@redhat.com> - 10.1-2
-- Rebuilding for the libre soname bump
-
-* Mon Aug 12 2024 Michal Ruprich <mruprich@redhat.com> - 10.1-1
-- New version 10.1
-
-* Wed Jul 31 2024 Michal Ruprich <mruprich@redhat.com> - 10.0.1-1
-- New version 10.0.1
-
-* Wed Jul 17 2024 Fedora Release Engineering <releng@fedoraproject.org> - 9.1-5
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
-
-* Wed Apr 17 2024 Michal Ruprich <mruprich@redhat.com> - 9.1-4
-- Moving yang modules to frr specific dir to avoid conflicts
-- Adding rpminspect.yaml
-
-* Sat Feb 24 2024 Paul Wouters <paul.wouters@aiven.io> - 9.1-3
-- Rebuild for libre2.so.11 bump
+* Wed Apr 10 2024 Michal Ruprich <mruprich@redhat.com> - 9.1-3
+- Resolves: #2273524 - frr fails to start: SELinux is preventing watchfrr from create access on the sock_file
 
 * Sun Feb 04 2024 Benjamin A. Beasley <code@musicinmybrain.net> - 9.1-2
 - Rebuilt for abseil-cpp-20240116.0

frr.te

@@ -27,20 +27,12 @@ systemd_unit_file(frr_unit_file_t)
 type frr_var_run_t;
 files_pid_file(frr_var_run_t)
 
-type frr_var_lib_t;
-files_type(frr_var_lib_t)
-
 ########################################
 #
 # frr local policy
 #
 allow frr_t self:capability { chown dac_override dac_read_search kill net_bind_service net_raw setgid setuid net_admin sys_admin };
 allow frr_t self:netlink_route_socket rw_netlink_socket_perms;
-allow frr_t self:netlink_generic_socket create;
-allow frr_t self:netlink_generic_socket setopt;
-allow frr_t self:netlink_generic_socket getopt;
-allow frr_t self:netlink_generic_socket getattr;
-allow frr_t self:netlink_generic_socket bind;
 allow frr_t self:packet_socket create_socket_perms;
 allow frr_t self:process { setcap setpgid };
 allow frr_t self:rawip_socket create_socket_perms;
@@ -57,10 +49,6 @@ manage_files_pattern(frr_t, frr_log_t, frr_log_t)
 manage_lnk_files_pattern(frr_t, frr_log_t, frr_log_t)
 logging_log_filetrans(frr_t, frr_log_t, { dir file lnk_file })
 
-manage_dirs_pattern(frr_t, frr_var_lib_t, frr_var_lib_t)
-manage_files_pattern(frr_t, frr_var_lib_t, frr_var_lib_t)
-files_var_lib_filetrans(frr_t, frr_var_lib_t, { dir file })
-
 allow frr_t frr_tmp_t:file map;
 manage_dirs_pattern(frr_t, frr_tmp_t, frr_tmp_t)
 manage_files_pattern(frr_t, frr_tmp_t, frr_tmp_t)
@@ -104,8 +92,6 @@ corenet_tcp_bind_qpasa_agent_port(frr_t)
 corenet_tcp_bind_smntubootstrap_port(frr_t)
 corenet_tcp_bind_versa_tek_port(frr_t)
 corenet_tcp_bind_zebra_port(frr_t)
-# general reserved port for pimd
-corenet_tcp_bind_reserved_port(frr_t)
 
 domain_use_interactive_fds(frr_t)
 

rpminspect.yaml

@@ -1,7 +0,0 @@
----
-runpath:
-    allowed_paths:
-        - /usr/lib64/frr
-        - /usr/lib/frr
-inspections:
-    badfuncs: off

sources

@@ -1,2 +1,2 @@
-SHA512 (frr-10.2.tar.gz) = 40a0e1f1a7f2cc137aac6e838b2f865b93fdc1cd6bd0f6c5b15b4507cbff87cb60092682e45aca68633cb053fb2ce663386edb78e5d3c5f890f4666e871ab8c5
+SHA512 (frr-9.1.tar.gz) = 5e77de9d26275ac8babd3bd467fe05c7fb6fa50c80fe61e13057784945372debe24f44557d9d52e76e2e785919cdfb4d5a80e7b2a06558f2a52745d0e0b92766
 SHA512 (remove-babeld-ldpd.sh) = a5bf67a3722cb20d43cef1dac28f839db68df73a1b7d34d8438e4f9366da3b67d85c1f44281f93434e8dd8ebcb2d3dc258b77eaa5627475b7395d207f020839d