v.ims.1 - Bump version

Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>

.gitignore

@@ -13,3 +13,7 @@
 /frr-8.3.1.tar.gz
 /frr-8.4.tar.gz
 /frr-8.4.1.tar.gz
+/frr-8.4.2.tar.gz
+/frr-8.5.tar.gz
+/frr-8.5.1.tar.gz
+/frr-8.5.2.tar.gz

0004-fips-mode.patch

@@ -101,3 +101,15 @@ index 5bb81ef..02a09ef 100644
  	nb_cli_enqueue_change(vty, "./authentication-scheme/mode", NB_OP_MODIFY,
  			      strmatch(mode, "md5") ? "md5" : "plain-text");
  	if (strmatch(mode, "md5"))
+diff --git a/lib/zebra.h b/lib/zebra.h
+index 53ae5b4..930307f 100644
+--- a/lib/zebra.h
++++ b/lib/zebra.h
+@@ -114,6 +114,7 @@
+ #ifdef CRYPTO_OPENSSL
+ #include <openssl/evp.h>
+ #include <openssl/hmac.h>
++#include <openssl/fips.h>
+ #endif
+
+ #include "openbsd-tree.h"

frr.fc

@@ -0,0 +1,29 @@
+/usr/libexec/frr/(.*)?              gen_context(system_u:object_r:frr_exec_t,s0)
+
+/usr/lib/systemd/system/frr.*   gen_context(system_u:object_r:frr_unit_file_t,s0)
+
+/etc/frr(/.*)?                  gen_context(system_u:object_r:frr_conf_t,s0)
+
+/var/log/frr(/.*)?              gen_context(system_u:object_r:frr_log_t,s0)
+/var/tmp/frr(/.*)?              gen_context(system_u:object_r:frr_tmp_t,s0)
+
+/var/lock/subsys/bfdd       --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/bgpd       --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/eigrpd     --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/fabricd    --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/isisd      --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/nhrpd      --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/ospf6d     --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/ospfd      --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/pbrd       --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/pimd       --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/ripd       --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/ripngd     --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/staticd    --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/zebra      --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/vrrpd      --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/pathd      --  gen_context(system_u:object_r:frr_lock_t,s0)
+
+/var/run/frr(/.*)?              gen_context(system_u:object_r:frr_var_run_t,s0)
+
+/usr/bin/vtysh              --  gen_context(system_u:object_r:frr_exec_t,s0)

frr.if

@@ -0,0 +1,215 @@
+## <summary>policy for frr</summary>
+
+########################################
+## <summary>
+##	Execute frr_exec_t in the frr domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`frr_domtrans',`
+	gen_require(`
+		type frr_t, frr_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, frr_exec_t, frr_t)
+')
+
+######################################
+## <summary>
+##	Execute frr in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`frr_exec',`
+	gen_require(`
+		type frr_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, frr_exec_t)
+')
+
+########################################
+## <summary>
+##	Read frr's log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`frr_read_log',`
+	gen_require(`
+		type frr_log_t;
+	')
+
+	read_files_pattern($1, frr_log_t, frr_log_t)
+	optional_policy(`
+		logging_search_logs($1)
+	')
+')
+
+########################################
+## <summary>
+##	Append to frr log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`frr_append_log',`
+	gen_require(`
+		type frr_log_t;
+	')
+
+	append_files_pattern($1, frr_log_t, frr_log_t)
+	optional_policy(`
+		logging_search_logs($1)
+	')
+')
+
+########################################
+## <summary>
+##	Manage frr log files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`frr_manage_log',`
+	gen_require(`
+		type frr_log_t;
+	')
+
+	manage_dirs_pattern($1, frr_log_t, frr_log_t)
+	manage_files_pattern($1, frr_log_t, frr_log_t)
+	manage_lnk_files_pattern($1, frr_log_t, frr_log_t)
+	optional_policy(`
+		logging_search_logs($1)
+	')
+')
+
+########################################
+## <summary>
+##	Read frr PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`frr_read_pid_files',`
+	gen_require(`
+		type frr_var_run_t;
+	')
+
+	files_search_pids($1)
+	read_files_pattern($1, frr_var_run_t, frr_var_run_t)
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an frr environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`frr_admin',`
+	gen_require(`
+		type frr_t;
+		type frr_log_t;
+		type frr_var_run_t;
+	')
+
+	allow $1 frr_t:process { signal_perms };
+	ps_process_pattern($1, frr_t)
+
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 frr_t:process ptrace;
+	')
+
+	admin_pattern($1, frr_log_t)
+
+	files_search_pids($1)
+	admin_pattern($1, frr_var_run_t)
+	optional_policy(`
+		logging_search_logs($1)
+	')
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
+
+########################################
+#
+# Interface compatibility blocks
+#
+# The following definitions ensure compatibility with distribution policy
+# versions that do not contain given interfaces (epel, or older Fedora
+# releases).
+# Each block tests for existence of given interface and defines it if needed.
+#
+
+######################################
+## <summary>
+##	Watch ifconfig_var_run_t directories
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+ifndef(`sysnet_watch_ifconfig_run',`
+	interface(`sysnet_watch_ifconfig_run',`
+		gen_require(`
+			type ifconfig_var_run_t;
+		')
+
+		watch_dirs_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
+	')
+')
+
+########################################
+## <summary>
+##	Read ifconfig_var_run_t files and link files
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+ifndef(`sysnet_read_ifconfig_run',`
+	interface(`sysnet_read_ifconfig_run',`
+		gen_require(`
+			type ifconfig_var_run_t;
+		')
+
+		list_dirs_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
+		read_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
+		read_lnk_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
+	')
+')
+

frr.spec

@@ -3,10 +3,12 @@
 %global frr_libdir %{_libexecdir}/frr
 
 %global _hardened_build 1
+%global selinuxtype targeted
 %define _legacy_common_support 1
+%bcond_without selinux
 
 Name:           frr
-Version:        8.4.1
+Version:        8.5.2
 Release:        1%{?dist}
 Summary:        Routing daemon
 License:        GPLv2+
@@ -14,6 +16,10 @@ URL:            http://www.frrouting.org
 Source0:        https://github.com/FRRouting/frr/releases/download/%{name}-%{version}/%{name}-%{version}.tar.gz
 Source1:        %{name}-tmpfiles.conf
 Source2:        %{name}-sysusers.conf
+#Decentralized SELinux policy
+Source3:        frr.fc
+Source4:        frr.te
+Source5:        frr.if
 
 Patch0000:      0000-remove-babeld-and-ldpd.patch
 Patch0002:      0002-enable-openssl.patch
@@ -59,6 +65,11 @@ Requires(post): hostname
 Requires(post): systemd
 Requires(postun): systemd
 Requires(preun): systemd
+
+%if 0%{?with_selinux}
+Requires: (%{name}-selinux = %{version}-%{release} if selinux-policy-%{selinuxtype})
+%endif
+
 Obsoletes:      quagga < 1.2.4-17
 Provides:       routingdaemon = %{version}-%{release}
 
@@ -71,8 +82,25 @@ FRRouting supports BGP4, OSPFv2, OSPFv3, ISIS, RIP, RIPng, PIM, NHRP, PBR, EIGRP
 
 FRRouting is a fork of Quagga.
 
+%if 0%{?with_selinux}
+%package selinux
+Summary:	Selinux policy for FRR
+BuildArch:	noarch
+Requires:	selinux-policy-%{selinuxtype}
+Requires(post):	selinux-policy-%{selinuxtype}
+BuildRequires:	selinux-policy-devel
+%{?selinux_requires}
+
+%description selinux
+SELinux policy modules for FRR package
+
+%endif
+
 %prep
 %autosetup -S git
+#Selinux
+mkdir selinux
+cp -p %{SOURCE3} %{SOURCE4} %{SOURCE5} selinux
 
 %build
 autoreconf -ivf
@@ -108,6 +136,12 @@ autoreconf -ivf
 # Build info documentation
 %make_build -C doc info
 
+#SELinux policy
+%if 0%{?with_selinux}
+make -C selinux -f %{_datadir}/selinux/devel/Makefile %{name}.pp
+bzip2 -9 selinux/%{name}.pp
+%endif
+
 %install
 mkdir -p %{buildroot}%{_sysconfdir}/{frr,rc.d/init.d,sysconfig,logrotate.d,pam.d,default} \
          %{buildroot}%{_localstatedir}/log/frr %{buildroot}%{_infodir} \
@@ -134,6 +168,12 @@ install -p -m 644 redhat/frr.logrotate %{buildroot}%{_sysconfdir}/logrotate.d/fr
 install -p -m 644 redhat/frr.pam %{buildroot}%{_sysconfdir}/pam.d/frr
 install -d -m 775 %{buildroot}/run/frr
 
+%if 0%{?with_selinux}
+install -D -m 644 selinux/%{name}.pp.bz2 \
+	%{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
+install -D -m 644 selinux/%{name}.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/%{name}.if
+%endif
+
 # Delete libtool archives
 find %{buildroot} -type f -name "*.la" -delete -print
 
@@ -144,7 +184,6 @@ rm -r %{buildroot}%{_includedir}/frr/
 %pre
 %sysusers_create_compat %{SOURCE2}
 
-
 %post
 %systemd_post frr.service
 
@@ -168,6 +207,28 @@ fi
 %preun
 %systemd_preun frr.service
 
+#SELinux
+%if 0%{?with_selinux}
+%pre selinux
+%selinux_relabel_pre -s %{selinuxtype}
+
+%post selinux
+%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
+%selinux_relabel_post -s %{selinuxtype}
+#/var/tmp and /var/run need to be relabeled as well if FRR is running before upgrade
+if [ $1 == 2 ]; then
+    %{_sbindir}/restorecon -R /var/tmp/frr &> /dev/null
+    %{_sbindir}/restorecon -R /var/run/frr &> /dev/null
+fi
+
+%postun selinux
+if [ $1 -eq 0 ]; then
+    %selinux_modules_uninstall -s %{selinuxtype} %{name}
+    %selinux_relabel_post -s %{selinuxtype}
+fi
+
+%endif
+
 %check
 #this should be temporary, the grpc test is just badly designed
 rm tests/lib/*grpc*
@@ -201,7 +262,30 @@ rm tests/lib/*grpc*
 %{_tmpfilesdir}/%{name}.conf
 %{_sysusersdir}/%{name}.conf
 
+%if 0%{?with_selinux}
+%files selinux
+%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.*
+%{_datadir}/selinux/devel/include/distributed/%{name}.if
+%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name}
+%endif
+
 %changelog
+* Fri Jun 30 2023 Michal Ruprich <mruprich@redhat.com> - 8.5.2-1
+- New version 8.5.2
+- Fixing a couple of SELinux issues
+
+* Wed Apr 26 2023 Michal Ruprich <mruprich@redhat.com> - 8.5.1-1
+- New version 8.5.1
+
+* Wed Apr 12 2023 Michal Ruprich <mruprich@redhat.com> - 8.5-1
+- New version 8.5
+
+* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 8.4.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Thu Jan 12 2023 Michal Ruprich <mruprich@redhat.com> - 8.4.2-1
+- New version 8.4.2
+
 * Fri Nov 25 2022 Michal Ruprich <mruprich@redhat.com> - 8.4.1-1
 - New version 8.4.1
 - Fix for rhbz #2140705
@@ -209,16 +293,57 @@ rm tests/lib/*grpc*
 * Thu Nov 10 2022 Michal Ruprich <mruprich@redhat.com> - 8.4-1
 - New version 8.4
 
+* Fri Sep 16 2022 Michal Ruprich <mruprich@redhat.com> - 8.3.1-5
+- Adding SELinux rule to enable zebra to write to sysctl_net_t
+- Adding SELinux rule to enable bgpd to call name_connect to bgp_port_t
+
+* Fri Sep 09 2022 Michal Ruprich <mruprich@redhat.com> - 8.3.1-4
+- Fixing an error in post scriptlet
+
+* Fri Sep 09 2022 Michal Ruprich <mruprich@redhat.com> - 8.3.1-3
+- Resolves: #2124254 - frr can no longer update routes
+
+* Wed Sep 07 2022 Michal Ruprich <mruprich@redhat.com> - 8.3.1-2
+- Resolves: #2124253 - SELinux is preventing zebra from setattr access on the directory frr
+- Better handling FRR files during upgrade
+
 * Tue Sep 06 2022 Michal Ruprich <mruprich@redhat.com> - 8.3.1-1
 - New version 8.3.1
 
+* Mon Aug 22 2022 Michal Ruprich <mruprich@redhat.com> - 8.2.2-10
+- Rebuilding for new abseil-cpp and grpc updates
+
+* Wed Aug 10 2022 Michal Ruprich <mruprich@redhat.com> - 8.2.2-9
+- Adding vrrpd and pathd as daemons to the policy
+
+* Wed Aug 10 2022 Michal Ruprich <mruprich@redhat.com> - 8.2.2-8
+- Finalizing SELinux policy
+
+* Tue Aug 02 2022 Michal Ruprich <mruprich@redhat.com> - 8.2.2-7
+- Fixing wrong path for vtysh in frr.fc
+
+* Fri Jul 29 2022 Benjamin A. Beasley <code@musicinmybrain.net> - 8.2.2-6
+- Rebuild with abseil-cpp-20211102.0-4.fc37 (RHBZ#2108658)
+
+* Wed Jul 27 2022 Michal Ruprich - 8.2.2-5
+- Packaging SELinux policy for FRR
+
+* Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 8.2.2-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Tue May 17 2022 Michal Ruprich <mruprich@redhat.com> - 8.2.2-3
+- Rebuild for grpc-1.46.1
+
 * Mon Apr 11 2022 Michal Ruprich <mruprich@redhat.com> - 8.2.2-2
 - Fix for CVE-2022-16126
 
 * Tue Mar 15 2022 Michal Ruprich <mruprich@redhat.com> - 8.2.2-1
 - New version 8.2.2
 
-* Thu Mar 10 2022 Michal Ruprich <mruprich@redhat.com> - 8.2-1
+* Thu Mar 10 2022 Michal Ruprich <mruprich@redhat.com> - 8.2-2
+- Rebuild for abseil-cpp 20211102.0
+
+* Wed Mar 09 2022 Michal Ruprich <mruprich@redhat.com> - 8.2-1
 - New version 8.2 (rhbz#2020439)
 - Resolves: #2011868 - systemctl frr reload does not stop daemons that are not enabled in /etc/frr/daemons
 

frr.te

@@ -0,0 +1,122 @@
+policy_module(frr, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type frr_t;
+type frr_exec_t;
+init_daemon_domain(frr_t, frr_exec_t)
+
+type frr_log_t;
+logging_log_file(frr_log_t)
+
+type frr_tmp_t;
+files_tmp_file(frr_tmp_t)
+
+type frr_lock_t;
+files_lock_file(frr_lock_t)
+
+type frr_conf_t;
+files_config_file(frr_conf_t)
+
+type frr_unit_file_t;
+systemd_unit_file(frr_unit_file_t)
+
+type frr_var_run_t;
+files_pid_file(frr_var_run_t)
+
+########################################
+#
+# frr local policy
+#
+allow frr_t self:capability { chown dac_override dac_read_search kill net_bind_service net_raw setgid setuid net_admin sys_admin };
+allow frr_t self:netlink_route_socket rw_netlink_socket_perms;
+allow frr_t self:packet_socket { create setopt };
+allow frr_t self:process { setcap setpgid };
+allow frr_t self:rawip_socket create_socket_perms;
+allow frr_t self:tcp_socket { connect connected_stream_socket_perms };
+allow frr_t self:udp_socket create_socket_perms;
+allow frr_t self:unix_stream_socket connectto;
+
+allow frr_t frr_conf_t:dir list_dir_perms;
+manage_files_pattern(frr_t, frr_conf_t, frr_conf_t)
+read_lnk_files_pattern(frr_t, frr_conf_t, frr_conf_t)
+
+manage_dirs_pattern(frr_t, frr_log_t, frr_log_t)
+manage_files_pattern(frr_t, frr_log_t, frr_log_t)
+manage_lnk_files_pattern(frr_t, frr_log_t, frr_log_t)
+logging_log_filetrans(frr_t, frr_log_t, { dir file lnk_file })
+
+allow frr_t frr_tmp_t:file map;
+manage_dirs_pattern(frr_t, frr_tmp_t, frr_tmp_t)
+manage_files_pattern(frr_t, frr_tmp_t, frr_tmp_t)
+files_tmp_filetrans(frr_t, frr_tmp_t, { file dir })
+
+manage_files_pattern(frr_t, frr_lock_t, frr_lock_t)
+manage_lnk_files_pattern(frr_t, frr_lock_t, frr_lock_t)
+files_lock_filetrans(frr_t, frr_lock_t, { file lnk_file })
+
+manage_dirs_pattern(frr_t, frr_var_run_t, frr_var_run_t)
+manage_files_pattern(frr_t, frr_var_run_t, frr_var_run_t)
+manage_lnk_files_pattern(frr_t, frr_var_run_t, frr_var_run_t)
+manage_sock_files_pattern(frr_t, frr_var_run_t, frr_var_run_t)
+files_pid_filetrans(frr_t, frr_var_run_t, { dir file lnk_file })
+
+allow frr_t frr_exec_t:dir search_dir_perms;
+can_exec(frr_t, frr_exec_t)
+
+kernel_read_network_state(frr_t)
+kernel_rw_net_sysctls(frr_t)
+kernel_read_system_state(frr_t)
+
+auth_use_nsswitch(frr_t)
+
+corecmd_exec_bin(frr_t)
+
+corenet_tcp_bind_appswitch_emp_port(frr_t)
+corenet_udp_bind_bfd_control_port(frr_t)
+corenet_udp_bind_bfd_echo_port(frr_t)
+corenet_udp_bind_bfd_multi_port(frr_t)
+corenet_tcp_bind_bgp_port(frr_t)
+corenet_tcp_connect_bgp_port(frr_t)
+corenet_tcp_bind_cmadmin_port(frr_t)
+corenet_udp_bind_cmadmin_port(frr_t)
+corenet_tcp_bind_firepower_port(frr_t)
+corenet_tcp_bind_generic_port(frr_t)
+corenet_tcp_bind_priority_e_com_port(frr_t)
+corenet_udp_bind_router_port(frr_t)
+corenet_tcp_bind_qpasa_agent_port(frr_t)
+corenet_tcp_bind_smntubootstrap_port(frr_t)
+corenet_tcp_bind_versa_tek_port(frr_t)
+corenet_tcp_bind_zebra_port(frr_t)
+
+domain_use_interactive_fds(frr_t)
+
+fs_read_nsfs_files(frr_t)
+
+sysnet_exec_ifconfig(frr_t)
+sysnet_read_ifconfig_run(frr_t)
+sysnet_watch_ifconfig_run(frr_t)
+
+userdom_read_admin_home_files(frr_t)
+
+optional_policy(`
+	logging_send_syslog_msg(frr_t)
+')
+
+optional_policy(`
+	modutils_exec_kmod(frr_t)
+	modutils_getattr_module_deps(frr_t)
+	modutils_read_module_config(frr_t)
+	modutils_read_module_deps_files(frr_t)
+')
+
+optional_policy(`
+	networkmanager_read_state(frr_t)
+')
+
+optional_policy(`
+	userdom_admin_home_dir_filetrans(frr_t, frr_conf_t, file, ".history_frr")
+')

sources

@@ -1,2 +1,2 @@
-SHA512 (frr-8.4.1.tar.gz) = bc29088979bf0a1383d5bdb1bbe93697941048a489993a276ba6e6aa994b1c651fc630b47fa847805d60278657f3c6b45c5150256d01058d5483fb0867f0589e
+SHA512 (frr-8.5.2.tar.gz) = a5eadd8c88966b58ebc0e7b92311bda16b391abe727861eed772ded678f5a84d84421fbfd4b23c4a2b18ab3d2dcd5b2c9099491dab6958b63c39a9c67c4508d2
 SHA512 (remove-babeld-ldpd.sh) = a5bf67a3722cb20d43cef1dac28f839db68df73a1b7d34d8438e4f9366da3b67d85c1f44281f93434e8dd8ebcb2d3dc258b77eaa5627475b7395d207f020839d