v.ims.1 - Bump version

Resolves: #2011868 - systemctl frr reload does not stop daemons that are not enabled in /etc/frr/daemons

.fmf/version

@@ -1 +0,0 @@
-1

.gitignore

@@ -6,12 +6,6 @@
 /frr-7.4.tar.gz
 /frr-7.5.tar.gz
 /frr-7.5.1.tar.gz
-/frr-8.0.tar.gz
 /frr-8.0.1.tar.gz
 /frr-8.2.tar.gz
 /frr-8.2.2.tar.gz
-/frr-8.3.1.tar.gz
-/frr-8.4.tar.gz
-/frr-8.4.1.tar.gz
-/frr-8.4.2.tar.gz
-/frr-8.5.tar.gz

0000-remove-babeld-and-ldpd.patch

@@ -27,29 +27,3 @@ index 5be3264..33abc1d 100644
  	lib/Makefile \
  	nhrpd/Makefile \
  	ospf6d/Makefile \
-diff --git a/tools/etc/frr/daemons b/tools/etc/frr/daemons
-index 8aa0887..c92dcca 100644
---- a/tools/etc/frr/daemons
-+++ b/tools/etc/frr/daemons
-@@ -22,10 +22,8 @@ ripngd=no
- isisd=no
- pimd=no
- pim6d=no
--ldpd=no
- nhrpd=no
- eigrpd=no
--babeld=no
- sharpd=no
- pbrd=no
- bfdd=no
-@@ -48,10 +46,8 @@ ripngd_options=" -A ::1"
- isisd_options="  -A 127.0.0.1"
- pimd_options="   -A 127.0.0.1"
- pim6d_options="  -A ::1"
--ldpd_options="   -A 127.0.0.1"
- nhrpd_options="  -A 127.0.0.1"
- eigrpd_options=" -A 127.0.0.1"
--babeld_options=" -A 127.0.0.1"
- sharpd_options=" -A 127.0.0.1"
- pbrd_options="   -A 127.0.0.1"
- staticd_options="-A 127.0.0.1"

0004-fips-mode.patch

@@ -101,15 +101,3 @@ index 5bb81ef..02a09ef 100644
  	nb_cli_enqueue_change(vty, "./authentication-scheme/mode", NB_OP_MODIFY,
  			      strmatch(mode, "md5") ? "md5" : "plain-text");
  	if (strmatch(mode, "md5"))
-diff --git a/lib/zebra.h b/lib/zebra.h
-index 53ae5b4..930307f 100644
---- a/lib/zebra.h
-+++ b/lib/zebra.h
-@@ -114,6 +114,7 @@
- #ifdef CRYPTO_OPENSSL
- #include <openssl/evp.h>
- #include <openssl/hmac.h>
-+#include <openssl/fips.h>
- #endif
-
- #include "openbsd-tree.h"

0006-cve-2022-26126.patch

@@ -0,0 +1,461 @@
+From ac3133450de12ba86c051265fc0f1b12bc57b40c Mon Sep 17 00:00:00 2001
+From: whichbug <whichbug@github.com>
+Date: Thu, 10 Feb 2022 22:49:41 -0500
+Subject: [PATCH] isisd: fix #10505 using base64 encoding
+
+Using base64 instead of the raw string to encode
+the binary data.
+
+Signed-off-by: whichbug <whichbug@github.com>
+---
+ isisd/isis_nb_notifications.c |  16 +--
+ lib/base64.c                  | 193 ++++++++++++++++++++++++++++++++++
+ lib/base64.h                  |  45 ++++++++
+ lib/subdir.am                 |   2 +
+ lib/yang_wrappers.c           |  59 +++++++++++
+ lib/yang_wrappers.h           |   7 ++
+ 6 files changed, 314 insertions(+), 8 deletions(-)
+ create mode 100644 lib/base64.c
+ create mode 100644 lib/base64.h
+
+diff --git a/isisd/isis_nb_notifications.c b/isisd/isis_nb_notifications.c
+index f219632acf7..fd7b1b3159a 100644
+--- a/isisd/isis_nb_notifications.c
++++ b/isisd/isis_nb_notifications.c
+@@ -245,7 +245,7 @@ void isis_notif_max_area_addr_mismatch(const struct isis_circuit *circuit,
+ 	data = yang_data_new_uint8(xpath_arg, max_area_addrs);
+ 	listnode_add(arguments, data);
+ 	snprintf(xpath_arg, sizeof(xpath_arg), "%s/raw-pdu", xpath);
+-	data = yang_data_new(xpath_arg, raw_pdu);
++	data = yang_data_new_binary(xpath_arg, raw_pdu, raw_pdu_len);
+ 	listnode_add(arguments, data);
+ 
+ 	hook_call(isis_hook_max_area_addr_mismatch, circuit, max_area_addrs,
+@@ -270,7 +270,7 @@ void isis_notif_authentication_type_failure(const struct isis_circuit *circuit,
+ 	notif_prep_instance_hdr(xpath, area, "default", arguments);
+ 	notif_prepr_iface_hdr(xpath, circuit, arguments);
+ 	snprintf(xpath_arg, sizeof(xpath_arg), "%s/raw-pdu", xpath);
+-	data = yang_data_new(xpath_arg, raw_pdu);
++	data = yang_data_new_binary(xpath_arg, raw_pdu, raw_pdu_len);
+ 	listnode_add(arguments, data);
+ 
+ 	hook_call(isis_hook_authentication_type_failure, circuit, raw_pdu,
+@@ -294,7 +294,7 @@ void isis_notif_authentication_failure(const struct isis_circuit *circuit,
+ 	notif_prep_instance_hdr(xpath, area, "default", arguments);
+ 	notif_prepr_iface_hdr(xpath, circuit, arguments);
+ 	snprintf(xpath_arg, sizeof(xpath_arg), "%s/raw-pdu", xpath);
+-	data = yang_data_new(xpath_arg, raw_pdu);
++	data = yang_data_new_binary(xpath_arg, raw_pdu, raw_pdu_len);
+ 	listnode_add(arguments, data);
+ 
+ 	hook_call(isis_hook_authentication_failure, circuit, raw_pdu,
+@@ -361,7 +361,7 @@ void isis_notif_reject_adjacency(const struct isis_circuit *circuit,
+ 	data = yang_data_new_string(xpath_arg, reason);
+ 	listnode_add(arguments, data);
+ 	snprintf(xpath_arg, sizeof(xpath_arg), "%s/raw-pdu", xpath);
+-	data = yang_data_new(xpath_arg, raw_pdu);
++	data = yang_data_new_binary(xpath_arg, raw_pdu, raw_pdu_len);
+ 	listnode_add(arguments, data);
+ 
+ 	hook_call(isis_hook_reject_adjacency, circuit, raw_pdu, raw_pdu_len);
+@@ -384,7 +384,7 @@ void isis_notif_area_mismatch(const struct isis_circuit *circuit,
+ 	notif_prep_instance_hdr(xpath, area, "default", arguments);
+ 	notif_prepr_iface_hdr(xpath, circuit, arguments);
+ 	snprintf(xpath_arg, sizeof(xpath_arg), "%s/raw-pdu", xpath);
+-	data = yang_data_new(xpath_arg, raw_pdu);
++	data = yang_data_new_binary(xpath_arg, raw_pdu, raw_pdu_len);
+ 	listnode_add(arguments, data);
+ 
+ 	hook_call(isis_hook_area_mismatch, circuit, raw_pdu, raw_pdu_len);
+@@ -467,7 +467,7 @@ void isis_notif_id_len_mismatch(const struct isis_circuit *circuit,
+ 	data = yang_data_new_uint8(xpath_arg, rcv_id_len);
+ 	listnode_add(arguments, data);
+ 	snprintf(xpath_arg, sizeof(xpath_arg), "%s/raw-pdu", xpath);
+-	data = yang_data_new(xpath_arg, raw_pdu);
++	data = yang_data_new_binary(xpath_arg, raw_pdu, raw_pdu_len);
+ 	listnode_add(arguments, data);
+ 
+ 	hook_call(isis_hook_id_len_mismatch, circuit, rcv_id_len, raw_pdu,
+@@ -495,7 +495,7 @@ void isis_notif_version_skew(const struct isis_circuit *circuit,
+ 	data = yang_data_new_uint8(xpath_arg, version);
+ 	listnode_add(arguments, data);
+ 	snprintf(xpath_arg, sizeof(xpath_arg), "%s/raw-pdu", xpath);
+-	data = yang_data_new(xpath_arg, raw_pdu);
++	data = yang_data_new_binary(xpath_arg, raw_pdu, raw_pdu_len);
+ 	listnode_add(arguments, data);
+ 
+ 	hook_call(isis_hook_version_skew, circuit, version, raw_pdu,
+@@ -525,7 +525,7 @@ void isis_notif_lsp_error(const struct isis_circuit *circuit,
+ 	data = yang_data_new_string(xpath_arg, rawlspid_print(lsp_id));
+ 	listnode_add(arguments, data);
+ 	snprintf(xpath_arg, sizeof(xpath_arg), "%s/raw-pdu", xpath);
+-	data = yang_data_new(xpath_arg, raw_pdu);
++	data = yang_data_new_binary(xpath_arg, raw_pdu, raw_pdu_len);
+ 	listnode_add(arguments, data);
+ 	/* ignore offset and tlv_type which cannot be set properly */
+ 
+diff --git a/lib/base64.c b/lib/base64.c
+new file mode 100644
+index 00000000000..e3f238969b3
+--- /dev/null
++++ b/lib/base64.c
+@@ -0,0 +1,193 @@
++/*
++ * This is part of the libb64 project, and has been placed in the public domain.
++ * For details, see http://sourceforge.net/projects/libb64
++ */
++
++#include "base64.h"
++
++static const int CHARS_PER_LINE = 72;
++static const char *ENCODING =
++	"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
++
++void base64_init_encodestate(struct base64_encodestate *state_in)
++{
++	state_in->step = step_A;
++	state_in->result = 0;
++	state_in->stepcount = 0;
++}
++
++char base64_encode_value(char value_in)
++{
++	if (value_in > 63)
++		return '=';
++	return ENCODING[(int)value_in];
++}
++
++int base64_encode_block(const char *plaintext_in, int length_in, char *code_out,
++			struct base64_encodestate *state_in)
++{
++	const char *plainchar = plaintext_in;
++	const char *const plaintextend = plaintext_in + length_in;
++	char *codechar = code_out;
++	char result;
++	char fragment;
++
++	result = state_in->result;
++
++	switch (state_in->step) {
++		while (1) {
++			case step_A:
++				if (plainchar == plaintextend) {
++					state_in->result = result;
++					state_in->step = step_A;
++					return codechar - code_out;
++				}
++				fragment = *plainchar++;
++				result = (fragment & 0x0fc) >> 2;
++				*codechar++ = base64_encode_value(result);
++				result = (fragment & 0x003) << 4;
++				/* fall through */
++			case step_B:
++				if (plainchar == plaintextend) {
++					state_in->result = result;
++					state_in->step = step_B;
++					return codechar - code_out;
++				}
++				fragment = *plainchar++;
++				result |= (fragment & 0x0f0) >> 4;
++				*codechar++ = base64_encode_value(result);
++				result = (fragment & 0x00f) << 2;
++				/* fall through */
++			case step_C:
++				if (plainchar == plaintextend) {
++					state_in->result = result;
++					state_in->step = step_C;
++					return codechar - code_out;
++				}
++				fragment = *plainchar++;
++				result |= (fragment & 0x0c0) >> 6;
++				*codechar++ = base64_encode_value(result);
++				result  = (fragment & 0x03f) >> 0;
++				*codechar++ = base64_encode_value(result);
++
++				++(state_in->stepcount);
++				if (state_in->stepcount == CHARS_PER_LINE/4) {
++					*codechar++ = '\n';
++					state_in->stepcount = 0;
++				}
++		}
++	}
++	/* control should not reach here */
++	return codechar - code_out;
++}
++
++int base64_encode_blockend(char *code_out, struct base64_encodestate *state_in)
++{
++	char *codechar = code_out;
++
++	switch (state_in->step) {
++	case step_B:
++		*codechar++ = base64_encode_value(state_in->result);
++		*codechar++ = '=';
++		*codechar++ = '=';
++		break;
++	case step_C:
++		*codechar++ = base64_encode_value(state_in->result);
++		*codechar++ = '=';
++		break;
++	case step_A:
++		break;
++	}
++	*codechar++ = '\n';
++
++	return codechar - code_out;
++}
++
++
++signed char base64_decode_value(signed char value_in)
++{
++	static const signed char decoding[] = {
++		62, -1, -1, -1, 63, 52, 53, 54,
++		55, 56, 57, 58, 59, 60, 61, -1,
++		-1, -1, -2, -1, -1, -1, 0, 1,
++		2,  3, 4, 5, 6, 7, 8, 9,
++		10, 11, 12, 13, 14, 15, 16, 17,
++		18, 19, 20, 21, 22, 23, 24, 25,
++		-1, -1, -1, -1, -1, -1, 26, 27,
++		28, 29, 30, 31, 32, 33, 34, 35,
++		36, 37, 38, 39, 40, 41, 42, 43,
++		44, 45, 46, 47, 48, 49, 50, 51
++	};
++	value_in -= 43;
++	if (value_in < 0 || value_in >= 80)
++		return -1;
++	return decoding[(int)value_in];
++}
++
++void base64_init_decodestate(struct base64_decodestate *state_in)
++{
++	state_in->step = step_a;
++	state_in->plainchar = 0;
++}
++
++int base64_decode_block(const char *code_in, int length_in, char *plaintext_out,
++			struct base64_decodestate *state_in)
++{
++	const char *codec = code_in;
++	char *plainc = plaintext_out;
++	signed char fragmt;
++
++	*plainc = state_in->plainchar;
++
++	switch (state_in->step) {
++		while (1) {
++			case step_a:
++				do {
++					if (codec == code_in+length_in) {
++						state_in->step = step_a;
++						state_in->plainchar = *plainc;
++						return plainc - plaintext_out;
++					}
++					fragmt = base64_decode_value(*codec++);
++				} while (fragmt < 0);
++				*plainc = (fragmt & 0x03f) << 2;
++				/* fall through */
++			case step_b:
++				do {
++					if (codec == code_in+length_in) {
++						state_in->step = step_b;
++						state_in->plainchar = *plainc;
++						return plainc - plaintext_out;
++					}
++					fragmt = base64_decode_value(*codec++);
++				} while (fragmt < 0);
++				*plainc++ |= (fragmt & 0x030) >> 4;
++				*plainc = (fragmt & 0x00f) << 4;
++				/* fall through */
++			case step_c:
++				do {
++					if (codec == code_in+length_in) {
++						state_in->step = step_c;
++						state_in->plainchar = *plainc;
++						return plainc - plaintext_out;
++					}
++					fragmt = base64_decode_value(*codec++);
++				} while (fragmt < 0);
++				*plainc++ |= (fragmt & 0x03c) >> 2;
++				*plainc = (fragmt & 0x003) << 6;
++				/* fall through */
++			case step_d:
++				do {
++					if (codec == code_in+length_in) {
++						state_in->step = step_d;
++						state_in->plainchar = *plainc;
++						return plainc - plaintext_out;
++					}
++					fragmt = base64_decode_value(*codec++);
++				} while (fragmt < 0);
++				*plainc++   |= (fragmt & 0x03f);
++		}
++	}
++	/* control should not reach here */
++	return plainc - plaintext_out;
++}
+diff --git a/lib/base64.h b/lib/base64.h
+new file mode 100644
+index 00000000000..3dc1559aa48
+--- /dev/null
++++ b/lib/base64.h
+@@ -0,0 +1,45 @@
++/*
++ * This is part of the libb64 project, and has been placed in the public domain.
++ * For details, see http://sourceforge.net/projects/libb64
++ */
++
++#ifndef _BASE64_H_
++#define _BASE64_H_
++
++enum base64_encodestep {
++	step_A, step_B, step_C
++};
++
++struct base64_encodestate {
++	enum base64_encodestep step;
++	char result;
++	int stepcount;
++};
++
++void base64_init_encodestate(struct base64_encodestate *state_in);
++
++char base64_encode_value(char value_in);
++
++int base64_encode_block(const char *plaintext_in, int length_in, char *code_out,
++			struct base64_encodestate *state_in);
++
++int base64_encode_blockend(char *code_out, struct base64_encodestate *state_in);
++
++
++enum base64_decodestep {
++	step_a, step_b, step_c, step_d
++};
++
++struct base64_decodestate {
++	enum base64_decodestep step;
++	char plainchar;
++};
++
++void base64_init_decodestate(struct base64_decodestate *state_in);
++
++signed char base64_decode_value(signed char value_in);
++
++int base64_decode_block(const char *code_in, int length_in, char *plaintext_out,
++			struct base64_decodestate *state_in);
++
++#endif /* _BASE64_H_ */
+diff --git a/lib/subdir.am b/lib/subdir.am
+index 648ab7f14a1..f8f82f2766f 100644
+--- a/lib/subdir.am
++++ b/lib/subdir.am
+@@ -8,6 +8,7 @@ lib_libfrr_la_LIBADD = $(LIBCAP) $(UNWIND_LIBS) $(LIBYANG_LIBS) $(LUA_LIB) $(UST
+ lib_libfrr_la_SOURCES = \
+ 	lib/agg_table.c \
+ 	lib/atomlist.c \
++	lib/base64.c \
+ 	lib/bfd.c \
+ 	lib/buffer.c \
+ 	lib/checksum.c \
+@@ -177,6 +178,7 @@ clippy_scan += \
+ pkginclude_HEADERS += \
+ 	lib/agg_table.h \
+ 	lib/atomlist.h \
++	lib/base64.h \
+ 	lib/bfd.h \
+ 	lib/bitfield.h \
+ 	lib/buffer.h \
+diff --git a/lib/yang_wrappers.c b/lib/yang_wrappers.c
+index 85aa003db72..bee76c6e0f5 100644
+--- a/lib/yang_wrappers.c
++++ b/lib/yang_wrappers.c
+@@ -19,6 +19,7 @@
+ 
+ #include <zebra.h>
+ 
++#include "base64.h"
+ #include "log.h"
+ #include "lib_errors.h"
+ #include "northbound.h"
+@@ -676,6 +677,64 @@ void yang_get_default_string_buf(char *buf, size_t size, const char *xpath_fmt,
+ 			  xpath);
+ }
+ 
++/*
++ * Primitive type: binary.
++ */
++struct yang_data *yang_data_new_binary(const char *xpath, const char *value,
++				       size_t len)
++{
++	char *value_str;
++	struct base64_encodestate s;
++	int cnt;
++	char *c;
++	struct yang_data *data;
++
++	value_str = (char *)malloc(len * 2);
++	base64_init_encodestate(&s);
++	cnt = base64_encode_block(value, len, value_str, &s);
++	c = value_str + cnt;
++	cnt = base64_encode_blockend(c, &s);
++	c += cnt;
++	*c = 0;
++	data = yang_data_new(xpath, value_str);
++	free(value_str);
++	return data;
++}
++
++size_t yang_dnode_get_binary_buf(char *buf, size_t size,
++				 const struct lyd_node *dnode,
++				 const char *xpath_fmt, ...)
++{
++	const char *canon;
++	size_t cannon_len;
++	size_t decode_len;
++	size_t ret_len;
++	size_t cnt;
++	char *value_str;
++	struct base64_decodestate s;
++
++	canon = YANG_DNODE_XPATH_GET_CANON(dnode, xpath_fmt);
++	cannon_len = strlen(canon);
++	decode_len = cannon_len;
++	value_str = (char *)malloc(decode_len);
++	base64_init_decodestate(&s);
++	cnt = base64_decode_block(canon, cannon_len, value_str, &s);
++
++	ret_len = size > cnt ? cnt : size;
++	memcpy(buf, value_str, ret_len);
++	if (size < cnt) {
++		char xpath[XPATH_MAXLEN];
++
++		yang_dnode_get_path(dnode, xpath, sizeof(xpath));
++		flog_warn(EC_LIB_YANG_DATA_TRUNCATED,
++			  "%s: value was truncated [xpath %s]", __func__,
++			  xpath);
++	}
++	free(value_str);
++	return ret_len;
++}
++
++
+ /*
+  * Primitive type: empty.
+  */
+diff --git a/lib/yang_wrappers.h b/lib/yang_wrappers.h
+index d781dfb1e42..56b314876f2 100644
+--- a/lib/yang_wrappers.h
++++ b/lib/yang_wrappers.h
+@@ -118,6 +118,13 @@ extern const char *yang_get_default_string(const char *xpath_fmt, ...);
+ extern void yang_get_default_string_buf(char *buf, size_t size,
+ 					const char *xpath_fmt, ...);
+ 
++/* binary */
++extern struct yang_data *yang_data_new_binary(const char *xpath,
++					      const char *value, size_t len);
++extern size_t yang_dnode_get_binary_buf(char *buf, size_t size,
++					const struct lyd_node *dnode,
++					const char *xpath_fmt, ...);
++
+ /* empty */
+ extern struct yang_data *yang_data_new_empty(const char *xpath);
+ extern bool yang_dnode_get_empty(const struct lyd_node *dnode,

frr.fc

@@ -1,29 +0,0 @@
-/usr/libexec/frr/(.*)?              gen_context(system_u:object_r:frr_exec_t,s0)
-
-/usr/lib/systemd/system/frr.*   gen_context(system_u:object_r:frr_unit_file_t,s0)
-
-/etc/frr(/.*)?                  gen_context(system_u:object_r:frr_conf_t,s0)
-
-/var/log/frr(/.*)?              gen_context(system_u:object_r:frr_log_t,s0)
-/var/tmp/frr(/.*)?              gen_context(system_u:object_r:frr_tmp_t,s0)
-
-/var/lock/subsys/bfdd       --  gen_context(system_u:object_r:frr_lock_t,s0)
-/var/lock/subsys/bgpd       --  gen_context(system_u:object_r:frr_lock_t,s0)
-/var/lock/subsys/eigrpd     --  gen_context(system_u:object_r:frr_lock_t,s0)
-/var/lock/subsys/fabricd    --  gen_context(system_u:object_r:frr_lock_t,s0)
-/var/lock/subsys/isisd      --  gen_context(system_u:object_r:frr_lock_t,s0)
-/var/lock/subsys/nhrpd      --  gen_context(system_u:object_r:frr_lock_t,s0)
-/var/lock/subsys/ospf6d     --  gen_context(system_u:object_r:frr_lock_t,s0)
-/var/lock/subsys/ospfd      --  gen_context(system_u:object_r:frr_lock_t,s0)
-/var/lock/subsys/pbrd       --  gen_context(system_u:object_r:frr_lock_t,s0)
-/var/lock/subsys/pimd       --  gen_context(system_u:object_r:frr_lock_t,s0)
-/var/lock/subsys/ripd       --  gen_context(system_u:object_r:frr_lock_t,s0)
-/var/lock/subsys/ripngd     --  gen_context(system_u:object_r:frr_lock_t,s0)
-/var/lock/subsys/staticd    --  gen_context(system_u:object_r:frr_lock_t,s0)
-/var/lock/subsys/zebra      --  gen_context(system_u:object_r:frr_lock_t,s0)
-/var/lock/subsys/vrrpd      --  gen_context(system_u:object_r:frr_lock_t,s0)
-/var/lock/subsys/pathd      --  gen_context(system_u:object_r:frr_lock_t,s0)
-
-/var/run/frr(/.*)?              gen_context(system_u:object_r:frr_var_run_t,s0)
-
-/usr/bin/vtysh              --  gen_context(system_u:object_r:frr_exec_t,s0)

frr.if

@@ -1,162 +0,0 @@
-## <summary>policy for frr</summary>
-
-########################################
-## <summary>
-##	Execute frr_exec_t in the frr domain.
-## </summary>
-## <param name="domain">
-## <summary>
-##	Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`frr_domtrans',`
-	gen_require(`
-		type frr_t, frr_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	domtrans_pattern($1, frr_exec_t, frr_t)
-')
-
-######################################
-## <summary>
-##	Execute frr in the caller domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`frr_exec',`
-	gen_require(`
-		type frr_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	can_exec($1, frr_exec_t)
-')
-
-########################################
-## <summary>
-##	Read frr's log files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <rolecap/>
-#
-interface(`frr_read_log',`
-	gen_require(`
-		type frr_log_t;
-	')
-
-	read_files_pattern($1, frr_log_t, frr_log_t)
-	optional_policy(`
-		logging_search_logs($1)
-	')
-')
-
-########################################
-## <summary>
-##	Append to frr log files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`frr_append_log',`
-	gen_require(`
-		type frr_log_t;
-	')
-
-	append_files_pattern($1, frr_log_t, frr_log_t)
-	optional_policy(`
-		logging_search_logs($1)
-	')
-')
-
-########################################
-## <summary>
-##	Manage frr log files
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`frr_manage_log',`
-	gen_require(`
-		type frr_log_t;
-	')
-
-	manage_dirs_pattern($1, frr_log_t, frr_log_t)
-	manage_files_pattern($1, frr_log_t, frr_log_t)
-	manage_lnk_files_pattern($1, frr_log_t, frr_log_t)
-	optional_policy(`
-		logging_search_logs($1)
-	')
-')
-
-########################################
-## <summary>
-##	Read frr PID files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`frr_read_pid_files',`
-	gen_require(`
-		type frr_var_run_t;
-	')
-
-	files_search_pids($1)
-	read_files_pattern($1, frr_var_run_t, frr_var_run_t)
-')
-
-########################################
-## <summary>
-##	All of the rules required to administrate
-##	an frr environment
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`frr_admin',`
-	gen_require(`
-		type frr_t;
-		type frr_log_t;
-		type frr_var_run_t;
-	')
-
-	allow $1 frr_t:process { signal_perms };
-	ps_process_pattern($1, frr_t)
-
-	tunable_policy(`deny_ptrace',`',`
-		allow $1 frr_t:process ptrace;
-	')
-
-	admin_pattern($1, frr_log_t)
-
-	files_search_pids($1)
-	admin_pattern($1, frr_var_run_t)
-	optional_policy(`
-		logging_search_logs($1)
-	')
-	optional_policy(`
-		systemd_passwd_agent_exec($1)
-		systemd_read_fifo_file_passwd_run($1)
-	')
-')

frr.spec

@@ -3,29 +3,24 @@
 %global frr_libdir %{_libexecdir}/frr
 
 %global _hardened_build 1
-%global selinuxtype targeted
 %define _legacy_common_support 1
-%bcond_without selinux
 
 Name:           frr
-Version:        8.5
-Release:        1%{?dist}
+Version:        8.2.2
+Release:        2%{?dist}
 Summary:        Routing daemon
 License:        GPLv2+
 URL:            http://www.frrouting.org
 Source0:        https://github.com/FRRouting/frr/releases/download/%{name}-%{version}/%{name}-%{version}.tar.gz
 Source1:        %{name}-tmpfiles.conf
 Source2:        %{name}-sysusers.conf
-#Decentralized SELinux policy
-Source3:        frr.fc
-Source4:        frr.te
-Source5:        frr.if
 
 Patch0000:      0000-remove-babeld-and-ldpd.patch
 Patch0002:      0002-enable-openssl.patch
 Patch0003:      0003-disable-eigrp-crypto.patch
 Patch0004:      0004-fips-mode.patch
 Patch0005:      0005-remove-grpc-test.patch
+Patch0006:      0006-cve-2022-26126.patch
 
 BuildRequires:  autoconf
 BuildRequires:  automake
@@ -41,7 +36,7 @@ BuildRequires:  grpc-plugins
 BuildRequires:  json-c-devel
 BuildRequires:  libcap-devel
 BuildRequires:  libtool
-BuildRequires:  libyang-devel >= 2.0.0
+BuildRequires:  libyang-devel >= 0.16.74
 BuildRequires:  make
 BuildRequires:  ncurses
 BuildRequires:  ncurses-devel
@@ -65,12 +60,7 @@ Requires(post): hostname
 Requires(post): systemd
 Requires(postun): systemd
 Requires(preun): systemd
-
-%if 0%{?with_selinux}
-Requires: (%{name}-selinux = %{version}-%{release} if selinux-policy-%{selinuxtype})
-%endif
-
-Obsoletes:      quagga < 1.2.4-17
+Conflicts:      quagga
 Provides:       routingdaemon = %{version}-%{release}
 
 %description
@@ -82,25 +72,8 @@ FRRouting supports BGP4, OSPFv2, OSPFv3, ISIS, RIP, RIPng, PIM, NHRP, PBR, EIGRP
 
 FRRouting is a fork of Quagga.
 
-%if 0%{?with_selinux}
-%package selinux
-Summary:	Selinux policy for FRR
-BuildArch:	noarch
-Requires:	selinux-policy-%{selinuxtype}
-Requires(post):	selinux-policy-%{selinuxtype}
-BuildRequires:	selinux-policy-devel
-%{?selinux_requires}
-
-%description selinux
-SELinux policy modules for FRR package
-
-%endif
-
 %prep
 %autosetup -S git
-#Selinux
-mkdir selinux
-cp -p %{SOURCE3} %{SOURCE4} %{SOURCE5} selinux
 
 %build
 autoreconf -ivf
@@ -110,7 +83,7 @@ autoreconf -ivf
     --sysconfdir=%{_sysconfdir}/frr \
     --libdir=%{_libdir}/frr \
     --libexecdir=%{_libexecdir}/frr \
-    --localstatedir=/run/frr \
+    --localstatedir=%{_localstatedir}/run/frr \
     --enable-multipath=64 \
     --enable-vtysh=yes \
     --disable-ospfclient \
@@ -136,12 +109,6 @@ autoreconf -ivf
 # Build info documentation
 %make_build -C doc info
 
-#SELinux policy
-%if 0%{?with_selinux}
-make -C selinux -f %{_datadir}/selinux/devel/Makefile %{name}.pp
-bzip2 -9 selinux/%{name}.pp
-%endif
-
 %install
 mkdir -p %{buildroot}%{_sysconfdir}/{frr,rc.d/init.d,sysconfig,logrotate.d,pam.d,default} \
          %{buildroot}%{_localstatedir}/log/frr %{buildroot}%{_infodir} \
@@ -168,12 +135,6 @@ install -p -m 644 redhat/frr.logrotate %{buildroot}%{_sysconfdir}/logrotate.d/fr
 install -p -m 644 redhat/frr.pam %{buildroot}%{_sysconfdir}/pam.d/frr
 install -d -m 775 %{buildroot}/run/frr
 
-%if 0%{?with_selinux}
-install -D -m 644 selinux/%{name}.pp.bz2 \
-	%{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
-install -D -m 644 selinux/%{name}.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/%{name}.if
-%endif
-
 # Delete libtool archives
 find %{buildroot} -type f -name "*.la" -delete -print
 
@@ -184,6 +145,7 @@ rm -r %{buildroot}%{_includedir}/frr/
 %pre
 %sysusers_create_compat %{SOURCE2}
 
+
 %post
 %systemd_post frr.service
 
@@ -207,28 +169,6 @@ fi
 %preun
 %systemd_preun frr.service
 
-#SELinux
-%if 0%{?with_selinux}
-%pre selinux
-%selinux_relabel_pre -s %{selinuxtype}
-
-%post selinux
-%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
-%selinux_relabel_post -s %{selinuxtype}
-#/var/tmp and /var/run need to be relabeled as well if FRR is running before upgrade
-if [ $1 == 2 ]; then
-    %{_sbindir}/restorecon -R /var/tmp/frr &> /dev/null
-    %{_sbindir}/restorecon -R /var/run/frr &> /dev/null
-fi
-
-%postun selinux
-if [ $1 -eq 0 ]; then
-    %selinux_modules_uninstall -s %{selinuxtype} %{name}
-    %selinux_relabel_post -s %{selinuxtype}
-fi
-
-%endif
-
 %check
 #this should be temporary, the grpc test is just badly designed
 rm tests/lib/*grpc*
@@ -241,14 +181,10 @@ rm tests/lib/*grpc*
 %dir %attr(755,frr,frr) %{_localstatedir}/log/frr
 %dir %attr(755,frr,frr) /run/frr
 %{_infodir}/*info*
-%{_mandir}/man1/frr.1*
-%{_mandir}/man1/vtysh.1*
-%{_mandir}/man8/frr-*.8*
-%{_mandir}/man8/mtracebis.8*
+%{_mandir}/man*/*
 %dir %{frr_libdir}/
 %{frr_libdir}/*
-%{_bindir}/mtracebis
-%{_bindir}/vtysh
+%{_bindir}/*
 %dir %{_libdir}/frr
 %{_libdir}/frr/*.so.*
 %dir %{_libdir}/frr/modules
@@ -262,122 +198,19 @@ rm tests/lib/*grpc*
 %{_tmpfilesdir}/%{name}.conf
 %{_sysusersdir}/%{name}.conf
 
-%if 0%{?with_selinux}
-%files selinux
-%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.*
-%{_datadir}/selinux/devel/include/distributed/%{name}.if
-%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name}
-%endif
-
 %changelog
-* Wed Apr 12 2023 Michal Ruprich <mruprich@redhat.com> - 8.5-1
-- New version 8.5
-
-* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 8.4.2-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
-
-* Thu Jan 12 2023 Michal Ruprich <mruprich@redhat.com> - 8.4.2-1
-- New version 8.4.2
-
-* Fri Nov 25 2022 Michal Ruprich <mruprich@redhat.com> - 8.4.1-1
-- New version 8.4.1
-- Fix for rhbz #2140705
-
-* Thu Nov 10 2022 Michal Ruprich <mruprich@redhat.com> - 8.4-1
-- New version 8.4
-
-* Fri Sep 16 2022 Michal Ruprich <mruprich@redhat.com> - 8.3.1-5
-- Adding SELinux rule to enable zebra to write to sysctl_net_t
-- Adding SELinux rule to enable bgpd to call name_connect to bgp_port_t
-
-* Fri Sep 09 2022 Michal Ruprich <mruprich@redhat.com> - 8.3.1-4
-- Fixing an error in post scriptlet
-
-* Fri Sep 09 2022 Michal Ruprich <mruprich@redhat.com> - 8.3.1-3
-- Resolves: #2124254 - frr can no longer update routes
-
-* Wed Sep 07 2022 Michal Ruprich <mruprich@redhat.com> - 8.3.1-2
-- Resolves: #2124253 - SELinux is preventing zebra from setattr access on the directory frr
-- Better handling FRR files during upgrade
-
-* Tue Sep 06 2022 Michal Ruprich <mruprich@redhat.com> - 8.3.1-1
-- New version 8.3.1
-
-* Mon Aug 22 2022 Michal Ruprich <mruprich@redhat.com> - 8.2.2-10
-- Rebuilding for new abseil-cpp and grpc updates
-
-* Wed Aug 10 2022 Michal Ruprich <mruprich@redhat.com> - 8.2.2-9
-- Adding vrrpd and pathd as daemons to the policy
-
-* Wed Aug 10 2022 Michal Ruprich <mruprich@redhat.com> - 8.2.2-8
-- Finalizing SELinux policy
-
-* Tue Aug 02 2022 Michal Ruprich <mruprich@redhat.com> - 8.2.2-7
-- Fixing wrong path for vtysh in frr.fc
-
-* Fri Jul 29 2022 Benjamin A. Beasley <code@musicinmybrain.net> - 8.2.2-6
-- Rebuild with abseil-cpp-20211102.0-4.fc37 (RHBZ#2108658)
-
-* Wed Jul 27 2022 Michal Ruprich - 8.2.2-5
-- Packaging SELinux policy for FRR
-
-* Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 8.2.2-4
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
-
-* Tue May 17 2022 Michal Ruprich <mruprich@redhat.com> - 8.2.2-3
-- Rebuild for grpc-1.46.1
-
 * Mon Apr 11 2022 Michal Ruprich <mruprich@redhat.com> - 8.2.2-2
 - Fix for CVE-2022-16126
 
 * Tue Mar 15 2022 Michal Ruprich <mruprich@redhat.com> - 8.2.2-1
 - New version 8.2.2
 
-* Thu Mar 10 2022 Michal Ruprich <mruprich@redhat.com> - 8.2-2
-- Rebuild for abseil-cpp 20211102.0
-
-* Wed Mar 09 2022 Michal Ruprich <mruprich@redhat.com> - 8.2-1
+* Thu Mar 10 2022 Michal Ruprich <mruprich@redhat.com> - 8.2-1
 - New version 8.2 (rhbz#2020439)
 - Resolves: #2011868 - systemctl frr reload does not stop daemons that are not enabled in /etc/frr/daemons
 
-* Tue Feb 01 2022 Michal Ruprich <mruprich@redhat.com> - 8.0.1-11
-- Rebuilding for FTBFS in Rawhide(rhbz#2045399)
-
-* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 8.0.1-10
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
-
-* Sat Jan 08 2022 Miro Hrončok <mhroncok@redhat.com> - 8.0.1-9
-- Rebuilt for libre2.so.9
-
-* Sat Nov 06 2021 Adrian Reber <adrian@lisas.de> - 8.0.1-8
-- Rebuilt for protobuf 3.19.0
-
-* Mon Oct 25 2021 Adrian Reber <adrian@lisas.de> - 8.0.1-7
-- Rebuilt for protobuf 3.18.1
-
-* Fri Oct 15 2021 Michal Ruprich <mruprich@redhat.com> - 8.0.1-6
-- Obsoleting quagga so that it may be retired
-
-* Thu Oct 07 2021 Michal Ruprich <mruprich@redhat.com> - 8.0.1-5
-- Rebuilding for grpc 1.41
-
-* Thu Sep 30 2021 Michal Ruprich <mruprich@redhat.com> - 8.0.1-4
-- Rebuild for new version of libyang
-
-* Sat Sep 18 2021 Benjamin A. Beasley <code@musicinmybrain.net> - 8.0.1-3
-- Rebuild for grpc 1.40
-
-* Thu Sep 16 2021 Sahana Prasad <sahana@redhat.com> - 8.0.1-2
-- Rebuilt with OpenSSL 3.0.0
-
-* Thu Sep 16 2021 Michal Ruprich <mruprich@redhat.com> - 8.0.1-1
-- New version 8.0.1
-
-* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 8.0-2
-- Rebuilt with OpenSSL 3.0.0
-
-* Wed Aug 11 2021 Michal Ruprich <mruprich@redhat.com> - 8.0-1
-- New version 8.0
+* Thu Jan 20 2022 Michal Ruprich <mruprich@redhat.com> - 8.0.1-1
+- Rebasing to 8.0.1 due to newer libyang library
 
 * Wed Aug 04 2021 Benjamin A. Beasley <code@musicinmybrain.net> - 7.5.1-9
 - Rebuild for grpc 1.39

frr.te

@@ -1,120 +0,0 @@
-policy_module(frr, 1.0.0)
-
-########################################
-#
-# Declarations
-#
-
-type frr_t;
-type frr_exec_t;
-init_daemon_domain(frr_t, frr_exec_t)
-
-type frr_log_t;
-logging_log_file(frr_log_t)
-
-type frr_tmp_t;
-files_tmp_file(frr_tmp_t)
-
-type frr_lock_t;
-files_lock_file(frr_lock_t)
-
-type frr_conf_t;
-files_config_file(frr_conf_t)
-
-type frr_unit_file_t;
-systemd_unit_file(frr_unit_file_t)
-
-type frr_var_run_t;
-files_pid_file(frr_var_run_t)
-
-########################################
-#
-# frr local policy
-#
-allow frr_t self:capability { chown dac_override dac_read_search kill net_bind_service net_raw setgid setuid net_admin };
-allow frr_t self:netlink_route_socket rw_netlink_socket_perms;
-allow frr_t self:packet_socket { create setopt };
-allow frr_t self:process { setcap setpgid };
-allow frr_t self:rawip_socket create_socket_perms;
-allow frr_t self:tcp_socket { connect connected_stream_socket_perms };
-allow frr_t self:udp_socket create_socket_perms;
-allow frr_t self:unix_stream_socket connectto;
-
-allow frr_t frr_conf_t:dir list_dir_perms;
-manage_files_pattern(frr_t, frr_conf_t, frr_conf_t)
-read_lnk_files_pattern(frr_t, frr_conf_t, frr_conf_t)
-
-manage_dirs_pattern(frr_t, frr_log_t, frr_log_t)
-manage_files_pattern(frr_t, frr_log_t, frr_log_t)
-manage_lnk_files_pattern(frr_t, frr_log_t, frr_log_t)
-logging_log_filetrans(frr_t, frr_log_t, { dir file lnk_file })
-
-allow frr_t frr_tmp_t:file map;
-manage_dirs_pattern(frr_t, frr_tmp_t, frr_tmp_t)
-manage_files_pattern(frr_t, frr_tmp_t, frr_tmp_t)
-files_tmp_filetrans(frr_t, frr_tmp_t, { file dir })
-
-manage_files_pattern(frr_t, frr_lock_t, frr_lock_t)
-manage_lnk_files_pattern(frr_t, frr_lock_t, frr_lock_t)
-files_lock_filetrans(frr_t, frr_lock_t, { file lnk_file })
-
-manage_dirs_pattern(frr_t, frr_var_run_t, frr_var_run_t)
-manage_files_pattern(frr_t, frr_var_run_t, frr_var_run_t)
-manage_lnk_files_pattern(frr_t, frr_var_run_t, frr_var_run_t)
-manage_sock_files_pattern(frr_t, frr_var_run_t, frr_var_run_t)
-files_pid_filetrans(frr_t, frr_var_run_t, { dir file lnk_file })
-
-allow frr_t frr_exec_t:dir search_dir_perms;
-can_exec(frr_t, frr_exec_t)
-
-kernel_read_network_state(frr_t)
-kernel_rw_net_sysctls(frr_t)
-kernel_read_system_state(frr_t)
-
-auth_use_nsswitch(frr_t)
-
-corecmd_exec_bin(frr_t)
-
-corenet_tcp_bind_appswitch_emp_port(frr_t)
-corenet_udp_bind_bfd_control_port(frr_t)
-corenet_udp_bind_bfd_echo_port(frr_t)
-corenet_udp_bind_bfd_multi_port(frr_t)
-corenet_tcp_bind_bgp_port(frr_t)
-corenet_tcp_connect_bgp_port(frr_t)
-corenet_tcp_bind_cmadmin_port(frr_t)
-corenet_udp_bind_cmadmin_port(frr_t)
-corenet_tcp_bind_firepower_port(frr_t)
-corenet_tcp_bind_generic_port(frr_t)
-corenet_tcp_bind_priority_e_com_port(frr_t)
-corenet_udp_bind_router_port(frr_t)
-corenet_tcp_bind_qpasa_agent_port(frr_t)
-corenet_tcp_bind_smntubootstrap_port(frr_t)
-corenet_tcp_bind_versa_tek_port(frr_t)
-corenet_tcp_bind_zebra_port(frr_t)
-
-domain_use_interactive_fds(frr_t)
-
-fs_read_nsfs_files(frr_t)
-
-sysnet_exec_ifconfig(frr_t)
-
-userdom_read_admin_home_files(frr_t)
-
-optional_policy(`
-	logging_send_syslog_msg(frr_t)
-')
-
-optional_policy(`
-	modutils_exec_kmod(frr_t)
-	modutils_getattr_module_deps(frr_t)
-	modutils_read_module_config(frr_t)
-	modutils_read_module_deps_files(frr_t)
-')
-
-optional_policy(`
-	networkmanager_read_state(frr_t)
-')
-
-optional_policy(`
-	userdom_admin_home_dir_filetrans(frr_t, frr_conf_t, file, ".history_frr")
-')

gating.yaml

@@ -1,16 +0,0 @@
---- !Policy
-product_versions:
-  - fedora-*
-decision_contexts: [bodhi_update_push_testing]
-subject_type: koji_build
-rules:
-  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}
- 
-#gating rawhide
---- !Policy
-product_versions:
-  - fedora-*
-decision_contexts: [bodhi_update_push_stable]
-subject_type: koji_build
-rules:
-  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}

plans/all.fmf

@@ -1,6 +0,0 @@
-summary: Test plan with all Fedora tests
-discover:
-       how: fmf
-       url: https://src.fedoraproject.org/tests/frr.git
-execute:
-       how: tmt

sources

@@ -1,2 +1,2 @@
-SHA512 (frr-8.5.tar.gz) = 26a1bb752130bac684c8f83fb68d33fd16a94054904a37a9550d6028d6181663f757a700e967ae4265ca2a7c6e26b4f0d2fadcfae55a7101c6ce33ac83f2c9b9
+SHA512 (frr-8.2.2.tar.gz) = 2a3e189d8de09bd66bc4a49147bec681d48626d8cb268dc03f42b58064c066b35082114ff97d7333ae4029f759b78e216c8460c2611df7f6659675dc5f9b69b2
 SHA512 (remove-babeld-ldpd.sh) = a5bf67a3722cb20d43cef1dac28f839db68df73a1b7d34d8438e4f9366da3b67d85c1f44281f93434e8dd8ebcb2d3dc258b77eaa5627475b7395d207f020839d