v10.3

Resolves: #2311120 - AVCs for using a netlink socket in FRR

.gitignore

@@ -16,3 +16,9 @@
 /frr-8.4.2.tar.gz
 /frr-8.5.tar.gz
 /frr-8.5.1.tar.gz
+/frr-8.5.2.tar.gz
+/frr-9.0.1.tar.gz
+/frr-9.1.tar.gz
+/frr-10.0.1.tar.gz
+/frr-10.1.tar.gz
+/frr-10.2.tar.gz

0000-remove-babeld-and-ldpd.patch

@@ -16,9 +16,9 @@ index 5be3264..33abc1d 100644
  	snapcraft/helpers \
  	snapcraft/snap \
 -	babeld/Makefile \
+ 	mgmtd/Makefile \
  	bgpd/Makefile \
  	bgpd/rfp-example/librfp/Makefile \
- 	bgpd/rfp-example/rfptest/Makefile \
 @@ -193,7 +190,6 @@ EXTRA_DIST += \
  	fpm/Makefile \
  	grpc/Makefile \

0002-enable-openssl.patch

@@ -8,8 +8,8 @@ index 0b7af18..0533e24 100644
  	lib/log_vty.c \
 -	lib/md5.c \
  	lib/memory.c \
- 	lib/mlag.c \
- 	lib/module.c \
+ 	lib/mgmt_be_client.c \
+ 	lib/mgmt_fe_client.c \
 @@ -64,7 +64,6 @@ lib_libfrr_la_SOURCES = \
  	lib/routemap_northbound.c \
  	lib/sbuf.c \
@@ -24,8 +24,8 @@ index 0b7af18..0533e24 100644
  	lib/log_vty.h \
 -	lib/md5.h \
  	lib/memory.h \
- 	lib/module.h \
- 	lib/monotime.h \
+ 	lib/mgmt.pb-c.h \
+ 	lib/mgmt_be_client.h \
 @@ -191,7 +190,6 @@ pkginclude_HEADERS += \
  	lib/route_opaque.h \
  	lib/sbuf.h \

0004-fips-mode.patch

@@ -2,9 +2,20 @@ diff --git a/ospfd/ospf_vty.c b/ospfd/ospf_vty.c
 index 631465f..e084ff3 100644
 --- a/ospfd/ospf_vty.c
 +++ b/ospfd/ospf_vty.c
-@@ -1136,6 +1136,11 @@ DEFUN (ospf_area_vlink,
+@@ -7,6 +7,10 @@
+ #include <zebra.h>
+ #include <string.h>
  
- 	if (argv_find(argv, argc, "message-digest", &idx)) {
++#ifdef CRYPTO_OPENSSL
++#include <openssl/fips.h>
++#endif
++
+ #include "printfrr.h"
+ #include "monotime.h"
+ #include "memory.h"
+@@ -1136,6 +1136,11 @@ DEFUN (ospf_area_vlink,
+ 		vl_config.keychain = argv[idx+1]->arg;
+ 	} else if (argv_find(argv, argc, "message-digest", &idx)) {
  		/* authentication message-digest */
 +		if(FIPS_mode())
 +		{
@@ -41,7 +52,7 @@ index 631465f..e084ff3 100644
 +		}
  		SET_IF_PARAM(params, auth_type);
  		params->auth_type = OSPF_AUTH_CRYPTOGRAPHIC;
- 		return CMD_SUCCESS;
+ 		UNSET_IF_PARAM(params, keychain_name);
 @@ -6971,6 +6990,11 @@ DEFUN (ip_ospf_message_digest_key,
         "The OSPF password (key)\n"
         "Address of interface\n")
@@ -58,6 +69,17 @@ diff --git a/isisd/isis_circuit.c b/isisd/isis_circuit.c
 index 81b4b39..cce33d9 100644
 --- a/isisd/isis_circuit.c
 +++ b/isisd/isis_circuit.c
+@@ -13,6 +13,10 @@
+ #include <netinet/if_ether.h>
+ #endif
+ 
++#ifdef CRYPTO_OPENSSL
++#include <openssl/fips.h>
++#endif
++
+ #include "log.h"
+ #include "memory.h"
+ #include "vrf.h"
 @@ -1318,6 +1318,10 @@ static int isis_circuit_passwd_set(struct isis_circuit *circuit,
  		return ferr_code_bug(
  			"circuit password too long (max 254 chars)");
@@ -73,6 +95,17 @@ diff --git a/isisd/isisd.c b/isisd/isisd.c
 index 419127c..a6c36af 100644
 --- a/isisd/isisd.c
 +++ b/isisd/isisd.c
+@@ -9,6 +9,10 @@
+ 
+ #include <zebra.h>
+ 
++#ifdef CRYPTO_OPENSSL
++#include <openssl/fips.h>
++#endif
++
+ #include "frrevent.h"
+ #include "vty.h"
+ #include "command.h"
 @@ -1638,6 +1638,10 @@ static int isis_area_passwd_set(struct isis_area *area, int level,
  		if (len > 254)
  			return -1;
@@ -88,6 +121,17 @@ diff --git a/ripd/rip_cli.c b/ripd/rip_cli.c
 index 5bb81ef..02a09ef 100644
 --- a/ripd/rip_cli.c
 +++ b/ripd/rip_cli.c
+@@ -7,6 +7,10 @@
+ 
+ #include <zebra.h>
+ 
++#ifdef CRYPTO_OPENSSL
++#include <openssl/fips.h>
++#endif
++
+ #include "if.h"
+ #include "if_rmap.h"
+ #include "vrf.h"
 @@ -796,6 +796,12 @@ DEFPY (ip_rip_authentication_mode,
  			value = "20";
  	}
@@ -101,15 +145,3 @@ index 5bb81ef..02a09ef 100644
  	nb_cli_enqueue_change(vty, "./authentication-scheme/mode", NB_OP_MODIFY,
  			      strmatch(mode, "md5") ? "md5" : "plain-text");
  	if (strmatch(mode, "md5"))
-diff --git a/lib/zebra.h b/lib/zebra.h
-index 53ae5b4..930307f 100644
---- a/lib/zebra.h
-+++ b/lib/zebra.h
-@@ -114,6 +114,7 @@
- #ifdef CRYPTO_OPENSSL
- #include <openssl/evp.h>
- #include <openssl/hmac.h>
-+#include <openssl/fips.h>
- #endif
-
- #include "openbsd-tree.h"

0005-remove-grpc-test.patch

@@ -2,12 +2,12 @@ diff --git a/tests/lib/subdir.am b/tests/lib/subdir.am
 index 7b5eaa4..5c82f69 100644
 --- a/tests/lib/subdir.am
 +++ b/tests/lib/subdir.am
-@@ -18,18 +18,6 @@ tests_lib_test_frrscript_SOURCES = tests/lib/test_frrscript.c
- EXTRA_DIST += tests/lib/test_frrscript.py
- 
+@@ -18,22 +18,6 @@ tests_lib_test_frrscript_SOURCES = tests/lib/test_frrscript.c
+ 	test -e tests/lib/script1.lua || \
+ 	$(INSTALL_SCRIPT) $< tests/lib/script1.lua
  
 -##############################################################################
--GRPC_TESTS_LDADD = staticd/libstatic.a grpc/libfrrgrpc_pb.la -lgrpc++ -lprotobuf $(ALL_TESTS_LDADD) $(LIBYANG_LIBS) -lm
+-GRPC_TESTS_LDADD = mgmtd/libmgmt_be_nb.la staticd/libstatic.a grpc/libfrrgrpc_pb.la $(GRPC_LIBS) $(ALL_TESTS_LDADD) $(LIBYANG_LIBS) -lm
 -
 -if GRPC
 -check_PROGRAMS += tests/lib/test_grpc
@@ -16,6 +16,10 @@ index 7b5eaa4..5c82f69 100644
 -tests_lib_test_grpc_CPPFLAGS = $(TESTS_CPPFLAGS)
 -tests_lib_test_grpc_LDADD = $(GRPC_TESTS_LDADD)
 -tests_lib_test_grpc_SOURCES = tests/lib/test_grpc.cpp
+-nodist_tests_lib_test_grpc_SOURCES = \
+-	yang/frr-bfdd.yang.c \
+-	yang/frr-staticd.yang.c \
+-	# end
 -
 -
  ##############################################################################

0006-autorp-segfault.patch

@@ -0,0 +1,41 @@
+From 37b88191fb4736ff0a1e565fc22003d0ab853ea2 Mon Sep 17 00:00:00 2001
+From: Donald Sharp <sharpd@nvidia.com>
+Date: Wed, 4 Dec 2024 10:47:33 -0500
+Subject: [PATCH] pimd: Prevent crash of pim when auto-rp's socket is not
+ initialized
+
+If the socket associated with the auto-rp fails to initialize then
+the memory for the auto-rp is just dropped on the floor.  Additionally
+any type of attempt at using the feature will just cause pimd to crash,
+when the pointer is derefed.  Since it is derefed all over the place
+without checking.
+
+Clearly if you cannot bind/use the socket let's allow continuation.
+
+Fixes: #17540
+Signed-off-by: Donald Sharp <sharpd@nvidia.com>
+---
+ pimd/pim_autorp.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/pimd/pim_autorp.c b/pimd/pim_autorp.c
+index 3fb10f4..91ed005 100644
+--- a/pimd/pim_autorp.c
++++ b/pimd/pim_autorp.c
+@@ -1014,12 +1014,14 @@ void pim_autorp_init(struct pim_instance *pim)
+ 	autorp->announce_interval = DEFAULT_ANNOUNCE_INTERVAL;
+ 	autorp->announce_holdtime = DEFAULT_ANNOUNCE_HOLDTIME;
+ 
++	pim->autorp = autorp;
++
+ 	if (!pim_autorp_socket_enable(autorp)) {
+-		zlog_err("%s: AutoRP failed to initialize", __func__);
++		zlog_err("%s: AutoRP failed to initialize, feature will not work correctly",
++				__func__);
+ 		return;
+ 	}
+ 
+-	pim->autorp = autorp;
+ 	if (PIM_DEBUG_AUTORP)
+ 		zlog_debug("%s: AutoRP Initialized", __func__);
+ 

frr.fc

@@ -6,24 +6,25 @@
 
 /var/log/frr(/.*)?              gen_context(system_u:object_r:frr_log_t,s0)
 /var/tmp/frr(/.*)?              gen_context(system_u:object_r:frr_tmp_t,s0)
+/var/lib/frr(/.*)?              gen_context(system_u:object_r:frr_var_lib_t,s0)
 
-/var/lock/subsys/bfdd       --  gen_context(system_u:object_r:frr_lock_t,s0)
-/var/lock/subsys/bgpd       --  gen_context(system_u:object_r:frr_lock_t,s0)
-/var/lock/subsys/eigrpd     --  gen_context(system_u:object_r:frr_lock_t,s0)
-/var/lock/subsys/fabricd    --  gen_context(system_u:object_r:frr_lock_t,s0)
-/var/lock/subsys/isisd      --  gen_context(system_u:object_r:frr_lock_t,s0)
-/var/lock/subsys/nhrpd      --  gen_context(system_u:object_r:frr_lock_t,s0)
-/var/lock/subsys/ospf6d     --  gen_context(system_u:object_r:frr_lock_t,s0)
-/var/lock/subsys/ospfd      --  gen_context(system_u:object_r:frr_lock_t,s0)
-/var/lock/subsys/pbrd       --  gen_context(system_u:object_r:frr_lock_t,s0)
-/var/lock/subsys/pimd       --  gen_context(system_u:object_r:frr_lock_t,s0)
-/var/lock/subsys/ripd       --  gen_context(system_u:object_r:frr_lock_t,s0)
-/var/lock/subsys/ripngd     --  gen_context(system_u:object_r:frr_lock_t,s0)
-/var/lock/subsys/staticd    --  gen_context(system_u:object_r:frr_lock_t,s0)
-/var/lock/subsys/zebra      --  gen_context(system_u:object_r:frr_lock_t,s0)
-/var/lock/subsys/vrrpd      --  gen_context(system_u:object_r:frr_lock_t,s0)
-/var/lock/subsys/pathd      --  gen_context(system_u:object_r:frr_lock_t,s0)
+/run/lock/subsys/bfdd       --  gen_context(system_u:object_r:frr_lock_t,s0)
+/run/lock/subsys/bgpd       --  gen_context(system_u:object_r:frr_lock_t,s0)
+/run/lock/subsys/eigrpd     --  gen_context(system_u:object_r:frr_lock_t,s0)
+/run/lock/subsys/fabricd    --  gen_context(system_u:object_r:frr_lock_t,s0)
+/run/lock/subsys/isisd      --  gen_context(system_u:object_r:frr_lock_t,s0)
+/run/lock/subsys/nhrpd      --  gen_context(system_u:object_r:frr_lock_t,s0)
+/run/lock/subsys/ospf6d     --  gen_context(system_u:object_r:frr_lock_t,s0)
+/run/lock/subsys/ospfd      --  gen_context(system_u:object_r:frr_lock_t,s0)
+/run/lock/subsys/pbrd       --  gen_context(system_u:object_r:frr_lock_t,s0)
+/run/lock/subsys/pimd       --  gen_context(system_u:object_r:frr_lock_t,s0)
+/run/lock/subsys/ripd       --  gen_context(system_u:object_r:frr_lock_t,s0)
+/run/lock/subsys/ripngd     --  gen_context(system_u:object_r:frr_lock_t,s0)
+/run/lock/subsys/staticd    --  gen_context(system_u:object_r:frr_lock_t,s0)
+/run/lock/subsys/zebra      --  gen_context(system_u:object_r:frr_lock_t,s0)
+/run/lock/subsys/vrrpd      --  gen_context(system_u:object_r:frr_lock_t,s0)
+/run/lock/subsys/pathd      --  gen_context(system_u:object_r:frr_lock_t,s0)
 
-/var/run/frr(/.*)?              gen_context(system_u:object_r:frr_var_run_t,s0)
+/run/frr(/.*)?              gen_context(system_u:object_r:frr_var_run_t,s0)
 
 /usr/bin/vtysh              --  gen_context(system_u:object_r:frr_exec_t,s0)

frr.if

@@ -160,3 +160,55 @@ interface(`frr_admin',`
 		systemd_read_fifo_file_passwd_run($1)
 	')
 ')
+
+########################################
+#
+# Interface compatibility blocks
+#
+# The following definitions ensure compatibility with distribution policy
+# versions that do not contain given interfaces (epel, or older Fedora
+# releases).
+# Each block tests for existence of given interface and defines it if needed.
+#
+
+######################################
+## <summary>
+##	Watch ifconfig_var_run_t directories
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+ifndef(`sysnet_watch_ifconfig_run_dirs',`
+	interface(`sysnet_watch_ifconfig_run_dirs',`
+		gen_require(`
+			type ifconfig_var_run_t;
+		')
+
+		watch_dirs_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
+	')
+')
+
+########################################
+## <summary>
+##	Read ifconfig_var_run_t files and link files
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+ifndef(`sysnet_read_ifconfig_run_files',`
+	interface(`sysnet_read_ifconfig_run_files',`
+		gen_require(`
+			type ifconfig_var_run_t;
+		')
+
+		list_dirs_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
+		read_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
+		read_lnk_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
+	')
+')

frr.spec

@@ -5,13 +5,15 @@
 %global _hardened_build 1
 %global selinuxtype targeted
 %define _legacy_common_support 1
-%bcond_without selinux
+
+%bcond grpc %{undefined rhel}
+%bcond selinux 1
 
 Name:           frr
-Version:        8.5.1
+Version:        10.3
 Release:        1%{?dist}
 Summary:        Routing daemon
-License:        GPLv2+
+License:        GPL-2.0-or-later AND ISC AND LGPL-2.0-or-later AND BSD-2-Clause AND BSD-3-Clause AND (GPL-2.0-or-later  OR ISC) AND MIT
 URL:            http://www.frrouting.org
 Source0:        https://github.com/FRRouting/frr/releases/download/%{name}-%{version}/%{name}-%{version}.tar.gz
 Source1:        %{name}-tmpfiles.conf
@@ -26,6 +28,7 @@ Patch0002:      0002-enable-openssl.patch
 Patch0003:      0003-disable-eigrp-crypto.patch
 Patch0004:      0004-fips-mode.patch
 Patch0005:      0005-remove-grpc-test.patch
+Patch0006:      0006-autorp-segfault.patch
 
 BuildRequires:  autoconf
 BuildRequires:  automake
@@ -36,8 +39,10 @@ BuildRequires:  gcc
 BuildRequires:  gcc-c++
 BuildRequires:  git-core
 BuildRequires:  groff
+%if %{with grpc}
 BuildRequires:  grpc-devel
 BuildRequires:  grpc-plugins
+%endif
 BuildRequires:  json-c-devel
 BuildRequires:  libcap-devel
 BuildRequires:  libtool
@@ -57,6 +62,7 @@ BuildRequires:  readline-devel
 BuildRequires:  systemd-devel
 BuildRequires:  systemd-rpm-macros
 BuildRequires:  texinfo
+BuildRequires:  protobuf-c-devel
 
 Requires:       ncurses
 Requires:       net-snmp
@@ -78,17 +84,18 @@ FRRouting is free software that manages TCP/IP based routing protocols. It takes
 a multi-server and multi-threaded approach to resolve the current complexity
 of the Internet.
 
-FRRouting supports BGP4, OSPFv2, OSPFv3, ISIS, RIP, RIPng, PIM, NHRP, PBR, EIGRP and BFD.
+FRRouting supports BGP4, OSPFv2, OSPFv3, ISIS, RIP, RIPng, PIM, NHRP, PBR,
+EIGRP and BFD.
 
 FRRouting is a fork of Quagga.
 
 %if 0%{?with_selinux}
 %package selinux
-Summary:	Selinux policy for FRR
-BuildArch:	noarch
-Requires:	selinux-policy-%{selinuxtype}
-Requires(post):	selinux-policy-%{selinuxtype}
-BuildRequires:	selinux-policy-devel
+Summary:  Selinux policy for FRR
+BuildArch:  noarch
+Requires:  selinux-policy-%{selinuxtype}
+Requires(post):  selinux-policy-%{selinuxtype}
+BuildRequires:  selinux-policy-devel
 %{?selinux_requires}
 
 %description selinux
@@ -101,6 +108,8 @@ SELinux policy modules for FRR package
 #Selinux
 mkdir selinux
 cp -p %{SOURCE3} %{SOURCE4} %{SOURCE5} selinux
+# C++14 or later needed for abseil-cpp 20230125; string_view needs C++17:
+sed -r -i 's/(AX_CXX_COMPILE_STDCXX\(\[)11(\])/\117\2/' configure.ac
 
 %build
 autoreconf -ivf
@@ -110,7 +119,7 @@ autoreconf -ivf
     --sysconfdir=%{_sysconfdir}/frr \
     --libdir=%{_libdir}/frr \
     --libexecdir=%{_libexecdir}/frr \
-    --localstatedir=/run/frr \
+    --localstatedir=/var \
     --enable-multipath=64 \
     --enable-vtysh=yes \
     --disable-ospfclient \
@@ -126,10 +135,11 @@ autoreconf -ivf
     --disable-ldpd \
     --disable-babeld \
     --with-moduledir=%{_libdir}/frr/modules \
+    --with-yangmodelsdir=%{_datadir}/frr-yang/ \
     --with-crypto=openssl \
     --with-vici-socket=/run/strongswan/charon.vici \
     --enable-fpm \
-    --enable-grpc
+    %{?with_grpc:--enable-grpc}
 
 %make_build MAKEINFO="makeinfo --no-split" PYTHON=%{__python3}
 
@@ -170,7 +180,7 @@ install -d -m 775 %{buildroot}/run/frr
 
 %if 0%{?with_selinux}
 install -D -m 644 selinux/%{name}.pp.bz2 \
-	%{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
+  %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
 install -D -m 644 selinux/%{name}.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/%{name}.if
 %endif
 
@@ -257,8 +267,8 @@ rm tests/lib/*grpc*
 %config(noreplace) %attr(644,frr,frr) %{_sysconfdir}/frr/daemons
 %config(noreplace) %{_sysconfdir}/pam.d/frr
 %{_unitdir}/*.service
-%dir %{_datadir}/yang
-%{_datadir}/yang/*.yang
+%dir %{_datadir}/frr-yang
+%{_datadir}/frr-yang/*.yang
 %{_tmpfilesdir}/%{name}.conf
 %{_sysusersdir}/%{name}.conf
 
@@ -270,12 +280,90 @@ rm tests/lib/*grpc*
 %endif
 
 %changelog
+* Thu Dec 05 2024 Michal Ruprich <mruprich@redhat.com> - 10.2-2
+- Resolves: rhbz#2329643 - upgrading frr to 10.2 causes pimd crashes
+
+* Fri Nov 22 2024 Michal Ruprich <mruprich@redhat.com> - 10.2-1
+- New version 10.2
+
+* Tue Sep 10 2024 Michal Ruprich <mruprich@redhat.com> - 10.1-4
+- Resolves: #2311119 - Multiple AVCs for accessing lib_t in FRR-10.1
+- Resolves: #2311120 - AVCs for using a netlink socket in FRR
+
+* Sun Aug 25 2024 Benjamin A. Beasley <code@musicinmybrain.net> - 10.1-3
+- Rebuilt for abseil-cpp-20240722.0
+
+* Thu Aug 15 2024 Michal Ruprich <mruprich@redhat.com> - 10.1-2
+- Rebuilding for the libre soname bump
+
+* Mon Aug 12 2024 Michal Ruprich <mruprich@redhat.com> - 10.1-1
+- New version 10.1
+
+* Wed Jul 31 2024 Michal Ruprich <mruprich@redhat.com> - 10.0.1-1
+- New version 10.0.1
+
+* Wed Jul 17 2024 Fedora Release Engineering <releng@fedoraproject.org> - 9.1-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
+
+* Wed Apr 17 2024 Michal Ruprich <mruprich@redhat.com> - 9.1-4
+- Moving yang modules to frr specific dir to avoid conflicts
+- Adding rpminspect.yaml
+
+* Sat Feb 24 2024 Paul Wouters <paul.wouters@aiven.io> - 9.1-3
+- Rebuild for libre2.so.11 bump
+
+* Sun Feb 04 2024 Benjamin A. Beasley <code@musicinmybrain.net> - 9.1-2
+- Rebuilt for abseil-cpp-20240116.0
+
+* Thu Jan 25 2024 Michal Ruprich <mruprich@redhat.com> - 9.1-1
+- New version 9.1
+
+* Wed Jan 24 2024 Fedora Release Engineering <releng@fedoraproject.org> - 9.0.1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Fri Jan 19 2024 Fedora Release Engineering <releng@fedoraproject.org> - 9.0.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Mon Oct 16 2023 Michal Ruprich <mruprich@redhat.com> - 9.0.1-1
+- New version 9.0.1
+
+* Fri Sep 01 2023 Michal Ruprich <mruprich@redhat.com> - 8.5.2-4
+- Adding a couple of SELinux rules, includes fix for rhbz#2149299
+
+* Wed Aug 30 2023 Benjamin A. Beasley <code@musicinmybrain.net> - 8.5.2-3
+- Rebuilt for abseil-cpp 20230802.0
+
+* Wed Jul 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 8.5.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Fri Jun 30 2023 Michal Ruprich <mruprich@redhat.com> - 8.5.2-1
+- New version 8.5.2
+- Fixing some rpmlint warnings
+
+* Mon Jun 26 2023 Michal Ruprich <mruprich@redhat.com> - 8.5.1-4
+- Resolves: #2216073 - SELinux is preventing FRR-Zebra to access to network namespaces.
+
+* Mon Jun 05 2023 Yaakov Selkowitz <yselkowi@redhat.com> - 8.5.1-3
+- Disable grpc in RHEL builds
+
+* Fri May 19 2023 Petr Pisar <ppisar@redhat.com> - 8.5.1-2
+- Rebuild against rpm-4.19 (https://fedoraproject.org/wiki/Changes/RPM-4.19)
+
 * Wed Apr 26 2023 Michal Ruprich <mruprich@redhat.com> - 8.5.1-1
 - New version 8.5.1
 
 * Wed Apr 12 2023 Michal Ruprich <mruprich@redhat.com> - 8.5-1
 - New version 8.5
 
+* Thu Mar 23 2023 Michal Ruprich <mruprich@redhat.com> - 8.4.2-5
+- Rebuilding for new abseil-cpp version
+
+* Wed Mar 22 2023 Michal Ruprich <mruprich@redhat.com> - 8.4.2-4
+- SPDX migration
+
+* Wed Mar 08 2023 Benjamin A. Beasley <code@musicinmybrain.net> - 8.4.2-3
+- Build as C++17, required by abseil-cpp 20230125
+
 * Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 8.4.2-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
 

frr.te

@@ -27,13 +27,21 @@ systemd_unit_file(frr_unit_file_t)
 type frr_var_run_t;
 files_pid_file(frr_var_run_t)
 
+type frr_var_lib_t;
+files_type(frr_var_lib_t)
+
 ########################################
 #
 # frr local policy
 #
-allow frr_t self:capability { chown dac_override dac_read_search kill net_bind_service net_raw setgid setuid net_admin };
+allow frr_t self:capability { chown dac_override dac_read_search kill net_bind_service net_raw setgid setuid net_admin sys_admin };
 allow frr_t self:netlink_route_socket rw_netlink_socket_perms;
-allow frr_t self:packet_socket { create setopt };
+allow frr_t self:netlink_generic_socket create;
+allow frr_t self:netlink_generic_socket setopt;
+allow frr_t self:netlink_generic_socket getopt;
+allow frr_t self:netlink_generic_socket getattr;
+allow frr_t self:netlink_generic_socket bind;
+allow frr_t self:packet_socket create_socket_perms;
 allow frr_t self:process { setcap setpgid };
 allow frr_t self:rawip_socket create_socket_perms;
 allow frr_t self:tcp_socket { connect connected_stream_socket_perms };
@@ -49,6 +57,10 @@ manage_files_pattern(frr_t, frr_log_t, frr_log_t)
 manage_lnk_files_pattern(frr_t, frr_log_t, frr_log_t)
 logging_log_filetrans(frr_t, frr_log_t, { dir file lnk_file })
 
+manage_dirs_pattern(frr_t, frr_var_lib_t, frr_var_lib_t)
+manage_files_pattern(frr_t, frr_var_lib_t, frr_var_lib_t)
+files_var_lib_filetrans(frr_t, frr_var_lib_t, { dir file })
+
 allow frr_t frr_tmp_t:file map;
 manage_dirs_pattern(frr_t, frr_tmp_t, frr_tmp_t)
 manage_files_pattern(frr_t, frr_tmp_t, frr_tmp_t)
@@ -70,6 +82,7 @@ can_exec(frr_t, frr_exec_t)
 kernel_read_network_state(frr_t)
 kernel_rw_net_sysctls(frr_t)
 kernel_read_system_state(frr_t)
+kernel_request_load_module(frr_t)
 
 auth_use_nsswitch(frr_t)
 
@@ -91,12 +104,18 @@ corenet_tcp_bind_qpasa_agent_port(frr_t)
 corenet_tcp_bind_smntubootstrap_port(frr_t)
 corenet_tcp_bind_versa_tek_port(frr_t)
 corenet_tcp_bind_zebra_port(frr_t)
+# general reserved port for pimd
+corenet_tcp_bind_reserved_port(frr_t)
 
 domain_use_interactive_fds(frr_t)
 
 fs_read_nsfs_files(frr_t)
 
 sysnet_exec_ifconfig(frr_t)
+sysnet_read_ifconfig_run_files(frr_t)
+sysnet_watch_ifconfig_run_dirs(frr_t)
+
+ipsec_domtrans_mgmt(frr_t)
 
 userdom_read_admin_home_files(frr_t)
 

rpminspect.yaml

@@ -0,0 +1,7 @@
+---
+runpath:
+    allowed_paths:
+        - /usr/lib64/frr
+        - /usr/lib/frr
+inspections:
+    badfuncs: off

sources

@@ -1,2 +1,2 @@
-SHA512 (frr-8.5.1.tar.gz) = 90da4900a178dbe0ddd763e3e39734cf720fe255a4b56563b8f9200276c5e01668d0cf7bae399b25dd4753d574866a87200d1fcf2d03a7421a81104129abd29c
+SHA512 (frr-10.2.tar.gz) = 40a0e1f1a7f2cc137aac6e838b2f865b93fdc1cd6bd0f6c5b15b4507cbff87cb60092682e45aca68633cb053fb2ce663386edb78e5d3c5f890f4666e871ab8c5
 SHA512 (remove-babeld-ldpd.sh) = a5bf67a3722cb20d43cef1dac28f839db68df73a1b7d34d8438e4f9366da3b67d85c1f44281f93434e8dd8ebcb2d3dc258b77eaa5627475b7395d207f020839d