From 9ad5e09eac085e2c5fe5b469069b2633c3be949f Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Mar 28 2023 10:05:57 +0000
Subject: import frr-8.3.1-5.el9


---

diff --git a/.frr.metadata b/.frr.metadata
index abe9af6..3464e39 100644
--- a/.frr.metadata
+++ b/.frr.metadata
@@ -1 +1,2 @@
-6998ebd94682163feb82ee3bed875a5a7740edac SOURCES/frr-8.2.2.tar.gz
+467835eb73a6018948fd667663ce68282cf6d16b SOURCES/frr-8.3.1.tar.gz
+e25979fad0e873cd0196e528cae570ba18c11a8f SOURCES/frr.if
diff --git a/.gitignore b/.gitignore
index fbfb7f3..9268eb3 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
-SOURCES/frr-8.2.2.tar.gz
+SOURCES/frr-8.3.1.tar.gz
+SOURCES/frr.if
diff --git a/SOURCES/0005-inactive-paths.patch b/SOURCES/0005-inactive-paths.patch
deleted file mode 100644
index 713500c..0000000
--- a/SOURCES/0005-inactive-paths.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-diff --git a/lib/routemap.c b/lib/routemap.c
-index 7f733c811..9afe18d10 100644
---- a/lib/routemap.c
-+++ b/lib/routemap.c
-@@ -1799,12 +1799,11 @@ static struct list *route_map_get_index_list(struct route_node **rn,
- /*
-  * This function returns the route-map index that best matches the prefix.
-  */
--static struct route_map_index *route_map_get_index(struct route_map *map,
--						   const struct prefix *prefix,
--						   void *object,
--						   uint8_t *match_ret)
-+static struct route_map_index *
-+route_map_get_index(struct route_map *map, const struct prefix *prefix,
-+		    void *object, enum route_map_cmd_result_t *match_ret)
- {
--	int ret = 0;
-+	enum route_map_cmd_result_t ret = RMAP_NOMATCH;
- 	struct list *candidate_rmap_list = NULL;
- 	struct route_node *rn = NULL;
- 	struct listnode *ln = NULL, *nn = NULL;
-@@ -2559,7 +2558,7 @@ route_map_result_t route_map_apply_ext(struct route_map *map,
- 	if ((!map->optimization_disabled)
- 	    && (map->ipv4_prefix_table || map->ipv6_prefix_table)) {
- 		index = route_map_get_index(map, prefix, match_object,
--					    (uint8_t *)&match_ret);
-+					    &match_ret);
- 		if (index) {
- 			index->applied++;
- 			if (rmap_debug)
diff --git a/SOURCES/0005-ospf-api.patch b/SOURCES/0005-ospf-api.patch
new file mode 100644
index 0000000..bd5bbcb
--- /dev/null
+++ b/SOURCES/0005-ospf-api.patch
@@ -0,0 +1,25 @@
+diff --git a/ospfd/ospf_spf.c b/ospfd/ospf_spf.c
+index 74a5674..aec9037 100644
+--- a/ospfd/ospf_spf.c
++++ b/ospfd/ospf_spf.c
+@@ -48,7 +48,10 @@
+ #include "ospfd/ospf_sr.h"
+ #include "ospfd/ospf_ti_lfa.h"
+ #include "ospfd/ospf_errors.h"
++
++#ifdef SUPPORT_OSPF_API
+ #include "ospfd/ospf_apiserver.h"
++#endif
+ 
+ /* Variables to ensure a SPF scheduled log message is printed only once */
+ 
+@@ -1897,7 +1900,9 @@ static void ospf_spf_calculate_schedule_worker(struct thread *thread)
+ 	/* Update all routers routing table */
+ 	ospf->oall_rtrs = ospf->all_rtrs;
+ 	ospf->all_rtrs = all_rtrs;
++#ifdef SUPPORT_OSPF_API
+ 	ospf_apiserver_notify_reachable(ospf->oall_rtrs, ospf->all_rtrs);
++#endif
+ 
+ 	/* Free old ABR/ASBR routing table */
+ 	if (ospf->old_rtrs)
diff --git a/SOURCES/0006-graceful-restart.patch b/SOURCES/0006-graceful-restart.patch
new file mode 100644
index 0000000..3c1cb44
--- /dev/null
+++ b/SOURCES/0006-graceful-restart.patch
@@ -0,0 +1,78 @@
+From 12f9f8472d0f8cfc026352906b8e5342df2846cc Mon Sep 17 00:00:00 2001
+From: Donatas Abraitis <donatas@opensourcerouting.org>
+Date: Tue, 27 Sep 2022 17:30:16 +0300
+Subject: [PATCH] bgpd: Do not send Deconfig/Shutdown message when restarting
+
+We might disable sending unconfig/shutdown notifications when
+Graceful-Restart is enabled and negotiated.
+
+Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
+---
+ bgpd/bgpd.c | 35 ++++++++++++++++++++++++++---------
+ 1 file changed, 26 insertions(+), 9 deletions(-)
+
+diff --git a/bgpd/bgpd.c b/bgpd/bgpd.c
+index 749e46ebe9d..ae1308db423 100644
+--- a/bgpd/bgpd.c
++++ b/bgpd/bgpd.c
+@@ -2755,11 +2755,34 @@ int peer_group_remote_as(struct bgp *bgp, const char *group_name, as_t *as,
+ 
+ void peer_notify_unconfig(struct peer *peer)
+ {
++	if (BGP_PEER_GRACEFUL_RESTART_CAPABLE(peer)) {
++		if (bgp_debug_neighbor_events(peer))
++			zlog_debug(
++				"%pBP configured Graceful-Restart, skipping unconfig notification",
++				peer);
++		return;
++	}
++
+ 	if (BGP_IS_VALID_STATE_FOR_NOTIF(peer->status))
+ 		bgp_notify_send(peer, BGP_NOTIFY_CEASE,
+ 				BGP_NOTIFY_CEASE_PEER_UNCONFIG);
+ }
+ 
++static void peer_notify_shutdown(struct peer *peer)
++{
++	if (BGP_PEER_GRACEFUL_RESTART_CAPABLE(peer)) {
++		if (bgp_debug_neighbor_events(peer))
++			zlog_debug(
++				"%pBP configured Graceful-Restart, skipping shutdown notification",
++				peer);
++		return;
++	}
++
++	if (BGP_IS_VALID_STATE_FOR_NOTIF(peer->status))
++		bgp_notify_send(peer, BGP_NOTIFY_CEASE,
++				BGP_NOTIFY_CEASE_ADMIN_SHUTDOWN);
++}
++
+ void peer_group_notify_unconfig(struct peer_group *group)
+ {
+ 	struct peer *peer, *other;
+@@ -3676,11 +3699,8 @@ int bgp_delete(struct bgp *bgp)
+ 	}
+ 
+ 	/* Inform peers we're going down. */
+-	for (ALL_LIST_ELEMENTS(bgp->peer, node, next, peer)) {
+-		if (BGP_IS_VALID_STATE_FOR_NOTIF(peer->status))
+-			bgp_notify_send(peer, BGP_NOTIFY_CEASE,
+-					BGP_NOTIFY_CEASE_ADMIN_SHUTDOWN);
+-	}
++	for (ALL_LIST_ELEMENTS(bgp->peer, node, next, peer))
++		peer_notify_shutdown(peer);
+ 
+ 	/* Delete static routes (networks). */
+ 	bgp_static_delete(bgp);
+@@ -8252,10 +8272,7 @@ void bgp_terminate(void)
+ 
+ 	for (ALL_LIST_ELEMENTS(bm->bgp, mnode, mnnode, bgp))
+ 		for (ALL_LIST_ELEMENTS(bgp->peer, node, nnode, peer))
+-			if (peer_established(peer) || peer->status == OpenSent
+-			    || peer->status == OpenConfirm)
+-				bgp_notify_send(peer, BGP_NOTIFY_CEASE,
+-						BGP_NOTIFY_CEASE_PEER_UNCONFIG);
++			peer_notify_unconfig(peer);
+ 
+ 	BGP_TIMER_OFF(bm->t_rmap_update);
+ 
diff --git a/SOURCES/0007-cve-2022-37032.patch b/SOURCES/0007-cve-2022-37032.patch
new file mode 100644
index 0000000..4899c72
--- /dev/null
+++ b/SOURCES/0007-cve-2022-37032.patch
@@ -0,0 +1,32 @@
+From ff6db1027f8f36df657ff2e5ea167773752537ed Mon Sep 17 00:00:00 2001
+From: Donald Sharp <sharpd@nvidia.com>
+Date: Thu, 21 Jul 2022 08:11:58 -0400
+Subject: [PATCH] bgpd: Make sure hdr length is at a minimum of what is
+ expected
+
+Ensure that if the capability length specified is enough data.
+
+Signed-off-by: Donald Sharp <sharpd@nvidia.com>
+---
+ bgpd/bgp_packet.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
+index dbf6c0b2e99..45752a8ab6d 100644
+--- a/bgpd/bgp_packet.c
++++ b/bgpd/bgp_packet.c
+@@ -2620,6 +2620,14 @@ static int bgp_capability_msg_parse(struct peer *peer, uint8_t *pnt,
+ 				"%s CAPABILITY has action: %d, code: %u, length %u",
+ 				peer->host, action, hdr->code, hdr->length);
+ 
++		if (hdr->length < sizeof(struct capability_mp_data)) {
++			zlog_info(
++				"%pBP Capability structure is not properly filled out, expected at least %zu bytes but header length specified is %d",
++				peer, sizeof(struct capability_mp_data),
++				hdr->length);
++			return BGP_Stop;
++		}
++
+ 		/* Capability length check. */
+ 		if ((pnt + hdr->length + 3) > end) {
+ 			zlog_info("%s Capability length error", peer->host);
diff --git a/SOURCES/0008-frr-non-root-user.patch b/SOURCES/0008-frr-non-root-user.patch
new file mode 100644
index 0000000..6a0803c
--- /dev/null
+++ b/SOURCES/0008-frr-non-root-user.patch
@@ -0,0 +1,67 @@
+From 1d42fb941af17a29346b2af03338f8e18470f009 Mon Sep 17 00:00:00 2001
+From: Michal Ruprich <michalruprich@gmail.com>
+Date: Tue, 22 Nov 2022 12:38:05 +0100
+Subject: [PATCH] tools: Enable start of FRR for non-root user
+
+There might be use cases when this would make sense, for example
+running FRR in a container as a designated user.
+
+Signed-off-by: Michal Ruprich <mruprich@redhat.com>
+---
+ tools/etc/frr/daemons | 5 +++++
+ tools/frrcommon.sh.in | 4 ++++
+ 2 files changed, 9 insertions(+)
+
+diff --git a/tools/etc/frr/daemons b/tools/etc/frr/daemons
+index 8aa08871e35..2427bfff777 100644
+--- a/tools/etc/frr/daemons
++++ b/tools/etc/frr/daemons
+@@ -91,6 +91,12 @@ pathd_options="  -A 127.0.0.1"
+ # say BGP.
+ #MAX_FDS=1024
+ 
++# Uncomment this option if you want to run FRR as a non-root user. Note that
++# you should know what you are doing since most of the daemons need root
++# to work. This could be useful if you want to run FRR in a container
++# for instance.
++# FRR_NO_ROOT="yes"
++
+ # The list of daemons to watch is automatically generated by the init script.
+ #watchfrr_options=""
+ 
+diff --git a/tools/frrcommon.sh.in b/tools/frrcommon.sh.in
+index 3c16c27c6df..4f095a176e4 100755
+--- a/tools/frrcommon.sh.in
++++ b/tools/frrcommon.sh.in
+@@ -43,6 +43,10 @@ RELOAD_SCRIPT="$D_PATH/frr-reload.py"
+ #
+ 
+ is_user_root () {
++	if [[ ! -z $FRR_NO_ROOT  &&  "${FRR_NO_ROOT}" == "yes" ]]; then
++		return 0
++	fi
++
+ 	[ "${EUID:-$(id -u)}" -eq 0 ] || {
+ 		log_failure_msg "Only users having EUID=0 can start/stop daemons"
+ 		return 1
+diff --git a/doc/user/setup.rst b/doc/user/setup.rst
+index 25934df..51ffd32 100644
+--- a/doc/user/setup.rst
++++ b/doc/user/setup.rst
+@@ -114,6 +114,16 @@ most operating systems is 1024.  If the operator plans to run bgp with
+ several thousands of peers than this is where we would modify FRR to
+ allow this to happen.
+ 
++::
++
++  FRR_NO_ROOT="yes"
++
++This option allows you to run FRR as a non-root user. Use this option
++only when you know what you are doing since most of the daemons
++in FRR will not be able to run under a regular user. This option
++is useful for example when you run FRR in a container with a designated
++user instead of root.
++
+ ::
+ 
+    zebra_options=" -s 90000000 --daemon -A 127.0.0.1"
diff --git a/SOURCES/frr.fc b/SOURCES/frr.fc
new file mode 100644
index 0000000..a6eac2c
--- /dev/null
+++ b/SOURCES/frr.fc
@@ -0,0 +1,29 @@
+/usr/libexec/frr/(.*)?              gen_context(system_u:object_r:frr_exec_t,s0)
+
+/usr/lib/systemd/system/frr.*   gen_context(system_u:object_r:frr_unit_file_t,s0)
+
+/etc/frr(/.*)?                  gen_context(system_u:object_r:frr_conf_t,s0)
+
+/var/log/frr(/.*)?              gen_context(system_u:object_r:frr_log_t,s0)
+/var/tmp/frr(/.*)?              gen_context(system_u:object_r:frr_tmp_t,s0)
+
+/var/lock/subsys/bfdd       --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/bgpd       --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/eigrpd     --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/fabricd    --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/isisd      --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/nhrpd      --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/ospf6d     --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/ospfd      --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/pbrd       --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/pimd       --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/ripd       --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/ripngd     --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/staticd    --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/zebra      --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/vrrpd      --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/pathd      --  gen_context(system_u:object_r:frr_lock_t,s0)
+
+/var/run/frr(/.*)?              gen_context(system_u:object_r:frr_var_run_t,s0)
+
+/usr/bin/vtysh              --  gen_context(system_u:object_r:frr_exec_t,s0)
diff --git a/SOURCES/frr.te b/SOURCES/frr.te
new file mode 100644
index 0000000..0178c2a
--- /dev/null
+++ b/SOURCES/frr.te
@@ -0,0 +1,123 @@
+policy_module(frr, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type frr_t;
+type frr_exec_t;
+init_daemon_domain(frr_t, frr_exec_t)
+
+type frr_log_t;
+logging_log_file(frr_log_t)
+
+type frr_tmp_t;
+files_tmp_file(frr_tmp_t)
+
+type frr_lock_t;
+files_lock_file(frr_lock_t)
+
+type frr_conf_t;
+files_config_file(frr_conf_t)
+
+type frr_unit_file_t;
+systemd_unit_file(frr_unit_file_t)
+
+type frr_var_run_t;
+files_pid_file(frr_var_run_t)
+
+########################################
+#
+# frr local policy
+#
+allow frr_t self:capability { chown dac_override dac_read_search kill net_bind_service net_raw setgid setuid net_admin };
+allow frr_t self:netlink_route_socket rw_netlink_socket_perms;
+allow frr_t self:packet_socket create;
+allow frr_t self:process { setcap setpgid };
+allow frr_t self:rawip_socket create_socket_perms;
+allow frr_t self:tcp_socket { connect connected_stream_socket_perms };
+allow frr_t self:udp_socket create_socket_perms;
+allow frr_t self:unix_stream_socket connectto;
+
+allow frr_t frr_conf_t:dir list_dir_perms;
+manage_files_pattern(frr_t, frr_conf_t, frr_conf_t)
+read_lnk_files_pattern(frr_t, frr_conf_t, frr_conf_t)
+
+manage_dirs_pattern(frr_t, frr_log_t, frr_log_t)
+manage_files_pattern(frr_t, frr_log_t, frr_log_t)
+manage_lnk_files_pattern(frr_t, frr_log_t, frr_log_t)
+logging_log_filetrans(frr_t, frr_log_t, { dir file lnk_file })
+
+allow frr_t frr_tmp_t:file map;
+manage_dirs_pattern(frr_t, frr_tmp_t, frr_tmp_t)
+manage_files_pattern(frr_t, frr_tmp_t, frr_tmp_t)
+files_tmp_filetrans(frr_t, frr_tmp_t, { file dir })
+
+manage_files_pattern(frr_t, frr_lock_t, frr_lock_t)
+manage_lnk_files_pattern(frr_t, frr_lock_t, frr_lock_t)
+files_lock_filetrans(frr_t, frr_lock_t, { file lnk_file })
+
+manage_dirs_pattern(frr_t, frr_var_run_t, frr_var_run_t)
+manage_files_pattern(frr_t, frr_var_run_t, frr_var_run_t)
+manage_lnk_files_pattern(frr_t, frr_var_run_t, frr_var_run_t)
+manage_sock_files_pattern(frr_t, frr_var_run_t, frr_var_run_t)
+files_pid_filetrans(frr_t, frr_var_run_t, { dir file lnk_file })
+
+allow frr_t frr_exec_t:dir search_dir_perms;
+can_exec(frr_t, frr_exec_t)
+
+kernel_read_network_state(frr_t)
+kernel_rw_net_sysctls(frr_t)
+kernel_read_system_state(frr_t)
+
+auth_use_nsswitch(frr_t)
+
+corecmd_exec_bin(frr_t)
+
+corenet_tcp_bind_appswitch_emp_port(frr_t)
+corenet_udp_bind_bfd_control_port(frr_t)
+corenet_udp_bind_bfd_echo_port(frr_t)
+corenet_tcp_bind_bgp_port(frr_t)
+corenet_tcp_connect_bgp_port(frr_t)
+corenet_udp_bind_all_unreserved_ports(frr_t);
+corenet_tcp_bind_generic_port(frr_t)
+corenet_tcp_bind_firepower_port(frr_t)
+corenet_tcp_bind_priority_e_com_port(frr_t)
+corenet_udp_bind_router_port(frr_t)
+corenet_tcp_bind_qpasa_agent_port(frr_t)
+corenet_tcp_bind_smntubootstrap_port(frr_t)
+corenet_tcp_bind_versa_tek_port(frr_t)
+corenet_tcp_bind_zebra_port(frr_t)
+
+domain_use_interactive_fds(frr_t)
+
+fs_read_nsfs_files(frr_t)
+
+sysnet_exec_ifconfig(frr_t)
+
+userdom_read_admin_home_files(frr_t)
+
+init_signal(frr_t)
+unconfined_server_signull(frr_t)
+allow frr_t unconfined_service_t:process signal;
+
+optional_policy(`
+	logging_send_syslog_msg(frr_t)
+')
+
+optional_policy(`
+	modutils_exec_kmod(frr_t)
+	modutils_getattr_module_deps(frr_t)
+	modutils_read_module_config(frr_t)
+	modutils_read_module_deps_files(frr_t)
+')
+
+optional_policy(`
+	networkmanager_read_state(frr_t)
+')
+
+optional_policy(`
+	userdom_admin_home_dir_filetrans(frr_t, frr_conf_t, file, ".history_frr")
+	userdom_inherit_append_admin_home_files(frr_t, frr_conf_t, file, ".history_frr")
+')
diff --git a/SOURCES/remove-babeld-ldpd.sh b/SOURCES/remove-babeld-ldpd.sh
new file mode 100644
index 0000000..ae76a45
--- /dev/null
+++ b/SOURCES/remove-babeld-ldpd.sh
@@ -0,0 +1,16 @@
+#!/bin/sh
+#this script is used to remove babled and ldpd from the tar sources
+#Usage: sh remove-babeld-ldpd.sh <VERSION>
+#Example: sh remove-babeld-ldpd.sh 7.3.1 - this is for frr-7.3.1.tar.gz file
+
+VERSION=$1
+TAR=frr-${VERSION}.tar.gz
+DIR=frr-${VERSION}
+
+echo ${VERSION}
+echo ${TAR}
+echo ${DIR}
+
+tar -xzf ${TAR}
+rm -rf ${DIR}/babeld ${DIR}/ldpd
+tar -czf ${TAR} ${DIR}
diff --git a/SPECS/frr.spec b/SPECS/frr.spec
index dc1f060..3c7dbfc 100644
--- a/SPECS/frr.spec
+++ b/SPECS/frr.spec
@@ -2,16 +2,22 @@
 
 %global _hardened_build 1
 %define _legacy_common_support 1
+%global selinuxtype targeted
+%bcond_without selinux
 
 Name: frr
-Version: 8.2.2
-Release: 4%{?checkout}%{?dist}
+Version: 8.3.1
+Release: 5%{?checkout}%{?dist}
 Summary: Routing daemon
 License: GPLv2+
 URL: http://www.frrouting.org
 Source0: https://github.com/FRRouting/frr/releases/download/%{name}-%{version}/%{name}-%{version}.tar.gz
 Source1: %{name}-tmpfiles.conf
 Source2: frr-sysusers.conf
+Source3: frr.fc
+Source4: frr.te
+Source5: frr.if
+Source6: remove-babeld-ldpd.sh
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  bison >= 2.7
@@ -49,6 +55,11 @@ Requires(post): hostname
 Requires(preun): systemd
 Requires(preun): /sbin/install-info
 Requires(postun): systemd
+
+%if 0%{?with_selinux}
+Requires: (%{name}-selinux = %{version}-%{release} if selinux-policy-%{selinuxtype})
+%endif
+
 Conflicts: quagga
 Provides: routingdaemon = %{version}-%{release}
 
@@ -56,7 +67,10 @@ Patch0000: 0000-remove-babeld-and-ldpd.patch
 Patch0002: 0002-enable-openssl.patch
 Patch0003: 0003-disable-eigrp-crypto.patch
 Patch0004: 0004-fips-mode.patch
-Patch0005: 0005-inactive-paths.patch
+Patch0005: 0005-ospf-api.patch
+Patch0006: 0006-graceful-restart.patch
+Patch0007: 0007-cve-2022-37032.patch
+Patch0008: 0008-frr-non-root-user.patch
 
 %description
 FRRouting is free software that manages TCP/IP based routing protocols. It takes
@@ -67,8 +81,24 @@ FRRouting supports BGP4, OSPFv2, OSPFv3, ISIS, RIP, RIPng, PIM, NHRP, PBR, EIGRP
 
 FRRouting is a fork of Quagga.
 
+%if 0%{?with_selinux}
+%package selinux
+Summary:        Selinux policy for FRR
+BuildArch:      noarch
+Requires:       selinux-policy-%{selinuxtype}
+Requires(post): selinux-policy-%{selinuxtype}
+BuildRequires:  selinux-policy-devel
+%{?selinux_requires}
+
+%description selinux
+SELinux policy modules for FRR package
+
+%endif
+
 %prep
 %autosetup -S git
+mkdir selinux
+cp -p %{SOURCE3} %{SOURCE4} %{SOURCE5} selinux
 
 %build
 autoreconf -ivf
@@ -103,6 +133,11 @@ pushd doc
 make info
 popd
 
+%if 0%{?with_selinux}
+make -C selinux -f %{_datadir}/selinux/devel/Makefile %{name}.pp
+bzip2 -9 selinux/%{name}.pp
+%endif
+
 %install
 mkdir -p %{buildroot}/etc/{frr,rc.d/init.d,sysconfig,logrotate.d,pam.d,default} \
          %{buildroot}/var/log/frr %{buildroot}%{_infodir} \
@@ -129,6 +164,12 @@ install -d -m 775 %{buildroot}/run/frr
 
 install -p -D -m 0644 %{SOURCE2} ${RPM_BUILD_ROOT}/%{_sysusersdir}/frr.conf
 
+%if 0%{?with_selinux}
+install -D -m 644 selinux/%{name}.pp.bz2 \
+        %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
+install -D -m 644 selinux/%{name}.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/%{name}.if
+%endif
+
 # Delete libtool archives
 find %{buildroot} -type f -name "*.la" -delete -print
 
@@ -179,6 +220,26 @@ if [ $1 -eq 0 ]; then
 	fi
 fi
 
+%if 0%{?with_selinux}
+%pre selinux
+%selinux_relabel_pre -s %{selinuxtype}
+
+%post selinux
+%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
+%selinux_relabel_post -s %{selinuxtype}
+#/var/tmp and /var/run need to be relabeled as well if FRR is running before upgrade
+if [ $1 == 2 ]; then
+    %{_sbindir}/restorecon -R /var/tmp/frr &> /dev/null
+    %{_sbindir}/restorecon -R /var/run/frr &> /dev/null
+fi
+
+%postun selinux
+if [ $1 -eq 0 ]; then
+    %selinux_modules_uninstall -s %{selinuxtype} %{name}
+    %selinux_relabel_post -s %{selinuxtype}
+fi
+%endif
+
 %check
 make check PYTHON=%{__python3}
 
@@ -207,7 +268,31 @@ make check PYTHON=%{__python3}
 %{_tmpfilesdir}/%{name}.conf
 %{_sysusersdir}/frr.conf
 
+%if 0%{?with_selinux}
+%files selinux
+%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.*
+%{_datadir}/selinux/devel/include/distributed/%{name}.if
+%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name}
+%endif
+
 %changelog
+* Mon Nov 28 2022 Michal Ruprich <mruprich@redhat.com> - 8.3.1-5
+- Resolves: #2147522 - It is not possible to run FRR as a non-root user
+
+* Thu Nov 24 2022 Michal Ruprich <mruprich@redhat.com> - 8.3.1-4
+- Resolves: #2144500 - AVC error when reloading FRR with provided reload script
+
+* Wed Oct 19 2022 Michal Ruprich <mruprich@redhat.com> - 8.3.1-3
+- Related: #2129743 - Adding missing rules for vtysh and other daemons
+
+* Mon Oct 17 2022 Michal Ruprich <mruprich@redhat.com> - 8.3.1-2
+- Resolves: #2128738 - out-of-bounds read in the BGP daemon may lead to information disclosure or denial of service
+
+* Thu Oct 13 2022 Michal Ruprich <mruprich@redhat.com> - 8.3.1-1
+- Resolves: #2129731 - Rebase FRR to the latest version
+- Resolves: #2129743 - Add targeted SELinux policy for FRR
+- Resolves: #2127494 - BGP incorrectly withdraws routes on graceful restart capable routers 
+
 * Tue Jun 14 2022 Michal Ruprich - 8.2.2-4
 - Resolves: #2095404 - frr use systemd-sysusers