diff --git a/.frr.metadata b/.frr.metadata index abe9af6..3464e39 100644 --- a/.frr.metadata +++ b/.frr.metadata @@ -1 +1,2 @@ -6998ebd94682163feb82ee3bed875a5a7740edac SOURCES/frr-8.2.2.tar.gz +467835eb73a6018948fd667663ce68282cf6d16b SOURCES/frr-8.3.1.tar.gz +e25979fad0e873cd0196e528cae570ba18c11a8f SOURCES/frr.if diff --git a/.gitignore b/.gitignore index fbfb7f3..9268eb3 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,2 @@ -SOURCES/frr-8.2.2.tar.gz +SOURCES/frr-8.3.1.tar.gz +SOURCES/frr.if diff --git a/SOURCES/0005-inactive-paths.patch b/SOURCES/0005-inactive-paths.patch deleted file mode 100644 index 713500c..0000000 --- a/SOURCES/0005-inactive-paths.patch +++ /dev/null @@ -1,30 +0,0 @@ -diff --git a/lib/routemap.c b/lib/routemap.c -index 7f733c811..9afe18d10 100644 ---- a/lib/routemap.c -+++ b/lib/routemap.c -@@ -1799,12 +1799,11 @@ static struct list *route_map_get_index_list(struct route_node **rn, - /* - * This function returns the route-map index that best matches the prefix. - */ --static struct route_map_index *route_map_get_index(struct route_map *map, -- const struct prefix *prefix, -- void *object, -- uint8_t *match_ret) -+static struct route_map_index * -+route_map_get_index(struct route_map *map, const struct prefix *prefix, -+ void *object, enum route_map_cmd_result_t *match_ret) - { -- int ret = 0; -+ enum route_map_cmd_result_t ret = RMAP_NOMATCH; - struct list *candidate_rmap_list = NULL; - struct route_node *rn = NULL; - struct listnode *ln = NULL, *nn = NULL; -@@ -2559,7 +2558,7 @@ route_map_result_t route_map_apply_ext(struct route_map *map, - if ((!map->optimization_disabled) - && (map->ipv4_prefix_table || map->ipv6_prefix_table)) { - index = route_map_get_index(map, prefix, match_object, -- (uint8_t *)&match_ret); -+ &match_ret); - if (index) { - index->applied++; - if (rmap_debug) diff --git a/SOURCES/0005-ospf-api.patch b/SOURCES/0005-ospf-api.patch new file mode 100644 index 0000000..bd5bbcb --- /dev/null +++ b/SOURCES/0005-ospf-api.patch @@ -0,0 +1,25 @@ +diff --git a/ospfd/ospf_spf.c b/ospfd/ospf_spf.c +index 74a5674..aec9037 100644 +--- a/ospfd/ospf_spf.c ++++ b/ospfd/ospf_spf.c +@@ -48,7 +48,10 @@ + #include "ospfd/ospf_sr.h" + #include "ospfd/ospf_ti_lfa.h" + #include "ospfd/ospf_errors.h" ++ ++#ifdef SUPPORT_OSPF_API + #include "ospfd/ospf_apiserver.h" ++#endif + + /* Variables to ensure a SPF scheduled log message is printed only once */ + +@@ -1897,7 +1900,9 @@ static void ospf_spf_calculate_schedule_worker(struct thread *thread) + /* Update all routers routing table */ + ospf->oall_rtrs = ospf->all_rtrs; + ospf->all_rtrs = all_rtrs; ++#ifdef SUPPORT_OSPF_API + ospf_apiserver_notify_reachable(ospf->oall_rtrs, ospf->all_rtrs); ++#endif + + /* Free old ABR/ASBR routing table */ + if (ospf->old_rtrs) diff --git a/SOURCES/0006-graceful-restart.patch b/SOURCES/0006-graceful-restart.patch new file mode 100644 index 0000000..3c1cb44 --- /dev/null +++ b/SOURCES/0006-graceful-restart.patch @@ -0,0 +1,78 @@ +From 12f9f8472d0f8cfc026352906b8e5342df2846cc Mon Sep 17 00:00:00 2001 +From: Donatas Abraitis +Date: Tue, 27 Sep 2022 17:30:16 +0300 +Subject: [PATCH] bgpd: Do not send Deconfig/Shutdown message when restarting + +We might disable sending unconfig/shutdown notifications when +Graceful-Restart is enabled and negotiated. + +Signed-off-by: Donatas Abraitis +--- + bgpd/bgpd.c | 35 ++++++++++++++++++++++++++--------- + 1 file changed, 26 insertions(+), 9 deletions(-) + +diff --git a/bgpd/bgpd.c b/bgpd/bgpd.c +index 749e46ebe9d..ae1308db423 100644 +--- a/bgpd/bgpd.c ++++ b/bgpd/bgpd.c +@@ -2755,11 +2755,34 @@ int peer_group_remote_as(struct bgp *bgp, const char *group_name, as_t *as, + + void peer_notify_unconfig(struct peer *peer) + { ++ if (BGP_PEER_GRACEFUL_RESTART_CAPABLE(peer)) { ++ if (bgp_debug_neighbor_events(peer)) ++ zlog_debug( ++ "%pBP configured Graceful-Restart, skipping unconfig notification", ++ peer); ++ return; ++ } ++ + if (BGP_IS_VALID_STATE_FOR_NOTIF(peer->status)) + bgp_notify_send(peer, BGP_NOTIFY_CEASE, + BGP_NOTIFY_CEASE_PEER_UNCONFIG); + } + ++static void peer_notify_shutdown(struct peer *peer) ++{ ++ if (BGP_PEER_GRACEFUL_RESTART_CAPABLE(peer)) { ++ if (bgp_debug_neighbor_events(peer)) ++ zlog_debug( ++ "%pBP configured Graceful-Restart, skipping shutdown notification", ++ peer); ++ return; ++ } ++ ++ if (BGP_IS_VALID_STATE_FOR_NOTIF(peer->status)) ++ bgp_notify_send(peer, BGP_NOTIFY_CEASE, ++ BGP_NOTIFY_CEASE_ADMIN_SHUTDOWN); ++} ++ + void peer_group_notify_unconfig(struct peer_group *group) + { + struct peer *peer, *other; +@@ -3676,11 +3699,8 @@ int bgp_delete(struct bgp *bgp) + } + + /* Inform peers we're going down. */ +- for (ALL_LIST_ELEMENTS(bgp->peer, node, next, peer)) { +- if (BGP_IS_VALID_STATE_FOR_NOTIF(peer->status)) +- bgp_notify_send(peer, BGP_NOTIFY_CEASE, +- BGP_NOTIFY_CEASE_ADMIN_SHUTDOWN); +- } ++ for (ALL_LIST_ELEMENTS(bgp->peer, node, next, peer)) ++ peer_notify_shutdown(peer); + + /* Delete static routes (networks). */ + bgp_static_delete(bgp); +@@ -8252,10 +8272,7 @@ void bgp_terminate(void) + + for (ALL_LIST_ELEMENTS(bm->bgp, mnode, mnnode, bgp)) + for (ALL_LIST_ELEMENTS(bgp->peer, node, nnode, peer)) +- if (peer_established(peer) || peer->status == OpenSent +- || peer->status == OpenConfirm) +- bgp_notify_send(peer, BGP_NOTIFY_CEASE, +- BGP_NOTIFY_CEASE_PEER_UNCONFIG); ++ peer_notify_unconfig(peer); + + BGP_TIMER_OFF(bm->t_rmap_update); + diff --git a/SOURCES/0007-cve-2022-37032.patch b/SOURCES/0007-cve-2022-37032.patch new file mode 100644 index 0000000..4899c72 --- /dev/null +++ b/SOURCES/0007-cve-2022-37032.patch @@ -0,0 +1,32 @@ +From ff6db1027f8f36df657ff2e5ea167773752537ed Mon Sep 17 00:00:00 2001 +From: Donald Sharp +Date: Thu, 21 Jul 2022 08:11:58 -0400 +Subject: [PATCH] bgpd: Make sure hdr length is at a minimum of what is + expected + +Ensure that if the capability length specified is enough data. + +Signed-off-by: Donald Sharp +--- + bgpd/bgp_packet.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c +index dbf6c0b2e99..45752a8ab6d 100644 +--- a/bgpd/bgp_packet.c ++++ b/bgpd/bgp_packet.c +@@ -2620,6 +2620,14 @@ static int bgp_capability_msg_parse(struct peer *peer, uint8_t *pnt, + "%s CAPABILITY has action: %d, code: %u, length %u", + peer->host, action, hdr->code, hdr->length); + ++ if (hdr->length < sizeof(struct capability_mp_data)) { ++ zlog_info( ++ "%pBP Capability structure is not properly filled out, expected at least %zu bytes but header length specified is %d", ++ peer, sizeof(struct capability_mp_data), ++ hdr->length); ++ return BGP_Stop; ++ } ++ + /* Capability length check. */ + if ((pnt + hdr->length + 3) > end) { + zlog_info("%s Capability length error", peer->host); diff --git a/SOURCES/0008-frr-non-root-user.patch b/SOURCES/0008-frr-non-root-user.patch new file mode 100644 index 0000000..6a0803c --- /dev/null +++ b/SOURCES/0008-frr-non-root-user.patch @@ -0,0 +1,67 @@ +From 1d42fb941af17a29346b2af03338f8e18470f009 Mon Sep 17 00:00:00 2001 +From: Michal Ruprich +Date: Tue, 22 Nov 2022 12:38:05 +0100 +Subject: [PATCH] tools: Enable start of FRR for non-root user + +There might be use cases when this would make sense, for example +running FRR in a container as a designated user. + +Signed-off-by: Michal Ruprich +--- + tools/etc/frr/daemons | 5 +++++ + tools/frrcommon.sh.in | 4 ++++ + 2 files changed, 9 insertions(+) + +diff --git a/tools/etc/frr/daemons b/tools/etc/frr/daemons +index 8aa08871e35..2427bfff777 100644 +--- a/tools/etc/frr/daemons ++++ b/tools/etc/frr/daemons +@@ -91,6 +91,12 @@ pathd_options=" -A 127.0.0.1" + # say BGP. + #MAX_FDS=1024 + ++# Uncomment this option if you want to run FRR as a non-root user. Note that ++# you should know what you are doing since most of the daemons need root ++# to work. This could be useful if you want to run FRR in a container ++# for instance. ++# FRR_NO_ROOT="yes" ++ + # The list of daemons to watch is automatically generated by the init script. + #watchfrr_options="" + +diff --git a/tools/frrcommon.sh.in b/tools/frrcommon.sh.in +index 3c16c27c6df..4f095a176e4 100755 +--- a/tools/frrcommon.sh.in ++++ b/tools/frrcommon.sh.in +@@ -43,6 +43,10 @@ RELOAD_SCRIPT="$D_PATH/frr-reload.py" + # + + is_user_root () { ++ if [[ ! -z $FRR_NO_ROOT && "${FRR_NO_ROOT}" == "yes" ]]; then ++ return 0 ++ fi ++ + [ "${EUID:-$(id -u)}" -eq 0 ] || { + log_failure_msg "Only users having EUID=0 can start/stop daemons" + return 1 +diff --git a/doc/user/setup.rst b/doc/user/setup.rst +index 25934df..51ffd32 100644 +--- a/doc/user/setup.rst ++++ b/doc/user/setup.rst +@@ -114,6 +114,16 @@ most operating systems is 1024. If the operator plans to run bgp with + several thousands of peers than this is where we would modify FRR to + allow this to happen. + ++:: ++ ++ FRR_NO_ROOT="yes" ++ ++This option allows you to run FRR as a non-root user. Use this option ++only when you know what you are doing since most of the daemons ++in FRR will not be able to run under a regular user. This option ++is useful for example when you run FRR in a container with a designated ++user instead of root. ++ + :: + + zebra_options=" -s 90000000 --daemon -A 127.0.0.1" diff --git a/SOURCES/frr.fc b/SOURCES/frr.fc new file mode 100644 index 0000000..a6eac2c --- /dev/null +++ b/SOURCES/frr.fc @@ -0,0 +1,29 @@ +/usr/libexec/frr/(.*)? gen_context(system_u:object_r:frr_exec_t,s0) + +/usr/lib/systemd/system/frr.* gen_context(system_u:object_r:frr_unit_file_t,s0) + +/etc/frr(/.*)? gen_context(system_u:object_r:frr_conf_t,s0) + +/var/log/frr(/.*)? gen_context(system_u:object_r:frr_log_t,s0) +/var/tmp/frr(/.*)? gen_context(system_u:object_r:frr_tmp_t,s0) + +/var/lock/subsys/bfdd -- gen_context(system_u:object_r:frr_lock_t,s0) +/var/lock/subsys/bgpd -- gen_context(system_u:object_r:frr_lock_t,s0) +/var/lock/subsys/eigrpd -- gen_context(system_u:object_r:frr_lock_t,s0) +/var/lock/subsys/fabricd -- gen_context(system_u:object_r:frr_lock_t,s0) +/var/lock/subsys/isisd -- gen_context(system_u:object_r:frr_lock_t,s0) +/var/lock/subsys/nhrpd -- gen_context(system_u:object_r:frr_lock_t,s0) +/var/lock/subsys/ospf6d -- gen_context(system_u:object_r:frr_lock_t,s0) +/var/lock/subsys/ospfd -- gen_context(system_u:object_r:frr_lock_t,s0) +/var/lock/subsys/pbrd -- gen_context(system_u:object_r:frr_lock_t,s0) +/var/lock/subsys/pimd -- gen_context(system_u:object_r:frr_lock_t,s0) +/var/lock/subsys/ripd -- gen_context(system_u:object_r:frr_lock_t,s0) +/var/lock/subsys/ripngd -- gen_context(system_u:object_r:frr_lock_t,s0) +/var/lock/subsys/staticd -- gen_context(system_u:object_r:frr_lock_t,s0) +/var/lock/subsys/zebra -- gen_context(system_u:object_r:frr_lock_t,s0) +/var/lock/subsys/vrrpd -- gen_context(system_u:object_r:frr_lock_t,s0) +/var/lock/subsys/pathd -- gen_context(system_u:object_r:frr_lock_t,s0) + +/var/run/frr(/.*)? gen_context(system_u:object_r:frr_var_run_t,s0) + +/usr/bin/vtysh -- gen_context(system_u:object_r:frr_exec_t,s0) diff --git a/SOURCES/frr.te b/SOURCES/frr.te new file mode 100644 index 0000000..0178c2a --- /dev/null +++ b/SOURCES/frr.te @@ -0,0 +1,123 @@ +policy_module(frr, 1.0.0) + +######################################## +# +# Declarations +# + +type frr_t; +type frr_exec_t; +init_daemon_domain(frr_t, frr_exec_t) + +type frr_log_t; +logging_log_file(frr_log_t) + +type frr_tmp_t; +files_tmp_file(frr_tmp_t) + +type frr_lock_t; +files_lock_file(frr_lock_t) + +type frr_conf_t; +files_config_file(frr_conf_t) + +type frr_unit_file_t; +systemd_unit_file(frr_unit_file_t) + +type frr_var_run_t; +files_pid_file(frr_var_run_t) + +######################################## +# +# frr local policy +# +allow frr_t self:capability { chown dac_override dac_read_search kill net_bind_service net_raw setgid setuid net_admin }; +allow frr_t self:netlink_route_socket rw_netlink_socket_perms; +allow frr_t self:packet_socket create; +allow frr_t self:process { setcap setpgid }; +allow frr_t self:rawip_socket create_socket_perms; +allow frr_t self:tcp_socket { connect connected_stream_socket_perms }; +allow frr_t self:udp_socket create_socket_perms; +allow frr_t self:unix_stream_socket connectto; + +allow frr_t frr_conf_t:dir list_dir_perms; +manage_files_pattern(frr_t, frr_conf_t, frr_conf_t) +read_lnk_files_pattern(frr_t, frr_conf_t, frr_conf_t) + +manage_dirs_pattern(frr_t, frr_log_t, frr_log_t) +manage_files_pattern(frr_t, frr_log_t, frr_log_t) +manage_lnk_files_pattern(frr_t, frr_log_t, frr_log_t) +logging_log_filetrans(frr_t, frr_log_t, { dir file lnk_file }) + +allow frr_t frr_tmp_t:file map; +manage_dirs_pattern(frr_t, frr_tmp_t, frr_tmp_t) +manage_files_pattern(frr_t, frr_tmp_t, frr_tmp_t) +files_tmp_filetrans(frr_t, frr_tmp_t, { file dir }) + +manage_files_pattern(frr_t, frr_lock_t, frr_lock_t) +manage_lnk_files_pattern(frr_t, frr_lock_t, frr_lock_t) +files_lock_filetrans(frr_t, frr_lock_t, { file lnk_file }) + +manage_dirs_pattern(frr_t, frr_var_run_t, frr_var_run_t) +manage_files_pattern(frr_t, frr_var_run_t, frr_var_run_t) +manage_lnk_files_pattern(frr_t, frr_var_run_t, frr_var_run_t) +manage_sock_files_pattern(frr_t, frr_var_run_t, frr_var_run_t) +files_pid_filetrans(frr_t, frr_var_run_t, { dir file lnk_file }) + +allow frr_t frr_exec_t:dir search_dir_perms; +can_exec(frr_t, frr_exec_t) + +kernel_read_network_state(frr_t) +kernel_rw_net_sysctls(frr_t) +kernel_read_system_state(frr_t) + +auth_use_nsswitch(frr_t) + +corecmd_exec_bin(frr_t) + +corenet_tcp_bind_appswitch_emp_port(frr_t) +corenet_udp_bind_bfd_control_port(frr_t) +corenet_udp_bind_bfd_echo_port(frr_t) +corenet_tcp_bind_bgp_port(frr_t) +corenet_tcp_connect_bgp_port(frr_t) +corenet_udp_bind_all_unreserved_ports(frr_t); +corenet_tcp_bind_generic_port(frr_t) +corenet_tcp_bind_firepower_port(frr_t) +corenet_tcp_bind_priority_e_com_port(frr_t) +corenet_udp_bind_router_port(frr_t) +corenet_tcp_bind_qpasa_agent_port(frr_t) +corenet_tcp_bind_smntubootstrap_port(frr_t) +corenet_tcp_bind_versa_tek_port(frr_t) +corenet_tcp_bind_zebra_port(frr_t) + +domain_use_interactive_fds(frr_t) + +fs_read_nsfs_files(frr_t) + +sysnet_exec_ifconfig(frr_t) + +userdom_read_admin_home_files(frr_t) + +init_signal(frr_t) +unconfined_server_signull(frr_t) +allow frr_t unconfined_service_t:process signal; + +optional_policy(` + logging_send_syslog_msg(frr_t) +') + +optional_policy(` + modutils_exec_kmod(frr_t) + modutils_getattr_module_deps(frr_t) + modutils_read_module_config(frr_t) + modutils_read_module_deps_files(frr_t) +') + +optional_policy(` + networkmanager_read_state(frr_t) +') + +optional_policy(` + userdom_admin_home_dir_filetrans(frr_t, frr_conf_t, file, ".history_frr") + userdom_inherit_append_admin_home_files(frr_t, frr_conf_t, file, ".history_frr") +') diff --git a/SOURCES/remove-babeld-ldpd.sh b/SOURCES/remove-babeld-ldpd.sh new file mode 100644 index 0000000..ae76a45 --- /dev/null +++ b/SOURCES/remove-babeld-ldpd.sh @@ -0,0 +1,16 @@ +#!/bin/sh +#this script is used to remove babled and ldpd from the tar sources +#Usage: sh remove-babeld-ldpd.sh +#Example: sh remove-babeld-ldpd.sh 7.3.1 - this is for frr-7.3.1.tar.gz file + +VERSION=$1 +TAR=frr-${VERSION}.tar.gz +DIR=frr-${VERSION} + +echo ${VERSION} +echo ${TAR} +echo ${DIR} + +tar -xzf ${TAR} +rm -rf ${DIR}/babeld ${DIR}/ldpd +tar -czf ${TAR} ${DIR} diff --git a/SPECS/frr.spec b/SPECS/frr.spec index dc1f060..3c7dbfc 100644 --- a/SPECS/frr.spec +++ b/SPECS/frr.spec @@ -2,16 +2,22 @@ %global _hardened_build 1 %define _legacy_common_support 1 +%global selinuxtype targeted +%bcond_without selinux Name: frr -Version: 8.2.2 -Release: 4%{?checkout}%{?dist} +Version: 8.3.1 +Release: 5%{?checkout}%{?dist} Summary: Routing daemon License: GPLv2+ URL: http://www.frrouting.org Source0: https://github.com/FRRouting/frr/releases/download/%{name}-%{version}/%{name}-%{version}.tar.gz Source1: %{name}-tmpfiles.conf Source2: frr-sysusers.conf +Source3: frr.fc +Source4: frr.te +Source5: frr.if +Source6: remove-babeld-ldpd.sh BuildRequires: autoconf BuildRequires: automake BuildRequires: bison >= 2.7 @@ -49,6 +55,11 @@ Requires(post): hostname Requires(preun): systemd Requires(preun): /sbin/install-info Requires(postun): systemd + +%if 0%{?with_selinux} +Requires: (%{name}-selinux = %{version}-%{release} if selinux-policy-%{selinuxtype}) +%endif + Conflicts: quagga Provides: routingdaemon = %{version}-%{release} @@ -56,7 +67,10 @@ Patch0000: 0000-remove-babeld-and-ldpd.patch Patch0002: 0002-enable-openssl.patch Patch0003: 0003-disable-eigrp-crypto.patch Patch0004: 0004-fips-mode.patch -Patch0005: 0005-inactive-paths.patch +Patch0005: 0005-ospf-api.patch +Patch0006: 0006-graceful-restart.patch +Patch0007: 0007-cve-2022-37032.patch +Patch0008: 0008-frr-non-root-user.patch %description FRRouting is free software that manages TCP/IP based routing protocols. It takes @@ -67,8 +81,24 @@ FRRouting supports BGP4, OSPFv2, OSPFv3, ISIS, RIP, RIPng, PIM, NHRP, PBR, EIGRP FRRouting is a fork of Quagga. +%if 0%{?with_selinux} +%package selinux +Summary: Selinux policy for FRR +BuildArch: noarch +Requires: selinux-policy-%{selinuxtype} +Requires(post): selinux-policy-%{selinuxtype} +BuildRequires: selinux-policy-devel +%{?selinux_requires} + +%description selinux +SELinux policy modules for FRR package + +%endif + %prep %autosetup -S git +mkdir selinux +cp -p %{SOURCE3} %{SOURCE4} %{SOURCE5} selinux %build autoreconf -ivf @@ -103,6 +133,11 @@ pushd doc make info popd +%if 0%{?with_selinux} +make -C selinux -f %{_datadir}/selinux/devel/Makefile %{name}.pp +bzip2 -9 selinux/%{name}.pp +%endif + %install mkdir -p %{buildroot}/etc/{frr,rc.d/init.d,sysconfig,logrotate.d,pam.d,default} \ %{buildroot}/var/log/frr %{buildroot}%{_infodir} \ @@ -129,6 +164,12 @@ install -d -m 775 %{buildroot}/run/frr install -p -D -m 0644 %{SOURCE2} ${RPM_BUILD_ROOT}/%{_sysusersdir}/frr.conf +%if 0%{?with_selinux} +install -D -m 644 selinux/%{name}.pp.bz2 \ + %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2 +install -D -m 644 selinux/%{name}.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/%{name}.if +%endif + # Delete libtool archives find %{buildroot} -type f -name "*.la" -delete -print @@ -179,6 +220,26 @@ if [ $1 -eq 0 ]; then fi fi +%if 0%{?with_selinux} +%pre selinux +%selinux_relabel_pre -s %{selinuxtype} + +%post selinux +%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2 +%selinux_relabel_post -s %{selinuxtype} +#/var/tmp and /var/run need to be relabeled as well if FRR is running before upgrade +if [ $1 == 2 ]; then + %{_sbindir}/restorecon -R /var/tmp/frr &> /dev/null + %{_sbindir}/restorecon -R /var/run/frr &> /dev/null +fi + +%postun selinux +if [ $1 -eq 0 ]; then + %selinux_modules_uninstall -s %{selinuxtype} %{name} + %selinux_relabel_post -s %{selinuxtype} +fi +%endif + %check make check PYTHON=%{__python3} @@ -207,7 +268,31 @@ make check PYTHON=%{__python3} %{_tmpfilesdir}/%{name}.conf %{_sysusersdir}/frr.conf +%if 0%{?with_selinux} +%files selinux +%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.* +%{_datadir}/selinux/devel/include/distributed/%{name}.if +%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name} +%endif + %changelog +* Mon Nov 28 2022 Michal Ruprich - 8.3.1-5 +- Resolves: #2147522 - It is not possible to run FRR as a non-root user + +* Thu Nov 24 2022 Michal Ruprich - 8.3.1-4 +- Resolves: #2144500 - AVC error when reloading FRR with provided reload script + +* Wed Oct 19 2022 Michal Ruprich - 8.3.1-3 +- Related: #2129743 - Adding missing rules for vtysh and other daemons + +* Mon Oct 17 2022 Michal Ruprich - 8.3.1-2 +- Resolves: #2128738 - out-of-bounds read in the BGP daemon may lead to information disclosure or denial of service + +* Thu Oct 13 2022 Michal Ruprich - 8.3.1-1 +- Resolves: #2129731 - Rebase FRR to the latest version +- Resolves: #2129743 - Add targeted SELinux policy for FRR +- Resolves: #2127494 - BGP incorrectly withdraws routes on graceful restart capable routers + * Tue Jun 14 2022 Michal Ruprich - 8.2.2-4 - Resolves: #2095404 - frr use systemd-sysusers