View Issue Details

ID: 0000421
Project: AlmaLinux-9
Category: frr
View Status: public
Last Update: 2023-08-28 11:55
Reporter: macwynkoop
Assigned To:
Priority: normal
Severity: minor
Reproducibility: always
Status: new
Resolution: open
OS: Alma Linux
OS Version: 9
Summary: 0000421: FRR user does not have sufficient caps to start vrrpd
Description:

Hello, when starting the FRR systemd daemon with VRRP enabled, the vrrpd daemon errors out with this:

2023/08/20 21:46:57 VRRP: [HEH72-5BR66] [CORE] [VRID 11] [IPv4] Interface: vrrp4-2-1
2023/08/20 21:46:57 VRRP: [MZG9J-C7D80] [CORE] [VRID 11] [IPv6] Interface: None (no interface found w/ MAC 00:00:5e:00:02:0b)
2023/08/20 21:46:57 VRRP: [R3SM7-1JZFQ] [CORE] [VRID 11] [IPv4] 'Startup' event
2023/08/20 21:46:57 VRRP: [T81B5-0TZTF] [CORE] [VRID 11] [IPv4] Failed to bind Rx socket to VRRP multicast group: Permission denied
2023/08/20 21:46:57 VRRP: [ZSJEW-4RZ0P] [CORE] [VRID 11] [IPv4] Failed to initialize VRRP router
2023/08/20 21:46:57 VRRP: [P485H-A79BW] [CORE] [VRID 11] [IPv6] Refusing to start Virtual Router: No VRRP interface

Digging deeper, this seems to be related to SELinux:

type=AVC msg=audit(1693007247.468:113045): avc: denied { node_bind } for pid=45940 comm="vrrpd" saddr=224.0.0.18 scontext=system_u:system_r:frr_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=rawip_socket permissive=1
type=SYSCALL msg=audit(1693007247.468:113045): arch=c000003e syscall=49 success=yes exit=0 a0=11 a1=7fffaca815b0 a2=10 a3=56062a6c5234 items=0 ppid=1 pid=45940 auid=4294967295 uid=980 gid=979 euid=980 suid=980 fsuid=980 egid=979 sgid=979 fsgid=979 tty=(none) ses=4294967295 comm="vrrpd" exe="/usr/libexec/frr/vrrpd" subj=system_u:system_r:frr_t:s0 key=(null)ARCH=x86_64 SYSCALL=bind AUID="unset" UID="frr" GID="frr" EUID="frr" SUID="frr" FSUID="frr" EGID="frr" SGID="frr" FSGID="frr"

By adding this SELinux policy to the system:

module frr_vrrp 1.0;

require {
    type frr_t;
    type node_t;
    class rawip_socket node_bind;
}

# Allow frr_t to bind to VRRP address on rawip_socket
allow frr_t node_t:rawip_socket node_bind;

It seems to allow the frr_t domain the proper permissions.
Steps To Reproduce:

Install FRR:

dnf install frr

Enable vrrpd:

sed -i 's/^vrrpd=no$/vrrpd=yes/' /etc/frr/daemons

Set up the MACVLAN device with the Virtual IP for VRRP:

ip link add vrrp4-2-1 link enp11s0 addrgenmode random type macvlan mode bridge
ip link set dev vrrp4-2-1 address 00:00:5e:00:01:0b
ip addr add 192.168.1.1/24 dev vrrp4-2-1
ip link set dev vrrp4-2-1 up

Add configuration to frr.conf:

echo -e "interface enp11s0" \
"\n ip address 192.168.1.254/24" \
"\n vrrp 11" \
"\n vrrp 11 priority 200" \
"\n vrrp 11 advertisement-interval 1500" \
"\n vrrp 11 ip 192.168.1.1" \
"\nexit" >> /etc/frr/frr.conf

And then start up frr:

systemctl start frr

With the current shipping package, this should cause the error.
Tags: No tags attached.
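As an added illustration of how the AVC record in the description maps onto the allow rule the reporter wrote (example code added here, not from the report, FRR or AlmaLinux): this Python parses the quoted AVC line and generates the equivalent minimal .te module, which is the same translation audit2allow performs. The function names are the example's own; the module name frr_vrrp is taken from the report.

```python
import re
from collections import defaultdict

# AVC denial quoted in the report above (copied verbatim from the description).
AVC_LINE = (
    'type=AVC msg=audit(1693007247.468:113045): avc: denied { node_bind } '
    'for pid=45940 comm="vrrpd" saddr=224.0.0.18 '
    'scontext=system_u:system_r:frr_t:s0 tcontext=system_u:object_r:node_t:s0 '
    'tclass=rawip_socket permissive=1'
)

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'\bscontext=(?P<sctx>\S+)\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\S+)'
    r'(?:\s+permissive=(?P<perm>[01]))?'
)

def parse_avc(line):
    """Return the fields of one AVC denial record, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": set(m.group("perms").split()),
        "source": m.group("sctx").split(":")[2],  # type part of user:role:type:level
        "target": m.group("tctx").split(":")[2],
        "tclass": m.group("tclass"),
        # permissive=1 means the access was logged but not blocked; in enforcing
        # mode the same bind() fails with EACCES ("Permission denied" in vrrpd's log).
        "permissive": m.group("perm") == "1",
    }

def _permset(perms):  # TE syntax: one permission bare, several inside braces
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"

def build_te_module(name, lines, version="1.0"):
    """Aggregate AVC denials into a minimal Type Enforcement (.te) module."""
    rules = defaultdict(set)    # (source type, target type, class) -> permissions
    classes = defaultdict(set)  # class -> every permission the module references
    for d in filter(None, map(parse_avc, lines)):
        rules[(d["source"], d["target"], d["tclass"])] |= d["perms"]
        classes[d["tclass"]] |= d["perms"]
    types = sorted({t for src, tgt, _ in rules for t in (src, tgt)})
    out = [f"module {name} {version};", "", "require {"]
    out += [f"    type {t};" for t in types]
    out += [f"    class {c} {_permset(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    out += [f"allow {s} {t}:{c} {_permset(p)};" for (s, t, c), p in sorted(rules.items())]
    return "\n".join(out) + "\n"
```

The generated text is compiled and loaded the usual way (checkmodule -M -m, semodule_package, semodule -i); keep the rule set to exactly the denied permissions rather than widening it.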

Activities

alukoshko

2023-08-28 11:55

administrator   ~0000965

Hi! Could you please check this on RHEL9 and CentOS Stream 9?
We need to understand if this issue is specific to AlmaLinux or an upstream one.

Issue History

Date Modified Username Field Change
2023-08-26 00:18 macwynkoop New Issue
2023-08-28 11:55 alukoshko Note Added: 0000965