View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0000421 | AlmaLinux-9 | frr | public | 2023-08-26 00:18 | 2023-08-28 11:55 |
Reporter | macwynkoop | Assigned To | | | |
Priority | normal | Severity | minor | Reproducibility | always |
Status | new | Resolution | open | | |
OS | Alma Linux | OS Version | 9 | | |
Summary | 0000421: FRR user does not have sufficient caps to start vrrpd | | | | |
Description:

Hello, when starting the FRR systemd daemon with VRRP enabled, the vrrpd daemon errors out with this:

```
2023/08/20 21:46:57 VRRP: [HEH72-5BR66] [CORE] [VRID 11] [IPv4] Interface: vrrp4-2-1
2023/08/20 21:46:57 VRRP: [MZG9J-C7D80] [CORE] [VRID 11] [IPv6] Interface: None (no interface found w/ MAC 00:00:5e:00:02:0b)
2023/08/20 21:46:57 VRRP: [R3SM7-1JZFQ] [CORE] [VRID 11] [IPv4] 'Startup' event
2023/08/20 21:46:57 VRRP: [T81B5-0TZTF] [CORE] [VRID 11] [IPv4] Failed to bind Rx socket to VRRP multicast group: Permission denied
2023/08/20 21:46:57 VRRP: [ZSJEW-4RZ0P] [CORE] [VRID 11] [IPv4] Failed to initialize VRRP router
2023/08/20 21:46:57 VRRP: [P485H-A79BW] [CORE] [VRID 11] [IPv6] Refusing to start Virtual Router: No VRRP interface
```

Digging deeper, this seems to be related to SELinux:

```
type=AVC msg=audit(1693007247.468:113045): avc: denied { node_bind } for pid=45940 comm="vrrpd" saddr=224.0.0.18 scontext=system_u:system_r:frr_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=rawip_socket permissive=1
type=SYSCALL msg=audit(1693007247.468:113045): arch=c000003e syscall=49 success=yes exit=0 a0=11 a1=7fffaca815b0 a2=10 a3=56062a6c5234 items=0 ppid=1 pid=45940 auid=4294967295 uid=980 gid=979 euid=980 suid=980 fsuid=980 egid=979 sgid=979 fsgid=979 tty=(none) ses=4294967295 comm="vrrpd" exe="/usr/libexec/frr/vrrpd" subj=system_u:system_r:frr_t:s0 key=(null)ARCH=x86_64 SYSCALL=bind AUID="unset" UID="frr" GID="frr" EUID="frr" SUID="frr" FSUID="frr" EGID="frr" SGID="frr" FSGID="frr"
```

By adding this SELinux policy to the system:

```
module frr_vrrp 1.0;

require {
	type frr_t;
	type node_t;
	class rawip_socket node_bind;
}

# Allow frr_t to bind to VRRP address on rawip_socket
allow frr_t node_t:rawip_socket node_bind;
```

It seems to allow the frr_t domain the proper permissions.
Steps To Reproduce:

Install FRR:

```
dnf install frr
```

Enable vrrpd:

```
sed -i 's/^vrrpd=no$/vrrpd=yes/' /etc/frr/daemons
```

Set up the MACVLAN device with the Virtual IP for VRRP:

```
ip link add vrrp4-2-1 link enp11s0 addrgenmode random type macvlan mode bridge
ip link set dev vrrp4-2-1 address 00:00:5e:00:01:0b
ip addr add 192.168.1.1/24 dev vrrp4-2-1
ip link set dev vrrp4-2-1 up
```

Add configuration to frr.conf:

```
echo -e "interface enp11s0" \
  "\n ip address 192.168.1.254/24" \
  "\n vrrp 11" \
  "\n vrrp 11 priority 200" \
  "\n vrrp 11 advertisement-interval 1500" \
  "\n vrrp 11 ip 192.168.1.1" \
  "\nexit" >> /etc/frr/frr.conf
```

And then start up frr:

```
systemctl start frr
```

With the current shipping package, this should cause the error.
Tags | No tags attached. | ||||
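The step the report leaves implicit is how the AVC record is turned into the `allow` rule shown in the description. The following Python helper is an added example, not part of this issue, of FRR, or of AlmaLinux: it parses audit AVC denial lines (the report's own AVC line is embedded as a constructed copy), pulls out the source type, target type, object class and denied permissions, and renders the same Type Enforcement module skeleton. It also records the `permissive=1` flag, which means that record was logged while the domain was permissive rather than enforced. The module name `frr_vrrp` and version `1.0` are taken from the report; everything else is generic.

```python
import re
from typing import Optional

# Constructed copy of the AVC denial quoted in the report above (test input only).
SAMPLE_AVC = (
    'type=AVC msg=audit(1693007247.468:113045): avc: denied { node_bind } for '
    'pid=45940 comm="vrrpd" saddr=224.0.0.18 '
    'scontext=system_u:system_r:frr_t:s0 tcontext=system_u:object_r:node_t:s0 '
    'tclass=rawip_socket permissive=1'
)

# "avc: denied { perm1 perm2 } for key=value key="value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line: str) -> Optional[dict]:
    """Parse one audit line; return its fields, or None if it is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    # A context is user:role:type[:level]; the type (third field) is what policy rules use.
    return {
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'pid': fields.get('pid'),
        'stype': fields['scontext'].split(':')[2],
        'ttype': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
        'permissive': fields.get('permissive') == '1',
    }


def perm_set(perms) -> str:
    """Render permissions the way policy syntax expects: bare name or brace-set."""
    perms = list(perms)
    return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'


def allow_rule(avc: dict) -> str:
    """One allow rule covering exactly the denied permissions of a parsed AVC."""
    return f"allow {avc['stype']} {avc['ttype']}:{avc['tclass']} {perm_set(avc['perms'])};"


def te_module(name: str, version: str, avcs: list) -> str:
    """Render a minimal .te module (the same shape as the one in the report) for a set of AVCs."""
    types = sorted({a['stype'] for a in avcs} | {a['ttype'] for a in avcs})
    classes: dict = {}
    for a in avcs:
        classes.setdefault(a['tclass'], set()).update(a['perms'])
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {perm_set(sorted(p))};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for a in avcs:
        note = " (logged in permissive mode, not enforced)" if a['permissive'] else ""
        out.append(f"# {a['comm']} (pid {a['pid']}) was denied {perm_set(a['perms'])}{note}")
        out.append(allow_rule(a))
    return "\n".join(out) + "\n"


def denials_from_log(lines, domain: str) -> list:
    """Collect parsed AVC denials whose source type is the given domain (e.g. frr_t)."""
    parsed = (parse_avc(l) for l in lines)
    return [a for a in parsed if a is not None and a['stype'] == domain]


if __name__ == "__main__":
    print(te_module("frr_vrrp", "1.0", denials_from_log([SAMPLE_AVC], "frr_t")))
```

The rendered `.te` text is compiled and loaded with the standard SELinux tooling (`checkmodule -M -m -o frr_vrrp.mod frr_vrrp.te`, then `semodule_package -o frr_vrrp.pp -m frr_vrrp.mod`, then `semodule -i frr_vrrp.pp`), which is assumed to be installed on the host. Because the quoted record carries `permissive=1`, it only proves that the denial is logged; confirming that the rule fixes the startup failure means re-running the daemon with the domain enforcing and checking that no further `frr_t` AVCs appear, which is what `denials_from_log` filters for.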
Date Modified | Username | Field | Change |
---|---|---|---|
2023-08-26 00:18 | macwynkoop | New Issue | |
2023-08-28 11:55 | alukoshko | Note Added: 0000965 | |