automatic import of frropeneuler24.03_LTS

17 files changed, 1686 insertions, 0 deletions

diff --git a/.gitignore b/.gitignore
index e69de29..16b767f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+/frr-8.5.3.tar.gz
diff --git a/0000-remove-babeld-and-ldpd.patch b/0000-remove-babeld-and-ldpd.patch
new file mode 100644
index 0000000..4fac02b
--- /dev/null
+++ b/0000-remove-babeld-and-ldpd.patch
@@ -0,0 +1,55 @@
+diff --git a/Makefile.am b/Makefile.am
+index 5be3264..33abc1d 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -130,8 +130,6 @@ include ospf6d/subdir.am
+ include ospfclient/subdir.am
+ include isisd/subdir.am
+ include nhrpd/subdir.am
+-include ldpd/subdir.am
+-include babeld/subdir.am
+ include eigrpd/subdir.am
+ include sharpd/subdir.am
+ include pimd/subdir.am
+@@ -182,7 +180,6 @@ EXTRA_DIST += \
+ 	snapcraft/defaults \
+ 	snapcraft/helpers \
+ 	snapcraft/snap \
+-	babeld/Makefile \
+ 	bgpd/Makefile \
+ 	bgpd/rfp-example/librfp/Makefile \
+ 	bgpd/rfp-example/rfptest/Makefile \
+@@ -193,7 +190,6 @@ EXTRA_DIST += \
+ 	fpm/Makefile \
+ 	grpc/Makefile \
+ 	isisd/Makefile \
+-	ldpd/Makefile \
+ 	lib/Makefile \
+ 	nhrpd/Makefile \
+ 	ospf6d/Makefile \
+diff --git a/tools/etc/frr/daemons b/tools/etc/frr/daemons
+index 8aa0887..c92dcca 100644
+--- a/tools/etc/frr/daemons
++++ b/tools/etc/frr/daemons
+@@ -22,10 +22,8 @@ ripngd=no
+ isisd=no
+ pimd=no
+ pim6d=no
+-ldpd=no
+ nhrpd=no
+ eigrpd=no
+-babeld=no
+ sharpd=no
+ pbrd=no
+ bfdd=no
+@@ -48,10 +46,8 @@ ripngd_options=" -A ::1"
+ isisd_options="  -A 127.0.0.1"
+ pimd_options="   -A 127.0.0.1"
+ pim6d_options="  -A ::1"
+-ldpd_options="   -A 127.0.0.1"
+ nhrpd_options="  -A 127.0.0.1"
+ eigrpd_options=" -A 127.0.0.1"
+-babeld_options=" -A 127.0.0.1"
+ sharpd_options=" -A 127.0.0.1"
+ pbrd_options="   -A 127.0.0.1"
+ staticd_options="-A 127.0.0.1"
diff --git a/0002-enable-openssl.patch b/0002-enable-openssl.patch
new file mode 100644
index 0000000..fa30a88
--- /dev/null
+++ b/0002-enable-openssl.patch
@@ -0,0 +1,78 @@
+diff --git a/lib/subdir.am b/lib/subdir.am
+index 0b7af18..0533e24 100644
+--- a/lib/subdir.am
++++ b/lib/subdir.am
+@@ -41,7 +41,6 @@ lib_libfrr_la_SOURCES = \
+ 	lib/log.c \
+ 	lib/log_filter.c \
+ 	lib/log_vty.c \
+-	lib/md5.c \
+ 	lib/memory.c \
+ 	lib/mlag.c \
+ 	lib/module.c \
+@@ -64,7 +64,6 @@ lib_libfrr_la_SOURCES = \
+ 	lib/routemap_northbound.c \
+ 	lib/sbuf.c \
+ 	lib/seqlock.c \
+-	lib/sha256.c \
+ 	lib/sigevent.c \
+ 	lib/skiplist.c \
+ 	lib/sockopt.c \
+@@ -170,7 +170,6 @@ pkginclude_HEADERS += \
+ 	lib/link_state.h \
+ 	lib/log.h \
+ 	lib/log_vty.h \
+-	lib/md5.h \
+ 	lib/memory.h \
+ 	lib/module.h \
+ 	lib/monotime.h \
+@@ -191,7 +190,6 @@ pkginclude_HEADERS += \
+ 	lib/route_opaque.h \
+ 	lib/sbuf.h \
+ 	lib/seqlock.h \
+-	lib/sha256.h \
+ 	lib/sigevent.h \
+ 	lib/skiplist.h \
+ 	lib/smux.h \
+diff --git a/isisd/isis_lsp.c b/isisd/isis_lsp.c
+index 1991666..2e4fe55 100644
+--- a/isisd/isis_lsp.c
++++ b/isisd/isis_lsp.c
+@@ -35,7 +35,9 @@
+ #include "hash.h"
+ #include "if.h"
+ #include "checksum.h"
++#ifdef CRYPTO_INTERNAL
+ #include "md5.h"
++#endif
+ #include "table.h"
+ #include "srcdest_table.h"
+ #include "lib_errors.h"
+diff --git a/isisd/isis_pdu.c b/isisd/isis_pdu.c
+index 9c63311..7cf594c 100644
+--- a/isisd/isis_pdu.c
++++ b/isisd/isis_pdu.c
+@@ -33,7 +33,9 @@
+ #include "prefix.h"
+ #include "if.h"
+ #include "checksum.h"
++#ifdef CRYPTO_INTERNAL
+ #include "md5.h"
++#endif
+ #include "lib_errors.h"
+ 
+ #include "isisd/isis_constants.h"
+diff --git a/isisd/isis_te.c b/isisd/isis_te.c
+index 4ea6c2c..72ff0d2 100644
+--- a/isisd/isis_te.c
++++ b/isisd/isis_te.c
+@@ -38,7 +38,9 @@
+ #include "if.h"
+ #include "vrf.h"
+ #include "checksum.h"
++#ifdef CRYPTO_INTERNAL
+ #include "md5.h"
++#endif
+ #include "sockunion.h"
+ #include "network.h"
+ #include "sbuf.h"
diff --git a/0003-disable-eigrp-crypto.patch b/0003-disable-eigrp-crypto.patch
new file mode 100644
index 0000000..cd43569
--- /dev/null
+++ b/0003-disable-eigrp-crypto.patch
@@ -0,0 +1,252 @@
+diff --git a/eigrpd/eigrp_packet.c b/eigrpd/eigrp_packet.c
+index bedaf15..8dc09bf 100644
+--- a/eigrpd/eigrp_packet.c
++++ b/eigrpd/eigrp_packet.c
+@@ -40,8 +40,10 @@
+ #include "log.h"
+ #include "sockopt.h"
+ #include "checksum.h"
++#ifdef CRYPTO_INTERNAL
+ #include "md5.h"
+ #include "sha256.h"
++#endif
+ #include "lib_errors.h"
+ 
+ #include "eigrpd/eigrp_structs.h"
+@@ -95,8 +97,12 @@ int eigrp_make_md5_digest(struct eigrp_interface *ei, struct stream *s,
+ 	struct key *key = NULL;
+ 	struct keychain *keychain;
+ 
++
+ 	unsigned char digest[EIGRP_AUTH_TYPE_MD5_LEN];
++#ifdef CRYPTO_OPENSSL
++#elif CRYPTO_INTERNAL
+ 	MD5_CTX ctx;
++#endif
+ 	uint8_t *ibuf;
+ 	size_t backup_get, backup_end;
+ 	struct TLV_MD5_Authentication_Type *auth_TLV;
+@@ -119,6 +125,9 @@ int eigrp_make_md5_digest(struct eigrp_interface *ei, struct stream *s,
+ 		return EIGRP_AUTH_TYPE_NONE;
+ 	}
+ 
++#ifdef CRYPTO_OPENSSL
++//TBD when this is fixed in upstream
++#elif CRYPTO_INTERNAL
+ 	memset(&ctx, 0, sizeof(ctx));
+ 	MD5Init(&ctx);
+ 
+@@ -146,7 +155,7 @@ int eigrp_make_md5_digest(struct eigrp_interface *ei, struct stream *s,
+ 	}
+ 
+ 	MD5Final(digest, &ctx);
+-
++#endif
+ 	/* Append md5 digest to the end of the stream. */
+ 	memcpy(auth_TLV->digest, digest, EIGRP_AUTH_TYPE_MD5_LEN);
+ 
+@@ -162,7 +171,10 @@ int eigrp_check_md5_digest(struct stream *s,
+ 			   struct TLV_MD5_Authentication_Type *authTLV,
+ 			   struct eigrp_neighbor *nbr, uint8_t flags)
+ {
++#ifdef CRYPTO_OPENSSL
++#elif CRYPTO_INTERNAL
+ 	MD5_CTX ctx;
++#endif
+ 	unsigned char digest[EIGRP_AUTH_TYPE_MD5_LEN];
+ 	unsigned char orig[EIGRP_AUTH_TYPE_MD5_LEN];
+ 	struct key *key = NULL;
+@@ -203,6 +215,9 @@ int eigrp_check_md5_digest(struct stream *s,
+ 		return 0;
+ 	}
+ 
++#ifdef CRYPTO_OPENSSL
++	//TBD when eigrpd crypto is fixed in upstream
++#elif CRYPTO_INTERNAL
+ 	memset(&ctx, 0, sizeof(ctx));
+ 	MD5Init(&ctx);
+ 
+@@ -230,6 +245,7 @@ int eigrp_check_md5_digest(struct stream *s,
+ 	}
+ 
+ 	MD5Final(digest, &ctx);
++#endif
+ 
+ 	/* compare the two */
+ 	if (memcmp(orig, digest, EIGRP_AUTH_TYPE_MD5_LEN) != 0) {
+@@ -254,7 +270,11 @@ int eigrp_make_sha256_digest(struct eigrp_interface *ei, struct stream *s,
+ 	unsigned char digest[EIGRP_AUTH_TYPE_SHA256_LEN];
+ 	unsigned char buffer[1 + PLAINTEXT_LENGTH + 45 + 1] = {0};
+ 
++#ifdef CRYPTO_OPENSSL
++	//TBD when eigrpd crypto is fixed in upstream
++#elif CRYPTO_INTERNAL
+ 	HMAC_SHA256_CTX ctx;
++#endif
+ 	void *ibuf;
+ 	size_t backup_get, backup_end;
+ 	struct TLV_SHA256_Authentication_Type *auth_TLV;
+@@ -283,6 +303,9 @@ int eigrp_make_sha256_digest(struct eigrp_interface *ei, struct stream *s,
+ 
+ 	inet_ntop(AF_INET, &ei->address.u.prefix4, source_ip, PREFIX_STRLEN);
+ 
++#ifdef CRYPTO_OPENSSL
++	//TBD when eigrpd crypto is fixed in upstream
++#elif CRYPTO_INTERNAL
+ 	memset(&ctx, 0, sizeof(ctx));
+ 	buffer[0] = '\n';
+ 	memcpy(buffer + 1, key, strlen(key->string));
+@@ -291,7 +314,7 @@ int eigrp_make_sha256_digest(struct eigrp_interface *ei, struct stream *s,
+ 			  1 + strlen(key->string) + strlen(source_ip));
+ 	HMAC__SHA256_Update(&ctx, ibuf, strlen(ibuf));
+ 	HMAC__SHA256_Final(digest, &ctx);
+-
++#endif
+ 
+ 	/* Put hmac-sha256 digest to it's place */
+ 	memcpy(auth_TLV->digest, digest, EIGRP_AUTH_TYPE_SHA256_LEN);
+diff --git a/eigrpd/eigrp_filter.c b/eigrpd/eigrp_filter.c
+index 93eed94..f1c7347 100644
+--- a/eigrpd/eigrp_filter.c
++++ b/eigrpd/eigrp_filter.c
+@@ -47,7 +47,9 @@
+ #include "if_rmap.h"
+ #include "plist.h"
+ #include "distribute.h"
++#ifdef CRYPTO_INTERNAL
+ #include "md5.h"
++#endif
+ #include "keychain.h"
+ #include "privs.h"
+ #include "vrf.h"
+diff --git a/eigrpd/eigrp_hello.c b/eigrpd/eigrp_hello.c
+index dacd5ca..b232cc5 100644
+--- a/eigrpd/eigrp_hello.c
++++ b/eigrpd/eigrp_hello.c
+@@ -43,7 +43,9 @@
+ #include "sockopt.h"
+ #include "checksum.h"
+ #include "vty.h"
++#ifdef CRYPTO_INTERNAL
+ #include "md5.h"
++#endif
+ 
+ #include "eigrpd/eigrp_structs.h"
+ #include "eigrpd/eigrpd.h"
+diff --git a/eigrpd/eigrp_query.c b/eigrpd/eigrp_query.c
+index 84dcf5e..a2575e3 100644
+--- a/eigrpd/eigrp_query.c
++++ b/eigrpd/eigrp_query.c
+@@ -38,7 +38,9 @@
+ #include "log.h"
+ #include "sockopt.h"
+ #include "checksum.h"
++#ifdef CRYPTO_INTERNAL
+ #include "md5.h"
++#endif
+ #include "vty.h"
+ 
+ #include "eigrpd/eigrp_structs.h"
+diff --git a/eigrpd/eigrp_reply.c b/eigrpd/eigrp_reply.c
+index ccf0496..2902365 100644
+--- a/eigrpd/eigrp_reply.c
++++ b/eigrpd/eigrp_reply.c
+@@ -42,7 +42,9 @@
+ #include "log.h"
+ #include "sockopt.h"
+ #include "checksum.h"
++#ifdef CRYPTO_INTERNAL
+ #include "md5.h"
++#endif
+ #include "vty.h"
+ #include "keychain.h"
+ #include "plist.h"
+diff --git a/eigrpd/eigrp_siaquery.c b/eigrpd/eigrp_siaquery.c
+index ff38325..09b9369 100644
+--- a/eigrpd/eigrp_siaquery.c
++++ b/eigrpd/eigrp_siaquery.c
+@@ -38,7 +38,9 @@
+ #include "log.h"
+ #include "sockopt.h"
+ #include "checksum.h"
++#ifdef CRYPTO_INTERNAL
+ #include "md5.h"
++#endif
+ #include "vty.h"
+ 
+ #include "eigrpd/eigrp_structs.h"
+diff --git a/eigrpd/eigrp_siareply.c b/eigrpd/eigrp_siareply.c
+index d3dd123..f6a2bd6 100644
+--- a/eigrpd/eigrp_siareply.c
++++ b/eigrpd/eigrp_siareply.c
+@@ -37,7 +37,9 @@
+ #include "log.h"
+ #include "sockopt.h"
+ #include "checksum.h"
++#ifdef CRYPTO_INTERNAL
+ #include "md5.h"
++#endif
+ #include "vty.h"
+ 
+ #include "eigrpd/eigrp_structs.h"
+diff --git a/eigrpd/eigrp_snmp.c b/eigrpd/eigrp_snmp.c
+index 21c9238..cfb8890 100644
+--- a/eigrpd/eigrp_snmp.c
++++ b/eigrpd/eigrp_snmp.c
+@@ -42,7 +42,9 @@
+ #include "log.h"
+ #include "sockopt.h"
+ #include "checksum.h"
++#ifdef CRYPTO_INTERNAL
+ #include "md5.h"
++#endif
+ #include "keychain.h"
+ #include "smux.h"
+ 
+diff --git a/eigrpd/eigrp_update.c b/eigrpd/eigrp_update.c
+index 8db4903..2a4f0bb 100644
+--- a/eigrpd/eigrp_update.c
++++ b/eigrpd/eigrp_update.c
+@@ -42,7 +42,9 @@
+ #include "log.h"
+ #include "sockopt.h"
+ #include "checksum.h"
++#ifdef CRYPTO_INTERNAL
+ #include "md5.h"
++#endif
+ #include "vty.h"
+ #include "plist.h"
+ #include "plist_int.h"
+diff --git a/eigrpd/eigrp_cli.c b/eigrpd/eigrp_cli.c
+index a93d4c8..b01e121 100644
+--- a/eigrpd/eigrp_cli.c
++++ b/eigrpd/eigrp_cli.c
+@@ -25,6 +25,7 @@
+ #include "lib/command.h"
+ #include "lib/log.h"
+ #include "lib/northbound_cli.h"
++#include "lib/libfrr.h"
+ 
+ #include "eigrp_structs.h"
+ #include "eigrpd.h"
+@@ -726,6 +726,20 @@ DEFPY(
+ 	"Keyed message digest\n"
+ 	"HMAC SHA256 algorithm \n")
+ {
++	//EIGRP authentication is currently broken in FRR
++	switch (frr_get_cli_mode()) {
++	case FRR_CLI_CLASSIC:
++		vty_out(vty, "%% Eigrp Authentication is disabled\n\n");
++		break;
++	case FRR_CLI_TRANSACTIONAL:
++		vty_out(vty,
++			"%% Failed to edit candidate configuration - "
++			"Eigrp Authentication is disabled.\n\n");
++		break;
++	}
++
++	return CMD_WARNING_CONFIG_FAILED;
++
+ 	char xpath[XPATH_MAXLEN], xpath_auth[XPATH_MAXLEN + 64];
+ 
+ 	snprintf(xpath, sizeof(xpath), "./frr-eigrpd:eigrp/instance[asn='%s']",
diff --git a/0004-fips-mode.patch b/0004-fips-mode.patch
new file mode 100644
index 0000000..deedf14
--- /dev/null
+++ b/0004-fips-mode.patch
@@ -0,0 +1,115 @@
+diff --git a/ospfd/ospf_vty.c b/ospfd/ospf_vty.c
+index 631465f..e084ff3 100644
+--- a/ospfd/ospf_vty.c
++++ b/ospfd/ospf_vty.c
+@@ -1136,6 +1136,11 @@ DEFUN (ospf_area_vlink,
+ 
+ 	if (argv_find(argv, argc, "message-digest", &idx)) {
+ 		/* authentication message-digest */
++		if(FIPS_mode())
++		{
++			vty_out(vty, "FIPS mode is enabled, md5 authentication is disabled\n");
++			return CMD_WARNING_CONFIG_FAILED;
++		}
+ 		vl_config.auth_type = OSPF_AUTH_CRYPTOGRAPHIC;
+ 	} else if (argv_find(argv, argc, "null", &idx)) {
+ 		/* "authentication null" */
+@@ -1993,6 +1998,15 @@ DEFUN (ospf_area_authentication_message_digest,
+ 				  ? OSPF_AUTH_NULL
+ 				  : OSPF_AUTH_CRYPTOGRAPHIC;
+ 
++	if(area->auth_type == OSPF_AUTH_CRYPTOGRAPHIC)
++	{
++		if(FIPS_mode())
++		{
++			vty_out(vty, "FIPS mode is enabled, md5 authentication is disabled\n");
++			return CMD_WARNING_CONFIG_FAILED;
++		}
++	}
++
+ 	return CMD_SUCCESS;
+ }
+ 
+@@ -6665,6 +6679,11 @@ DEFUN (ip_ospf_authentication_args,
+ 
+ 	/* Handle message-digest authentication */
+ 	if (argv[idx_encryption]->arg[0] == 'm') {
++		if(FIPS_mode())
++		{
++			vty_out(vty, "FIPS mode is enabled, md5 authentication is disabled\n");
++			return CMD_WARNING_CONFIG_FAILED;
++		}
+ 		SET_IF_PARAM(params, auth_type);
+ 		params->auth_type = OSPF_AUTH_CRYPTOGRAPHIC;
+ 		return CMD_SUCCESS;
+@@ -6971,6 +6990,11 @@ DEFUN (ip_ospf_message_digest_key,
+        "The OSPF password (key)\n"
+        "Address of interface\n")
+ {
++	if(FIPS_mode())
++	{
++		vty_out(vty, "FIPS mode is enabled, md5 authentication is disabled\n");
++		return CMD_WARNING_CONFIG_FAILED;
++	}
+ 	VTY_DECLVAR_CONTEXT(interface, ifp);
+ 	struct crypt_key *ck;
+ 	uint8_t key_id;
+diff --git a/isisd/isis_circuit.c b/isisd/isis_circuit.c
+index 81b4b39..cce33d9 100644
+--- a/isisd/isis_circuit.c
++++ b/isisd/isis_circuit.c
+@@ -1318,6 +1318,10 @@ static int isis_circuit_passwd_set(struct isis_circuit *circuit,
+ 		return ferr_code_bug(
+ 			"circuit password too long (max 254 chars)");
+ 
++	//When in FIPS mode, the password never gets set in MD5
++	if((passwd_type == ISIS_PASSWD_TYPE_HMAC_MD5) && FIPS_mode())
++		return ferr_cfg_invalid("FIPS mode is enabled, md5 authentication is disabled");
++
+ 	circuit->passwd.len = len;
+ 	strlcpy((char *)circuit->passwd.passwd, passwd,
+ 		sizeof(circuit->passwd.passwd));
+diff --git a/isisd/isisd.c b/isisd/isisd.c
+index 419127c..a6c36af 100644
+--- a/isisd/isisd.c
++++ b/isisd/isisd.c
+@@ -1638,6 +1638,10 @@ static int isis_area_passwd_set(struct isis_area *area, int level,
+ 		if (len > 254)
+ 			return -1;
+ 
++		//When in FIPS mode, the password never get set in MD5
++		if ((passwd_type == ISIS_PASSWD_TYPE_HMAC_MD5) && (FIPS_mode()))
++			return ferr_cfg_invalid("FIPS mode is enabled, md5 authentication is disabled");
++
+ 		modified.len = len;
+ 		strlcpy((char *)modified.passwd, passwd,
+ 			sizeof(modified.passwd));
+diff --git a/ripd/rip_cli.c b/ripd/rip_cli.c
+index 5bb81ef..02a09ef 100644
+--- a/ripd/rip_cli.c
++++ b/ripd/rip_cli.c
+@@ -796,6 +796,12 @@ DEFPY (ip_rip_authentication_mode,
+ 			value = "20";
+ 	}
+ 
++	if(strmatch(mode, "md5") && FIPS_mode())
++	{
++		vty_out(vty, "FIPS mode is enabled, md5 authentication id disabled\n");
++		return CMD_WARNING_CONFIG_FAILED;
++	}
++
+ 	nb_cli_enqueue_change(vty, "./authentication-scheme/mode", NB_OP_MODIFY,
+ 			      strmatch(mode, "md5") ? "md5" : "plain-text");
+ 	if (strmatch(mode, "md5"))
+diff --git a/lib/zebra.h b/lib/zebra.h
+index 53ae5b4..930307f 100644
+--- a/lib/zebra.h
++++ b/lib/zebra.h
+@@ -114,6 +114,7 @@
+ #ifdef CRYPTO_OPENSSL
+ #include <openssl/evp.h>
+ #include <openssl/hmac.h>
++#include <openssl/fips.h>
+ #endif
+
+ #include "openbsd-tree.h"
diff --git a/0005-CVE-2023-47235.patch b/0005-CVE-2023-47235.patch
new file mode 100644
index 0000000..6d0504b
--- /dev/null
+++ b/0005-CVE-2023-47235.patch
@@ -0,0 +1,110 @@
+From 71422bfe269e34b69d78f9fb02f30426f2fdef48 Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Wed, 13 Dec 2023 16:59:46 +0100
+Subject: [PATCH] bgpd: Treat EOR as withdrawn to avoid unwanted handling of 
+ malformed attrs
+
+Treat-as-withdraw, otherwise if we just ignore it, we will pass it to be
+processed as a normal UPDATE without mandatory attributes, that could lead
+to harmful behavior. In this case, a crash for route-maps with the configuration
+such as:
+
+```
+router bgp 65001
+ no bgp ebgp-requires-policy
+ neighbor 127.0.0.1 remote-as external
+ neighbor 127.0.0.1 passive
+ neighbor 127.0.0.1 ebgp-multihop
+ neighbor 127.0.0.1 disable-connected-check
+ neighbor 127.0.0.1 update-source 127.0.0.2
+ neighbor 127.0.0.1 timers 3 90
+ neighbor 127.0.0.1 timers connect 1
+ !
+ address-family ipv4 unicast
+  neighbor 127.0.0.1 addpath-tx-all-paths
+  neighbor 127.0.0.1 default-originate
+  neighbor 127.0.0.1 route-map RM_IN in
+ exit-address-family
+exit
+!
+route-map RM_IN permit 10
+ set as-path prepend 200
+exit
+```
+
+Send a malformed optional transitive attribute:
+
+```
+import socket
+import time
+
+OPEN = (b"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+b"\xff\xff\x00\x62\x01\x04\xfd\xea\x00\x5a\x0a\x00\x00\x01\x45\x02"
+b"\x06\x01\x04\x00\x01\x00\x01\x02\x02\x02\x00\x02\x02\x46\x00\x02"
+b"\x06\x41\x04\x00\x00\xfd\xea\x02\x02\x06\x00\x02\x06\x45\x04\x00"
+b"\x01\x01\x03\x02\x0e\x49\x0c\x0a\x64\x6f\x6e\x61\x74\x61\x73\x2d"
+b"\x70\x63\x00\x02\x04\x40\x02\x00\x78\x02\x09\x47\x07\x00\x01\x01"
+b"\x80\x00\x00\x00")
+
+KEEPALIVE = (b"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
+b"\xff\xff\xff\xff\xff\xff\x00\x13\x04")
+
+UPDATE = bytearray.fromhex("ffffffffffffffffffffffffffffffff002b0200000003c0ff00010100eb00ac100b0b001ad908ac100b0b")
+
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+s.connect(('127.0.0.2', 179))
+s.send(OPEN)
+data = s.recv(1024)
+s.send(KEEPALIVE)
+data = s.recv(1024)
+s.send(UPDATE)
+data = s.recv(1024)
+time.sleep(100)
+s.close()
+```
+
+Reported-by: Iggy Frankovic <iggyfran@amazon.com>
+Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
+
+(cherry picked from commit 6814f2e0138a6ea5e1f83bdd9085d9a77999900b)
+---
+ bgpd/bgp_attr.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
+index a121911..12a6953 100644
+--- a/bgpd/bgp_attr.c
++++ b/bgpd/bgp_attr.c
+@@ -3079,9 +3079,12 @@ static int bgp_attr_check(struct peer *peer, struct attr *attr)
+ 	uint8_t type = 0;
+ 
+ 	/* BGP Graceful-Restart End-of-RIB for IPv4 unicast is signaled as an
+-	 * empty UPDATE.  */
++	 * empty UPDATE. Treat-as-withdraw, otherwise if we just ignore it,
++	 * we will pass it to be processed as a normal UPDATE without mandatory
++	 * attributes, that could lead to harmful behavior.
++	 */
+ 	if (CHECK_FLAG(peer->cap, PEER_CAP_RESTART_RCV) && !attr->flag)
+-		return BGP_ATTR_PARSE_PROCEED;
++		return BGP_ATTR_PARSE_WITHDRAW;
+ 
+ 	/* "An UPDATE message that contains the MP_UNREACH_NLRI is not required
+ 	   to carry any other path attributes.", though if MP_REACH_NLRI or NLRI
+@@ -3507,7 +3510,13 @@ done:
+ 	aspath_unintern(&as4_path);
+ 
+ 	transit = bgp_attr_get_transit(attr);
+-	if (ret != BGP_ATTR_PARSE_ERROR) {
++	/* If we received an UPDATE with mandatory attributes, then
++	 * the unrecognized transitive optional attribute of that
++	 * path MUST be passed. Otherwise, it's an error, and from
++	 * security perspective it might be very harmful if we continue
++	 * here with the unrecognized attributes.
++	 */
++	if (ret == BGP_ATTR_PARSE_PROCEED) {
+ 		/* Finally intern unknown attribute. */
+ 		if (transit)
+ 			bgp_attr_set_transit(attr, transit_intern(transit));
+-- 
+2.43.0
+
diff --git a/0006-CVE-2023-47234.patch b/0006-CVE-2023-47234.patch
new file mode 100644
index 0000000..39f1886
--- /dev/null
+++ b/0006-CVE-2023-47234.patch
@@ -0,0 +1,95 @@
+From 7fe95b24333cceb6cd04595694cd502fcd3666f6 Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Wed, 13 Dec 2023 18:25:48 +0100
+Subject: [PATCH] bgpd: Ignore handling NLRIs if we received MP_UNREACH_NLRI
+
+If we receive MP_UNREACH_NLRI, we should stop handling remaining NLRIs if
+no mandatory path attributes received.
+
+In other words, if MP_UNREACH_NLRI received, the remaining NLRIs should be handled
+as a new data, but without mandatory attributes, it's a malformed packet.
+
+In normal case, this MUST not happen at all, but to avoid crashing bgpd, we MUST
+handle that.
+
+Reported-by: Iggy Frankovic <iggyfran@amazon.com>
+Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
+Signed-off-by: Christian Breunig <christian@breunig.cc>
+
+(cherry picked from commit c37119df45bbf4ef713bc10475af2ee06e12f3bf)
+---
+ bgpd/bgp_attr.c   | 19 ++++++++++---------
+ bgpd/bgp_attr.h   |  1 +
+ bgpd/bgp_packet.c |  7 ++++++-
+ 3 files changed, 17 insertions(+), 10 deletions(-)
+
+diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
+index 12a6953..8b02f2c 100644
+--- a/bgpd/bgp_attr.c
++++ b/bgpd/bgp_attr.c
+@@ -3086,15 +3086,6 @@ static int bgp_attr_check(struct peer *peer, struct attr *attr)
+ 	if (CHECK_FLAG(peer->cap, PEER_CAP_RESTART_RCV) && !attr->flag)
+ 		return BGP_ATTR_PARSE_WITHDRAW;
+ 
+-	/* "An UPDATE message that contains the MP_UNREACH_NLRI is not required
+-	   to carry any other path attributes.", though if MP_REACH_NLRI or NLRI
+-	   are present, it should.  Check for any other attribute being present
+-	   instead.
+-	 */
+-	if ((!CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_MP_REACH_NLRI)) &&
+-	     CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_MP_UNREACH_NLRI))))
+-		return BGP_ATTR_PARSE_PROCEED;
+-
+ 	if (!CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_ORIGIN)))
+ 		type = BGP_ATTR_ORIGIN;
+ 
+@@ -3113,6 +3104,16 @@ static int bgp_attr_check(struct peer *peer, struct attr *attr)
+ 	    && !CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_LOCAL_PREF)))
+ 		type = BGP_ATTR_LOCAL_PREF;
+ 
++	/* An UPDATE message that contains the MP_UNREACH_NLRI is not required
++	 * to carry any other path attributes. Though if MP_REACH_NLRI or NLRI
++	 * are present, it should. Check for any other attribute being present
++	 * instead.
++	 */
++	if (!CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_MP_REACH_NLRI)) &&
++	    CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_MP_UNREACH_NLRI)))
++		return type ? BGP_ATTR_PARSE_MISSING_MANDATORY
++			    : BGP_ATTR_PARSE_PROCEED;
++
+ 	/* If any of the well-known mandatory attributes are not present
+ 	 * in an UPDATE message, then "treat-as-withdraw" MUST be used.
+ 	 */
+diff --git a/bgpd/bgp_attr.h b/bgpd/bgp_attr.h
+index 06f350b..b9dfec9 100644
+--- a/bgpd/bgp_attr.h
++++ b/bgpd/bgp_attr.h
+@@ -379,6 +379,7 @@ enum bgp_attr_parse_ret {
+ 	 */
+ 	BGP_ATTR_PARSE_ERROR_NOTIFYPLS = -3,
+ 	BGP_ATTR_PARSE_EOR = -4,
++	BGP_ATTR_PARSE_MISSING_MANDATORY = -5,
+ };
+ 
+ struct bpacket_attr_vec_arr;
+diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
+index a5f065a..cdf0734 100644
+--- a/bgpd/bgp_packet.c
++++ b/bgpd/bgp_packet.c
+@@ -1873,7 +1873,12 @@ static int bgp_update_receive(struct peer *peer, bgp_size_t size)
+ 	/* Network Layer Reachability Information. */
+ 	update_len = end - stream_pnt(s);
+ 
+-	if (update_len && attribute_len) {
++	/* If we received MP_UNREACH_NLRI attribute, but also NLRIs, then
++	 * NLRIs should be handled as a new data. Though, if we received
++	 * NLRIs without mandatory attributes, they should be ignored.
++	 */
++	if (update_len && attribute_len &&
++	    attr_parse_ret != BGP_ATTR_PARSE_MISSING_MANDATORY) {
+ 		/* Set NLRI portion to structure. */
+ 		nlris[NLRI_UPDATE].afi = AFI_IP;
+ 		nlris[NLRI_UPDATE].safi = SAFI_UNICAST;
+-- 
+2.43.0
+
diff --git a/0007-CVE-2023-46752.patch b/0007-CVE-2023-46752.patch
new file mode 100644
index 0000000..054853e
--- /dev/null
+++ b/0007-CVE-2023-46752.patch
@@ -0,0 +1,76 @@
+From b08afc81c60607a4f736f418f2e3eb06087f1a35 Mon Sep 17 00:00:00 2001
+From: Donatas Abraitis <donatas@opensourcerouting.org>
+Date: Fri, 20 Oct 2023 17:49:18 +0300
+Subject: [PATCH] bgpd: Handle MP_REACH_NLRI malformed packets with session
+ reset
+
+Avoid crashing bgpd.
+
+Reported-by: Iggy Frankovic <iggyfran@amazon.com>
+Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
+---
+ bgpd/bgp_attr.c   | 6 +-----
+ bgpd/bgp_attr.h   | 1 -
+ bgpd/bgp_packet.c | 6 +-----
+ 3 files changed, 2 insertions(+), 11 deletions(-)
+
+diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
+index 6925aff727e2..e7bb42a5d989 100644
+--- a/bgpd/bgp_attr.c
++++ b/bgpd/bgp_attr.c
+@@ -2421,7 +2421,7 @@ int bgp_mp_reach_parse(struct bgp_attr_parser_args *args,
+ 
+ 		mp_update->afi = afi;
+ 		mp_update->safi = safi;
+-		return BGP_ATTR_PARSE_EOR;
++		return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_MAL_ATTR, 0);
+ 	}
+ 
+ 	mp_update->afi = afi;
+@@ -3759,10 +3759,6 @@ enum bgp_attr_parse_ret bgp_attr_parse(struct peer *peer, struct attr *attr,
+ 			goto done;
+ 		}
+ 
+-		if (ret == BGP_ATTR_PARSE_EOR) {
+-			goto done;
+-		}
+-
+ 		if (ret == BGP_ATTR_PARSE_ERROR) {
+ 			flog_warn(EC_BGP_ATTRIBUTE_PARSE_ERROR,
+ 				  "%s: Attribute %s, parse error", peer->host,
+diff --git a/bgpd/bgp_attr.h b/bgpd/bgp_attr.h
+index 961e5f122470..fc347e7a1b4b 100644
+--- a/bgpd/bgp_attr.h
++++ b/bgpd/bgp_attr.h
+@@ -364,7 +364,6 @@ enum bgp_attr_parse_ret {
+ 	/* only used internally, send notify + convert to BGP_ATTR_PARSE_ERROR
+ 	 */
+ 	BGP_ATTR_PARSE_ERROR_NOTIFYPLS = -3,
+-	BGP_ATTR_PARSE_EOR = -4,
+ 	BGP_ATTR_PARSE_MISSING_MANDATORY = -5,
+ };
+ 
+diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
+index b585591e2f69..5ecf343b6657 100644
+--- a/bgpd/bgp_packet.c
++++ b/bgpd/bgp_packet.c
+@@ -2397,8 +2397,7 @@ static int bgp_update_receive(struct peer_connection *connection,
+ 	 * Non-MP IPv4/Unicast EoR is a completely empty UPDATE
+ 	 * and MP EoR should have only an empty MP_UNREACH
+ 	 */
+-	if ((!update_len && !withdraw_len && nlris[NLRI_MP_UPDATE].length == 0)
+-	    || (attr_parse_ret == BGP_ATTR_PARSE_EOR)) {
++	if (!update_len && !withdraw_len && nlris[NLRI_MP_UPDATE].length == 0) {
+ 		afi_t afi = 0;
+ 		safi_t safi;
+ 		struct graceful_restart_info *gr_info;
+@@ -2419,9 +2418,6 @@ static int bgp_update_receive(struct peer_connection *connection,
+ 			   && nlris[NLRI_MP_WITHDRAW].length == 0) {
+ 			afi = nlris[NLRI_MP_WITHDRAW].afi;
+ 			safi = nlris[NLRI_MP_WITHDRAW].safi;
+-		} else if (attr_parse_ret == BGP_ATTR_PARSE_EOR) {
+-			afi = nlris[NLRI_MP_UPDATE].afi;
+-			safi = nlris[NLRI_MP_UPDATE].safi;
+ 		}
+ 
+ 		if (afi && peer->afc[afi][safi]) {
diff --git a/0008-CVE-2023-46753.patch b/0008-CVE-2023-46753.patch
new file mode 100644
index 0000000..f1f0611
--- /dev/null
+++ b/0008-CVE-2023-46753.patch
@@ -0,0 +1,60 @@
+From d8482bf011cb2b173e85b65b4bf3d5061250cdb9 Mon Sep 17 00:00:00 2001
+From: Donatas Abraitis <donatas@opensourcerouting.org>
+Date: Mon, 23 Oct 2023 23:34:10 +0300
+Subject: [PATCH] bgpd: Check mandatory attributes more carefully for UPDATE
+ message
+
+If we send a crafted BGP UPDATE message without mandatory attributes, we do
+not check if the length of the path attributes is zero or not. We only check
+if attr->flag is at least set or not. Imagine we send only unknown transit
+attribute, then attr->flag is always 0. Also, this is true only if graceful-restart
+capability is received.
+
+Reported-by: Iggy Frankovic <iggyfran@amazon.com>
+Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
+---
+ bgpd/bgp_attr.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
+index 26fd3de..bcc4424 100644
+--- a/bgpd/bgp_attr.c
++++ b/bgpd/bgp_attr.c
+@@ -3400,7 +3400,8 @@ bgp_attr_unknown(struct bgp_attr_parser_args *args)
+ }
+ 
+ /* Well-known attribute check. */
+-static int bgp_attr_check(struct peer *peer, struct attr *attr)
++static int bgp_attr_check(struct peer *peer, struct attr *attr,
++           bgp_size_t length)
+ {
+ 	uint8_t type = 0;
+ 
+@@ -3409,7 +3410,8 @@ static int bgp_attr_check(struct peer *peer, struct attr *attr)
+ 	 * we will pass it to be processed as a normal UPDATE without mandatory
+ 	 * attributes, that could lead to harmful behavior.
+ 	 */
+-	if (CHECK_FLAG(peer->cap, PEER_CAP_RESTART_RCV) && !attr->flag)
++	if (CHECK_FLAG(peer->cap, PEER_CAP_RESTART_RCV) && !attr->flag &&
++      !length)
+ 		return BGP_ATTR_PARSE_WITHDRAW;
+ 
+ 	if (!CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_ORIGIN)))
+@@ -3462,7 +3464,7 @@ enum bgp_attr_parse_ret bgp_attr_parse(struct peer *peer, struct attr *attr,
+ 	enum bgp_attr_parse_ret ret;
+ 	uint8_t flag = 0;
+ 	uint8_t type = 0;
+-	bgp_size_t length;
++	bgp_size_t length = 0;
+ 	uint8_t *startp, *endp;
+ 	uint8_t *attr_endp;
+ 	uint8_t seen[BGP_ATTR_BITMAP_SIZE];
+@@ -3785,7 +3787,7 @@ enum bgp_attr_parse_ret bgp_attr_parse(struct peer *peer, struct attr *attr,
+ 	}
+ 
+ 	/* Check all mandatory well-known attributes are present */
+-	ret = bgp_attr_check(peer, attr);
++	ret = bgp_attr_check(peer, attr, length);
+ 	if (ret < 0)
+ 		goto done;
+ 
diff --git a/frr-sysusers.conf b/frr-sysusers.conf
new file mode 100644
index 0000000..9632955
--- /dev/null
+++ b/frr-sysusers.conf
@@ -0,0 +1,4 @@
+#Type Name   ID     GECOS                        Home directory  Shell
+g     frrvty -
+u     frr    -      "FRRouting routing suite"    /var/run/frr    /sbin/nologin
+m     frr    frrvty
diff --git a/frr-tmpfiles.conf b/frr-tmpfiles.conf
new file mode 100644
index 0000000..c1613b2
--- /dev/null
+++ b/frr-tmpfiles.conf
@@ -0,0 +1 @@
+d /run/frr 0755 frr frr -
diff --git a/frr.fc b/frr.fc
new file mode 100644
index 0000000..a6eac2c
--- /dev/null
+++ b/frr.fc
@@ -0,0 +1,29 @@
+/usr/libexec/frr/(.*)?              gen_context(system_u:object_r:frr_exec_t,s0)
+
+/usr/lib/systemd/system/frr.*   gen_context(system_u:object_r:frr_unit_file_t,s0)
+
+/etc/frr(/.*)?                  gen_context(system_u:object_r:frr_conf_t,s0)
+
+/var/log/frr(/.*)?              gen_context(system_u:object_r:frr_log_t,s0)
+/var/tmp/frr(/.*)?              gen_context(system_u:object_r:frr_tmp_t,s0)
+
+/var/lock/subsys/bfdd       --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/bgpd       --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/eigrpd     --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/fabricd    --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/isisd      --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/nhrpd      --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/ospf6d     --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/ospfd      --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/pbrd       --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/pimd       --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/ripd       --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/ripngd     --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/staticd    --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/zebra      --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/vrrpd      --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/pathd      --  gen_context(system_u:object_r:frr_lock_t,s0)
+
+/var/run/frr(/.*)?              gen_context(system_u:object_r:frr_var_run_t,s0)
+
+/usr/bin/vtysh              --  gen_context(system_u:object_r:frr_exec_t,s0)
diff --git a/frr.if b/frr.if
new file mode 100644
index 0000000..8dbabba
--- /dev/null
+++ b/frr.if
@@ -0,0 +1,214 @@
+## <summary>policy for frr</summary>
+
+########################################
+## <summary>
+##	Execute frr_exec_t in the frr domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`frr_domtrans',`
+	gen_require(`
+		type frr_t, frr_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, frr_exec_t, frr_t)
+')
+
+######################################
+## <summary>
+##	Execute frr in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`frr_exec',`
+	gen_require(`
+		type frr_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, frr_exec_t)
+')
+
+########################################
+## <summary>
+##	Read frr's log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`frr_read_log',`
+	gen_require(`
+		type frr_log_t;
+	')
+
+	read_files_pattern($1, frr_log_t, frr_log_t)
+	optional_policy(`
+		logging_search_logs($1)
+	')
+')
+
+########################################
+## <summary>
+##	Append to frr log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`frr_append_log',`
+	gen_require(`
+		type frr_log_t;
+	')
+
+	append_files_pattern($1, frr_log_t, frr_log_t)
+	optional_policy(`
+		logging_search_logs($1)
+	')
+')
+
+########################################
+## <summary>
+##	Manage frr log files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`frr_manage_log',`
+	gen_require(`
+		type frr_log_t;
+	')
+
+	manage_dirs_pattern($1, frr_log_t, frr_log_t)
+	manage_files_pattern($1, frr_log_t, frr_log_t)
+	manage_lnk_files_pattern($1, frr_log_t, frr_log_t)
+	optional_policy(`
+		logging_search_logs($1)
+	')
+')
+
+########################################
+## <summary>
+##	Read frr PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`frr_read_pid_files',`
+	gen_require(`
+		type frr_var_run_t;
+	')
+
+	files_search_pids($1)
+	read_files_pattern($1, frr_var_run_t, frr_var_run_t)
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an frr environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`frr_admin',`
+	gen_require(`
+		type frr_t;
+		type frr_log_t;
+		type frr_var_run_t;
+	')
+
+	allow $1 frr_t:process { signal_perms };
+	ps_process_pattern($1, frr_t)
+
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 frr_t:process ptrace;
+	')
+
+	admin_pattern($1, frr_log_t)
+
+	files_search_pids($1)
+	admin_pattern($1, frr_var_run_t)
+	optional_policy(`
+		logging_search_logs($1)
+	')
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
+
+########################################
+#
+# Interface compatibility blocks
+#
+# The following definitions ensure compatibility with distribution policy
+# versions that do not contain given interfaces (epel, or older Fedora
+# releases).
+# Each block tests for existence of given interface and defines it if needed.
+#
+
+######################################
+## <summary>
+##	Watch ifconfig_var_run_t directories
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+ifndef(`sysnet_watch_ifconfig_run',`
+	interface(`sysnet_watch_ifconfig_run',`
+		gen_require(`
+			type ifconfig_var_run_t;
+		')
+
+		watch_dirs_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
+	')
+')
+
+########################################
+## <summary>
+##	Read ifconfig_var_run_t files and link files
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+ifndef(`sysnet_read_ifconfig_run',`
+	interface(`sysnet_read_ifconfig_run',`
+		gen_require(`
+			type ifconfig_var_run_t;
+		')
+
+		list_dirs_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
+		read_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
+		read_lnk_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
+	')
+')
diff --git a/frr.spec b/frr.spec
new file mode 100644
index 0000000..e9b8a38
--- /dev/null
+++ b/frr.spec
@@ -0,0 +1,452 @@
+%global frr_libdir %{_libexecdir}/frr
+
+%global _hardened_build 1
+%define _legacy_common_support 1
+%global selinuxtype targeted
+%bcond_without selinux
+
+Name: frr
+Version: 8.5.3
+Release: 4%{?checkout}%{?dist}
+Summary: Routing daemon
+License: GPLv2+
+URL: http://www.frrouting.org
+Source0: https://github.com/FRRouting/frr/releases/download/%{name}-%{version}/%{name}-%{version}.tar.gz
+Source1: %{name}-tmpfiles.conf
+Source2: frr-sysusers.conf
+Source3: frr.fc
+Source4: frr.te
+Source5: frr.if
+Source6: remove-babeld-ldpd.sh
+BuildRequires:  autoconf
+BuildRequires:  automake
+BuildRequires:  bison >= 2.7
+BuildRequires:  c-ares-devel
+BuildRequires:  flex
+BuildRequires:  gcc
+BuildRequires:  gcc-c++
+BuildRequires:  git-core
+BuildRequires:  groff
+BuildRequires:  json-c-devel
+BuildRequires:  libcap-devel
+BuildRequires:  libtool
+BuildRequires:  libyang-devel >= 2.0.0
+BuildRequires:  make
+BuildRequires:  ncurses
+BuildRequires:  ncurses-devel
+BuildRequires:  net-snmp-devel
+BuildRequires:  pam-devel
+BuildRequires:  patch
+BuildRequires:  perl-XML-LibXML
+BuildRequires:  perl-generators
+BuildRequires:  python3-devel
+BuildRequires:  python3-pytest
+BuildRequires:  python3-sphinx
+BuildRequires:  readline-devel
+BuildRequires:  systemd-devel
+BuildRequires:  systemd-rpm-macros
+BuildRequires:  texinfo
+
+Requires: net-snmp
+Requires: ncurses
+Requires(post): systemd
+Requires(post): /sbin/install-info
+Requires(post): hostname
+Requires(preun): systemd
+Requires(preun): /sbin/install-info
+Requires(postun): systemd
+
+%if 0%{?with_selinux}
+Requires: (%{name}-selinux = %{version}-%{release} if selinux-policy-%{selinuxtype})
+%endif
+
+Conflicts: quagga
+Provides: routingdaemon = %{version}-%{release}
+
+Patch0000: 0000-remove-babeld-and-ldpd.patch
+Patch0002: 0002-enable-openssl.patch
+Patch0003: 0003-disable-eigrp-crypto.patch
+Patch0004: 0004-fips-mode.patch
+Patch0005: 0005-CVE-2023-47235.patch
+Patch0006: 0006-CVE-2023-47234.patch
+Patch0007: 0007-CVE-2023-46752.patch
+Patch0008: 0008-CVE-2023-46753.patch
+
+%description
+FRRouting is free software that manages TCP/IP based routing protocols. It takes
+a multi-server and multi-threaded approach to resolve the current complexity
+of the Internet.
+
+FRRouting supports BGP4, OSPFv2, OSPFv3, ISIS, RIP, RIPng, PIM, NHRP, PBR, EIGRP and BFD.
+
+FRRouting is a fork of Quagga.
+
+%if 0%{?with_selinux}
+%package selinux
+Summary:        Selinux policy for FRR
+BuildArch:      noarch
+Requires:       selinux-policy-%{selinuxtype}
+Requires(post): selinux-policy-%{selinuxtype}
+BuildRequires:  selinux-policy-devel
+%{?selinux_requires}
+
+%description selinux
+SELinux policy modules for FRR package
+
+%endif
+
+%prep
+%autosetup -S git
+mkdir selinux
+cp -p %{SOURCE3} %{SOURCE4} %{SOURCE5} selinux
+
+%build
+autoreconf -ivf
+
+%configure \
+    --sbindir=%{frr_libdir} \
+    --sysconfdir=%{_sysconfdir}/frr \
+    --libdir=%{_libdir}/frr \
+    --libexecdir=%{_libexecdir}/frr \
+    --localstatedir=%{_localstatedir}/run/frr \
+    --enable-multipath=64 \
+    --enable-vtysh=yes \
+    --disable-ospfclient \
+    --disable-ospfapi \
+    --enable-snmp=agentx \
+    --enable-user=frr \
+    --enable-group=frr \
+    --enable-vty-group=frrvty \
+    --enable-rtadv \
+    --disable-exampledir \
+    --enable-systemd=yes \
+    --enable-static=no \
+    --disable-ldpd \
+    --disable-babeld \
+    --with-moduledir=%{_libdir}/frr/modules \
+    --with-crypto=openssl \
+    --enable-fpm
+
+%make_build MAKEINFO="makeinfo --no-split" PYTHON=%{__python3}
+
+pushd doc
+make info
+popd
+
+%if 0%{?with_selinux}
+make -C selinux -f %{_datadir}/selinux/devel/Makefile %{name}.pp
+bzip2 -9 selinux/%{name}.pp
+%endif
+
+%install
+mkdir -p %{buildroot}/etc/{frr,rc.d/init.d,sysconfig,logrotate.d,pam.d,default} \
+         %{buildroot}/var/log/frr %{buildroot}%{_infodir} \
+         %{buildroot}%{_unitdir}
+
+mkdir -p -m 0755 %{buildroot}%{_libdir}/frr
+mkdir -p %{buildroot}%{_tmpfilesdir}
+
+%make_install
+
+# Remove this file, as it is uninstalled and causes errors when building on RH9
+rm -rf %{buildroot}/usr/share/info/dir
+
+install -p -m 644 %{SOURCE1} %{buildroot}%{_tmpfilesdir}/%{name}.conf
+install -p -m 644 tools/etc/frr/daemons %{buildroot}/etc/frr/daemons
+install -p -m 644 tools/frr.service %{buildroot}%{_unitdir}/frr.service
+install -p -m 755 tools/frrinit.sh %{buildroot}%{frr_libdir}/frr
+install -p -m 755 tools/frrcommon.sh %{buildroot}%{frr_libdir}/frrcommon.sh
+install -p -m 755 tools/watchfrr.sh %{buildroot}%{frr_libdir}/watchfrr.sh
+
+install -p -m 644 redhat/frr.logrotate %{buildroot}/etc/logrotate.d/frr
+install -p -m 644 redhat/frr.pam %{buildroot}/etc/pam.d/frr
+install -d -m 775 %{buildroot}/run/frr
+
+install -p -D -m 0644 %{SOURCE2} ${RPM_BUILD_ROOT}/%{_sysusersdir}/frr.conf
+
+%if 0%{?with_selinux}
+install -D -m 644 selinux/%{name}.pp.bz2 \
+        %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
+install -D -m 644 selinux/%{name}.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/%{name}.if
+%endif
+
+# Delete libtool archives
+find %{buildroot} -type f -name "*.la" -delete -print
+
+#Upstream does not maintain a stable API, these headers from -devel subpackage are no longer needed
+rm %{buildroot}%{_libdir}/frr/*.so
+rm -r %{buildroot}%{_includedir}/frr/
+
+%pre
+%sysusers_create_compat %{SOURCE2}
+exit 0
+
+%post
+%systemd_post frr.service
+
+if [ -f %{_infodir}/%{name}.inf* ]; then
+    install-info %{_infodir}/frr.info %{_infodir}/dir || :
+fi
+
+# Create dummy files if they don't exist so basic functions can be used.
+# Only create frr.conf when first installing, otherwise it can change
+# the behavior of the package
+if [ $1 -eq 1 ]; then
+    if [ ! -e %{_sysconfdir}/frr/frr.conf ]; then
+        echo "hostname `hostname`" > %{_sysconfdir}/frr/frr.conf
+        chown frr:frr %{_sysconfdir}/frr/frr.conf
+        chmod 640 %{_sysconfdir}/frr/frr.conf
+    fi
+fi
+
+#still used by vtysh, this way no error is produced when using vtysh
+if [ ! -e %{_sysconfdir}/frr/vtysh.conf ]; then
+    touch %{_sysconfdir}/frr/vtysh.conf
+    chmod 640 %{_sysconfdir}/frr/vtysh.conf
+    chown frr:frrvty %{_sysconfdir}/frr/vtysh.conf
+fi
+
+
+%postun
+%systemd_postun_with_restart frr.service
+
+%preun
+%systemd_preun frr.service
+
+#only when removing frr
+if [ $1 -eq 0 ]; then
+	if [ -f %{_infodir}/%{name}.inf* ]; then
+    	install-info --delete %{_infodir}/frr.info %{_infodir}/dir || :
+	fi
+fi
+
+%if 0%{?with_selinux}
+%pre selinux
+%selinux_relabel_pre -s %{selinuxtype}
+
+%post selinux
+%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
+%selinux_relabel_post -s %{selinuxtype}
+#/var/tmp and /var/run need to be relabeled as well if FRR is running before upgrade
+if [ $1 == 2 ]; then
+    %{_sbindir}/restorecon -R /var/tmp/frr &> /dev/null
+    %{_sbindir}/restorecon -R /var/run/frr &> /dev/null
+fi
+
+%postun selinux
+if [ $1 -eq 0 ]; then
+    %selinux_modules_uninstall -s %{selinuxtype} %{name}
+    %selinux_relabel_post -s %{selinuxtype}
+fi
+%endif
+
+%check
+make check PYTHON=%{__python3}
+
+%files
+%defattr(-,root,root)
+%license COPYING
+%doc doc/mpls
+%dir %attr(750,frr,frr) %{_sysconfdir}/frr
+%dir %attr(755,frr,frr) /var/log/frr
+%dir %attr(755,frr,frr) /run/frr
+%{_infodir}/*info*
+%{_mandir}/man*/*
+%dir %{frr_libdir}/
+%{frr_libdir}/*
+%{_bindir}/*
+%dir %{_libdir}/frr
+%{_libdir}/frr/*.so.*
+%dir %{_libdir}/frr/modules
+%{_libdir}/frr/modules/*
+%config(noreplace) %attr(644,root,root) /etc/logrotate.d/frr
+%config(noreplace) %attr(644,frr,frr) /etc/frr/daemons
+%config(noreplace) /etc/pam.d/frr
+%{_unitdir}/*.service
+%dir /usr/share/yang
+/usr/share/yang/*.yang
+%{_tmpfilesdir}/%{name}.conf
+%{_sysusersdir}/frr.conf
+
+%if 0%{?with_selinux}
+%files selinux
+%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.*
+%{_datadir}/selinux/devel/include/distributed/%{name}.if
+%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name}
+%endif
+
+%changelog
+* Mon Feb 05 2024 Michal Ruprich <mruprich@redhat.com> - 8.5.3-4
+- Resolves: RHEL-14825 - crafted BGP UPDATE message leading to a crash
+
+* Mon Feb 05 2024 Michal Ruprich <mruprich@redhat.com> - 8.5.3-3
+- Resolves: RHEL-14822 - mishandled malformed data leading to a crash
+
+* Mon Dec 18 2023 Michal Ruprich <mruprich@redhat.com> - 8.5.3-2
+- Resolves: RHEL-15915 - crash from specially crafted MP_UNREACH_NLRI-containing BGP UPDATE message
+- Resolves: RHEL-15918 - crash from malformed EOR-containing BGP UPDATE message
+
+* Thu Nov 23 2023 Michal Ruprich <mruprich@redhat.com> - 8.5.3-1
+- Resolves: RHEL-15291 - Rebase FRR to version 8.5.3 in RHEL9
+
+* Fri Oct 13 2023 Michal Ruprich <mruprich@redhat.com> - 8.3.1-12
+- Resolves: RHEL-3541 - Incorrect handling of a error in parsing of an invalid section of a BGP update can de-peer a router
+
+* Thu Sep 21 2023 Carlos Goncalves <cgoncalves@redhat.com> - 8.3.1-11
+- Resolves: RHEL-2263 - bgpd: Do not explicitly print MAXTTL value for ebgp-multihop vty output
+
+* Thu Aug 10 2023 Michal Ruprich <mruprich@redhat.com> - 8.3.1-10
+- Related: #2216912 - adding sys_admin to capabilities
+
+* Tue Aug 08 2023 Michal Ruprich <mruprich@redhat.com> - 8.3.1-9
+- Resolves: #2215346 - frr policy does not allow the execution of /usr/sbin/ipsec
+
+* Mon Aug 07 2023 Michal Ruprich <mruprich@redhat.com> - 8.3.1-8
+- Resolves: #2216912 - SELinux is preventing FRR-Zebra to access to network namespaces
+
+* Wed Jun 07 2023 Michal Ruprich <mruprich@redhat.com> - 8.3.1-7
+- Resolves: #2168855 - BFD not working through VRF
+
+* Tue May 23 2023 Michal Ruprich <mruprich@redhat.com> - 8.3.1-6
+- Resolves: #2184870 - Reachable assertion in peek_for_as4_capability function
+- Resolves: #2196795 - denial of service by crafting a BGP OPEN message with an option of type 0xff
+- Resolves: #2196796 - denial of service by crafting a BGP OPEN message with an option of type 0xff
+- Resolves: #2196794 - out-of-bounds read exists in the BGP daemon of FRRouting
+
+* Mon Nov 28 2022 Michal Ruprich <mruprich@redhat.com> - 8.3.1-5
+- Resolves: #2147522 - It is not possible to run FRR as a non-root user
+
+* Thu Nov 24 2022 Michal Ruprich <mruprich@redhat.com> - 8.3.1-4
+- Resolves: #2144500 - AVC error when reloading FRR with provided reload script
+
+* Wed Oct 19 2022 Michal Ruprich <mruprich@redhat.com> - 8.3.1-3
+- Related: #2129743 - Adding missing rules for vtysh and other daemons
+
+* Mon Oct 17 2022 Michal Ruprich <mruprich@redhat.com> - 8.3.1-2
+- Resolves: #2128738 - out-of-bounds read in the BGP daemon may lead to information disclosure or denial of service
+
+* Thu Oct 13 2022 Michal Ruprich <mruprich@redhat.com> - 8.3.1-1
+- Resolves: #2129731 - Rebase FRR to the latest version
+- Resolves: #2129743 - Add targeted SELinux policy for FRR
+- Resolves: #2127494 - BGP incorrectly withdraws routes on graceful restart capable routers 
+
+* Tue Jun 14 2022 Michal Ruprich - 8.2.2-4
+- Resolves: #2095404 - frr use systemd-sysusers
+
+* Tue May 24 2022 Michal Ruprich <mruprich@redhat.com> - 8.2.2-3
+- Resolves: #2081304 - Enhanced TMT testing for centos-stream
+
+* Mon May 02 2022 Michal Ruprich <mruprich@redhat.com> - 8.2.2-2
+- Resolves: #2069571 - the dynamic routing setup does not work any more
+
+* Mon May 02 2022 Michal Ruprich <mruprich@redhat.com> - 8.2.2-1
+- Resolves: #2069563 - Rebase frr to version 8.2.2
+
+* Tue Nov 16 2021 Michal Ruprich <mruprich@redhat.com> - 8.0-5
+- Resolves: #2023318 - Rebuilding for the new json-c library
+
+* Wed Sep 01 2021 Michal Ruprich <mruprich@redhat.com> - 8.0-4
+- Resolves: #1997603 - ospfd not running with ospf opaque-lsa option used
+
+* Mon Aug 16 2021 Michal Ruprich <mruprich@redhat.com> - 8.0-3
+- Related: #1990858 - Fixing prefix-list duplication check
+
+* Thu Aug 12 2021 Michal Ruprich <mruprich@redhat.com> - 8.0-2
+- Related: #1990858 - Frr needs higher version of libyang
+
+* Tue Aug 10 2021 Michal Ruprich <mruprich@redhat.com> - 8.0-1
+- Resolves: #1990858 - Possible rebase of frr to version 8.0
+
+* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 7.5.1-7
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688
+
+* Wed Jul 21 2021 Michal Ruprich <mruprich@redhat.com> - 7.5.1-6
+- Resolves: #1983967 - ospfd crashes in route_node_delete with assertion fail
+
+* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 7.5.1-5
+- Rebuilt for RHEL 9 BETA for openssl 3.0
+  Related: rhbz#1971065
+
+* Fri Jun 04 2021 Michal Ruprich <mruprich@redhat.com> - 7.5.1-4
+- Resolves: #1958155 - Upgrading frr unconditionally creates /etc/frr/frr.conf, breaking existing configuration
+
+* Fri Apr 23 2021 Michal Ruprich <mruprich@redhat.com> - 7.5.1-3
+- Resolves: #1939456 - /etc/frr permissions are bogus
+- Resolves: #1951303 - FTBFS in CentOS Stream
+
+* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 7.5.1-2
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+
+* Tue Mar 16 2021 Michal Ruprich <mruprich@redhat.com> - 7.5.1-1
+- New version 7.5.1
+- Enabling grpc, adding hostname for post scriptlet
+- Moving files to libexec due to selinux issues
+
+* Tue Feb 16 2021 Michal Ruprich <mruprich@redhat.com> - 7.5-3
+- Fixing FTBS - icc options are confusing the new gcc
+
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 7.5-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Fri Jan 01 2021 Michal Ruprich <mruprich@redhat.com> - 7.5-1
+- New version 7.5
+
+* Mon Sep 21 2020 Michal Ruprich <mruprich@redhat.com> - 7.4-1
+- New version 7.4
+
+* Thu Aug 27 2020 Josef Řídký <jridky@redhat.com> - 7.3.1-4
+- Rebuilt for new net-snmp release
+
+* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 7.3.1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Thu Jun 18 2020 Michal Ruprich <mruprich@redhat.com> - 7.3.1-1
+- New version 7.3.1
+- Fixes a couple of bugs(#1832259, #1835039, #1830815, #1830808, #1830806, #1830800, #1830798, #1814773)
+
+* Tue May 19 2020 Michal Ruprich <mruprich@redhat.com> - 7.3-6
+- Removing texi2html, it is not available in Rawhide anymore
+
+* Mon May 18 2020 Michal Ruprich <mruprich@redhat.com> - 7.3-5
+- Rebuild for new version of libyang
+
+* Tue Apr 21 2020 Björn Esser <besser82@fedoraproject.org> - 7.3-4
+- Rebuild (json-c)
+
+* Mon Apr 13 2020 Björn Esser <besser82@fedoraproject.org> - 7.3-3
+- Update json-c-0.14 patch with a solution from upstream
+
+* Mon Apr 13 2020 Björn Esser <besser82@fedoraproject.org> - 7.3-2
+- Add support for upcoming json-c 0.14.0
+
+* Wed Feb 19 2020 Michal Ruprich <mruprich@redhat.com> - 7.3-1
+- New version 7.3
+
+* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 7.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Mon Dec 16 2019 Michal Ruprich <mruprich@redhat.com> - 7.2-1
+- New version 7.2
+
+* Tue Nov 12 2019 Michal Ruprich <mruprich@redhat.com> - 7.1-5
+- Rebuilding for new version of libyang
+
+* Mon Oct 07 2019 Michal Ruprich <mruprich@redhat.com> - 7.1-4
+- Adding noreplace to the /etc/frr/daemons file
+
+* Fri Sep 13 2019 Michal Ruprich <mruprich@redhat.com> - 7.1-3
+- New way of finding python version during build
+- Replacing crypto of all routing daemons with openssl
+- Disabling EIGRP crypto because it is broken
+- Disabling crypto in FIPS mode
+
+* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 7.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Tue Jun 25 2019 Michal Ruprich <mruprich@redhat.com> - 7.1-1
+- New version 7.1
+
+* Wed Jun 19 2019 Michal Ruprich <mruprich@redhat.com> - 7.0-2
+- Initial build
+
diff --git a/frr.te b/frr.te
new file mode 100644
index 0000000..d9d1169
--- /dev/null
+++ b/frr.te
@@ -0,0 +1,127 @@
+policy_module(frr, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type frr_t;
+type frr_exec_t;
+init_daemon_domain(frr_t, frr_exec_t)
+
+type frr_log_t;
+logging_log_file(frr_log_t)
+
+type frr_tmp_t;
+files_tmp_file(frr_tmp_t)
+
+type frr_lock_t;
+files_lock_file(frr_lock_t)
+
+type frr_conf_t;
+files_config_file(frr_conf_t)
+
+type frr_unit_file_t;
+systemd_unit_file(frr_unit_file_t)
+
+type frr_var_run_t;
+files_pid_file(frr_var_run_t)
+
+########################################
+#
+# frr local policy
+#
+allow frr_t self:capability { chown dac_override dac_read_search kill net_bind_service net_raw setgid setuid net_admin sys_admin };
+allow frr_t self:netlink_route_socket rw_netlink_socket_perms;
+allow frr_t self:packet_socket create_socket_perms;
+allow frr_t self:process { setcap setpgid };
+allow frr_t self:rawip_socket create_socket_perms;
+allow frr_t self:tcp_socket { connect connected_stream_socket_perms };
+allow frr_t self:udp_socket create_socket_perms;
+allow frr_t self:unix_stream_socket connectto;
+
+allow frr_t frr_conf_t:dir list_dir_perms;
+manage_files_pattern(frr_t, frr_conf_t, frr_conf_t)
+read_lnk_files_pattern(frr_t, frr_conf_t, frr_conf_t)
+
+manage_dirs_pattern(frr_t, frr_log_t, frr_log_t)
+manage_files_pattern(frr_t, frr_log_t, frr_log_t)
+manage_lnk_files_pattern(frr_t, frr_log_t, frr_log_t)
+logging_log_filetrans(frr_t, frr_log_t, { dir file lnk_file })
+
+allow frr_t frr_tmp_t:file map;
+manage_dirs_pattern(frr_t, frr_tmp_t, frr_tmp_t)
+manage_files_pattern(frr_t, frr_tmp_t, frr_tmp_t)
+files_tmp_filetrans(frr_t, frr_tmp_t, { file dir })
+
+manage_files_pattern(frr_t, frr_lock_t, frr_lock_t)
+manage_lnk_files_pattern(frr_t, frr_lock_t, frr_lock_t)
+files_lock_filetrans(frr_t, frr_lock_t, { file lnk_file })
+
+manage_dirs_pattern(frr_t, frr_var_run_t, frr_var_run_t)
+manage_files_pattern(frr_t, frr_var_run_t, frr_var_run_t)
+manage_lnk_files_pattern(frr_t, frr_var_run_t, frr_var_run_t)
+manage_sock_files_pattern(frr_t, frr_var_run_t, frr_var_run_t)
+files_pid_filetrans(frr_t, frr_var_run_t, { dir file lnk_file })
+
+allow frr_t frr_exec_t:dir search_dir_perms;
+can_exec(frr_t, frr_exec_t)
+
+kernel_read_network_state(frr_t)
+kernel_rw_net_sysctls(frr_t)
+kernel_read_system_state(frr_t)
+
+auth_use_nsswitch(frr_t)
+
+corecmd_exec_bin(frr_t)
+
+corenet_tcp_bind_appswitch_emp_port(frr_t)
+corenet_udp_bind_bfd_control_port(frr_t)
+corenet_udp_bind_bfd_echo_port(frr_t)
+corenet_tcp_bind_bgp_port(frr_t)
+corenet_tcp_connect_bgp_port(frr_t)
+corenet_udp_bind_all_unreserved_ports(frr_t);
+corenet_tcp_bind_generic_port(frr_t)
+corenet_tcp_bind_firepower_port(frr_t)
+corenet_tcp_bind_priority_e_com_port(frr_t)
+corenet_udp_bind_router_port(frr_t)
+corenet_tcp_bind_qpasa_agent_port(frr_t)
+corenet_tcp_bind_smntubootstrap_port(frr_t)
+corenet_tcp_bind_versa_tek_port(frr_t)
+corenet_tcp_bind_zebra_port(frr_t)
+
+domain_use_interactive_fds(frr_t)
+
+fs_read_nsfs_files(frr_t)
+
+sysnet_exec_ifconfig(frr_t)
+sysnet_read_ifconfig_run(frr_t)
+sysnet_watch_ifconfig_run(frr_t)
+
+ipsec_domtrans_mgmt(frr_t)
+
+userdom_read_admin_home_files(frr_t)
+
+init_signal(frr_t)
+unconfined_server_signull(frr_t)
+allow frr_t unconfined_service_t:process signal;
+
+optional_policy(`
+	logging_send_syslog_msg(frr_t)
+')
+
+optional_policy(`
+	modutils_exec_kmod(frr_t)
+	modutils_getattr_module_deps(frr_t)
+	modutils_read_module_config(frr_t)
+	modutils_read_module_deps_files(frr_t)
+')
+
+optional_policy(`
+	networkmanager_read_state(frr_t)
+')
+
+optional_policy(`
+	userdom_admin_home_dir_filetrans(frr_t, frr_conf_t, file, ".history_frr")
+	userdom_inherit_append_admin_home_files(frr_t, frr_conf_t, file, ".history_frr")
+')
diff --git a/remove-babeld-ldpd.sh b/remove-babeld-ldpd.sh
new file mode 100644
index 0000000..ae76a45
--- /dev/null
+++ b/remove-babeld-ldpd.sh
@@ -0,0 +1,16 @@
+#!/bin/sh
+#this script is used to remove babled and ldpd from the tar sources
+#Usage: sh remove-babeld-ldpd.sh <VERSION>
+#Example: sh remove-babeld-ldpd.sh 7.3.1 - this is for frr-7.3.1.tar.gz file
+
+VERSION=$1
+TAR=frr-${VERSION}.tar.gz
+DIR=frr-${VERSION}
+
+echo ${VERSION}
+echo ${TAR}
+echo ${DIR}
+
+tar -xzf ${TAR}
+rm -rf ${DIR}/babeld ${DIR}/ldpd
+tar -czf ${TAR} ${DIR}
diff --git a/sources b/sources
new file mode 100644
index 0000000..699c557
--- /dev/null
+++ b/sources
@@ -0,0 +1 @@
+f5aed1db70863722d6992150d36bc58c  frr-8.5.3.tar.gz