path: root/frr.te

policy_module(frr, 1.0.0)

########################################
#
# Declarations
#

type frr_t;
type frr_exec_t;
init_daemon_domain(frr_t, frr_exec_t)

type frr_log_t;
logging_log_file(frr_log_t)

type frr_tmp_t;
files_tmp_file(frr_tmp_t)

type frr_lock_t;
files_lock_file(frr_lock_t)

type frr_conf_t;
files_config_file(frr_conf_t)

type frr_unit_file_t;
systemd_unit_file(frr_unit_file_t)

type frr_var_run_t;
files_pid_file(frr_var_run_t)

type frr_var_lib_t;
files_type(frr_var_lib_t)

########################################
#
# frr local policy
#
allow frr_t self:capability { chown dac_override dac_read_search kill net_bind_service net_raw setgid setuid net_admin sys_admin };
allow frr_t self:netlink_route_socket rw_netlink_socket_perms;
allow frr_t self:netlink_generic_socket create;
allow frr_t self:netlink_generic_socket setopt;
allow frr_t self:netlink_generic_socket getopt;
allow frr_t self:netlink_generic_socket getattr;
allow frr_t self:netlink_generic_socket bind;
allow frr_t self:packet_socket create_socket_perms;
allow frr_t self:process { setcap setpgid };
allow frr_t self:rawip_socket create_socket_perms;
allow frr_t self:tcp_socket { connect connected_stream_socket_perms };
allow frr_t self:udp_socket create_socket_perms;
allow frr_t self:unix_stream_socket connectto;

allow frr_t frr_conf_t:dir list_dir_perms;
manage_files_pattern(frr_t, frr_conf_t, frr_conf_t)
read_lnk_files_pattern(frr_t, frr_conf_t, frr_conf_t)

manage_dirs_pattern(frr_t, frr_log_t, frr_log_t)
manage_files_pattern(frr_t, frr_log_t, frr_log_t)
manage_lnk_files_pattern(frr_t, frr_log_t, frr_log_t)
logging_log_filetrans(frr_t, frr_log_t, { dir file lnk_file })

manage_dirs_pattern(frr_t, frr_var_lib_t, frr_var_lib_t)
manage_files_pattern(frr_t, frr_var_lib_t, frr_var_lib_t)
files_var_lib_filetrans(frr_t, frr_var_lib_t, { dir file })

allow frr_t frr_tmp_t:file map;
manage_dirs_pattern(frr_t, frr_tmp_t, frr_tmp_t)
manage_files_pattern(frr_t, frr_tmp_t, frr_tmp_t)
files_tmp_filetrans(frr_t, frr_tmp_t, { file dir })

manage_files_pattern(frr_t, frr_lock_t, frr_lock_t)
manage_lnk_files_pattern(frr_t, frr_lock_t, frr_lock_t)
files_lock_filetrans(frr_t, frr_lock_t, { file lnk_file })

manage_dirs_pattern(frr_t, frr_var_run_t, frr_var_run_t)
manage_files_pattern(frr_t, frr_var_run_t, frr_var_run_t)
manage_lnk_files_pattern(frr_t, frr_var_run_t, frr_var_run_t)
manage_sock_files_pattern(frr_t, frr_var_run_t, frr_var_run_t)
files_pid_filetrans(frr_t, frr_var_run_t, { dir file lnk_file })

allow frr_t frr_exec_t:dir search_dir_perms;
can_exec(frr_t, frr_exec_t)

kernel_read_network_state(frr_t)
kernel_rw_net_sysctls(frr_t)
kernel_read_system_state(frr_t)
kernel_request_load_module(frr_t)

auth_use_nsswitch(frr_t)

corecmd_exec_bin(frr_t)

corenet_tcp_bind_appswitch_emp_port(frr_t)
corenet_udp_bind_bfd_control_port(frr_t)
corenet_udp_bind_bfd_echo_port(frr_t)
corenet_udp_bind_bfd_multi_port(frr_t)
corenet_tcp_bind_bgp_port(frr_t)
corenet_tcp_connect_bgp_port(frr_t)
corenet_tcp_bind_cmadmin_port(frr_t)
corenet_udp_bind_cmadmin_port(frr_t)
corenet_tcp_bind_firepower_port(frr_t)
corenet_tcp_bind_generic_port(frr_t)
corenet_tcp_bind_priority_e_com_port(frr_t)
corenet_udp_bind_router_port(frr_t)
corenet_tcp_bind_qpasa_agent_port(frr_t)
corenet_tcp_bind_smntubootstrap_port(frr_t)
corenet_tcp_bind_versa_tek_port(frr_t)
corenet_tcp_bind_zebra_port(frr_t)

domain_use_interactive_fds(frr_t)

fs_read_nsfs_files(frr_t)

sysnet_exec_ifconfig(frr_t)
sysnet_read_ifconfig_run_files(frr_t)
sysnet_watch_ifconfig_run_dirs(frr_t)

ipsec_domtrans_mgmt(frr_t)

userdom_read_admin_home_files(frr_t)

optional_policy(`
	logging_send_syslog_msg(frr_t)
')

optional_policy(`
	modutils_exec_kmod(frr_t)
	modutils_getattr_module_deps(frr_t)
	modutils_read_module_config(frr_t)
	modutils_read_module_deps_files(frr_t)
')

optional_policy(`
	networkmanager_read_state(frr_t)
')

optional_policy(`
	userdom_admin_home_dir_filetrans(frr_t, frr_conf_t, file, ".history_frr")
')