Bug 162039
Summary: | Radvd daemon doesnt starts due uid problem | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Petr Krištof <petr> |
Component: | selinux-policy-targeted | Assignee: | Daniel Walsh <dwalsh> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Ben Levenson <benl> |
Severity: | medium | Priority: | medium |
Version: | 4 | CC: | 2, jvdias |
Hardware: | All | OS: | Linux |
Doc Type: | Bug Fix | Last Closed: | 2005-07-15 17:47:41 UTC |
Description
Petr Krištof
2005-06-29 12:58:38 UTC
I was just talking to someone and this is an SELinux policy bug (I believe it prevents radvd changing user using setuid). Petr, could you post the output of dmesg after trying to start radvd?

Yes, it seems to be SELinux related. Changing /etc/sysconfig/selinux from SELINUX=enforcing to SELINUX=permissive allows radvd to start successfully.

It seems there are some problems with the radvd SELinux policy that prevent radvd from starting:

    # service radvd start
    Starting radvd: [FAILED]
    # audit2allow < /var/log/audit/audit.log
    allow radvd_t self:capability setgid;
    allow radvd_t self:tcp_socket connect;
    allow radvd_t reserved_port_t:tcp_socket name_bind;
    allow radvd_t var_yp_t:dir search;
    # grep radvd_t /var/log/audit/audit.log
    type=AVC msg=audit(1120584547.204:11832): avc: denied { search } for pid=6020 comm="radvd" name=yp dev=hda7 ino=20481 scontext=root:system_r:radvd_t tcontext=system_u:object_r:var_yp_t tclass=dir
    type=AVC msg=audit(1120584547.204:11835): avc: denied { connect } for pid=6020 comm="radvd" lport=32935 scontext=root:system_r:radvd_t tcontext=root:system_r:radvd_t tclass=tcp_socket
    type=AVC msg=audit(1120584547.205:11838): avc: denied { name_bind } for pid=6020 comm="radvd" src=684 scontext=root:system_r:radvd_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
    type=AVC msg=audit(1120584547.206:11839): avc: denied { connect } for pid=6020 comm="radvd" scontext=root:system_r:radvd_t tcontext=root:system_r:radvd_t tclass=tcp_socket
    type=AVC msg=audit(1120584547.206:11843): avc: denied { connect } for pid=6020 comm="radvd" lport=32936 scontext=root:system_r:radvd_t tcontext=root:system_r:radvd_t tclass=tcp_socket
    type=AVC msg=audit(1120584547.207:11846): avc: denied { name_bind } for pid=6020 comm="radvd" src=685 scontext=root:system_r:radvd_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
    type=AVC msg=audit(1120584547.207:11847): avc: denied { connect } for pid=6020 comm="radvd" scontext=root:system_r:radvd_t tcontext=root:system_r:radvd_t tclass=tcp_socket
    type=AVC msg=audit(1120584547.209:11877): avc: denied { search } for pid=6020 comm="radvd" name=yp dev=hda7 ino=20481 scontext=root:system_r:radvd_t tcontext=system_u:object_r:var_yp_t tclass=dir
    type=AVC msg=audit(1120584547.209:11880): avc: denied { connect } for pid=6020 comm="radvd" lport=32937 scontext=root:system_r:radvd_t tcontext=root:system_r:radvd_t tclass=tcp_socket
    type=AVC msg=audit(1120584547.210:11883): avc: denied { name_bind } for pid=6020 comm="radvd" src=686 scontext=root:system_r:radvd_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
    type=AVC msg=audit(1120584547.210:11884): avc: denied { connect } for pid=6020 comm="radvd" scontext=root:system_r:radvd_t tcontext=root:system_r:radvd_t tclass=tcp_socket
    type=AVC msg=audit(1120584547.211:11896): avc: denied { setgid } for pid=6020 comm="radvd" capability=6 scontext=root:system_r:radvd_t tcontext=root:system_r:radvd_t tclass=capability

The selinux-policy-targeted policy for radvd needs to be updated.

Fixed in selinux-policy-targeted-1.25.1-7

No, it isn't.

    # audit2allow < /var/log/audit/audit.log
    allow radvd_t proc_net_t:dir search;
    allow radvd_t proc_net_t:file { getattr read };
    allow radvd_t self:capability { setgid setuid };
    # grep radvd_t /var/log/audit/audit.log
    type=AVC msg=audit(1121162441.932:163462): avc: denied { setuid } for pid=1885 comm="radvd" capability=7 scontext=root:system_r:radvd_t tcontext=root:system_r:radvd_t tclass=capability

How about selinux-policy-targeted-1.25.2-4

Yes. Package selinux-policy-targeted-1.25.2-4 is OK. It is working fine. radvd starts without problem. Thanks for rapid work.