Bug 162039

Summary: Radvd daemon doesn't start due to uid problem
Product: [Fedora] Fedora
Reporter: Petr Krištof <petr>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
QA Contact: Ben Levenson <benl>
Severity: medium
Priority: medium
Version: 4
CC: 2, jvdias
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2005-07-15 17:47:41 UTC

Description Petr Krištof 2005-06-29 12:58:38 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050513 Fedora/1.7.8-1.3.1

Description of problem:
On a freshly installed Fedora Core 4 with default options (a custom minimal
installation done with the minimum of installed packages + radvd), the
daemon radvd fails to start:

# service radvd start
Starting radvd:                                            [FAILED]
#

With this error in the messages log file:
Jun 29 14:51:29 server radvd[24250]: version 0.7.3 started
Jun 29 14:51:29 server radvd[24250]: Couldn't change to 'radvd' uid=75 gid=75


Version-Release number of selected component (if applicable):
radvd-0.7.3-1_FC4

How reproducible:
Always

Steps to Reproduce:
1. Install radvd package
2. Run command 'service radvd start'
  

Actual Results:  Daemon fails to start.

Expected Results:  Daemon should be started.

Additional info:

Comment 1 Sitsofe Wheeler 2005-07-03 20:10:55 UTC
I was just talking to someone and this is an SELinux policy bug (I believe it
prevents radvd changing user using setuid).

Petr, could you post the output of dmesg after trying to start radvd?

Comment 2 Petr Krištof 2005-07-04 07:37:32 UTC
Yes, it seems to be SELinux related.

Changing the file /etc/sysconfig/selinux
from
SELINUX=enforcing
to
SELINUX=permissive

allows radvd to start successfully.


Comment 3 Jason Vas Dias 2005-07-05 17:35:32 UTC
It seems there are some problems with the radvd SELinux policy that
prevent radvd from starting:

# service radvd start
Starting radvd:                                            [FAILED]

# audit2allow < /var/log/audit/audit.log
allow radvd_t self:capability setgid;
allow radvd_t self:tcp_socket connect;
allow radvd_t reserved_port_t:tcp_socket name_bind;
allow radvd_t var_yp_t:dir search;

# grep radvd_t /var/log/audit/audit.log
type=AVC msg=audit(1120584547.204:11832): avc:  denied  { search } for  pid=6020 comm="radvd" name=yp dev=hda7 ino=20481 scontext=root:system_r:radvd_t tcontext=system_u:object_r:var_yp_t tclass=dir
type=AVC msg=audit(1120584547.204:11835): avc:  denied  { connect } for  pid=6020 comm="radvd" lport=32935 scontext=root:system_r:radvd_t tcontext=root:system_r:radvd_t tclass=tcp_socket
type=AVC msg=audit(1120584547.205:11838): avc:  denied  { name_bind } for  pid=6020 comm="radvd" src=684 scontext=root:system_r:radvd_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
type=AVC msg=audit(1120584547.206:11839): avc:  denied  { connect } for  pid=6020 comm="radvd" scontext=root:system_r:radvd_t tcontext=root:system_r:radvd_t tclass=tcp_socket
type=AVC msg=audit(1120584547.206:11843): avc:  denied  { connect } for  pid=6020 comm="radvd" lport=32936 scontext=root:system_r:radvd_t tcontext=root:system_r:radvd_t tclass=tcp_socket
type=AVC msg=audit(1120584547.207:11846): avc:  denied  { name_bind } for  pid=6020 comm="radvd" src=685 scontext=root:system_r:radvd_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
type=AVC msg=audit(1120584547.207:11847): avc:  denied  { connect } for  pid=6020 comm="radvd" scontext=root:system_r:radvd_t tcontext=root:system_r:radvd_t tclass=tcp_socket
type=AVC msg=audit(1120584547.209:11877): avc:  denied  { search } for  pid=6020 comm="radvd" name=yp dev=hda7 ino=20481 scontext=root:system_r:radvd_t tcontext=system_u:object_r:var_yp_t tclass=dir
type=AVC msg=audit(1120584547.209:11880): avc:  denied  { connect } for  pid=6020 comm="radvd" lport=32937 scontext=root:system_r:radvd_t tcontext=root:system_r:radvd_t tclass=tcp_socket
type=AVC msg=audit(1120584547.210:11883): avc:  denied  { name_bind } for  pid=6020 comm="radvd" src=686 scontext=root:system_r:radvd_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
type=AVC msg=audit(1120584547.210:11884): avc:  denied  { connect } for  pid=6020 comm="radvd" scontext=root:system_r:radvd_t tcontext=root:system_r:radvd_t tclass=tcp_socket
type=AVC msg=audit(1120584547.211:11896): avc:  denied  { setgid } for  pid=6020 comm="radvd" capability=6 scontext=root:system_r:radvd_t tcontext=root:system_r:radvd_t tclass=capability

The selinux-policy-targeted policy for radvd needs to be updated.


Comment 4 Daniel Walsh 2005-07-11 17:30:25 UTC
Fixed in  selinux-policy-targeted-1.25.1-7

Comment 5 Petr Krištof 2005-07-12 10:08:27 UTC
No, it isn't.

# audit2allow < /var/log/audit/audit.log
allow radvd_t proc_net_t:dir search;
allow radvd_t proc_net_t:file { getattr read };
allow radvd_t self:capability { setgid setuid };

# grep radvd_t /var/log/audit/audit.log
type=AVC msg=audit(1121162441.932:163462): avc:  denied  { setuid } for  pid=1885 comm="radvd" capability=7 scontext=root:system_r:radvd_t tcontext=root:system_r:radvd_t tclass=capability
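
As an added example (not code from this bug, from radvd or from audit2allow itself), a small Python parser that turns AVC records like those quoted in Comment 3 and Comment 5 into the merged allow rules audit2allow prints, so both denial sets can be compared against the policy fix in one place. The audit lines are re-typed from the two comments as constructed input, and the USER_START record is a constructed non-AVC line to show that unrelated records are skipped.

```python
import re
from collections import defaultdict

# Constructed sample: AVC records of the shape quoted in Comment 3 and Comment 5,
# plus one non-AVC record, all re-typed here as test input (one record per line).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1120584547.204:11832): avc:  denied  { search } for  pid=6020 comm="radvd" name=yp dev=hda7 ino=20481 scontext=root:system_r:radvd_t tcontext=system_u:object_r:var_yp_t tclass=dir
type=AVC msg=audit(1120584547.204:11835): avc:  denied  { connect } for  pid=6020 comm="radvd" lport=32935 scontext=root:system_r:radvd_t tcontext=root:system_r:radvd_t tclass=tcp_socket
type=AVC msg=audit(1120584547.205:11838): avc:  denied  { name_bind } for  pid=6020 comm="radvd" src=684 scontext=root:system_r:radvd_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
type=AVC msg=audit(1120584547.211:11896): avc:  denied  { setgid } for  pid=6020 comm="radvd" capability=6 scontext=root:system_r:radvd_t tcontext=root:system_r:radvd_t tclass=capability
type=AVC msg=audit(1121162441.932:163462): avc:  denied  { setuid } for  pid=1885 comm="radvd" capability=7 scontext=root:system_r:radvd_t tcontext=root:system_r:radvd_t tclass=capability
type=USER_START msg=audit(1120584547.300:11900): user pid=6021 uid=0 msg='login ok'
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_avc(text):
    """Yield (source_type, target_type, tclass, perms) for each AVC denial record."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial (e.g. USER_START), ignore it
        stype = m.group('scon').split(':')[2]  # user:role:type[:level] -> type
        ttype = m.group('tcon').split(':')[2]
        yield stype, ttype, m.group('tclass'), m.group('perms').split()

def allow_rules(text, domain=None):
    """Collapse denials into audit2allow-style rules, merging permissions per (src, tgt, class)."""
    merged = defaultdict(set)
    for stype, ttype, tclass, perms in parse_avc(text):
        if domain and stype != domain:
            continue  # only report denials for the domain under investigation
        merged[(stype, ttype, tclass)].update(perms)
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        target = 'self' if ttype == stype else ttype  # same type on both sides -> "self"
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        rules.append(f'allow {stype} {target}:{tclass} {perm_str};')
    return rules

if __name__ == '__main__':
    for rule in allow_rules(SAMPLE_AUDIT, domain='radvd_t'):
        print(rule)
```

Run against a real audit.log, the same function shows which of the generated rules the updated selinux-policy-targeted must already carry before radvd can drop to uid 75.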


Comment 6 Daniel Walsh 2005-07-14 15:29:58 UTC
How about

selinux-policy-targeted-1.25.2-4

Comment 7 Petr Krištof 2005-07-15 08:26:57 UTC
Yes. Package selinux-policy-targeted-1.25.2-4 is OK.
It is working fine. radvd starts without problems.
Thanks for the rapid work.