Bug 1224403 - AVC starting radvd from systemd
Summary: AVC starting radvd from systemd
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 22
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Ben Levenson
URL:
Whiteboard:
Duplicates: 1224507 1228594
Depends On:
Blocks: 1224471
Reported: 2015-05-22 20:25 UTC by Tom Hughes
Modified: 2015-07-06 11:57 UTC (History)

Fixed In Version: selinux-policy-3.13.1-128.5.fc22
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-06-27 22:34:01 UTC
Type: Bug
Embargoed:



Description Tom Hughes 2015-05-22 20:25:49 UTC
Description of problem:

radvd in F22 is failing to start when selinux is in enforcing mode with the following AVC:

time->Fri May 22 21:07:13 2015
type=PROCTITLE msg=audit(1432325233.724:111): proctitle=2F7573722F7362696E2F7261647664002D75007261647664
type=SYSCALL msg=audit(1432325233.724:111): arch=40000003 syscall=5 success=no exit=-13 a0=b7739754 a1=101042 a2=1a4 a3=b7739754 items=0 ppid=1 pid=766 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="radvd" exe="/usr/sbin/radvd" subj=system_u:system_r:radvd_t:s0 key=(null)
type=AVC msg=audit(1432325233.724:111): avc:  denied  { dac_override } for  pid=766 comm="radvd" capability=1  scontext=system_u:system_r:radvd_t:s0 tcontext=system_u:system_r:radvd_t:s0 tclass=capability permissive=0

Version-Release number of selected component (if applicable):

selinux-policy-targeted-3.13.1-126.fc22.noarch
radvd-2.8-1.fc22.i686
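
The three records above are one audit event (same audit(<timestamp>:<serial>) id): the AVC says which capability was refused, the SYSCALL record says which call needed it and with what arguments, and PROCTITLE carries the argv. Reading them by hand means remembering that capability=1 is CAP_DAC_OVERRIDE, that syscall 5 on arch 40000003 (i386) is open(2), that a1=101042 is O_RDWR|O_CREAT|O_SYNC, a2=1a4 is mode 0644 and exit=-13 is EACCES. The script below does that correlation and decoding; it is an added example written for this page, not code from radvd, selinux-policy, audit or setroubleshoot. The embedded records are the ones quoted in this report (the x86_64 pair from the later comment re-joined onto single lines), and the syscall, flag and capability tables cover only the values needed here.

```python
"""Correlate the AVC, SYSCALL and PROCTITLE records of one audit event and decode
the numeric fields.  Added example for this bug report, not project code."""
import errno
import re

# AUDIT_ARCH_* values (linux/audit.h) and the open-family syscall numbers of
# that ABI; other syscalls are reported by number.
ARCHES = {
    0x40000003: ("i386", {5: "open", 295: "openat"}),
    0xC000003E: ("x86_64", {2: "open", 257: "openat"}),
}
# capability=N in a tclass=capability AVC indexes linux/capability.h.
CAPABILITIES = {0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH",
                3: "CAP_FOWNER", 6: "CAP_SETGID", 7: "CAP_SETUID",
                12: "CAP_NET_ADMIN", 13: "CAP_NET_RAW"}
ACCESS_MODE = {0: "O_RDONLY", 1: "O_WRONLY", 2: "O_RDWR"}
# x86 open(2) flag bits (asm-generic/fcntl.h).  O_SYNC is __O_SYNC|O_DSYNC, so
# it is listed before O_DSYNC and consumed first.
OPEN_FLAG_BITS = [
    ("O_CREAT", 0o100), ("O_EXCL", 0o200), ("O_NOCTTY", 0o400),
    ("O_TRUNC", 0o1000), ("O_APPEND", 0o2000), ("O_NONBLOCK", 0o4000),
    ("O_SYNC", 0o4010000), ("O_DSYNC", 0o10000), ("O_LARGEFILE", 0o100000),
    ("O_DIRECTORY", 0o200000), ("O_NOFOLLOW", 0o400000), ("O_CLOEXEC", 0o2000000),
]
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
PERMS_RE = re.compile(r"\{ ([^}]*) \}")

# Records quoted in this bug (Comment 0 as pasted; the x86_64 pair re-joined).
SAMPLE_LOG = """
time->Fri May 22 21:07:13 2015
type=PROCTITLE msg=audit(1432325233.724:111): proctitle=2F7573722F7362696E2F7261647664002D75007261647664
type=SYSCALL msg=audit(1432325233.724:111): arch=40000003 syscall=5 success=no exit=-13 a0=b7739754 a1=101042 a2=1a4 a3=b7739754 items=0 ppid=1 pid=766 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="radvd" exe="/usr/sbin/radvd" subj=system_u:system_r:radvd_t:s0 key=(null)
type=AVC msg=audit(1432325233.724:111): avc:  denied  { dac_override } for  pid=766 comm="radvd" capability=1  scontext=system_u:system_r:radvd_t:s0 tcontext=system_u:system_r:radvd_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1435565633.328:209): avc:  denied  { dac_override } for  pid=1245 comm="radvd" capability=1  scontext=system_u:system_r:radvd_t:s0 tcontext=system_u:system_r:radvd_t:s0 tclass=capability permissive=0
type=SYSCALL msg=audit(1435565633.328:209): arch=c000003e syscall=2 success=no exit=-13 a0=7f970b602820 a1=101042 a2=1a4 a3=7f970c86a660 items=0 ppid=1 pid=1245 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="radvd" exe="/usr/sbin/radvd" subj=system_u:system_r:radvd_t:s0 key=(null)
"""


def decode_open_flags(flags):
    """Render an open(2) flags word as O_RDWR|O_CREAT|... ; unknown bits stay hex."""
    names = [ACCESS_MODE[flags & 0o3]]
    rest = flags & ~0o3
    for name, bit in OPEN_FLAG_BITS:
        if rest & bit == bit:
            names.append(name)
            rest &= ~bit
    if rest:
        names.append(hex(rest))
    return "|".join(names)


def parse_records(log_text):
    """Group records by their audit(<ts>:<serial>) event id -> {type: fields}."""
    events = {}
    for line in log_text.splitlines():
        line = line.strip()
        m = EVENT_RE.search(line)
        if not line.startswith("type=") or not m:
            continue
        pairs = FIELD_RE.findall(line)
        fields = {k: (v[1:-1] if v.startswith('"') else v) for k, v in pairs}
        fields["_quoted"] = {k for k, v in pairs if v.startswith('"')}
        perms = PERMS_RE.search(line)
        if perms:
            fields["_perms"] = perms.group(1).split()
        events.setdefault((m.group(1), m.group(2)), {})[fields["type"]] = fields
    return events


def summarize(event):
    """Turn one event's records into decoded facts a reviewer can act on."""
    avc, sc, pt = event.get("AVC"), event.get("SYSCALL"), event.get("PROCTITLE")
    out = {}
    if avc:
        out["source_type"] = avc["scontext"].split(":")[2]
        out["tclass"] = avc["tclass"]
        out["denied"] = avc.get("_perms", [])
        if avc["tclass"] == "capability":
            out["capability"] = CAPABILITIES.get(int(avc["capability"]),
                                                 "CAP_#" + avc["capability"])
    if sc:
        arch, table = ARCHES.get(int(sc["arch"], 16), ("unknown", {}))
        nr = int(sc["syscall"])
        out["arch"], out["syscall"] = arch, table.get(nr, "#%d" % nr)
        out["uid"] = int(sc["uid"])
        out["errno"] = errno.errorcode.get(-int(sc["exit"]), sc["exit"])
        if out["syscall"] in ("open", "openat"):
            # open(path, flags, mode) vs openat(dirfd, path, flags, mode)
            flag_arg, mode_arg = ("a1", "a2") if out["syscall"] == "open" else ("a2", "a3")
            out["open_flags"] = decode_open_flags(int(sc[flag_arg], 16))
            out["mode"] = "0%o" % int(sc[mode_arg], 16)
    if pt:
        # proctitle is hex when argv contains NUL separators, quoted text otherwise.
        raw = pt["proctitle"]
        out["argv"] = [raw] if "proctitle" in pt["_quoted"] else \
            bytes.fromhex(raw).decode().split("\0")
    return out


def triage(log_text):
    """Event id -> decoded summary, for every event in the log text."""
    return {eid: summarize(ev) for eid, ev in parse_records(log_text).items()}


if __name__ == "__main__":
    for eid, facts in sorted(triage(SAMPLE_LOG).items()):
        print(eid, facts)
```

Run against `ausearch -m avc,syscall,proctitle -ts recent` output it tells you in one line that radvd_t, still uid 0, was refused CAP_DAC_OVERRIDE while creating a file with open(O_RDWR|O_CREAT|O_SYNC, 0644). Once a policy update claims to grant the rule, `sesearch -A -s radvd_t -t radvd_t -c capability -p dac_override` on the loaded policy is the quick way to tell a package that still lacks the rule from one that has it.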

Comment 1 Pavel Šimerda (pavlix) 2015-06-05 09:55:11 UTC
*** Bug 1228594 has been marked as a duplicate of this bug. ***

Comment 2 Pavel Šimerda (pavlix) 2015-06-05 10:02:05 UTC
*** Bug 1224507 has been marked as a duplicate of this bug. ***

Comment 3 Pavel Šimerda (pavlix) 2015-06-05 10:03:37 UTC
The issue seems to be related to systemd. Running 'radvd -u radvd' directly works, pidfile is created, daemon is running.

Comment 4 Pavel Šimerda (pavlix) 2015-06-05 10:26:45 UTC
So the non-systemd way only works because the processes are unconfined.

[root@f22 ~]# radvd
[root@f22 ~]# ps -eZ  | grep radvd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 4710 ? 00:00:00 radvd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 4711 ? 00:00:00 radvd

But the executable file is apparently confined.

# ls -Z `which radvd`
system_u:object_r:radvd_exec_t:s0 /usr/sbin/radvd

I thought the selinux policy would ensure that the server executable is always started as confined, did I miss something?

Comment 5 Pavel Šimerda (pavlix) 2015-06-05 10:28:55 UTC
Important files...

[root@f22 ~]# cat /usr/lib/systemd/system/radvd.service                                                                                                        
[Unit]
Description=Router advertisement daemon for IPv6
After=network.target

[Service]
EnvironmentFile=/etc/sysconfig/radvd
ExecStart=/usr/sbin/radvd $OPTIONS
Type=forking
PIDFile=/var/run/radvd/radvd.pid
ExecReload=/bin/kill -HUP $MAINPID

[Install]
WantedBy=multi-user.target

[root@f22 ~]# cat /etc/sysconfig/radvd 

# No chroot; /var/run/radvd must be owned by -u.
OPTIONS="-u radvd"

# Chroot; directory structure under /var/chroot/radvd has to be populated.
#OPTIONS="-u radvd -t /var/chroot/radvd"

Comment 6 Pavel Šimerda (pavlix) 2015-06-05 10:29:42 UTC
Working radvd.conf example...

[root@f22 ~]# cat /etc/radvd.conf
# NOTE: there is no such thing as a working "by-default" configuration file. 
#       At least the prefix needs to be specified.  Please consult the radvd.conf(5)
#       man page and/or /usr/share/doc/radvd-*/radvd.conf.example for help.
#
#
interface enp0s25
{
        AdvSendAdvert on;
#       MinRtrAdvInterval 30;
#       MaxRtrAdvInterval 100;
#       prefix 2001:db8:1:0::/64
#       {
#               AdvOnLink on;
#               AdvAutonomous on;
#               AdvRouterAddr off;
#       };
#
};

Comment 7 Miroslav Grepl 2015-06-17 10:29:37 UTC
commit 1a649250ae6fe19f1d4ce098e53a3b6a99d6c7f1
Author: Miroslav Grepl <mgrepl>
Date:   Wed Jun 17 12:29:18 2015 +0200

    Allow radvd has setuid and it requires dac_override. BZ(1224403)

Comment 8 Fedora Update System 2015-06-19 07:51:34 UTC
selinux-policy-3.13.1-128.2.fc22 has been submitted as an update for Fedora 22.
https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-128.2.fc22

Comment 9 Fedora Update System 2015-06-21 00:34:20 UTC
Package selinux-policy-3.13.1-128.2.fc22:
* should fix your issue,
* was pushed to the Fedora 22 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-128.2.fc22'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-10299/selinux-policy-3.13.1-128.2.fc22
then log in and leave karma (feedback).

Comment 10 Juan Orti 2015-06-23 07:27:06 UTC
I'm calling radvd from gogoc (debugging #1224471), which does a domain transition from gogoc_t to radvd_t.

I've updated to selinux-policy-3.13.1-128.2.fc22.noarch, but it still fails with this AVC:

SELinux is preventing radvd from using the dac_override capability.

*****  Plugin dac_override (91.4 confidence) suggests   **********************

If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system
Then turn on full auditing to get path information about the offending file and generate the error again.
Do

Turn on full auditing
# auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute
# ausearch -m avc -ts recent
If you see PATH record check ownership/permissions on file, and fix it,
otherwise report as a bugzilla.

*****  Plugin catchall (9.59 confidence) suggests   **************************

If you believe that radvd should have the dac_override capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep radvd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:radvd_t:s0
Target Context                system_u:system_r:radvd_t:s0
Target Objects                Unknown [ capability ]
Source                        radvd
Source Path                   radvd
Port                          <Unknown>
Host                          fedora22s
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-128.2.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     fedora22s
Platform                      Linux fedora22s 4.0.5-300.fc22.x86_64 #1 SMP Mon
                              Jun 8 16:15:26 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-06-23 09:12:20 CEST
Last Seen                     2015-06-23 09:12:20 CEST
Local ID                      c4df43c4-29f4-46ce-ac1f-dc6d3f0a288a

Raw Audit Messages
type=AVC msg=audit(1435043540.212:496): avc:  denied  { dac_override } for  pid=1323 comm="radvd" capability=1  scontext=system_u:system_r:radvd_t:s0 tcontext=system_u:system_r:radvd_t:s0 tclass=capability permissive=0


Hash: radvd,radvd_t,radvd_t,capability,dac_override

Comment 11 Miroslav Grepl 2015-06-23 12:39:09 UTC
This is strange.

Lukas,
could you re-check it. I see the change in the git. 

Thank you,

Comment 12 Dusty Mabe 2015-06-23 13:17:27 UTC
(In reply to Juan Orti from comment #10)
> I'm calling radvd from gogoc (debugging #1224471), which does a domain
> transition from gogoc_t to radvd_t.
> 
> I've updated to selinux-policy-3.13.1-128.2.fc22.noarch, but it still fails
> with this AVC:
> 
> SELinux is preventing radvd from using the dac_override capability.

Here is what I see from the journal when trying to start radvd on the same system I used to test BZ#1227484:

Starting Router advertisement daemon for IPv6...
version 2.8 started
IPv6 forwarding setting is: 0, should be 1 or 2
IPv6 forwarding seems to be disabled, but continuing anyway
<audit-1400> avc:  denied  { dac_override } for  pid=8597 comm="radvd" capability=1  scontext=system_u:system_r:radvd_t:s0 tcontext=system_u:system_r:radvd_t:s0 tclass=capability permissive=0
unable to open pid file, /var/run/radvd/radvd.pid: Permission denied
[Jun 23 13:12:21] radvd (8597): unable to open pid file, /var/run/radvd/radvd.pid: Permission denied
radvd.service: control process exited, code=exited status=255
Failed to start Router advertisement daemon for IPv6.
Unit radvd.service entered failed state.
radvd.service failed.

Comment 13 Lukas Vrabec 2015-06-23 14:41:54 UTC
Fix will be in selinux-policy-3.13.1-128.3.fc22.noarch

Comment 14 Fedora Update System 2015-06-27 22:34:01 UTC
selinux-policy-3.13.1-128.2.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 John Haxby 2015-06-29 08:40:08 UTC
After updating selinux-policy-* and rebooting for the new kernel as well, radvd still does not start from systemd:

type=SERVICE_START msg=audit(1435565240.515:116):
 pid=1 uid=0 auid=4294967295 ses=4294967295
 subj=system_u:system_r:init_t:s0 msg='unit=radvd comm="systemd"
 exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'

type=AVC msg=audit(1435565633.328:209):
 avc:  denied  { dac_override } for  pid=1245 comm="radvd" capability=1 
 scontext=system_u:system_r:radvd_t:s0
 tcontext=system_u:system_r:radvd_t:s0
 tclass=capability permissive=0

type=SYSCALL msg=audit(1435565633.328:209):
 arch=c000003e syscall=2 success=no exit=-13
 a0=7f970b602820 a1=101042 a2=1a4 a3=7f970c86a660
 items=0 ppid=1 pid=1245
 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
 ses=4294967295 comm="radvd" exe="/usr/sbin/radvd"
 subj=system_u:system_r:radvd_t:s0 key=(null)

Comment 16 Marek Greško 2015-07-02 21:56:35 UTC
I confirm the bug is not fixed in selinux-policy-3.13.1-128.2.fc22. Could you, please, reopen the bug?

Comment 17 Lukas Vrabec 2015-07-06 11:57:37 UTC
lvrabec:~
$ audit2allow -i avc 


#============= radvd_t ==============

#!!!! This avc is allowed in the current policy
allow radvd_t self:capability dac_override;


lvrabec:~
$ rpm -q selinux-policy
selinux-policy-3.13.1-128.5.fc22.noarch

