From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050513 Fedora/1.7.8-1.3.1

Description of problem:
On freshly installed Fedora Core 4 with default options. Custom Minimal installation done with the minimum of installed packages + radvd, the daemon radvd fails to start:

# service radvd start
Starting radvd: [FAILED]
#

With error in messages log file:

Jun 29 14:51:29 server radvd[24250]: version 0.7.3 started
Jun 29 14:51:29 server radvd[24250]: Couldn't change to 'radvd' uid=75 gid=75

Version-Release number of selected component (if applicable):
radvd-0.7.3-1_FC4

How reproducible:
Always

Steps to Reproduce:
1. Install radvd package
2. Run command 'service radvd start'

Actual Results: Daemon fails to start.

Expected Results: Daemon should be started.

Additional info:

I was just talking to someone and this is an selinux policy bug (I believe it prevents radvd changing user using setuid). Petr, could you post the output of dmesg after trying to start radvd?
Yes, it seems to be SELinux related. Changing the file /etc/sysconfig/selinux from SELINUX=enforcing to SELINUX=permissive allows radvd to start successfully.

It seems there are some problems with the radvd SELinux policy, that do prevent radvd from starting:

# service radvd start
Starting radvd: [FAILED]
# audit2allow < /var/log/audit/audit.log
allow radvd_t self:capability setgid;
allow radvd_t self:tcp_socket connect;
allow radvd_t reserved_port_t:tcp_socket name_bind;
allow radvd_t var_yp_t:dir search;
# grep radvd_t /var/log/audit/audit.log
type=AVC msg=audit(1120584547.204:11832): avc: denied { search } for pid=6020 comm="radvd" name=yp dev=hda7 ino=20481 scontext=root:system_r:radvd_t tcontext=system_u:object_r:var_yp_t tclass=dir
type=AVC msg=audit(1120584547.204:11835): avc: denied { connect } for pid=6020 comm="radvd" lport=32935 scontext=root:system_r:radvd_t tcontext=root:system_r:radvd_t tclass=tcp_socket
type=AVC msg=audit(1120584547.205:11838): avc: denied { name_bind } for pid=6020 comm="radvd" src=684 scontext=root:system_r:radvd_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
type=AVC msg=audit(1120584547.206:11839): avc: denied { connect } for pid=6020 comm="radvd" scontext=root:system_r:radvd_t tcontext=root:system_r:radvd_t tclass=tcp_socket
type=AVC msg=audit(1120584547.206:11843): avc: denied { connect } for pid=6020 comm="radvd" lport=32936 scontext=root:system_r:radvd_t tcontext=root:system_r:radvd_t tclass=tcp_socket
type=AVC msg=audit(1120584547.207:11846): avc: denied { name_bind } for pid=6020 comm="radvd" src=685 scontext=root:system_r:radvd_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
type=AVC msg=audit(1120584547.207:11847): avc: denied { connect } for pid=6020 comm="radvd" scontext=root:system_r:radvd_t tcontext=root:system_r:radvd_t tclass=tcp_socket
type=AVC msg=audit(1120584547.209:11877): avc: denied { search } for pid=6020 comm="radvd" name=yp dev=hda7 ino=20481 scontext=root:system_r:radvd_t tcontext=system_u:object_r:var_yp_t tclass=dir
type=AVC msg=audit(1120584547.209:11880): avc: denied { connect } for pid=6020 comm="radvd" lport=32937 scontext=root:system_r:radvd_t tcontext=root:system_r:radvd_t tclass=tcp_socket
type=AVC msg=audit(1120584547.210:11883): avc: denied { name_bind } for pid=6020 comm="radvd" src=686 scontext=root:system_r:radvd_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
type=AVC msg=audit(1120584547.210:11884): avc: denied { connect } for pid=6020 comm="radvd" scontext=root:system_r:radvd_t tcontext=root:system_r:radvd_t tclass=tcp_socket
type=AVC msg=audit(1120584547.211:11896): avc: denied { setgid } for pid=6020 comm="radvd" capability=6 scontext=root:system_r:radvd_t tcontext=root:system_r:radvd_t tclass=capability

The selinux-policy-targeted policy for radvd needs to be updated.

Fixed in selinux-policy-targeted-1.25.1-7

No, it isn't.

# audit2allow < /var/log/audit/audit.log
allow radvd_t proc_net_t:dir search;
allow radvd_t proc_net_t:file { getattr read };
allow radvd_t self:capability { setgid setuid };

grep radvd_t /var/log/audit/audit.log
type=AVC msg=audit(1121162441.932:163462): avc: denied { setuid } for pid=1885 comm="radvd" capability=7 scontext=root:system_r:radvd_t tcontext=root:system_r:radvd_t tclass=capability

How about selinux-policy-targeted-1.25.2-4?
Yes. Package selinux-policy-targeted-1.25.2-4 is OK. It is working fine. radvd starts without problem. Thanks for rapid work.
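
How the AVC denials quoted in this thread collapse into the audit2allow rules shown with them, as an added example that is not part of the original bug report and is not audit2allow's own code. It is a small Python parser (the names `denials_to_rules` and `type_of` are assumptions for illustration) run over records copied from the comments above.

```python
import re
from collections import defaultdict

# AVC records copied from the comments in this thread (one per denial kind).
SAMPLE_LOG = """\
type=AVC msg=audit(1120584547.204:11832): avc: denied { search } for pid=6020 comm="radvd" name=yp dev=hda7 ino=20481 scontext=root:system_r:radvd_t tcontext=system_u:object_r:var_yp_t tclass=dir
type=AVC msg=audit(1120584547.204:11835): avc: denied { connect } for pid=6020 comm="radvd" lport=32935 scontext=root:system_r:radvd_t tcontext=root:system_r:radvd_t tclass=tcp_socket
type=AVC msg=audit(1120584547.205:11838): avc: denied { name_bind } for pid=6020 comm="radvd" src=684 scontext=root:system_r:radvd_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
type=AVC msg=audit(1120584547.211:11896): avc: denied { setgid } for pid=6020 comm="radvd" capability=6 scontext=root:system_r:radvd_t tcontext=root:system_r:radvd_t tclass=capability
type=AVC msg=audit(1121162441.932:163462): avc: denied { setuid } for pid=1885 comm="radvd" capability=7 scontext=root:system_r:radvd_t tcontext=root:system_r:radvd_t tclass=capability
"""

# Denied permissions, then the source context, target context and object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def type_of(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def denials_to_rules(log_text):
    """Group denied permissions by (source type, target type, class)."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial (other audit record types, blank lines)
        src, tgt = type_of(m["scontext"]), type_of(m["tcontext"])
        if tgt == src:
            tgt = "self"  # policy syntax for "the source type itself"
        grouped[(src, tgt, m["tclass"])].update(m["perms"].split())
    rules = []
    for (src, tgt, tclass), perms in sorted(grouped.items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{tclass} {perm_text};")
    return rules

if __name__ == "__main__":
    print("\n".join(denials_to_rules(SAMPLE_LOG)))
```

The output lists what was denied, not what should be granted; each rule still needs review against what the daemon is expected to do before it goes into policy.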