Bug 162039 - Radvd daemon doesn't start due to uid problem
Summary: Radvd daemon doesn't start due to uid problem
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 4
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2005-06-29 12:58 UTC by Petr Krištof
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-07-15 17:47:41 UTC
Type: ---
Embargoed:



Description Petr Krištof 2005-06-29 12:58:38 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050513 Fedora/1.7.8-1.3.1

Description of problem:
On a freshly installed Fedora Core 4 with default options (custom minimal
installation with the minimum of installed packages + radvd), the daemon
radvd fails to start:

# service radvd start
Starting radvd:                                            [FAILED]
#

With error in messages log file:
Jun 29 14:51:29 server radvd[24250]: version 0.7.3 started
Jun 29 14:51:29 server radvd[24250]: Couldn't change to 'radvd' uid=75 gid=75


Version-Release number of selected component (if applicable):
radvd-0.7.3-1_FC4

How reproducible:
Always

Steps to Reproduce:
1. Install radvd package
2. Run command 'service radvd start'
  

Actual Results:  Daemon fails to start.

Expected Results:  Daemon should be started.

Additional info:

Comment 1 Sitsofe Wheeler 2005-07-03 20:10:55 UTC
I was just talking to someone and this is an SELinux policy bug (I believe it
prevents radvd changing user using setuid).

Petr, could you post the output of dmesg after trying to start radvd?

Comment 2 Petr Krištof 2005-07-04 07:37:32 UTC
Yes, it seems to be SELinux related.

Changing /etc/sysconfig/selinux
from
SELINUX=enforcing
to
SELINUX=permissive

allows radvd to start successfully.


Comment 3 Jason Vas Dias 2005-07-05 17:35:32 UTC
It seems there are some problems with the radvd SELinux policy, which
prevent radvd from starting:

# service radvd start
Starting radvd:                                            [FAILED]

# audit2allow < /var/log/audit/audit.log
allow radvd_t self:capability setgid;
allow radvd_t self:tcp_socket connect;
allow radvd_t reserved_port_t:tcp_socket name_bind;
allow radvd_t var_yp_t:dir search;

# grep radvd_t /var/log/audit/audit.log
type=AVC msg=audit(1120584547.204:11832): avc:  denied  { search } for  pid=6020 comm="radvd" name=yp dev=hda7 ino=20481 scontext=root:system_r:radvd_t tcontext=system_u:object_r:var_yp_t tclass=dir
type=AVC msg=audit(1120584547.204:11835): avc:  denied  { connect } for  pid=6020 comm="radvd" lport=32935 scontext=root:system_r:radvd_t tcontext=root:system_r:radvd_t tclass=tcp_socket
type=AVC msg=audit(1120584547.205:11838): avc:  denied  { name_bind } for  pid=6020 comm="radvd" src=684 scontext=root:system_r:radvd_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
type=AVC msg=audit(1120584547.206:11839): avc:  denied  { connect } for  pid=6020 comm="radvd" scontext=root:system_r:radvd_t tcontext=root:system_r:radvd_t tclass=tcp_socket
type=AVC msg=audit(1120584547.206:11843): avc:  denied  { connect } for  pid=6020 comm="radvd" lport=32936 scontext=root:system_r:radvd_t tcontext=root:system_r:radvd_t tclass=tcp_socket
type=AVC msg=audit(1120584547.207:11846): avc:  denied  { name_bind } for  pid=6020 comm="radvd" src=685 scontext=root:system_r:radvd_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
type=AVC msg=audit(1120584547.207:11847): avc:  denied  { connect } for  pid=6020 comm="radvd" scontext=root:system_r:radvd_t tcontext=root:system_r:radvd_t tclass=tcp_socket
type=AVC msg=audit(1120584547.209:11877): avc:  denied  { search } for  pid=6020 comm="radvd" name=yp dev=hda7 ino=20481 scontext=root:system_r:radvd_t tcontext=system_u:object_r:var_yp_t tclass=dir
type=AVC msg=audit(1120584547.209:11880): avc:  denied  { connect } for  pid=6020 comm="radvd" lport=32937 scontext=root:system_r:radvd_t tcontext=root:system_r:radvd_t tclass=tcp_socket
type=AVC msg=audit(1120584547.210:11883): avc:  denied  { name_bind } for  pid=6020 comm="radvd" src=686 scontext=root:system_r:radvd_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
type=AVC msg=audit(1120584547.210:11884): avc:  denied  { connect } for  pid=6020 comm="radvd" scontext=root:system_r:radvd_t tcontext=root:system_r:radvd_t tclass=tcp_socket
type=AVC msg=audit(1120584547.211:11896): avc:  denied  { setgid } for  pid=6020 comm="radvd" capability=6 scontext=root:system_r:radvd_t tcontext=root:system_r:radvd_t tclass=capability

The selinux-policy-targeted policy for radvd needs to be updated.


Comment 4 Daniel Walsh 2005-07-11 17:30:25 UTC
Fixed in  selinux-policy-targeted-1.25.1-7

Comment 5 Petr Krištof 2005-07-12 10:08:27 UTC
No, it isn't.

# audit2allow < /var/log/audit/audit.log
allow radvd_t proc_net_t:dir search;
allow radvd_t proc_net_t:file { getattr read };
allow radvd_t self:capability { setgid setuid };

# grep radvd_t /var/log/audit/audit.log
type=AVC msg=audit(1121162441.932:163462): avc:  denied  { setuid } for  pid=1885 comm="radvd" capability=7 scontext=root:system_r:radvd_t tcontext=root:system_r:radvd_t tclass=capability

Comment 6 Daniel Walsh 2005-07-14 15:29:58 UTC
How about

selinux-policy-targeted-1.25.2-4

Comment 7 Petr Krištof 2005-07-15 08:26:57 UTC
Yes. Package selinux-policy-targeted-1.25.2-4 is OK.
It is working fine. radvd starts without problem.
Thanks for rapid work.


