Bug 162039 - Radvd daemon doesnt starts due uid problem
Radvd daemon doesnt starts due uid problem
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
4
All Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Ben Levenson
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2005-06-29 08:58 EDT by Petr Krištof
Modified: 2007-11-30 17:11 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-07-15 13:47:41 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Petr Krištof 2005-06-29 08:58:38 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050513 Fedora/1.7.8-1.3.1

Description of problem:
On freshly installed Fedora core 4 with default options.
Custom Minimal instalation done with the minimum of installed
packages + radvd, the daemon radvd fails to start:

# service radvd start
Starting radvd:                                            [FAILED]
#

With error in messages log file:
Jun 29 14:51:29 server radvd[24250]: version 0.7.3 started
Jun 29 14:51:29 server radvd[24250]: Couldn't change to 'radvd' uid=75 gid=75


Version-Release number of selected component (if applicable):
radvd-0.7.3-1_FC4

How reproducible:
Always

Steps to Reproduce:
1. Install radvd package
2. Run command 'service radvd start'
  

Actual Results:  Daemon fails to start.

Expected Results:  Daemon should be started.

Additional info:
Comment 1 Sitsofe Wheeler 2005-07-03 16:10:55 EDT
I was just talking to someone and this is an selinux policy bug (I believe it
prevents radvd changing user using setuid).

Petr, could you post the output of dmesg after trying to start radvd?
Comment 2 Petr Krištof 2005-07-04 03:37:32 EDT
Yes, it seems to be SElinux relative.

Change on file /etc/sysconfig/selinux
from
SELINUX=enforcing
to
SELINUX=permissive

allow radvd to start succefully.
Comment 3 Jason Vas Dias 2005-07-05 13:35:32 EDT
It seems there are some problems with the radvd SELinux policy , that
do prevent radvd from starting:

# service radvd start
Starting radvd:                                            [FAILED]

# audit2allow < /var/log/audit/audit.log
allow radvd_t self:capability setgid;
allow radvd_t self:tcp_socket connect;
allow radvd_t reserved_port_t:tcp_socket name_bind;
allow radvd_t var_yp_t:dir search;

# grep radvd_t /var/log/audit/audit.log
type=AVC msg=audit(1120584547.204:11832): avc:  denied  { search } for
 pid=6020 comm="radvd" name=yp dev=hda7 ino=20481
scontext=root:system_r:radvd_t tcontext=system_u:object_r:var_yp_t
tclass=dir
type=AVC msg=audit(1120584547.204:11835): avc:  denied  { connect }
for  pid=6020 comm="radvd" lport=32935 scontext=root:system_r:radvd_t
tcontext=root:system_r:radvd_t tclass=tcp_socket
type=AVC msg=audit(1120584547.205:11838): avc:  denied  { name_bind }
for  pid=6020 comm="radvd" src=684 scontext=root:system_r:radvd_t
tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
type=AVC msg=audit(1120584547.206:11839): avc:  denied  { connect }
for  pid=6020 comm="radvd" scontext=root:system_r:radvd_t
tcontext=root:system_r:radvd_t tclass=tcp_socket
type=AVC msg=audit(1120584547.206:11843): avc:  denied  { connect }
for  pid=6020 comm="radvd" lport=32936 scontext=root:system_r:radvd_t
tcontext=root:system_r:radvd_t tclass=tcp_socket
type=AVC msg=audit(1120584547.207:11846): avc:  denied  { name_bind }
for  pid=6020 comm="radvd" src=685 scontext=root:system_r:radvd_t
tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
type=AVC msg=audit(1120584547.207:11847): avc:  denied  { connect }
for  pid=6020 comm="radvd" scontext=root:system_r:radvd_t
tcontext=root:system_r:radvd_t tclass=tcp_socket
type=AVC msg=audit(1120584547.209:11877): avc:  denied  { search } for
 pid=6020 comm="radvd" name=yp dev=hda7 ino=20481
scontext=root:system_r:radvd_t tcontext=system_u:object_r:var_yp_t
tclass=dir
type=AVC msg=audit(1120584547.209:11880): avc:  denied  { connect }
for  pid=6020 comm="radvd" lport=32937 scontext=root:system_r:radvd_t
tcontext=root:system_r:radvd_t tclass=tcp_socket
type=AVC msg=audit(1120584547.210:11883): avc:  denied  { name_bind }
for  pid=6020 comm="radvd" src=686 scontext=root:system_r:radvd_t
tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
type=AVC msg=audit(1120584547.210:11884): avc:  denied  { connect }
for  pid=6020 comm="radvd" scontext=root:system_r:radvd_t
tcontext=root:system_r:radvd_t tclass=tcp_socket
type=AVC msg=audit(1120584547.211:11896): avc:  denied  { setgid } for
 pid=6020 comm="radvd" capability=6 scontext=root:system_r:radvd_t
tcontext=root:system_r:radvd_t tclass=capability

The selinux-policy-targeted policy for radvd needs to be updated.
Comment 4 Daniel Walsh 2005-07-11 13:30:25 EDT
Fixed in  selinux-policy-targeted-1.25.1-7
Comment 5 Petr Krištof 2005-07-12 06:08:27 EDT
No, it isnt.

#audit2allow < /var/log/audit/audit.log
allow radvd_t proc_net_t:dir search;
allow radvd_t proc_net_t:file { getattr read };
allow radvd_t self:capability { setgid setuid };

grep radvd_t /var/log/audit/audit.log 
type=AVC msg=audit(1121162441.932:163462): avc:  denied  { setuid } for 
pid=1885 comm="radvd" capability=7 scontext=root:system_r:radvd_t
tcontext=root:system_r:radvd_t tclass=capability
Comment 6 Daniel Walsh 2005-07-14 11:29:58 EDT
How about

selinux-policy-targeted-1.25.2-4
Comment 7 Petr Krištof 2005-07-15 04:26:57 EDT
Yes. Package selinux-policy-targeted-1.25.2-4 is OK.
It is working fine. radvd starts without problem.
Thanks for rapid work.

Note You need to log in before you can comment on or make changes to this bug.