Bug 1224403
| Summary: | AVC starting radvd from systemd | | |
|---|---|---|---|
| Product: | Fedora | Reporter: | Tom Hughes <tom> |
| Component: | selinux-policy-targeted | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED NEXTRELEASE | QA Contact: | Ben Levenson <benl> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 22 | CC: | dustymabe, dwalsh, jch, jorti, lvrabec, marek.gresko, mgrepl, psimerda |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.13.1-128.5.fc22 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2015-06-27 22:34:01 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1224471 | | |
Description
Tom Hughes
2015-05-22 20:25:49 UTC
*** Bug 1228594 has been marked as a duplicate of this bug. ***

*** Bug 1224507 has been marked as a duplicate of this bug. ***

---

The issue seems to be related to systemd. Running 'radvd -u radvd' directly works, pidfile is created, daemon is running.

---

So the non-systemd way only works because the processes are unconfined.

```
[root@f22 ~]# radvd
[root@f22 ~]# ps -eZ | grep radvd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 4710 ? 00:00:00 radvd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 4711 ? 00:00:00 radvd
```

But the executable file is apparently confined.

```
# ls -Z `which radvd`
system_u:object_r:radvd_exec_t:s0 /usr/sbin/radvd
```

I thought the selinux policy would ensure that the server executable is always started as confined, did I miss something?

---

Important files...

```
[root@f22 ~]# cat /usr/lib/systemd/system/radvd.service
[Unit]
Description=Router advertisement daemon for IPv6
After=network.target

[Service]
EnvironmentFile=/etc/sysconfig/radvd
ExecStart=/usr/sbin/radvd $OPTIONS
Type=forking
PIDFile=/var/run/radvd/radvd.pid
ExecReload=/bin/kill -HUP $MAINPID

[Install]
WantedBy=multi-user.target

[root@f22 ~]# cat /etc/sysconfig/radvd
# No chroot; /var/run/radvd must be owned by -u.
OPTIONS="-u radvd"
# Chroot; directory structure under /var/chroot/radvd has to be populated.
#OPTIONS="-u radvd -t /var/chroot/radvd"
```

Working radvd.conf example...

```
[root@f22 ~]# cat /etc/radvd.conf
# NOTE: there is no such thing as a working "by-default" configuration file.
# At least the prefix needs to be specified. Please consult the radvd.conf(5)
# man page and/or /usr/share/doc/radvd-*/radvd.conf.example for help.
#
#
interface enp0s25
{
        AdvSendAdvert on;
#       MinRtrAdvInterval 30;
#       MaxRtrAdvInterval 100;
#       prefix 2001:db8:1:0::/64
#       {
#               AdvOnLink on;
#               AdvAutonomous on;
#               AdvRouterAddr off;
#       };
#
};
```

---

```
commit 1a649250ae6fe19f1d4ce098e53a3b6a99d6c7f1
Author: Miroslav Grepl <mgrepl>
Date:   Wed Jun 17 12:29:18 2015 +0200

    Allow radvd has setuid and it requires dac_override.
    BZ(1224403)
```

---

selinux-policy-3.13.1-128.2.fc22 has been submitted as an update for Fedora 22.
https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-128.2.fc22

---

Package selinux-policy-3.13.1-128.2.fc22:
* should fix your issue,
* was pushed to the Fedora 22 testing repository,
* should be available at your local mirror within two days.

Update it with:

```
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-128.2.fc22'
```

as soon as you are able to. Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-10299/selinux-policy-3.13.1-128.2.fc22
then log in and leave karma (feedback).

---

I'm calling radvd from gogoc (debugging #1224471), which does a domain transition from gogoc_t to radvd_t.

I've updated to selinux-policy-3.13.1-128.2.fc22.noarch, but it still fails with this AVC:

```
SELinux is preventing radvd from using the dac_override capability.

***** Plugin dac_override (91.4 confidence) suggests **********************

If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system
Then turn on full auditing to get path information about the offending file and generate the error again.
Do

Turn on full auditing
# auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute
# ausearch -m avc -ts recent
If you see PATH record check ownership/permissions on file, and fix it,
otherwise report as a bugzilla.

***** Plugin catchall (9.59 confidence) suggests **************************

If you believe that radvd should have the dac_override capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep radvd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:radvd_t:s0
Target Context                system_u:system_r:radvd_t:s0
Target Objects                Unknown [ capability ]
Source                        radvd
Source Path                   radvd
Port                          <Unknown>
Host                          fedora22s
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-128.2.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     fedora22s
Platform                      Linux fedora22s 4.0.5-300.fc22.x86_64 #1 SMP Mon Jun 8 16:15:26 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-06-23 09:12:20 CEST
Last Seen                     2015-06-23 09:12:20 CEST
Local ID                      c4df43c4-29f4-46ce-ac1f-dc6d3f0a288a

Raw Audit Messages
type=AVC msg=audit(1435043540.212:496): avc: denied { dac_override } for pid=1323 comm="radvd" capability=1 scontext=system_u:system_r:radvd_t:s0 tcontext=system_u:system_r:radvd_t:s0 tclass=capability permissive=0

Hash: radvd,radvd_t,radvd_t,capability,dac_override
```

---

This is strange. Lukas, could you re-check it. I see the change in the git.

Thank you,

---

(In reply to Juan Orti from comment #10)
> I'm calling radvd from gogoc (debugging #1224471), which does a domain
> transition from gogoc_t to radvd_t.
>
> I've updated to selinux-policy-3.13.1-128.2.fc22.noarch, but it still fails
> with this AVC:
>
> SELinux is preventing radvd from using the dac_override capability.

Here is what I see from the journal when trying to start radvd on the same system I used to test BZ#1227484:

```
Starting Router advertisement daemon for IPv6...
version 2.8 started
IPv6 forwarding setting is: 0, should be 1 or 2
IPv6 forwarding seems to be disabled, but continuing anyway
<audit-1400> avc: denied { dac_override } for pid=8597 comm="radvd" capability=1 scontext=system_u:system_r:radvd_t:s0 tcontext=system_u:system_r:radvd_t:s0 tclass=capability permissive=0
unable to open pid file, /var/run/radvd/radvd.pid: Permission denied
[Jun 23 13:12:21] radvd (8597): unable to open pid file, /var/run/radvd/radvd.pid: Permission denied
radvd.service: control process exited, code=exited status=255
Failed to start Router advertisement daemon for IPv6.
Unit radvd.service entered failed state.
radvd.service failed.
```

---

Fix will be in selinux-policy-3.13.1-128.3.fc22.noarch

---

selinux-policy-3.13.1-128.2.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

---

After updating selinux-policy-* and rebooting for the new kernel as well, radvd still does not start from systemd:

```
type=SERVICE_START msg=audit(1435565240.515:116): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=radvd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
type=AVC msg=audit(1435565633.328:209): avc: denied { dac_override } for pid=1245 comm="radvd" capability=1 scontext=system_u:system_r:radvd_t:s0 tcontext=system_u:system_r:radvd_t:s0 tclass=capability permissive=0
type=SYSCALL msg=audit(1435565633.328:209): arch=c000003e syscall=2 success=no exit=-13 a0=7f970b602820 a1=101042 a2=1a4 a3=7f970c86a660 items=0 ppid=1 pid=1245 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="radvd" exe="/usr/sbin/radvd" subj=system_u:system_r:radvd_t:s0 key=(null)
```

I confirm the bug is not fixed in selinux-policy-3.13.1-128.2.fc22. Could you, please, reopen the bug?

---

```
lvrabec:~ $ audit2allow -i avc

#============= radvd_t ==============

#!!!! This avc is allowed in the current policy
allow radvd_t self:capability dac_override;

lvrabec:~ $ rpm -q selinux-policy
selinux-policy-3.13.1-128.5.fc22.noarch
```
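As an added diagnostic example (not code from the bug report or from the selinux-policy project), the Python below parses the raw audit records quoted in the thread, joins the AVC record with its SYSCALL record by audit serial, renders the allow rule that audit2allow prints, and echoes the sealert advice that a dac_override denial should first be checked against the file's owner and mode (here /var/run/radvd owned by the -u user) before any rule is added. The regexes and field names are this example's own assumptions about the audit line format, not an API of audit2allow.

```python
import re
from collections import defaultdict

# Audit records copied from the bug's comments (AVC and matching SYSCALL share serial 209).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1435565633.328:209): avc: denied { dac_override } for pid=1245 comm="radvd" capability=1 scontext=system_u:system_r:radvd_t:s0 tcontext=system_u:system_r:radvd_t:s0 tclass=capability permissive=0
type=SYSCALL msg=audit(1435565633.328:209): arch=c000003e syscall=2 success=no exit=-13 a0=7f970b602820 a1=101042 a2=1a4 a3=7f970c86a660 items=0 ppid=1 pid=1245 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="radvd" exe="/usr/sbin/radvd" subj=system_u:system_r:radvd_t:s0 key=(null)
"""

HEADER = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
KV = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")
PERMS = re.compile(r"\{ ([^}]*) \}")

def parse_audit(text):
    """Group audit records by serial; each group maps record type -> field dict."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue  # not an audit record (e.g. journal chatter)
        rtype, _ts, serial, body = m.groups()
        fields = {k: v.strip("\"'") for k, v in KV.findall(body)}
        if rtype == "AVC":
            fields["perms"] = PERMS.search(body).group(1).split()
            fields["denied"] = " denied " in body
        events[int(serial)][rtype] = fields
    return events

def allow_rule(avc):
    """Render the allow rule audit2allow prints for one AVC record (user:role:type:range -> type)."""
    src, tgt = avc["scontext"].split(":")[2], avc["tcontext"].split(":")[2]
    tgt = "self" if src == tgt else tgt
    return "allow %s %s:%s %s;" % (src, tgt, avc["tclass"], " ".join(avc["perms"]))

def explain(events):
    """One line per denied AVC, annotated with its SYSCALL record when one shares the serial."""
    out = []
    for serial, recs in sorted(events.items()):
        avc = recs.get("AVC")
        if not avc or not avc["denied"]:
            continue
        note = allow_rule(avc)
        sc = recs.get("SYSCALL")
        if sc:  # exit=-13 is EACCES; syscall=2 on arch c000003e (x86_64) is open(2)
            note += "  # serial %d: %s syscall=%s exit=%s" % (serial, sc["exe"], sc["syscall"], sc["exit"])
        if avc["tclass"] == "capability" and "dac_override" in avc["perms"]:
            note += "  # sealert: check the file's owner/mode first, allow only if that is correct"
        out.append(note)
    return out
```

Running `explain(parse_audit(SAMPLE_AUDIT))` yields the same `allow radvd_t self:capability dac_override;` rule that Lukas's audit2allow output shows, with the failed open(2) on the pidfile attached for context.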