Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 1224403 - AVC starting radvd from systemd
Summary: AVC starting radvd from systemd
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 22
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Ben Levenson
URL:
Whiteboard:
: 1224507 1228594 (view as bug list)
Depends On:
Blocks: 1224471
TreeView+ depends on / blocked
 
Reported: 2015-05-22 20:25 UTC by Tom Hughes
Modified: 2015-07-06 11:57 UTC (History)
8 users (show)

Fixed In Version: selinux-policy-3.13.1-128.5.fc22
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-06-27 22:34:01 UTC
Type: Bug
Embargoed:


Attachments (Terms of Use)

Description Tom Hughes 2015-05-22 20:25:49 UTC
Description of problem:

radvd in F22 is failing to start when selinux is in enforcing mode with the following AVC:

time->Fri May 22 21:07:13 2015
type=PROCTITLE msg=audit(1432325233.724:111): proctitle=2F7573722F7362696E2F7261647664002D75007261647664
type=SYSCALL msg=audit(1432325233.724:111): arch=40000003 syscall=5 success=no exit=-13 a0=b7739754 a1=101042 a2=1a4 a3=b7739754 items=0 ppid=1 pid=766 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="radvd" exe="/usr/sbin/radvd" subj=system_u:system_r:radvd_t:s0 key=(null)
type=AVC msg=audit(1432325233.724:111): avc:  denied  { dac_override } for  pid=766 comm="radvd" capability=1  scontext=system_u:system_r:radvd_t:s0 tcontext=system_u:system_r:radvd_t:s0 tclass=capability permissive=0

Version-Release number of selected component (if applicable):

selinux-policy-targeted-3.13.1-126.fc22.noarch
radvd-2.8-1.fc22.i686

Comment 1 Pavel Šimerda (pavlix) 2015-06-05 09:55:11 UTC
*** Bug 1228594 has been marked as a duplicate of this bug. ***

Comment 2 Pavel Šimerda (pavlix) 2015-06-05 10:02:05 UTC
*** Bug 1224507 has been marked as a duplicate of this bug. ***

Comment 3 Pavel Šimerda (pavlix) 2015-06-05 10:03:37 UTC
The issue seems to be related to systemd. Running 'radvd -u radvd' directly works, pidfile is created, daemon is running.

Comment 4 Pavel Šimerda (pavlix) 2015-06-05 10:26:45 UTC
So the non-systemd way only works because the processes are unconfined.

[root@f22 ~]# radvd
[root@f22 ~]# ps -eZ  | grep radvd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 4710 ? 00:00:00 radvd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 4711 ? 00:00:00 radvd

But the executable file is apparently confined.

# ls -Z `which radvd`
system_u:object_r:radvd_exec_t:s0 /usr/sbin/radvd

I thought the selinux policy would ensure that the server executable is always started as confined, did I miss something?

Comment 5 Pavel Šimerda (pavlix) 2015-06-05 10:28:55 UTC
Important files...

[root@f22 ~]# cat /usr/lib/systemd/system/radvd.service                                                                                                        
[Unit]
Description=Router advertisement daemon for IPv6
After=network.target

[Service]
EnvironmentFile=/etc/sysconfig/radvd
ExecStart=/usr/sbin/radvd $OPTIONS
Type=forking
PIDFile=/var/run/radvd/radvd.pid
ExecReload=/bin/kill -HUP $MAINPID

[Install]
WantedBy=multi-user.target

[root@f22 ~]# cat /etc/sysconfig/radvd 

# No chroot; /var/run/radvd must be owned by -u.
OPTIONS="-u radvd"

# Chroot; directory structure under /var/chroot/radvd has to be populated.
#OPTIONS="-u radvd -t /var/chroot/radvd"

Comment 6 Pavel Šimerda (pavlix) 2015-06-05 10:29:42 UTC
Working radvd.conf example...

[root@f22 ~]# cat /etc/radvd.conf
# NOTE: there is no such thing as a working "by-default" configuration file. 
#       At least the prefix needs to be specified.  Please consult the radvd.conf(5)
#       man page and/or /usr/share/doc/radvd-*/radvd.conf.example for help.
#
#
interface enp0s25
{
        AdvSendAdvert on;
#       MinRtrAdvInterval 30;
#       MaxRtrAdvInterval 100;
#       prefix 2001:db8:1:0::/64
#       {
#               AdvOnLink on;
#               AdvAutonomous on;
#               AdvRouterAddr off;
#       };
#
};

Comment 7 Miroslav Grepl 2015-06-17 10:29:37 UTC
commit 1a649250ae6fe19f1d4ce098e53a3b6a99d6c7f1
Author: Miroslav Grepl <mgrepl>
Date:   Wed Jun 17 12:29:18 2015 +0200

    Allow radvd has setuid and it requires dac_override. BZ(1224403)

Comment 8 Fedora Update System 2015-06-19 07:51:34 UTC
selinux-policy-3.13.1-128.2.fc22 has been submitted as an update for Fedora 22.
https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-128.2.fc22

Comment 9 Fedora Update System 2015-06-21 00:34:20 UTC
Package selinux-policy-3.13.1-128.2.fc22:
* should fix your issue,
* was pushed to the Fedora 22 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-128.2.fc22'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-10299/selinux-policy-3.13.1-128.2.fc22
then log in and leave karma (feedback).

Comment 10 Juan Orti 2015-06-23 07:27:06 UTC
I'm calling radvd from gogoc (debugging #1224471), which does a domain transition from gogoc_t to radvd_t.

I've updated to selinux-policy-3.13.1-128.2.fc22.noarch, but it still fails with this AVC:

SELinux is preventing radvd from using the dac_override capability.

*****  Plugin dac_override (91.4 confidence) suggests   **********************

If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system
Then turn on full auditing to get path information about the offending file and generate the error again.
Do

Turn on full auditing
# auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute
# ausearch -m avc -ts recent
If you see PATH record check ownership/permissions on file, and fix it,
otherwise report as a bugzilla.

*****  Plugin catchall (9.59 confidence) suggests   **************************

If you believe that radvd should have the dac_override capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep radvd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:radvd_t:s0
Target Context                system_u:system_r:radvd_t:s0
Target Objects                Unknown [ capability ]
Source                        radvd
Source Path                   radvd
Port                          <Unknown>
Host                          fedora22s
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-128.2.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     fedora22s
Platform                      Linux fedora22s 4.0.5-300.fc22.x86_64 #1 SMP Mon
                              Jun 8 16:15:26 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-06-23 09:12:20 CEST
Last Seen                     2015-06-23 09:12:20 CEST
Local ID                      c4df43c4-29f4-46ce-ac1f-dc6d3f0a288a

Raw Audit Messages
type=AVC msg=audit(1435043540.212:496): avc:  denied  { dac_override } for  pid=1323 comm="radvd" capability=1  scontext=system_u:system_r:radvd_t:s0 tcontext=system_u:system_r:radvd_t:s0 tclass=capability permissive=0


Hash: radvd,radvd_t,radvd_t,capability,dac_override

Comment 11 Miroslav Grepl 2015-06-23 12:39:09 UTC
This is strange.

Lukas,
could you re-check it. I see the change in the git. 

Thank you,

Comment 12 Dusty Mabe 2015-06-23 13:17:27 UTC
(In reply to Juan Orti from comment #10)
> I'm calling radvd from gogoc (debugging #1224471), which does a domain
> transition from gogoc_t to radvd_t.
> 
> I've updated to selinux-policy-3.13.1-128.2.fc22.noarch, but it still fails
> with this AVC:
> 
> SELinux is preventing radvd from using the dac_override capability.



Here is what I see from the journal when trying to start radvd on the same system I used to test BZ#1227484:


Starting Router advertisement daemon for IPv6...
version 2.8 started
IPv6 forwarding setting is: 0, should be 1 or 2
IPv6 forwarding seems to be disabled, but continuing anyway
<audit-1400> avc:  denied  { dac_override } for  pid=8597 comm="radvd" capability=1  scontext=system_u:system_r:radvd_t:s0 tcontext=system_u:system_r:radvd_t:s0 tclass=capability permissive=0
unable to open pid file, /var/run/radvd/radvd.pid: Permission denied
[Jun 23 13:12:21] radvd (8597): unable to open pid file, /var/run/radvd/radvd.pid: Permission denied
radvd.service: control process exited, code=exited status=255
Failed to start Router advertisement daemon for IPv6.
Unit radvd.service entered failed state.
radvd.service failed.

Comment 13 Lukas Vrabec 2015-06-23 14:41:54 UTC
Fix will be in selinux-policy-3.13.1-128.3.fc22.noarch

Comment 14 Fedora Update System 2015-06-27 22:34:01 UTC
selinux-policy-3.13.1-128.2.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 John Haxby 2015-06-29 08:40:08 UTC
After updating selinux-policy-* and rebooting for the new kernel as well, radvd still does not start from systemd:

type=SERVICE_START msg=audit(1435565240.515:116):
 pid=1 uid=0 auid=4294967295 ses=4294967295
 subj=system_u:system_r:init_t:s0 msg='unit=radvd comm="systemd"
 exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'

type=AVC msg=audit(1435565633.328:209):
 avc:  denied  { dac_override } for  pid=1245 comm="radvd" capability=1 
 scontext=system_u:system_r:radvd_t:s0
 tcontext=system_u:system_r:radvd_t:s0
 tclass=capability permissive=0

type=SYSCALL msg=audit(1435565633.328:209):
 arch=c000003e syscall=2 success=no exit=-13
 a0=7f970b602820 a1=101042 a2=1a4 a3=7f970c86a660
 items=0 ppid=1 pid=1245
 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
 ses=4294967295 comm="radvd" exe="/usr/sbin/radvd"
 subj=system_u:system_r:radvd_t:s0 key=(null)

Comment 16 Marek Greško 2015-07-02 21:56:35 UTC
I confirm the bug is not fixed in selinux-policy-3.13.1-128.2.fc22. Could you, please, reopen the bug?

Comment 17 Lukas Vrabec 2015-07-06 11:57:37 UTC
lvrabec:~
$ audit2allow -i avc 


#============= radvd_t ==============

#!!!! This avc is allowed in the current policy
allow radvd_t self:capability dac_override;


lvrabec:~
$ rpm -q selinux-policy
selinux-policy-3.13.1-128.5.fc22.noarch


Note You need to log in before you can comment on or make changes to this bug.