SEGV after:
# /usr/sbin/radvd

Reproducible: Always

Steps to Reproduce:
# /usr/sbin/radvd

Actual Results:
[May 11 12:37:40] radvd: Segmentation fault

Expected Results:
N/A

# emerge --info
Portage 2.1.4.4 (selinux/2007.0/amd64/hardened, gcc-4.1.2, glibc-2.6.1-r0, 2.6.23-hardened-r11-circular-prod.1 x86_64)
=================================================================
System uname: 2.6.23-hardened-r11-circular-prod.1 x86_64 Intel(R) Core(TM)2 Duo CPU E4500 @ 2.20GHz
Timestamp of tree: Sat, 10 May 2008 22:45:02 +0000
ccache version 2.4 [disabled]
app-shells/bash:     3.2_p33
dev-java/java-config: 1.3.7, 2.1.6
dev-lang/python:     2.4.4-r9
dev-python/pycrypto: 2.0.1-r6
dev-util/ccache:     2.4-r7
sys-apps/baselayout: 1.12.11.1
sys-apps/sandbox:    1.2.18.1-r2
sys-devel/autoconf:  2.61-r1
sys-devel/automake:  1.4_p6, 1.7.9-r1, 1.9.6-r2, 1.10.1
sys-devel/binutils:  2.18-r1
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:   1.5.26
virtual/os-headers:  2.6.23-r3
ACCEPT_KEYWORDS="amd64"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -march=nocona -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /var/bind"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-O2 -march=nocona -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="collision-protect distlocks fixpackages loadpolicy metadata-transfer parallel-fetch sandbox selinux sesandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://gentoo.ynet.sk/pub http://ftp.belnet.be/mirror/rsync.gentoo.org/gentoo/ ftp://ftp.belnet.be/mirror/rsync.gentoo.org/gentoo/ http://mirror.gentoo.no/"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="7zip acl alsa amd64 apache2 berkdb bzip2 cli cracklib crypt cups distcc dri fortran ftp gd gdbm gpm gs hardened iconv ipv6 isdnlog jpeg midi mmx mp3 mpeg mudflap mysql ncurses nls nptl nptlonly openmp pam pcre perl php pic pie png pppd python readline reflection samba sasl selinux session sharedmem slang snmp spl sse sse2 ssl ssp suexec symlink tcpd threads tiff truetype unicode userlocales utf8 wmf xattr xml xorg zlib"
ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol"
APACHE2_MODULES="actions alias asis auth_basic auth_digest authn_alias authn_anon authn_dbd authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cern_meta charset_lite dav dav_fs dav_lock dbd deflate dir disk_cache dumpio env expires ext_filter file_cache filter headers ident imagemap include info log_config log_forensic logio mem_cache mime mime_magic negotiation proxy proxy_ajp proxy_balancer proxy_connect proxy_ftp proxy_http rewrite setenvif speling status unique_id userdir usertrack version vhost_alias"
APACHE2_MPMS="worker"
ELIBC="glibc"
INPUT_DEVICES="keyboard mouse evdev"
KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
USERLAND="GNU"
VIDEO_CARDS="apm ark chips cirrus cyrix dummy fbdev glint i128 i810 mach64 mga neomagic nv r128 radeon rendition s3 s3virge savage siliconmotion sis sisusb tdfx tga trident tseng v4l vesa vga via vmware voodoo"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY

---
# id radvd
uid=102(radvd) gid=1020(radvd) groups=1020(radvd),1001(ident)
# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),16(cron),20(dialout),26(tape),27(video),250(portage),1001(ident),1005(trusted) context=vdm:sysadm_r:sysadm_t
---

PaX patches, GrSec patches, SELinux patches from hardened-sources (to date, latest stable "2.6.23-hardened-r11" from portage for x86_64 SMP).

Group "ident" (gid 1001) is the GID that has access to /proc.

Too bad that I am unable to gdb the radvd, the stack backtrace is always "??", even when I append "-ggdb3" to CFLAGS and "nostrip" to FEATURES and "# emerge radvd", because of the PaX and GrSec patches.

---
# zcat /proc/config.gz | grep GRKERNSEC
CONFIG_GRKERNSEC=y
# CONFIG_GRKERNSEC_LOW is not set
# CONFIG_GRKERNSEC_MEDIUM is not set
# CONFIG_GRKERNSEC_HIGH is not set
# CONFIG_GRKERNSEC_HARDENED is not set
CONFIG_GRKERNSEC_CUSTOM=y
CONFIG_GRKERNSEC_KMEM=y
CONFIG_GRKERNSEC_IO=y
CONFIG_GRKERNSEC_PROC_MEMMAP=y
CONFIG_GRKERNSEC_BRUTE=y
CONFIG_GRKERNSEC_HIDESYM=y
CONFIG_GRKERNSEC_ACL_HIDEKERN=y
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=60
CONFIG_GRKERNSEC_PROC=y
# CONFIG_GRKERNSEC_PROC_USER is not set
CONFIG_GRKERNSEC_PROC_USERGROUP=y
CONFIG_GRKERNSEC_PROC_GID=1001
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_FIFO=y
# CONFIG_GRKERNSEC_CHROOT is not set
CONFIG_GRKERNSEC_AUDIT_GROUP=y
CONFIG_GRKERNSEC_AUDIT_GID=1006
CONFIG_GRKERNSEC_EXECLOG=y
CONFIG_GRKERNSEC_RESLOG=y
CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
CONFIG_GRKERNSEC_AUDIT_CHDIR=y
CONFIG_GRKERNSEC_AUDIT_MOUNT=y
CONFIG_GRKERNSEC_AUDIT_IPC=y
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_TIME=y
CONFIG_GRKERNSEC_PROC_IPADDR=y
# CONFIG_GRKERNSEC_AUDIT_TEXTREL is not set
CONFIG_GRKERNSEC_EXECVE=y
CONFIG_GRKERNSEC_SHM=y
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_TPE=y
CONFIG_GRKERNSEC_TPE_ALL=y
CONFIG_GRKERNSEC_TPE_INVERT=y
CONFIG_GRKERNSEC_TPE_GID=1005
CONFIG_GRKERNSEC_RANDNET=y
CONFIG_GRKERNSEC_SOCKET=y
CONFIG_GRKERNSEC_SOCKET_ALL=y
CONFIG_GRKERNSEC_SOCKET_ALL_GID=1004
CONFIG_GRKERNSEC_SOCKET_CLIENT=y
CONFIG_GRKERNSEC_SOCKET_CLIENT_GID=1003
CONFIG_GRKERNSEC_SOCKET_SERVER=y
CONFIG_GRKERNSEC_SOCKET_SERVER_GID=1002
CONFIG_GRKERNSEC_SYSCTL=y
CONFIG_GRKERNSEC_SYSCTL_ON=y
CONFIG_GRKERNSEC_FLOODTIME=1
CONFIG_GRKERNSEC_FLOODBURST=64
---
# zcat /proc/config.gz | grep -i pax
# PaX
CONFIG_PAX=y
# PaX Control
CONFIG_PAX_SOFTMODE=y
CONFIG_PAX_EI_PAX=y
CONFIG_PAX_PT_PAX_FLAGS=y
# CONFIG_PAX_NO_ACL_FLAGS is not set
CONFIG_PAX_HAVE_ACL_FLAGS=y
# CONFIG_PAX_HOOK_ACL_FLAGS is not set
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
# CONFIG_PAX_EMUTRAMP is not set
CONFIG_PAX_MPROTECT=y
CONFIG_PAX_NOELFRELOCS=y
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
CONFIG_PAX_MEMORY_SANITIZE=y
---
# zcat /proc/config.gz | grep -i selinux
CONFIG_SECURITY_SELINUX=y
# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
# CONFIG_SECURITY_SELINUX_DISABLE is not set
# CONFIG_SECURITY_SELINUX_DEVELOP is not set
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT=y
# CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX is not set
---
SELinux configuration: strict policy
Oh, latexer retired? =================================================================== RCS file: /var/cvsroot/gentoo-x86/net-misc/radvd/metadata.xml,v retrieving revision 1.3 diff -u -B -r1.3 metadata.xml --- metadata.xml 25 Dec 2007 16:28:41 -0000 1.3 +++ metadata.xml 12 May 2008 13:34:03 -0000 @@ -3,10 +3,6 @@ <pkgmetadata> <herd>no-herd</herd> <maintainer> - <email>latexter@gentoo.org</email> - <name>Peter Johanson</name> - </maintainer> - <maintainer> <email>wschlich@gentoo.org</email> <name>Wolfram Schlich</name> </maintainer>
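Review bot: after the removed `<maintainer>` block for latexter@gentoo.org, the package keeps `<herd>no-herd</herd>` and is left with wschlich@gentoo.org as the only maintainer, so every bug on net-misc/radvd now depends on one person being active; if the retirement is confirmed, consider assigning a herd or adding a second maintainer in the same commit rather than just dropping the entry.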
I suspect that it is related to the PaX/GrSec/SELinux patches (as I was notified after emerging this package that, when I use a special GID for access to /proc in the kernel config (e.g. for identd), I will get a SEGV if I do not put the radvd user into that group). But it is in that group, and the SEGV even occurs when I run it under root, with the sysadm_r SELinux context.

Regards,
Marian VooDooMan Meravy (reporter).
Ping? How are things going?
I resolved this issue.

There is the old buggy behavior:

====================
circular ~ # equery l radvd
[ Searching for package 'radvd' in all categories among: ]
 * installed packages
[I--] [  ] net-misc/radvd-1.0-r1 (0)
circular ~ # /etc/init.d/radvd start
Authenticating root.
Password:
 * Caching service dependencies ...                              [ ok ]
 * Enabling IPv6 forwarding ...                                  [ ok ]
 * Starting IPv6 Router Advertisement Daemon ...
[Nov 04 02:10:01] radvd: /lib/rcscripts/sh/rc-daemon.sh: line 231: 18501 Segmentation fault      /sbin/start-stop-daemon '--start' '--exec' '/usr/sbin/radvd' '--pidfile' '/var/run/radvd/radvd.pid' '--' '-C' '/etc/radvd.conf' '-p' '/var/run/radvd/radvd.pid' '-u' 'radvd'
                                                                 [ !! ]
circular ~ # dmesg | tail
... some irrelevant messages skipped ...
[928917.879199] radvd[18501] general protection ip:7463702c4ad0 sp:7da2c501bf28 error:0 in libc-2.6.1.so[746370251000+137000]
[928917.879216] grsec: From 10.XXX.XXX.XXX: signal 11 sent to /usr/sbin/radvd[radvd:18501] uid/euid:102/102 gid/egid:1001/1001, parent /sbin/runscript.sh[runscript.sh:18497] uid/euid:0/0 gid/egid:0/0
====================

The "10.XXX.XXX.XXX" IP address above was censored for the sake of privacy. GID 1001 is the "identd" group in the kernel configuration that allows unrestricted access to the /proc filesystem.

To resolve the bug, two things have to be done:

1. unmask radvd by keyword (on my platform) "~amd64"
2. make a new SELinux module, with my_radvd.te content:
---
policy_module(my_radvd,1.0.0)

require {
	type sysadm_t;
}

allow sysadm_t self:rawip_socket ioctl;
---

Both steps are required; I was trying all four possible combinations, and found that these 2 steps are required together; in the other three cases it segfaulted as shown above.

New behavior:

====================
circular ~ # equery l radvd
[ Searching for package 'radvd' in all categories among: ]
 * installed packages
[I--] [ ~] net-misc/radvd-1.1 (0)
circular ~ # /etc/init.d/radvd start
Authenticating root.
Password:
 * Caching service dependencies ...                              [ ok ]
 * Enabling IPv6 forwarding ...                                  [ ok ]
 * Starting IPv6 Router Advertisement Daemon ...                 [ ok ]
circular ~ #
====================
Just for better clarification: of course, if you want to run radvd by the initrc script, you need this rule instead:

allow initrc_t self:rawip_socket ioctl;
selinux: Update your policy files for this?

(In reply to comment #5)
> allow initrc_t self:rawip_socket ioctl;
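The local policy module from comments #4 and #5, as an added example that is not from the bug thread, the radvd project or Gentoo's policy: a POSIX sh helper that emits the my_radvd.te source for either domain the thread names (sysadm_t when radvd is started by hand from a sysadm shell, initrc_t when the init script starts it; radvd needs the raw IP socket because it sends ICMPv6 router advertisements) and then compiles and loads it with the standard SELinux userspace tools. The module name "my_radvd", the version 1.0.0 and the rule itself are taken from the report; the function names and the output directory argument are mine.

```shell
#!/bin/sh
# Added example, not code from the bug thread or from radvd/Gentoo.
# Builds the one-rule SELinux module the thread describes. Assumptions:
# module name "my_radvd", version 1.0.0 and the rawip_socket ioctl rule
# as posted; only the two domains named in the thread are accepted.

# Print the .te source for the given domain (sysadm_t or initrc_t).
radvd_policy_te() {
    domain="$1"
    case "$domain" in
        sysadm_t|initrc_t) ;;
        *) echo "radvd_policy_te: unexpected domain '$domain'" >&2; return 1 ;;
    esac
    # Same content as my_radvd.te in comment #4, with the domain substituted.
    printf 'policy_module(my_radvd,1.0.0)\n\nrequire {\n\ttype %s;\n}\n\nallow %s self:rawip_socket ioctl;\n' \
        "$domain" "$domain"
}

# Write my_radvd.te into $2 (default: current directory), then compile it
# to a .mod, package it as a .pp and load it. Needs root and the SELinux
# userspace tools (checkmodule, semodule_package, semodule); when
# checkmodule is not on PATH only the .te is written and that counts as
# success, so the source can be reviewed or built elsewhere.
radvd_policy_install() {
    domain="$1"
    dir="${2:-.}"
    radvd_policy_te "$domain" > "$dir/my_radvd.te" || return 1
    if ! command -v checkmodule >/dev/null 2>&1; then
        echo "checkmodule not found; wrote $dir/my_radvd.te only" >&2
        return 0
    fi
    checkmodule -M -m -o "$dir/my_radvd.mod" "$dir/my_radvd.te" &&
        semodule_package -o "$dir/my_radvd.pp" -m "$dir/my_radvd.mod" &&
        semodule -i "$dir/my_radvd.pp"
}

# Usage (init-script variant from comment #5, staged under /tmp):
#   radvd_policy_install initrc_t /tmp
```

The rule is deliberately narrow (one permission, on the domain's own raw IP socket); confirm the matching AVC denial in the audit log before widening it to anything broader.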