Bug 396221 - net-misc/radvd causes a LOT of messages in selinux
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened
Hardware: All Linux
Importance: Normal normal
Assignee: Sven Vermeulen (RETIRED)
Reported: 2011-12-27 17:28 UTC by Nico Baggus
Modified: 2011-12-30 17:56 UTC
Description Nico Baggus 2011-12-27 17:28:21 UTC
radvd in enforcing mode can produce quite a lot of messages: >75K messages in a few seconds.
All of the type:
type=AVC msg=audit(1325004244.152:174306): avc:  denied  { read } for  pid=20724 comm="radvd" lport=58 scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=rawip_socket



Reproducible: Always

Steps to Reproduce:
1. setenforce 1 while radvd is running.


Expected Results:  
not those messages ;-)

This was found during fail2ban debugging.
bug: 389577
Comment 1 Sven Vermeulen (RETIRED) gentoo-dev 2011-12-28 19:48:00 UTC
Check if you have selinux-radvd installed:
  If not, stop radvd, install selinux-radvd, rlpkg radvd and start radvd

Does that help?
Comment 2 Nico Baggus 2011-12-29 01:01:47 UTC
# eix radvd
[I] net-misc/radvd
     Available versions:  1.8.2 ~1.8.3 {kernel_FreeBSD}
     Installed versions:  1.8.2(23:27:20 12/16/11)(-kernel_FreeBSD)
     Homepage:            http://v6web.litech.org/radvd/
     Description:         Linux IPv6 Router Advertisement Daemon

[I] sec-policy/selinux-radvd
     Available versions:  2.20110726
     Installed versions:  2.20110726(07:51:48 10/25/11)
     Homepage:            http://www.gentoo.org/proj/en/hardened/selinux/
     Description:         SELinux policy for radvd


I did relabel the package anyway, and a run of 5 minutes enforcing didn't show any message...

Restarting fail2ban while in enforcing fails with unable to authenticate user xxxxx.
Comment 3 Sven Vermeulen (RETIRED) gentoo-dev 2011-12-29 18:20:17 UTC
Can you check if it now indeed runs in the radvd_t domain? The denial you gave initially had it running in sysadm_t...
Comment 4 Nico Baggus 2011-12-29 22:51:14 UTC
If you mean ls -lZ from /proc, then this is visible:

dr-xr-xr-x.  8 root       root       system_u:system_r:radvd_t                  0 Dec 29 01:23 22755
dr-xr-xr-x.  8 radvd      radvd      system_u:system_r:radvd_t                  0 Dec 29 01:20 22757

I cannot restore the conditions from before the rlpkg, I am afraid.
Comment 5 Sven Vermeulen (RETIRED) gentoo-dev 2011-12-30 17:21:02 UTC
That's okay. It confirms my belief that radvd wasn't labeled properly (the binary) and after relabeling, things now work as planned. I'll add sec-policy/selinux-radvd as a dependency on radvd so that users don't need to install sec-policy/selinux-radvd manually and relabel.
Comment 6 Sven Vermeulen (RETIRED) gentoo-dev 2011-12-30 17:56:23 UTC
Dependency added in the tree on radvd-1.8.3.
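
The diagnostic step in this thread (spotting that the denial's scontext was sysadm_t rather than radvd_t) can be automated over an audit log. The following is an added example, not part of the original bug report or of Gentoo's tooling; the EXPECTED_DOMAIN mapping and the two sample lines marked as constructed are assumptions.

```python
import re
from collections import Counter

# Assumption: daemon name -> domain its policy module should put it in.
EXPECTED_DOMAIN = {"radvd": "radvd_t"}

AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}.*?'
    r'comm="(?P<comm>[^"]+)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+'
    r'tclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Parse one audit line; return a dict, or None if it is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    # A context is user:role:type[:level]; the type is the process domain.
    fields = rec["scontext"].split(":")
    rec["domain"] = fields[2] if len(fields) >= 3 else None
    return rec

def wrong_domain_denials(lines, expected=EXPECTED_DOMAIN):
    """Count denials raised by a known daemon running outside its own domain."""
    hits = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        want = expected.get(rec["comm"])
        if want is not None and rec["domain"] != want:
            hits[(rec["comm"], rec["domain"], want)] += 1
    return hits

SAMPLE = [
    # Denial quoted in the bug description.
    'type=AVC msg=audit(1325004244.152:174306): avc:  denied  { read } for  pid=20724 comm="radvd" lport=58 scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=rawip_socket',
    # Constructed: radvd confined in radvd_t, an ordinary policy denial (not flagged).
    'type=AVC msg=audit(1325100000.001:10): avc:  denied  { write } for  pid=22757 comm="radvd" name="example" scontext=system_u:system_r:radvd_t tcontext=system_u:object_r:var_t tclass=file',
    # Constructed: not an AVC record, ignored.
    'type=SYSCALL msg=audit(1325100000.001:10): arch=c000003e syscall=2 success=no',
]

if __name__ == "__main__":
    for (comm, got, want), n in wrong_domain_denials(SAMPLE).items():
        print(f"{comm}: {n} denial(s) in {got}, expected {want}; check file labels")
```

A hit means the daemon never transitioned into its own domain, which points at labeling or a missing policy module rather than at a rule to add to the policy.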