radvd in enforcing mode can produce quite a lot of messages, >75K messages in a few seconds, all of the type:

type=AVC msg=audit(1325004244.152:174306): avc: denied { read } for pid=20724 comm="radvd" lport=58 scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=rawip_socket

Reproducible: Always

Steps to Reproduce:
1. setenforce 1 while radvd is running.

Expected Results: not those messages ;-)

This was found during fail2ban debugging.

bug: 389577
Check if you have selinux-radvd installed. If not, stop radvd, install selinux-radvd, rlpkg radvd and start radvd. Does that help?
# eix radvd
[I] net-misc/radvd
     Available versions:  1.8.2 ~1.8.3 {kernel_FreeBSD}
     Installed versions:  1.8.2(23:27:20 12/16/11)(-kernel_FreeBSD)
     Homepage:            http://v6web.litech.org/radvd/
     Description:         Linux IPv6 Router Advertisement Daemon

[I] sec-policy/selinux-radvd
     Available versions:  2.20110726
     Installed versions:  2.20110726(07:51:48 10/25/11)
     Homepage:            http://www.gentoo.org/proj/en/hardened/selinux/
     Description:         SELinux policy for radvd

I did relabel the package anyway, and a run of 5 minutes in enforcing mode didn't show any message... Restarting fail2ban while in enforcing mode fails with "unable to authenticate user xxxxx".
Can you check if it now indeed runs in the radvd_t domain? The denial you gave initially had it running in sysadm_t...
If you mean ls -lZ from /proc, then this is visible:

dr-xr-xr-x. 8 root  root  system_u:system_r:radvd_t 0 Dec 29 01:23 22755
dr-xr-xr-x. 8 radvd radvd system_u:system_r:radvd_t 0 Dec 29 01:20 22757

I cannot restore the conditions from before the rlpkg, I am afraid.
That's okay. It confirms my belief that radvd wasn't labeled properly (the binary) and after relabeling, things now work as planned. I'll add sec-policy/selinux-radvd as a dependency on radvd so that users don't need to install sec-policy/selinux-radvd manually and relabel.
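The diagnosis above (a daemon whose denials show it in sysadm_t instead of its own domain) can be checked mechanically from the audit log. The following is an added example, not code from this bug or from the Gentoo policy packages; the two AVC lines are constructed after the one in the report, and the function names are my own.

```shell
# Constructed AVC sample: first line is the mislabeled case from the report
# (radvd running in sysadm_t), second line shows radvd in its proper radvd_t domain.
AVC_LOG='type=AVC msg=audit(1325004244.152:174306): avc: denied { read } for pid=20724 comm="radvd" lport=58 scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=rawip_socket
type=AVC msg=audit(1325004300.001:174400): avc: denied { read } for pid=22757 comm="radvd" lport=58 scontext=system_u:system_r:radvd_t tcontext=system_u:system_r:radvd_t tclass=rawip_socket'

# avc_domain LINE: print the type field (third component) of scontext=, e.g. sysadm_t
avc_domain() {
    printf '%s\n' "$1" | sed -n 's/.*scontext=[^:]*:[^:]*:\([^: ]*\).*/\1/p'
}

# avc_comm LINE: print the comm="..." value without the quotes
avc_comm() {
    printf '%s\n' "$1" | sed -n 's/.*comm="\([^"]*\)".*/\1/p'
}

# avc_pid LINE: print the pid= value
avc_pid() {
    printf '%s\n' "$1" | sed -n 's/.*pid=\([0-9]*\).*/\1/p'
}

# check_domain LINE EXPECTED: succeed (exit 0) if the denial's source domain is EXPECTED,
# fail (exit 1) otherwise, which is the "binary not labeled, ran in sysadm_t" case.
check_domain() {
    [ "$(avc_domain "$1")" = "$2" ]
}

# mislabeled_pids COMM EXPECTED: read AVC lines on stdin and print the pid of every
# denial whose comm is COMM but whose source domain is not EXPECTED.
mislabeled_pids() {
    while IFS= read -r line; do
        [ "$(avc_comm "$line")" = "$1" ] || continue
        check_domain "$line" "$2" || avc_pid "$line"
    done
}
```

Run it against the live log with `ausearch -m avc --raw | mislabeled_pids radvd radvd_t`; any pid it prints is a radvd process that did not transition into radvd_t and points at a binary that needs relabeling.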
Dependency added in the tree on radvd-1.8.3.