Package: radvd
Version: 1:2.15-2
Severity: normal

Dear Maintainer,

Running radvd on Debian 9.2 with systemd and selinux enabled results in radvd running in the wrong selinux context.

This is what I get, radvd running in init_t context:

# ps -auxZ | grep radvd
system_u:system_r:init_t:s0 root 11139 0.5 0.6 2580 1628 ? S<s 00:27 0:00 /usr/sbin/radvd --logmethod stderr_clean

This is what /var/log/audit.log says about this:

# cat /var/log/audit/audit.log | grep radvd
type=SELINUX_ERR msg=audit(1511047441.963:10594): op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:radvd_t:s0

This is what I would expect, radvd running in radvd_t context:

# ps -auxZ | grep radvd
system_u:system_r:radvd_t:s0 root 11139 0.5 0.6 2580 1628 ? S<s 00:27 0:00 /usr/sbin/radvd --logmethod stderr_clean

It turns out that the option NoNewPrivileges=yes in /lib/systemd/system/radvd.service causes the transition denial from init_t to radvd_t context.

Turning off this option by either creating a .service file in /etc/systemd/system/ that runs radvd via the /etc/init.d/radvd script, or creating a file /etc/systemd/system/radvd.service.d/extend.conf that overrides this option and sets the value to no, resolves this issue.

This might be either a systemd or selinux or selinux-policy bug rather than a bug in radvd.

-- System Information:
Debian Release: 9.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages radvd depends on:
ii  adduser   3.115
ii  libc6     2.24-11+deb9u1
ii  lsb-base  9.20161125

radvd recommends no packages.

radvd suggests no packages.
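
Added example, not part of the original report and not radvd or systemd code: a shell sketch that pulls denied bounded transitions out of audit records and writes the extend.conf drop-in the report describes. The names denied_transitions, write_nnp_dropin and SAMPLE_AUDIT, and the filesystem-root argument, are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; function and variable names are assumptions, not project code.

# Constructed input: the SELINUX_ERR record quoted in the report, plus one
# constructed unrelated record that must be ignored.
SAMPLE_AUDIT='type=SELINUX_ERR msg=audit(1511047441.963:10594): op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:radvd_t:s0
type=SERVICE_START msg=audit(1511047442.000:10595): pid=1 uid=0 unit=radvd res=success'

# Read audit records on stdin and print "source_domain -> target_domain" for
# every denied bounded transition (the symptom seen when NoNewPrivileges=yes
# blocks the init_t -> radvd_t domain change).
denied_transitions() {
    awk '
        # The SELinux type (domain) is the third colon-separated field.
        function domain(ctx,   p) { split(ctx, p, ":"); return p[3] }
        /type=SELINUX_ERR/ && /op=security_bounded_transition/ && /seresult=denied/ {
            src = ""; dst = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^oldcontext=/) src = substr($i, 12)
                if ($i ~ /^newcontext=/) dst = substr($i, 12)
            }
            if (src != "" && dst != "") print domain(src) " -> " domain(dst)
        }
    '
}

# Write the drop-in from the report. $1 is a filesystem root ("" on a live
# system, a scratch directory for a dry run), $2 is the unit name.
write_nnp_dropin() {
    dir="$1/etc/systemd/system/$2.d"
    mkdir -p "$dir" || return 1
    printf '[Service]\nNoNewPrivileges=no\n' > "$dir/extend.conf"
}

printf '%s\n' "$SAMPLE_AUDIT" | denied_transitions

# On a live system, as root:
#   write_nnp_dropin "" radvd.service
#   systemctl daemon-reload && systemctl restart radvd
#   ps -eZ | grep radvd     # the domain field should now read radvd_t
```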