Bug 167292

Summary: DHCP failover is denied by SELinux
Product: Fedora
Reporter: Joachim Selke <mail>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Version: 4
CC: jparsons, jvdias, notting, skian2007
Hardware: x86_64
OS: Linux
Fixed In Version: 1.27.1-2.6
Doc Type: Bug Fix
Last Closed: 2005-10-17 23:42:05 UTC

Description Joachim Selke 2005-09-01 12:19:41 UTC
Description of problem:
When using DHCP failover with dhcpd you have to specify ports over which the
primary and secondary DHCP server will communicate (see man dhcpd.conf for
details). The example configuration given in the dhcpd.conf manpage uses ports
519 and 520, but says that there are no reserved port numbers for this at the
moment. So it seems to be a good idea to use ports 519 and 520 for DHCP failover
communication until there are reserved ports.

Now the problem is that SELinux does not allow dhcpd to use these ports; trying
this ends up with the following error in /var/log/audit/audit.log (for the
primary server):

type=AVC msg=audit(1125576964.188:783): avc:  denied  { name_bind } for 
pid=11681 comm="dhcpd" src=519 scontext=root:system_r:dhcpd_t
tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
type=SYSCALL msg=audit(1125576964.188:783): arch=c000003e syscall=49 success=no
exit=-13 a0=9 a1=5555557f0e48 a2=10 a3=7fffff9976bc items=0 pid=11681 auid=0
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="dhcpd"
exe="/usr/sbin/dhcpd"
type=SOCKADDR msg=audit(1125576964.188:783): saddr=02000207824B39E20000000000000000

This means that you can't use DHCP failover with SELinux enabled.


Version-Release number of selected component (if applicable):
dhcp.x86_64-10:3.0.2-14.FC4
selinux-policy-targeted.noarch-1.25.4-10


How reproducible:
Every time.


Steps to Reproduce:
1. Use dhcpd with DHCP failover
2. service dhcpd start

Actual results:
DHCP failover does not work


Expected results:
DHCP failover should work; dhcpd should be allowed to use ports 519/520

Comment 2 Bill Nottingham 2005-09-01 16:23:28 UTC
I'd greatly prefer to wait for an official IANA port before putting it in
/etc/services. Note that the presence or lack of an entry there will only affect
getservbyname()/getservbyport() - it very likely won't affect general functionality.

Comment 3 Joachim Selke 2005-09-02 22:02:13 UTC
There seem to be official IANA ports now.
http://www.iana.org/assignments/port-numbers says:

dhcp-failover   647/tcp    DHCP Failover
dhcp-failover   647/udp    DHCP Failover
#                          Bernard Volz <volz>

dhcp-failover2  847/tcp    dhcp-failover 2
dhcp-failover2  847/udp    dhcp-failover 2
#                          Bernard Volz <volz>

Comment 4 Daniel Walsh 2005-09-19 20:20:48 UTC
Fixed in selinux-policy-*-1.27.1-2.1

Comment 5 Jason Vas Dias 2005-09-23 21:32:21 UTC
dhcpd is now updated to use the 'failover...{... port 647; peer port 847; ...}'
configuration by default; users no longer MUST specify 'port' and 'peer port'
values. This is reflected in the dhcpd.conf.5 man-page.

All that remains is to update /etc/services with these values:

dhcp-failover   647/tcp    DHCP Failover
dhcp-failover   647/udp    DHCP Failover
dhcp-failover2  847/tcp    dhcp-failover 2
dhcp-failover2  847/udp    dhcp-failover 2

Now that they have been formally assigned by IANA.


Comment 6 Bill Nottingham 2005-09-24 02:08:27 UTC
Is the services addition actually required for it to work? If not, it will get
caught at some point in the future when we refresh the services file.

Comment 7 Joachim Selke 2005-09-24 18:17:33 UTC
It seems to work without the addition in /etc/services. After I have updated to
selinux-policy-targeted-1.25.4-10 I can use DHCP failover.

Thank you for your quick response. :-)

Comment 8 Joachim Selke 2005-09-24 18:35:29 UTC
Sorry, I have to correct my statement above. At first glance it seemed to
work, but I still get the following error in /var/log/audit/audit.log when
starting dhcpd (with the addition to /etc/services;
selinux-policy-targeted.noarch-1.27.1-2.1 is installed):

type=AVC msg=audit(1127586538.365:33): avc:  denied  { name_bind } for  pid=2517
comm="dhcpd" src=647 scontext=root:system_r:dhcpd_t
tcontext=system_u:object_r:dhcpd_port_t tclass=tcp_socket
type=SYSCALL msg=audit(1127586538.365:33): arch=c000003e syscall=49 success=no
exit=-13 a0=9 a1=5555557f0e88 a2=10 a3=7fffffa0205c items=0 pid=2517 auid=0
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="dhcpd"
exe="/usr/sbin/dhcpd"
type=SOCKADDR msg=audit(1127586538.365:33): saddr=02000287824B39E20000000000000000
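A parser for the audit records quoted in the description and in comment 8, added here as an example (it is not part of the bug report or of any Fedora or ISC tooling): it groups the AVC, SYSCALL and SOCKADDR records of one audit event, reports which SELinux domain was denied name_bind on which port and under which port type (reserved_port_t on 519 versus dhcpd_port_t on 647), and decodes the SOCKADDR blob to confirm the port and address the AVC line reports. The sample lines are constructed from the first event in the report.

```python
import re

# Constructed sample modelled on the first event quoted in the report; one audit
# event is several records sharing the same msg=audit(timestamp:serial) id.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1125576964.188:783): avc:  denied  { name_bind } for  pid=11681 comm="dhcpd" src=519 scontext=root:system_r:dhcpd_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
type=SYSCALL msg=audit(1125576964.188:783): arch=c000003e syscall=49 success=no exit=-13 a0=9 a1=5555557f0e48 a2=10 a3=7fffff9976bc items=0 pid=11681 auid=0 uid=0 comm="dhcpd" exe="/usr/sbin/dhcpd"
type=SOCKADDR msg=audit(1125576964.188:783): saddr=02000207824B39E20000000000000000
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT_RE = re.compile(r'msg=audit\(\d+\.\d+:(\d+)\)')
PERM_RE = re.compile(r'denied\s+\{\s*([^}]*?)\s*\}')

def parse_fields(line):
    """key=value pairs of one audit record, quotes stripped."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def decode_sockaddr(saddr_hex):
    """AF_INET saddr= blob (struct sockaddr_in) -> (port, dotted address), else None.
    sa_family is host byte order (little-endian on x86_64); sin_port is network order."""
    raw = bytes.fromhex(saddr_hex)
    if int.from_bytes(raw[:2], 'little') != 2:   # 2 == AF_INET
        return None
    return int.from_bytes(raw[2:4], 'big'), '.'.join(str(b) for b in raw[4:8])

def bind_denials(audit_text):
    """Summarise each name_bind denial: domain, port, SELinux port type, protocol class,
    the address from SOCKADDR, and whether the SOCKADDR port agrees with src=."""
    events = {}
    for line in audit_text.splitlines():
        m = EVENT_RE.search(line)
        if m:
            rec = parse_fields(line)
            if rec['type'] == 'AVC':
                pm = PERM_RE.search(line)
                rec['perms'] = pm.group(1).split() if pm else []
            events.setdefault(m.group(1), {})[rec['type']] = rec
    found = []
    for recs in events.values():
        avc = recs.get('AVC')
        if not avc or 'name_bind' not in avc['perms']:
            continue
        sa = decode_sockaddr(recs['SOCKADDR']['saddr']) if 'SOCKADDR' in recs else None
        found.append({'domain': avc['scontext'].split(':')[2], 'port': int(avc['src']),
                      'port_type': avc['tcontext'].split(':')[2], 'proto': avc['tclass'],
                      'bound_addr': sa[1] if sa else None,
                      'consistent': sa is not None and sa[0] == int(avc['src'])})
    return found
```

Running bind_denials over the comment 8 event instead yields port 647 with port_type dhcpd_port_t, which shows that the port was already labelled for dhcpd but the 1.27.1-2.1 policy still lacked the name_bind rule that 1.27.1-2.6 added.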

Comment 9 Joachim Selke 2005-10-17 22:50:40 UTC
I tested it with the new selinux-policy-targeted-1.27.1-2.6 and it works! Even
without the addition to /etc/services. This bug can be closed now.

Comment 10 Andrey S 2020-09-07 08:07:33 UTC
Hi, according to https://kb.isc.org/docs/aa-00502 the recommended ports are now 519 and 520.

Could you add them as well?