Bug 167292
| Summary: | DHCP failover is denied by SELinux | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Joachim Selke <mail> |
| Component: | selinux-policy-targeted | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 4 | CC: | jparsons, jvdias, notting, skian2007 |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | 1.27.1-2.6 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2005-10-17 23:42:05 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Joachim Selke
2005-09-01 12:19:41 UTC
I'd greatly prefer to wait for an official IANA port before putting it in /etc/services. Note that the presence or lack of an entry there will only affect getservbyname()/getservbyport() - it very likely won't affect general functionality.

There seem to be official IANA ports now. http://www.iana.org/assignments/port-numbers says:

    dhcp-failover    647/tcp    DHCP Failover
    dhcp-failover    647/udp    DHCP Failover    # Bernard Volz <volz>
    dhcp-failover2   847/tcp    dhcp-failover 2
    dhcp-failover2   847/udp    dhcp-failover 2  # Bernard Volz <volz>

Fixed in selinux-policy-*-1.27.1-2.1

dhcpd is now updated to use the 'failover...{... port 647; peer port 847; ...}' configuration by default; users no longer MUST specify 'port' and 'peer port' values. This is reflected in the dhcpd.conf.5 man-page. All that remains is to update /etc/services with these values:

    dhcp-failover    647/tcp    DHCP Failover
    dhcp-failover    647/udp    DHCP Failover
    dhcp-failover2   847/tcp    dhcp-failover 2
    dhcp-failover2   847/udp    dhcp-failover 2

now that they have been formally assigned by IANA.

Is the services addition actually required for it to work? If not, it will get caught at some point in the future when we refresh the services file.

It seems to work without the addition in /etc/services. After I have updated to selinux-policy-targeted-1.25.4-10 I can use DHCP failover. Thank you for your quick response. :-)

Sorry, I have to correct my statement above. At first glance it seemed to work, but I still get the following error in /var/log/audit/audit.log when starting dhcpd (with the addition to /etc/services; selinux-policy-targeted.noarch-1.27.1-2.1 is installed):

    type=AVC msg=audit(1127586538.365:33): avc: denied { name_bind } for pid=2517 comm="dhcpd" src=647 scontext=root:system_r:dhcpd_t tcontext=system_u:object_r:dhcpd_port_t tclass=tcp_socket
    type=SYSCALL msg=audit(1127586538.365:33): arch=c000003e syscall=49 success=no exit=-13 a0=9 a1=5555557f0e88 a2=10 a3=7fffffa0205c items=0 pid=2517 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="dhcpd" exe="/usr/sbin/dhcpd"
    type=SOCKADDR msg=audit(1127586538.365:33): saddr=02000287824B39E20000000000000000

I tested it with the new selinux-policy-targeted-1.27.1-2.6 and it works! Even without the addition to /etc/services. This bug can be closed now.

Hi, according to https://kb.isc.org/docs/aa-00502 the recommended ports are now 519 and 520; could you add them also?
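The three audit records quoted above (AVC, SYSCALL, SOCKADDR) share one event id and together tell the whole story: which domain was denied which permission on which port type, the syscall result, and the raw socket address the process tried to bind. The following is an added example, not code from the bug report or from the selinux-policy package, that correlates such records by event id and decodes the hex `saddr` field so the denied port and address can be read directly. The sample log is the report's own three lines, reassembled as constructed input; the `sa_family` decoding assumes a little-endian host (consistent with `arch=c000003e`, x86_64) and Linux address-family constants.

```python
"""Correlate SELinux AVC denials with their SYSCALL/SOCKADDR records from audit.log."""
import re
import socket
import struct

# Constructed sample: the three records quoted in the bug, one per line as
# they appear in /var/log/audit/audit.log.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1127586538.365:33): avc: denied { name_bind } for pid=2517 comm="dhcpd" src=647 scontext=root:system_r:dhcpd_t tcontext=system_u:object_r:dhcpd_port_t tclass=tcp_socket
type=SYSCALL msg=audit(1127586538.365:33): arch=c000003e syscall=49 success=no exit=-13 a0=9 a1=5555557f0e88 a2=10 a3=7fffffa0205c items=0 pid=2517 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="dhcpd" exe="/usr/sbin/dhcpd"
type=SOCKADDR msg=audit(1127586538.365:33): saddr=02000287824B39E20000000000000000
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="quoted value"
MSG_RE = re.compile(r'msg=audit\(([^)]+)\)')         # the shared event id "secs.ms:serial"
PERM_RE = re.compile(r'denied\s+\{\s*([^}]*?)\s*\}')  # the permission(s) inside { }

# Linux address-family values (AF_INET6 differs on other platforms, so hard-code).
LINUX_AF_INET = 2
LINUX_AF_INET6 = 10


def parse_record(line):
    """Split one audit record into its key=value fields plus the event id and AVC permission."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    m = MSG_RE.search(line)
    fields["event_id"] = m.group(1) if m else None
    p = PERM_RE.search(line)
    if p:
        fields["perm"] = p.group(1)
    return fields


def decode_saddr(hexstr):
    """Decode the SOCKADDR record's saddr hex into family, port and address.

    sa_family is stored in host byte order (little-endian here); the port is in
    network byte order; for AF_INET6 the 16-byte address follows sin6_flowinfo.
    """
    raw = bytes.fromhex(hexstr)
    family = struct.unpack_from("<H", raw, 0)[0]
    if family == LINUX_AF_INET:
        port = struct.unpack_from("!H", raw, 2)[0]
        return {"family": "AF_INET", "port": port, "addr": socket.inet_ntoa(raw[4:8])}
    if family == LINUX_AF_INET6:
        port = struct.unpack_from("!H", raw, 2)[0]
        addr = socket.inet_ntop(socket.AF_INET6, raw[8:24])
        return {"family": "AF_INET6", "port": port, "addr": addr}
    return {"family": family, "port": None, "addr": None}


def correlate(log_text):
    """Group records by event id: {event_id: {record_type: fields}}."""
    events = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        events.setdefault(rec["event_id"], {})[rec.get("type")] = rec
    return events


def summarize_denials(log_text):
    """Produce one summary dict per AVC denial, enriched from its sibling records."""
    summaries = []
    for event_id, recs in correlate(log_text).items():
        avc = recs.get("AVC")
        if avc is None:
            continue
        summary = {
            "event_id": event_id,
            "comm": avc.get("comm"),
            "perm": avc.get("perm"),
            "scontext": avc.get("scontext"),
            "tcontext": avc.get("tcontext"),
            "tclass": avc.get("tclass"),
        }
        if "SYSCALL" in recs:
            summary["exe"] = recs["SYSCALL"].get("exe")
            summary["errno"] = int(recs["SYSCALL"]["exit"])   # -13 is -EACCES
        if "SOCKADDR" in recs:
            summary["bind"] = decode_saddr(recs["SOCKADDR"]["saddr"])
        summaries.append(summary)
    return summaries


if __name__ == "__main__":
    for s in summarize_denials(SAMPLE_AUDIT_LOG):
        print(s)
```

On the sample, the decoder shows dhcpd_t being refused `name_bind` on a TCP socket labelled `dhcpd_port_t`, with the SOCKADDR resolving to port 647 on the server's own IPv4 address, which is exactly the failover listener the fixed policy had to permit. Reading the port out of `saddr` rather than trusting `src=` alone is useful when the AVC line lacks a `src` field, as happens for some socket classes.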