Bug 186582
| Field | Value |
|---|---|
| Summary | DHCP failover is denied by SELinux |
| Product | Red Hat Enterprise Linux 4 |
| Component | selinux-policy-targeted |
| Version | 4.0 |
| Hardware | i386 |
| OS | Linux |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | medium |
| Reporter | Suzuki Takashi <suzuki-t> |
| Assignee | Russell Coker <rcoker> |
| CC | jparadis, jparsons, jvdias, notting |
| Fixed In Version | RHBA-2006-0373 |
| Doc Type | Bug Fix |
| Last Closed | 2006-08-10 21:20:28 UTC |
| Bug Blocks | 181409 |

Description
Suzuki Takashi
2006-03-24 15:50:15 UTC
Did you enable the allow_ypbind boolean? This will allow such access without fixing the root cause of the problem. It has been used as a work-around for this problem and similar problems in the past. The real problem here is not fixed in RHEL4U3 and will have to be fixed in an errata.

I know the allow_ypbind boolean allows access to reserved_port_t ports, including the DHCP failover port. I'm waiting for a new policy that explicitly allows dhcpd to access TCP port 647 for DHCP failover connections.

Just for remembrance: According to the newest draft, only TCP port 647 is used for both the primary and secondary peers. http://tools.ietf.org/wg/dhc/draft-ietf-dhc-failover/draft-ietf-dhc-failover-12.txt

Takashi-san, my question in regard to the allow_ypbind boolean was in regard to selke's comment. I now realise that for a cloned bug such unclear comments are a mistake. I am working on an update that will explicitly permit those ports; I will permit all the ports (old and new) for RHEL4, but RHEL5 will only support the latest RFC specified port. The permitted ports for RHEL4 have to match the documentation in man pages; RHEL5 should have man pages that reflect the latest RFCs.

Created attachment 128489
Patch explicitly allowing dhcpd to bind to TCP port 647
I couldn't wait and made a custom RPM with this patch.
It works fine with allow_ypbind=false.

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2006-0373.html
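
A triage check for the denial discussed in this report, as an added example that is not part of the bug report or of Red Hat's policy: it picks out AVC records where `dhcpd_t` was refused `name_bind` on TCP port 647, the case a port-specific rule covers without enabling `allow_ypbind`. The log lines are constructed samples in the RHEL 4 era AVC message style, and the function names are hypothetical.

```python
import re

# Constructed sample AVC records (not taken from the bug report), written in
# the style of RHEL 4 era kernel audit messages.
SAMPLE_LOG = """\
audit(1143215415.101:0): avc:  denied  { name_bind } for  pid=2211 comm="dhcpd" src=647 scontext=root:system_r:dhcpd_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
audit(1143215420.332:0): avc:  denied  { name_bind } for  pid=2290 comm="ypbind" src=834 scontext=root:system_r:ypbind_t tcontext=system_u:object_r:reserved_port_t tclass=udp_socket
audit(1143215431.007:0): avc:  denied  { read } for  pid=2211 comm="dhcpd" name="dhcpd.conf" dev=dm-0 ino=12 scontext=root:system_r:dhcpd_t tcontext=system_u:object_r:etc_t tclass=file
"""

FAILOVER_PORT = 647  # TCP port named in the report for DHCP failover
AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")

def parse_avc(line):
    """Return a dict for one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for token in m.group("fields").split():
        key, sep, value = token.partition("=")
        if sep:
            rec[key] = value.strip('"')
    # A context is user:role:type[:level]; keep only the type for matching.
    for ctx in ("scontext", "tcontext"):
        rec[ctx + "_type"] = rec.get(ctx, "::").split(":")[2]
    return rec

def failover_denials(log_text):
    """Denials where dhcpd_t was refused a bind to the failover TCP port."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        if (rec["scontext_type"] == "dhcpd_t"
                and rec.get("tclass") == "tcp_socket"
                and "name_bind" in rec["perms"]
                and rec.get("src") == str(FAILOVER_PORT)):
            hits.append(rec)
    return hits

if __name__ == "__main__":
    for rec in failover_denials(SAMPLE_LOG):
        print(f"dhcpd_t denied name_bind on tcp/{rec['src']} (target type {rec['tcontext_type']})")
```
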