Bug 186582

Summary: DHCP failover is denied by SELinux
Product: Red Hat Enterprise Linux 4
Reporter: Suzuki Takashi <suzuki-t>
Component: selinux-policy-targeted
Assignee: Russell Coker <rcoker>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: 4.0
CC: jparadis, jparsons, jvdias, notting
Hardware: i386
OS: Linux
Fixed In Version: RHBA-2006-0373
Doc Type: Bug Fix
Last Closed: 2006-08-10 21:20:28 UTC
Bug Blocks: 181409

Attachments:
Patch explicitly allowing dhcpd to bind to TCP port 647

Description Suzuki Takashi 2006-03-24 15:50:15 UTC
When will this fix be released for RHEL4?
selinux-policy-targeted-1.17.30-2.126 in Update 3 did not contain lines
for DHCP failover ports.


+++ This bug was initially created as a clone of Bug #167292 +++

Description of problem:
When using DHCP failover with dhcpd you have to specify ports over which the
primary and secondary DHCP server will communicate (see man dhcpd.conf for
details). The example configuration given in the dhcpd.conf manpage uses ports
519 and 520, but says that there are no reserved port numbers for this at the
moment. So it seems to be a good idea to use ports 519 and 520 for DHCP failover
communication until there are reserved ports.

Now the problem is that SELinux does not allow dhcpd to use these ports, trying
this ends up with the following error in /var/log/audit/audit.log (for the
primary server):

type=AVC msg=audit(1125576964.188:783): avc:  denied  { name_bind } for  pid=11681 comm="dhcpd" src=519 scontext=root:system_r:dhcpd_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
type=SYSCALL msg=audit(1125576964.188:783): arch=c000003e syscall=49 success=no exit=-13 a0=9 a1=5555557f0e48 a2=10 a3=7fffff9976bc items=0 pid=11681 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="dhcpd" exe="/usr/sbin/dhcpd"
type=SOCKADDR msg=audit(1125576964.188:783): saddr=02000207824B39E20000000000000000

This means that you can't use DHCP failover with SELinux enabled.


Version-Release number of selected component (if applicable):
dhcp.x86_64-10:3.0.2-14.FC4
selinux-policy-targeted.noarch-1.25.4-10


How reproducible:
Every time.


Steps to Reproduce:
1. Use dhcpd with DHCP failover
2. service dhcpd start

  
Actual results:
DHCP failover does not work


Expected results:
DHCP failover should work, dhcpd should be allowed to use port 519/520

-- Additional comment from notting on 2005-09-01 12:23 EST --
I'd greatly prefer to wait for an official IANA port before putting it in
/etc/services. Note that the presence or lack of an entry there will only affect
getservbyname()/getservbyport() - it very likely won't affect general functionality.

-- Additional comment from selke.de on 2005-09-02 18:02 EST --
There seem to be official IANA ports now.
http://www.iana.org/assignments/port-numbers says:

dhcp-failover   647/tcp    DHCP Failover
dhcp-failover   647/udp    DHCP Failover
#                          Bernard Volz <volz>

dhcp-failover2  847/tcp    dhcp-failover 2
dhcp-failover2  847/udp    dhcp-failover 2
#                          Bernard Volz <volz>

-- Additional comment from dwalsh on 2005-09-19 16:20 EST --
Fixed in selinux-policy-*-1.27.1-2.1

-- Additional comment from jvdias on 2005-09-23 17:32 EST --
dhcpd is now updated to use the 'failover...{... port 647; peer port 847; ...}'
configuration by default; users no longer MUST specify 'port' and 'peer port'
values. This is reflected in the dhcpd.conf.5 man-page.

All that remains is to update /etc/services with these values:

dhcp-failover   647/tcp    DHCP Failover
dhcp-failover   647/udp    DHCP Failover
dhcp-failover2  847/tcp    dhcp-failover 2
dhcp-failover2  847/udp    dhcp-failover 2

Now that they have been formally assigned by IANA.


-- Additional comment from notting on 2005-09-23 22:08 EST --
Is the services addition actually required for it to work? If not, it will get
caught at some point in the future when we refresh the services file.

-- Additional comment from selke.de on 2005-09-24 14:17 EST --
It seems to work without the addition in /etc/services. After I have updated to
selinux-policy-targeted-1.25.4-10 I can use DHCP failover.

Thank you for your quick response. :-)

-- Additional comment from selke.de on 2005-09-24 14:35 EST --
Sorry, I have to correct my statement above. At the first glance it seemed to
work but I still get the following error in /var/log/audit/audit.log when
starting dhcpd (with addition to /etc/services,
selinux-policy-targeted.noarch-1.27.1-2.1 is installed):

type=AVC msg=audit(1127586538.365:33): avc:  denied  { name_bind } for  pid=2517 comm="dhcpd" src=647 scontext=root:system_r:dhcpd_t tcontext=system_u:object_r:dhcpd_port_t tclass=tcp_socket
type=SYSCALL msg=audit(1127586538.365:33): arch=c000003e syscall=49 success=no exit=-13 a0=9 a1=5555557f0e88 a2=10 a3=7fffffa0205c items=0 pid=2517 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="dhcpd" exe="/usr/sbin/dhcpd"
type=SOCKADDR msg=audit(1127586538.365:33): saddr=02000287824B39E20000000000000000

-- Additional comment from selke.de on 2005-10-17 18:50 EST --
I tested it with the new selinux-policy-targeted-1.27.1-2.6 and it works! Even
without the addition to /etc/services. This bug can be closed now.

Comment 1 Russell Coker 2006-04-16 09:37:36 UTC
Did you enable the allow_ypbind boolean?  This will allow such access without 
fixing the root cause of the problem.  It has been used as a work-around for 
this problem and similar problems in the past.

The real problem here is not fixed in RHEL4U3 and will have to be fixed in an 
errata.

Comment 2 Suzuki Takashi 2006-04-16 10:44:36 UTC
I know the allow_ypbind boolean allows access to reserved_port_t ports,
including the DHCP failover port.
I'm waiting for a new policy that explicitly allows
dhcpd access through TCP port 647 for DHCP failover connections.

Just for remembrance:
According to the newest draft, only TCP port 647 is used
for both the primary and secondary peers.
http://tools.ietf.org/wg/dhc/draft-ietf-dhc-failover/draft-ietf-dhc-failover-12.txt


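As an added example that is not part of the bug report (and not dhcpd's or the selinux-policy package's code), here is a small Python tool that parses the AVC, SYSCALL and SOCKADDR records quoted in the description, decodes the saddr= blob into address family, port and IPv4 address, confirms the failing syscall is bind(2) returning EACCES, and tells the reserved_port_t denial (which comments 1 and 2 say the allow_ypbind boolean masks) apart from the dhcpd_port_t one, where the port is already labeled for dhcpd and an allow rule on the TCP socket class is what is missing. The allow-rule text in its verdict is an assumption about the form of that rule, not the content of the attached patch; the sample log is a constructed copy of the two denials quoted above.

```python
"""Decode the AVC records quoted in this bug and say which kind of fix applies.

Added example; not code from the bug report, from dhcpd or from the
selinux-policy package. The sample log is a constructed copy of the two
denials quoted in the description; the allow-rule text in the verdict is
this example's assumption of what the missing rule looks like.
"""
import errno
import re
import socket
import struct

# Constructed sample: the two AVC/SYSCALL/SOCKADDR triples quoted in the description.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1125576964.188:783): avc:  denied  { name_bind } for  pid=11681 comm="dhcpd" src=519 scontext=root:system_r:dhcpd_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
type=SYSCALL msg=audit(1125576964.188:783): arch=c000003e syscall=49 success=no exit=-13 a0=9 a1=5555557f0e48 a2=10 a3=7fffff9976bc items=0 pid=11681 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="dhcpd" exe="/usr/sbin/dhcpd"
type=SOCKADDR msg=audit(1125576964.188:783): saddr=02000207824B39E20000000000000000
type=AVC msg=audit(1127586538.365:33): avc:  denied  { name_bind } for  pid=2517 comm="dhcpd" src=647 scontext=root:system_r:dhcpd_t tcontext=system_u:object_r:dhcpd_port_t tclass=tcp_socket
type=SYSCALL msg=audit(1127586538.365:33): arch=c000003e syscall=49 success=no exit=-13 a0=9 a1=5555557f0e88 a2=10 a3=7fffffa0205c items=0 pid=2517 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="dhcpd" exe="/usr/sbin/dhcpd"
type=SOCKADDR msg=audit(1127586538.365:33): saddr=02000287824B39E20000000000000000
"""

EVENT_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
DENIED_RE = re.compile(r"avc:\s+denied\s+\{ ([^}]*) \}")

AF_INET = 2              # sa_family value for IPv4 on Linux
ARCH_X86_64 = "c000003e"  # arch= value the records carry
SYS_BIND_X86_64 = 49     # bind(2) in the x86_64 syscall table


def parse_audit_records(text):
    """Group audit lines by serial: {serial: {record_type: {field: value}}}."""
    events = {}
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        rtype, _timestamp, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in KV_RE.findall(body)}
        denied = DENIED_RE.search(body)
        if denied:
            fields["denied"] = denied.group(1).split()
        events.setdefault(serial, {})[rtype] = fields
    return events


def decode_saddr(hexblob):
    """Decode a sockaddr_in as the kernel logs it in saddr= (little-endian host).

    sa_family is in host byte order, sin_port in network byte order.  Only
    AF_INET is handled; any other family raises ValueError.
    """
    raw = bytes.fromhex(hexblob)
    family = struct.unpack("<H", raw[:2])[0]
    if family != AF_INET:
        raise ValueError("unsupported address family %d" % family)
    port = struct.unpack("!H", raw[2:4])[0]
    addr = socket.inet_ntoa(raw[4:8])
    return family, port, addr


def classify_name_bind_denial(event):
    """Explain one name_bind denial: decoded port, port label, and the fix it points at."""
    avc = event["AVC"]
    if "name_bind" not in avc.get("denied", []):
        raise ValueError("not a name_bind denial")
    source_type = avc["scontext"].split(":")[2]   # e.g. dhcpd_t
    port_type = avc["tcontext"].split(":")[2]     # e.g. reserved_port_t
    avc_port = int(avc["src"])
    _family, sock_port, sock_addr = decode_saddr(event["SOCKADDR"]["saddr"])

    # Cross-check the AVC against the SYSCALL record: bind(2) failing with EACCES.
    syscall = event["SYSCALL"]
    is_bind = syscall["arch"] == ARCH_X86_64 and int(syscall["syscall"]) == SYS_BIND_X86_64
    err = errno.errorcode.get(-int(syscall["exit"]), syscall["exit"])

    if port_type == "reserved_port_t":
        # The port carries only the generic label for ports below 1024, so no
        # dhcpd-specific rule can match it.  Comments 1 and 2 say allow_ypbind
        # lets dhcpd_t reach reserved_port_t ports: a blanket workaround.  The
        # fix is a dhcpd-specific label on the port plus the bind on that label.
        workaround = "allow_ypbind"
        verdict = ("port %d is labeled only reserved_port_t; label it for dhcpd and "
                   "grant %s the bind instead of setting allow_ypbind" % (avc_port, source_type))
    elif port_type == "dhcpd_port_t":
        # The port is already labeled for dhcpd; only the TCP permission is missing.
        # The rule form below is an assumption, not the attached patch.
        workaround = None
        verdict = ("port %d is already dhcpd_port_t; policy needs a rule like "
                   "'allow %s %s:%s name_bind;'" % (avc_port, source_type, port_type, avc["tclass"]))
    else:
        workaround = None
        verdict = "port %d carries label %s; check which domain that label is meant for" % (avc_port, port_type)

    return {
        "port": avc_port,
        "port_type": port_type,
        "bind_address": sock_addr,
        "saddr_matches_avc": avc_port == sock_port,
        "syscall_is_bind": is_bind,
        "errno": err,
        "workaround_boolean": workaround,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for serial, event in parse_audit_records(SAMPLE_AUDIT_LOG).items():
        print(serial, classify_name_bind_denial(event))
```

Run it on a real /var/log/audit/audit.log by feeding the file contents to parse_audit_records instead of the sample; records for other domains are parsed the same way, and classify_name_bind_denial raises on anything that is not a name_bind denial rather than guessing.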
Comment 3 Russell Coker 2006-04-16 10:54:24 UTC
Takashi-san, my question about the allow_ypbind boolean was in regard 
to selke's comment.  I now realise that for a cloned bug such unclear comments 
are a mistake.

I am working on an update that will explicitly permit those ports, I will 
permit all the ports (old and new) for RHEL4, but RHEL5 will only support the 
latest RFC specified port.  The permitted ports for RHEL4 have to match the 
documentation in man pages, RHEL5 should have man pages that reflect the 
latest RFCs.


Comment 9 Suzuki Takashi 2006-05-02 14:12:49 UTC
Created attachment 128489
Patch explicitly allowing dhcpd to bind to TCP port 647

I couldn't wait and made a custom RPM with this patch.
It works fine with allow_ypbind=false.

Comment 11 Red Hat Bugzilla 2006-08-10 21:20:36 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2006-0373.html