Bug 167292 - DHCP failover is denied by SELinux
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
x86_64 Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
Reported: 2005-09-01 08:19 EDT by Joachim Selke
Modified: 2007-11-30 17:11 EST
Fixed In Version: 1.27.1-2.6
Doc Type: Bug Fix
Last Closed: 2005-10-17 19:42:05 EDT
Attachments: None
Description Joachim Selke 2005-09-01 08:19:41 EDT
Description of problem:
When using DHCP failover with dhcpd you have to specify ports over which the
primary and secondary DHCP server will communicate (see man dhcpd.conf for
details). The example configuration given in the dhcpd.conf manpage uses ports
519 and 520, but says that there are no reserved port numbers for this at the
moment. So it seems to be a good idea to use ports 519 and 520 for DHCP failover
communication until there are reserved ports.

Now the problem is that SELinux does not allow dhcpd to use these ports; trying
this ends up with the following error in /var/log/audit/audit.log (for the
primary server):

type=AVC msg=audit(1125576964.188:783): avc:  denied  { name_bind } for 
pid=11681 comm="dhcpd" src=519 scontext=root:system_r:dhcpd_t
tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
type=SYSCALL msg=audit(1125576964.188:783): arch=c000003e syscall=49 success=no
exit=-13 a0=9 a1=5555557f0e48 a2=10 a3=7fffff9976bc items=0 pid=11681 auid=0
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="dhcpd"
type=SOCKADDR msg=audit(1125576964.188:783): saddr=02000207824B39E20000000000000000

This means that you can't use DHCP failover with SELinux enabled.

Version-Release number of selected component (if applicable):

How reproducible:
Every time.

Steps to Reproduce:
1. Use dhcpd with DHCP failover
2. service dhcpd start

Actual results:
DHCP failover does not work

Expected results:
DHCP failover should work, dhcpd should be allowed to use port 519/520
Comment 2 Bill Nottingham 2005-09-01 12:23:28 EDT
I'd greatly prefer to wait for an official IANA port before putting it in
/etc/services. Note that the presence or lack of an entry there will only affect
getservbyname()/getservbyport() - it very likely won't affect general functionality.
Comment 3 Joachim Selke 2005-09-02 18:02:13 EDT
There seem to be official IANA ports now.
http://www.iana.org/assignments/port-numbers says:

dhcp-failover   647/tcp    DHCP Failover
dhcp-failover   647/udp    DHCP Failover
#                          Bernard Volz <volz@cisco.com>

dhcp-failover2  847/tcp    dhcp-failover 2
dhcp-failover2  847/udp    dhcp-failover 2
#                          Bernard Volz <volz@cisco.com>
Comment 4 Daniel Walsh 2005-09-19 16:20:48 EDT
Fixed in selinux-policy-*-1.27.1-2.1
Comment 5 Jason Vas Dias 2005-09-23 17:32:21 EDT
dhcpd is now updated to use the 'failover...{... port 647; peer port 847; ...}'
configuration by default; users no longer MUST specify 'port' and 'peer port'
values. This is reflected in the dhcpd.conf.5 man-page.

All that remains is to update /etc/services with these values:

dhcp-failover   647/tcp    DHCP Failover
dhcp-failover   647/udp    DHCP Failover
dhcp-failover2  847/tcp    dhcp-failover 2
dhcp-failover2  847/udp    dhcp-failover 2

now that they have been formally assigned by IANA.
Comment 6 Bill Nottingham 2005-09-23 22:08:27 EDT
Is the services addition actually required for it to work? If not, it will get
caught at some point in the future when we refresh the services file.
Comment 7 Joachim Selke 2005-09-24 14:17:33 EDT
It seems to work without the addition in /etc/services. After I have updated to
selinux-policy-targeted-1.25.4-10 I can use DHCP failover.

Thank you for your quick response. :-)
Comment 8 Joachim Selke 2005-09-24 14:35:29 EDT
Sorry, I have to correct my statement above. At first glance it seemed to
work but I still get the following error in /var/log/audit/audit.log when
starting dhcpd (with addition to /etc/services,
selinux-policy-targeted.noarch-1.27.1-2.1 is installed):

type=AVC msg=audit(1127586538.365:33): avc:  denied  { name_bind } for  pid=2517
comm="dhcpd" src=647 scontext=root:system_r:dhcpd_t
tcontext=system_u:object_r:dhcpd_port_t tclass=tcp_socket
type=SYSCALL msg=audit(1127586538.365:33): arch=c000003e syscall=49 success=no
exit=-13 a0=9 a1=5555557f0e88 a2=10 a3=7fffffa0205c items=0 pid=2517 auid=0
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="dhcpd"
type=SOCKADDR msg=audit(1127586538.365:33): saddr=02000287824B39E20000000000000000
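The two audit events quoted in this bug (the description's denial on port 519, labelled reserved_port_t, and comment 8's denial on port 647 after the port had been relabelled dhcpd_port_t) can be correlated and decoded with the parser below. This is an added example, not code from the bug report or from the selinux-policy package: the sample log is the two denials above joined onto single lines the way auditd writes them, and the function names are my own. The parser groups the AVC, SYSCALL and SOCKADDR records of one event by the "timestamp:serial" id in msg=audit(...), and decodes the SOCKADDR saddr field (sa_family in host byte order, which is little-endian on the x86_64 box that logged arch=c000003e; sin_port in network order), so the bind target is visible without guessing from the src= field.

```python
import re
import socket
import struct

# Constructed sample: the two denials quoted in this bug, joined onto one line
# per record as auditd writes them (the bug text wraps them for display).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1125576964.188:783): avc:  denied  { name_bind } for  pid=11681 comm="dhcpd" src=519 scontext=root:system_r:dhcpd_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
type=SYSCALL msg=audit(1125576964.188:783): arch=c000003e syscall=49 success=no exit=-13 a0=9 a1=5555557f0e48 a2=10 a3=7fffff9976bc items=0 pid=11681 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="dhcpd"
type=SOCKADDR msg=audit(1125576964.188:783): saddr=02000207824B39E20000000000000000
type=AVC msg=audit(1127586538.365:33): avc:  denied  { name_bind } for  pid=2517 comm="dhcpd" src=647 scontext=root:system_r:dhcpd_t tcontext=system_u:object_r:dhcpd_port_t tclass=tcp_socket
type=SYSCALL msg=audit(1127586538.365:33): arch=c000003e syscall=49 success=no exit=-13 a0=9 a1=5555557f0e88 a2=10 a3=7fffffa0205c items=0 pid=2517 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="dhcpd"
type=SOCKADDR msg=audit(1127586538.365:33): saddr=02000287824B39E20000000000000000
"""

HEADER_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<event>[\d.]+:\d+)\): (?P<body>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC_RE = re.compile(r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}")
AF_INET = 2  # Linux value of AF_INET, as stored in the first two bytes of saddr


def parse_record(line):
    """Split one audit line into its type, event id and key=value fields."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m["type"], "event": m["event"]}
    body = m["body"]
    avc = AVC_RE.search(body)
    if avc:
        rec["verdict"] = avc["verdict"]
        rec["perms"] = avc["perms"].split()
    for key, val in FIELD_RE.findall(body):
        rec[key] = val.strip('"')
    return rec


def decode_sockaddr(saddr_hex):
    """Decode the raw struct sockaddr that auditd hex-dumps in SOCKADDR records."""
    raw = bytes.fromhex(saddr_hex)
    # sa_family_t is in host byte order; arch=c000003e is x86_64, so little-endian.
    family = struct.unpack("<H", raw[:2])[0]
    if family == AF_INET:
        port = struct.unpack("!H", raw[2:4])[0]  # sin_port is network order
        return ("AF_INET", port, socket.inet_ntoa(raw[4:8]))
    return (f"family_{family}", None, raw[2:].hex())


def correlate(log_text):
    """Join the AVC, SYSCALL and SOCKADDR records of each event into one denial."""
    events = {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            events.setdefault(rec["event"], {})[rec["type"]] = rec
    denials = []
    for event_id, recs in events.items():
        avc = recs.get("AVC")
        if not avc or avc.get("verdict") != "denied":
            continue
        d = {
            "event": event_id,
            "pid": int(avc["pid"]),
            "comm": avc["comm"],
            "perms": avc["perms"],
            "scontext": avc["scontext"],
            "tcontext": avc["tcontext"],
            "tcontext_type": avc["tcontext"].split(":")[2],  # the port's SELinux type
            "tclass": avc["tclass"],
            "src": int(avc["src"]) if "src" in avc else None,
        }
        sc = recs.get("SYSCALL")
        if sc:
            d["syscall"] = int(sc["syscall"])
            d["success"] = sc["success"] == "yes"
            d["exit"] = int(sc["exit"])  # -13 is EACCES: bind() was refused
        sa = recs.get("SOCKADDR")
        if sa:
            d["sockaddr"] = decode_sockaddr(sa["saddr"])
        denials.append(d)
    return denials


def summarize(d):
    """One-line triage string: who was denied what on which labelled port."""
    fam, port, addr = d.get("sockaddr", ("?", d["src"], "?"))
    return (f"{d['comm']} (pid {d['pid']}, {d['scontext']}) denied "
            f"{' '.join(d['perms'])} on {d['tclass']} {addr}:{port} "
            f"labelled {d['tcontext_type']}")


if __name__ == "__main__":
    for denial in correlate(SAMPLE_AUDIT_LOG):
        print(summarize(denial))
```

Running it prints one line per event; the second line shows the detail that makes comment 8 interesting: the port was already labelled dhcpd_port_t, yet name_bind was still refused. Relabelling a port only changes the target type; the policy also has to contain a rule allowing dhcpd_t to name_bind to that type, which is what the 1.27.1-2.6 policy package supplied.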
Comment 9 Joachim Selke 2005-10-17 18:50:40 EDT
I tested it with the new selinux-policy-targeted-1.27.1-2.6 and it works! Even
without the addition to /etc/services. This bug can be closed now.
