Description of problem:
When using DHCP failover with dhcpd you have to specify ports over which the primary and secondary DHCP server will communicate (see man dhcpd.conf for details). The example configuration given in the dhcpd.conf manpage uses ports 519 and 520, but says that there are no reserved port numbers for this at the moment. So it seems to be a good idea to use ports 519 and 520 for DHCP failover communication until there are reserved ports. Now the problem is that SELinux does not allow dhcpd to use these ports; trying this ends up with the following error in /var/log/audit/audit.log (for the primary server):

type=AVC msg=audit(1125576964.188:783): avc: denied { name_bind } for pid=11681 comm="dhcpd" src=519 scontext=root:system_r:dhcpd_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
type=SYSCALL msg=audit(1125576964.188:783): arch=c000003e syscall=49 success=no exit=-13 a0=9 a1=5555557f0e48 a2=10 a3=7fffff9976bc items=0 pid=11681 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="dhcpd" exe="/usr/sbin/dhcpd"
type=SOCKADDR msg=audit(1125576964.188:783): saddr=02000207824B39E20000000000000000

This means that you can't use DHCP failover with SELinux enabled.

Version-Release number of selected component (if applicable):
dhcp.x86_64-10:3.0.2-14.FC4
selinux-policy-targeted.noarch-1.25.4-10

How reproducible:
Every time.

Steps to Reproduce:
1. Use dhcpd with DHCP failover
2. service dhcpd start

Actual results:
DHCP failover does not work

Expected results:
DHCP failover should work, dhcpd should be allowed to use port 519/520
I'd greatly prefer to wait for an official IANA port before putting it in /etc/services. Note that the presence or lack of an entry there will only affect getservbyname()/getservbyport() - it very likely won't affect general functionality.
There seem to be official IANA ports now. http://www.iana.org/assignments/port-numbers says:

dhcp-failover   647/tcp   DHCP Failover
dhcp-failover   647/udp   DHCP Failover    # Bernard Volz <volz>
dhcp-failover2  847/tcp   dhcp-failover 2
dhcp-failover2  847/udp   dhcp-failover 2  # Bernard Volz <volz>
Fixed in selinux-policy-*-1.27.1-2.1
dhcpd is now updated to use the 'failover...{... port 647; peer port 847; ...}' configuration by default; users no longer MUST specify 'port' and 'peer port' values. This is reflected in the dhcpd.conf.5 man-page. All that remains is to update /etc/services with these values, now that they have been formally assigned by IANA:

dhcp-failover   647/tcp   DHCP Failover
dhcp-failover   647/udp   DHCP Failover
dhcp-failover2  847/tcp   dhcp-failover 2
dhcp-failover2  847/udp   dhcp-failover 2
Is the services addition actually required for it to work? If not, it will get caught at some point in the future when we refresh the services file.
It seems to work without the addition in /etc/services. After I have updated to selinux-policy-targeted-1.25.4-10 I can use DHCP failover. Thank you for your quick response. :-)
Sorry, I have to correct my statement above. At first glance it seemed to work, but I still get the following error in /var/log/audit/audit.log when starting dhcpd (with the addition to /etc/services; selinux-policy-targeted.noarch-1.27.1-2.1 is installed):

type=AVC msg=audit(1127586538.365:33): avc: denied { name_bind } for pid=2517 comm="dhcpd" src=647 scontext=root:system_r:dhcpd_t tcontext=system_u:object_r:dhcpd_port_t tclass=tcp_socket
type=SYSCALL msg=audit(1127586538.365:33): arch=c000003e syscall=49 success=no exit=-13 a0=9 a1=5555557f0e88 a2=10 a3=7fffffa0205c items=0 pid=2517 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="dhcpd" exe="/usr/sbin/dhcpd"
type=SOCKADDR msg=audit(1127586538.365:33): saddr=02000287824B39E20000000000000000
I tested it with the new selinux-policy-targeted-1.27.1-2.6 and it works! Even without the addition to /etc/services. This bug can be closed now.
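As an added example (not from this bug report, Fedora or ISC tooling), the audit records quoted in this thread can be checked mechanically: the script pairs each name_bind AVC denial with the SOCKADDR record of the same event id, decodes the saddr= field as a struct sockaddr_in so the bound port and address can be compared with the AVC src= field, and separates the first report (port still labelled reserved_port_t, so it needed a dhcpd_port_t label) from the later one (port already dhcpd_port_t, so the policy itself lacked the allow rule). The sample log below is constructed from the records quoted above.

```python
import re
import struct

# Constructed sample: the AVC and SOCKADDR records quoted in this bug, one pair per event.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1125576964.188:783): avc: denied { name_bind } for pid=11681 comm="dhcpd" src=519 scontext=root:system_r:dhcpd_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
type=SOCKADDR msg=audit(1125576964.188:783): saddr=02000207824B39E20000000000000000
type=AVC msg=audit(1127586538.365:33): avc: denied { name_bind } for pid=2517 comm="dhcpd" src=647 scontext=root:system_r:dhcpd_t tcontext=system_u:object_r:dhcpd_port_t tclass=tcp_socket
type=SOCKADDR msg=audit(1127586538.365:33): saddr=02000287824B39E20000000000000000
"""

AVC_RE = re.compile(r'type=AVC msg=audit\((?P<id>[\d.]+:\d+)\): avc: +denied +\{ (?P<perm>[^}]+?) \} '
                    r'.*?comm="(?P<comm>[^"]+)" src=(?P<src>\d+) scontext=(?P<scon>\S+) '
                    r'tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)')
SOCKADDR_RE = re.compile(r'type=SOCKADDR msg=audit\((?P<id>[\d.]+:\d+)\): saddr=(?P<saddr>[0-9A-Fa-f]+)')

def decode_sockaddr(hexstr):
    """saddr= is a raw struct sockaddr_in: family (host order, x86 little-endian), port (network order), IPv4."""
    raw = bytes.fromhex(hexstr)
    if struct.unpack("<H", raw[:2])[0] != 2:  # 2 == AF_INET; other families are not handled here
        return None
    port = struct.unpack("!H", raw[2:4])[0]
    return {"port": port, "addr": ".".join(str(b) for b in raw[4:8])}

def name_bind_denials(log_text):
    """Pair name_bind AVC denials with the SOCKADDR record of the same event id.
    needs_port_label is True when the port type is not dhcpd_port_t (fix: label the
    port); False when it already is, meaning the policy lacks the allow rule."""
    avcs, saddrs = {}, {}
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m and m.group("perm").strip() == "name_bind":
            avcs[m.group("id")] = m.groupdict()
        m = SOCKADDR_RE.search(line)
        if m:
            saddrs[m.group("id")] = m.group("saddr")
    result = []
    for eid, avc in avcs.items():
        sa = decode_sockaddr(saddrs[eid]) if eid in saddrs else None
        port = int(avc["src"])
        result.append({
            "event": eid, "comm": avc["comm"], "port": port,
            "proto": avc["tclass"].replace("_socket", ""),  # tcp_socket -> tcp
            "domain": avc["scon"].split(":")[2],            # e.g. dhcpd_t
            "port_type": avc["tcon"].split(":")[2],         # e.g. reserved_port_t
            "sockaddr": sa, "consistent": sa is not None and sa["port"] == port,
            "needs_port_label": avc["tcon"].split(":")[2] != "dhcpd_port_t",
        })
    return result
```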
Hi, according to https://kb.isc.org/docs/aa-00502 the now recommended ports are 519 and 520; could you add those as well?