Bug 175086 - DHCPD policy does not allow failover communication UDP port 519
Summary: DHCPD policy does not allow failover communication UDP port 519
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted   
(Show other bugs)
Version: 5
Hardware: i386 Linux
Target Milestone: ---
Assignee: Russell Coker
QA Contact:
Depends On:
TreeView+ depends on / blocked
Reported: 2005-12-06 15:25 UTC by Karyl Stein
Modified: 2007-11-30 22:11 UTC (History)
1 user (show)

Fixed In Version: FC5
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2006-04-03 19:59:37 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description Karyl Stein 2005-12-06 15:25:05 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5

Description of problem:
If you configure DHCPD in a failover configuration, it needs to be able to communicate on UDP port 519 with the other DHCPD server.  The targeted policy does not allow this and gives the following error:

type=AVC msg=audit(1133809349.927:3119): avc:  denied  { name_bind } for  pid=21651 comm="dhcpd" src=519 scontext=root:system_r:dhcpd_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Configure two DHCPD servers to work in a failover configuration by using the failover peer directive in /etc/dhcpd.conf.
2. Enable the default SELinux targeted policy for FC4.
3. Start the DHCPD servers and watch the audit log.

Actual Results:  The DHCPD servers started, but were not able to complete a connection between them because they could not bind to UDP port 519.

Expected Results:  The servers should both bind to UDP port 519 and listen for communications from the other server.

Additional info:

Comment 1 Jason Vas Dias 2005-12-06 16:36:56 UTC
Since the ISC dhcp-3.0.2 based server in FC-4 was released, ports 
647 and 847 have been allocated by IANA for use by DHCP failover .

SELinux policy should allow dhcpd to bind to these ports : 647 and 847 .

The dhcp-3.0.3 server in Rawhide has been modified to use 647 and 847 as
the default failover ports, and updates the documentation accordingly.

Comment 2 Russell Coker 2006-04-03 10:06:13 UTC
This one looks like it's been fixed in FC5.  The ports 647 and 847 are labeled 
as dhcpd_port_t and dhcpd_t is allowed to connect to them.

I don't think this is worth back-porting to FC4.  Please test it in FC5.

Comment 3 Karyl Stein 2006-04-03 19:59:37 UTC
This works fine, thanks.

Note You need to log in before you can comment on or make changes to this bug.