Bug 175086 - DHCPD policy does not allow failover communication UDP port 519
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 5
Hardware: i386 Linux
Priority: medium, Severity: medium
Assigned To: Russell Coker
Reported: 2005-12-06 10:25 EST by Karyl Stein
Modified: 2007-11-30 17:11 EST
Fixed In Version: FC5
Doc Type: Bug Fix
Last Closed: 2006-04-03 15:59:37 EDT
Description Karyl Stein 2005-12-06 10:25:05 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5

Description of problem:
If you configure DHCPD in a failover configuration, it needs to be able to communicate on UDP port 519 with the other DHCPD server.  The targeted policy does not allow this and gives the following error:

type=AVC msg=audit(1133809349.927:3119): avc:  denied  { name_bind } for  pid=21651 comm="dhcpd" src=519 scontext=root:system_r:dhcpd_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket


Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Configure two DHCPD servers to work in a failover configuration by using the failover peer directive in /etc/dhcpd.conf.
2. Enable the default SELinux targeted policy for FC4.
3. Start the DHCPD servers and watch the audit log.
  

Actual Results:  The DHCPD servers started, but were not able to complete a connection between them because they could not bind to UDP port 519.

Expected Results:  The servers should both bind to UDP port 519 and listen for communications from the other server.

Additional info:
Comment 1 Jason Vas Dias 2005-12-06 11:36:56 EST
Since the ISC dhcp-3.0.2 based server in FC-4 was released, ports
647 and 847 have been allocated by IANA for use by DHCP failover.

SELinux policy should allow dhcpd to bind to these ports: 647 and 847.

The dhcp-3.0.3 server in Rawhide has been modified to use 647 and 847 as
the default failover ports, and updates the documentation accordingly.
Comment 2 Russell Coker 2006-04-03 06:06:13 EDT
This one looks like it's been fixed in FC5.  The ports 647 and 847 are labeled 
as dhcpd_port_t and dhcpd_t is allowed to connect to them.

I don't think this is worth back-porting to FC4.  Please test it in FC5.
Comment 3 Karyl Stein 2006-04-03 15:59:37 EDT
This works fine, thanks.
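
Added example, not part of the original bug thread: a small Python parser that reads AVC records like the one quoted in the report and counts name_bind denials by domain, command, protocol, port and port type, which are the values a port-labeling fix such as the one described in Comment 2 has to match. The first sample record is the one from the report; the other two records and all function names are constructed for illustration.

```python
import re
from collections import Counter

# Header of an audit AVC denial; the key=value pairs after "for" land in "rest".
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+"
    r"\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {key: value.strip('"') for key, value in KV_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    rec["serial"] = int(m.group("serial"))
    return rec

def summarize_bind_denials(lines):
    """Count name_bind denials per (domain, comm, protocol, port, port type)."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is None or "name_bind" not in rec["perms"]:
            continue
        if not rec.get("tclass", "").endswith("_socket") or "src" not in rec:
            continue
        domain = rec["scontext"].split(":")[2]      # user:role:type[:level]
        port_type = rec["tcontext"].split(":")[2]
        proto = rec["tclass"][: -len("_socket")]    # tcp_socket -> tcp
        counts[(domain, rec.get("comm"), proto, int(rec["src"]), port_type)] += 1
    return dict(counts)

SAMPLE = [
    # Record quoted in the bug report.
    'type=AVC msg=audit(1133809349.927:3119): avc:  denied  { name_bind } for  pid=21651 comm="dhcpd" src=519 scontext=root:system_r:dhcpd_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket',
    # Constructed: the same denial repeated after a service restart.
    'type=AVC msg=audit(1133809410.101:3127): avc:  denied  { name_bind } for  pid=21702 comm="dhcpd" src=519 scontext=root:system_r:dhcpd_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket',
    # Constructed: unrelated file denial that the summary must ignore.
    'type=AVC msg=audit(1133809411.500:3128): avc:  denied  { read } for  pid=21710 comm="example" name="example.conf" dev=dm-0 ino=12345 scontext=root:system_r:example_t tcontext=system_u:object_r:etc_t tclass=file',
]

if __name__ == "__main__":
    for key, n in summarize_bind_denials(SAMPLE).items():
        print(n, *key)
```

For the sample above the summary has a single key, (dhcpd_t, dhcpd, tcp, 519, reserved_port_t), counted twice because of the constructed repeat.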
