From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5

Description of problem:
If you configure DHCPD in a failover configuration, it needs to be able to communicate on UDP port 519 with the other DHCPD server. The targeted policy does not allow this and gives the following error:

type=AVC msg=audit(1133809349.927:3119): avc: denied { name_bind } for pid=21651 comm="dhcpd" src=519 scontext=root:system_r:dhcpd_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. Configure two DHCPD servers to work in a failover configuration by using the failover peer directive in /etc/dhcpd.conf.
2. Enable the default SELinux targeted policy for FC4.
3. Start the DHCPD servers and watch the audit log.

Actual Results:
The DHCPD servers started, but were not able to complete a connection between them because they could not bind to UDP port 519.

Expected Results:
The servers should both bind to UDP port 519 and listen for communications from the other server.

Additional info:
Since the ISC dhcp-3.0.2-based server in FC-4 was released, ports 647 and 847 have been allocated by IANA for use by DHCP failover. SELinux policy should allow dhcpd to bind to these ports: 647 and 847. The dhcp-3.0.3 server in Rawhide has been modified to use 647 and 847 as the default failover ports, and updates the documentation accordingly.
This one looks like it's been fixed in FC5. The ports 647 and 847 are labeled as dhcpd_port_t and dhcpd_t is allowed to connect to them. I don't think this is worth back-porting to FC4. Please test it in FC5.
This works fine, thanks.
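An added example, not part of the bug thread: it parses the AVC name_bind denial quoted in the report and checks the denied port against a `semanage port -l` style listing, so the conclusion reached above (move failover to the ports policy labels dhcpd_port_t, rather than loosening dhcpd_t) falls out of the data. The port listing is constructed for the example and assumes the format `TYPE PROTO PORT, PORT, ...`; the `<domain>_t` to `<domain>_port_t` naming is assumed from the dhcpd_t/dhcpd_port_t pair on this page.

```shell
# Constructed samples (not real system output): the AVC record quoted in the
# report and a semanage-style listing for a policy labeling 647/847 dhcpd_port_t.
AVC_LINE='type=AVC msg=audit(1133809349.927:3119): avc: denied { name_bind } for pid=21651 comm="dhcpd" src=519 scontext=root:system_r:dhcpd_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket'
PORT_LISTING='dhcpd_port_t                   tcp      547, 647, 847, 7911
dhcpd_port_t                   udp      547, 647, 847, 7911'

# avc_field LINE KEY: value of the KEY=... token in an audit record, quotes stripped
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tr -d '"' | head -n 1
}

# avc_bind_summary LINE: for a name_bind denial print "proto port source_type target_type"
avc_bind_summary() {
    case $1 in *"{ name_bind }"*) ;; *) return 1 ;; esac
    proto=$(avc_field "$1" tclass); proto=${proto%_socket}
    stype=$(avc_field "$1" scontext | cut -d: -f3)
    ttype=$(avc_field "$1" tcontext | cut -d: -f3)
    printf '%s %s %s %s\n' "$proto" "$(avc_field "$1" src)" "$stype" "$ttype"
}

# port_label LISTING PROTO PORT: port type assigned to PORT/PROTO, empty if only generic
port_label() {
    printf '%s\n' "$1" | awk -v proto="$2" -v port="$3" '
        $2 == proto { for (i = 3; i <= NF; i++) { p = $i; sub(/,$/, "", p); if (p == port) print $1 } }'
}

# labeled_ports LISTING TYPE PROTO: space-separated ports the listing gives TYPE/PROTO
labeled_ports() {
    printf '%s\n' "$1" | awk -v type="$2" -v proto="$3" '
        $1 == type && $2 == proto { for (i = 3; i <= NF; i++) { p = $i; sub(/,$/, "", p); printf "%s%s", (i > 3 ? " " : ""), p } print "" }'
}

# check_bind_denial LINE LISTING: explain a name_bind denial against the port type the
# domain is expected to use (<domain>_port_t, assumed from dhcpd_t -> dhcpd_port_t)
check_bind_denial() {
    listing=$2
    summary=$(avc_bind_summary "$1") || { echo "not a name_bind denial"; return 1; }
    set -- $summary
    proto=$1; port=$2; want="${3%_t}_port_t"
    have=$(port_label "$listing" "$proto" "$port")
    if [ "$have" = "$want" ]; then
        echo "port $port/$proto is labeled $want; the denial is not a port label problem"
    elif [ -n "$have" ]; then
        echo "port $port/$proto belongs to $have, not $want; another service owns that port"
    else
        echo "port $port/$proto carries no $want label; policy labels $want on $proto ports: $(labeled_ports "$listing" "$want" "$proto")"
    fi
}

check_bind_denial "$AVC_LINE" "$PORT_LISTING"
```

On a live system the listing would come from `semanage port -l` and the AVC line from the audit log; the check is deliberately read-only.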