When will this fix be released for RHEL4? selinux-policy-targeted-1.17.30-2.126 in Update 3 did not contain lines for DHCP failover ports.

+++ This bug was initially created as a clone of Bug #167292 +++

Description of problem:
When using DHCP failover with dhcpd you have to specify ports over which the primary and secondary DHCP server will communicate (see man dhcpd.conf for details). The example configuration given in the dhcpd.conf manpage uses ports 519 and 520, but says that there are no reserved port numbers for this at the moment. So it seems to be a good idea to use ports 519 and 520 for DHCP failover communication until there are reserved ports.

Now the problem is that SELinux does not allow dhcpd to use these ports; trying this ends up with the following error in /var/log/audit/audit.log (for the primary server):

type=AVC msg=audit(1125576964.188:783): avc: denied { name_bind } for pid=11681 comm="dhcpd" src=519 scontext=root:system_r:dhcpd_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
type=SYSCALL msg=audit(1125576964.188:783): arch=c000003e syscall=49 success=no exit=-13 a0=9 a1=5555557f0e48 a2=10 a3=7fffff9976bc items=0 pid=11681 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="dhcpd" exe="/usr/sbin/dhcpd"
type=SOCKADDR msg=audit(1125576964.188:783): saddr=02000207824B39E20000000000000000

This means that you can't use DHCP failover with SELinux enabled.

Version-Release number of selected component (if applicable):
dhcp.x86_64-10:3.0.2-14.FC4
selinux-policy-targeted.noarch-1.25.4-10

How reproducible:
Every time.

Steps to Reproduce:
1. Use dhcpd with DHCP failover
2. service dhcpd start

Actual results:
DHCP failover does not work

Expected results:
DHCP failover should work, dhcpd should be allowed to use port 519/520

-- Additional comment from notting on 2005-09-01 12:23 EST --
I'd greatly prefer to wait for an official IANA port before putting it in /etc/services. Note that the presence or lack of an entry there will only affect getservbyname()/getservbyport() - it very likely won't affect general functionality.

-- Additional comment from selke.de on 2005-09-02 18:02 EST --
There seem to be official IANA ports now. http://www.iana.org/assignments/port-numbers says:

dhcp-failover 647/tcp DHCP Failover
dhcp-failover 647/udp DHCP Failover # Bernard Volz <volz>
dhcp-failover2 847/tcp dhcp-failover 2
dhcp-failover2 847/udp dhcp-failover 2 # Bernard Volz <volz>

-- Additional comment from dwalsh on 2005-09-19 16:20 EST --
Fixed in selinux-policy-*-1.27.1-2.1

-- Additional comment from jvdias on 2005-09-23 17:32 EST --
dhcpd is now updated to use the 'failover...{... port 647; peer port 847; ...}' configuration by default; users no longer MUST specify 'port' and 'peer port' values. This is reflected in the dhcpd.conf.5 man-page. All that remains is to update /etc/services with these values:

dhcp-failover 647/tcp DHCP Failover
dhcp-failover 647/udp DHCP Failover
dhcp-failover2 847/tcp dhcp-failover 2
dhcp-failover2 847/udp dhcp-failover 2

now that they have been formally assigned by IANA.

-- Additional comment from notting on 2005-09-23 22:08 EST --
Is the services addition actually required for it to work? If not, it will get caught at some point in the future when we refresh the services file.

-- Additional comment from selke.de on 2005-09-24 14:17 EST --
It seems to work without the addition in /etc/services. After updating to selinux-policy-targeted-1.25.4-10 I can use DHCP failover. Thank you for your quick response. :-)

-- Additional comment from selke.de on 2005-09-24 14:35 EST --
Sorry, I have to correct my statement above. At first glance it seemed to work, but I still get the following error in /var/log/audit/audit.log when starting dhcpd (with the addition to /etc/services; selinux-policy-targeted.noarch-1.27.1-2.1 is installed):

type=AVC msg=audit(1127586538.365:33): avc: denied { name_bind } for pid=2517 comm="dhcpd" src=647 scontext=root:system_r:dhcpd_t tcontext=system_u:object_r:dhcpd_port_t tclass=tcp_socket
type=SYSCALL msg=audit(1127586538.365:33): arch=c000003e syscall=49 success=no exit=-13 a0=9 a1=5555557f0e88 a2=10 a3=7fffffa0205c items=0 pid=2517 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="dhcpd" exe="/usr/sbin/dhcpd"
type=SOCKADDR msg=audit(1127586538.365:33): saddr=02000287824B39E20000000000000000

-- Additional comment from selke.de on 2005-10-17 18:50 EST --
I tested it with the new selinux-policy-targeted-1.27.1-2.6 and it works! Even without the addition to /etc/services. This bug can be closed now.
Did you enable the allow_ypbind boolean? This will allow such access without fixing the root cause of the problem. It has been used as a work-around for this problem and similar problems in the past. The real problem here is not fixed in RHEL4U3 and will have to be fixed in an errata.
I know the allow_ypbind boolean allows access to reserved_port_t ports, including the DHCP failover port. I'm waiting for a new policy that explicitly allows dhcpd to access TCP port 647 for DHCP failover connections. Just as a reminder: according to the newest draft, only TCP port 647 is used for both the primary and secondary peers. http://tools.ietf.org/wg/dhc/draft-ietf-dhc-failover/draft-ietf-dhc-failover-12.txt
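The two audit.log excerpts quoted in this bug look alike but point at different remedies: the 519 denial is against the generic reserved_port_t label (which the comments above say the allow_ypbind boolean papers over without fixing the root cause), while the 647 denial after the 1.27.1-2.1 policy is against the dedicated dhcpd_port_t label and needs an explicit name_bind rule for dhcpd_t, which is what the later policy adds. The following script is an added example, not part of this bug report or of the selinux-policy package: it parses the records quoted above (embedded as constructed sample input, one record per line), pairs each AVC with the SYSCALL and SOCKADDR records sharing its audit serial, decodes the saddr= dump as a sockaddr_in to confirm the port the AVC reports, and sorts each denial into the two cases discussed in this thread. The field layout of sockaddr_in (host-order family, network-order port and address) is standard; the function names are the example's own.

```python
import re
import socket
import struct

# Constructed sample input: the audit records quoted in this bug, one line per
# record (the report text above ran them together).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1125576964.188:783): avc: denied { name_bind } for pid=11681 comm="dhcpd" src=519 scontext=root:system_r:dhcpd_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
type=SYSCALL msg=audit(1125576964.188:783): arch=c000003e syscall=49 success=no exit=-13 a0=9 a1=5555557f0e48 a2=10 a3=7fffff9976bc items=0 pid=11681 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="dhcpd" exe="/usr/sbin/dhcpd"
type=SOCKADDR msg=audit(1125576964.188:783): saddr=02000207824B39E20000000000000000
type=AVC msg=audit(1127586538.365:33): avc: denied { name_bind } for pid=2517 comm="dhcpd" src=647 scontext=root:system_r:dhcpd_t tcontext=system_u:object_r:dhcpd_port_t tclass=tcp_socket
type=SYSCALL msg=audit(1127586538.365:33): arch=c000003e syscall=49 success=no exit=-13 a0=9 a1=5555557f0e88 a2=10 a3=7fffffa0205c items=0 pid=2517 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="dhcpd" exe="/usr/sbin/dhcpd"
type=SOCKADDR msg=audit(1127586538.365:33): saddr=02000287824B39E20000000000000000
"""

HEADER_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<rest>.*)$")
AVC_RE = re.compile(r"avc:\s+(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]+) \} for ")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_records(text):
    """Split audit.log text into records: type, serial, timestamp, AVC verdict/permissions, key=value fields."""
    records = []
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if not m:
            continue  # blank line or something that is not an audit record
        rec = {"type": m["type"], "serial": int(m["serial"]), "timestamp": float(m["ts"])}
        rest = m["rest"]
        avc = AVC_RE.search(rest)
        if avc:
            rec["verdict"] = avc["verdict"]
            rec["perms"] = avc["perms"].split()
            rest = rest[avc.end():]
        rec["fields"] = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
        records.append(rec)
    return records


def context_type(ctx):
    """Return the type field of a user:role:type[:level] SELinux context."""
    return ctx.split(":")[2]


def name_bind_denials(records):
    """Pick out denied name_bind AVCs (a domain refused to bind a labelled port) with the fields that matter."""
    found = []
    for rec in records:
        if rec["type"] != "AVC" or rec.get("verdict") != "denied" or "name_bind" not in rec.get("perms", []):
            continue
        f = rec["fields"]
        found.append({
            "serial": rec["serial"],
            "comm": f.get("comm"),
            "port": int(f["src"]),
            "source_type": context_type(f["scontext"]),
            "target_type": context_type(f["tcontext"]),
            "tclass": f.get("tclass"),
        })
    return found


def classify(denial):
    """Sort a name_bind denial into the two cases discussed in this bug."""
    if denial["target_type"] == "reserved_port_t":
        # Generic reserved-port label (the 519/520 case): per the thread, the allow_ypbind
        # boolean lets the bind through, but that is a work-around, not a policy fix.
        return "reserved_port_t: workaround boolean exists, policy still needs a rule"
    if denial["target_type"].endswith("_port_t"):
        # Dedicated port label (dhcpd_port_t on 647): the domain needs an explicit
        # name_bind allow rule for that type, which is what the errata policy adds.
        return "%s: domain %s needs an explicit name_bind rule" % (denial["target_type"], denial["source_type"])
    return "%s: not a port type, inspect manually" % denial["target_type"]


def exe_for_serial(records, serial):
    """Return exe= from the SYSCALL record sharing the AVC's serial, or None if there is none."""
    for rec in records:
        if rec["type"] == "SYSCALL" and rec["serial"] == serial:
            return rec["fields"].get("exe")
    return None


def decode_sockaddr(hexstr):
    """Decode a SOCKADDR saddr= hex dump as sockaddr_in -> (family, port, ipv4).
    sa_family is host byte order (little-endian on x86_64, arch=c000003e here);
    sin_port and sin_addr are network byte order."""
    raw = bytes.fromhex(hexstr)
    family = struct.unpack("<H", raw[0:2])[0]
    if family != socket.AF_INET:
        return (family, None, None)
    port = struct.unpack(">H", raw[2:4])[0]
    return (family, port, socket.inet_ntoa(raw[4:8]))


def sockaddr_port(records, serial):
    """Cross-check the AVC's src= port against the SOCKADDR record with the same serial."""
    for rec in records:
        if rec["type"] == "SOCKADDR" and rec["serial"] == serial:
            return decode_sockaddr(rec["fields"]["saddr"])[1]
    return None


if __name__ == "__main__":
    recs = parse_records(SAMPLE_AUDIT_LOG)
    for d in name_bind_denials(recs):
        print("serial %d: %s (%s) bind tcp/%d, sockaddr port %s -> %s" % (
            d["serial"], d["comm"], exe_for_serial(recs, d["serial"]), d["port"],
            sockaddr_port(recs, d["serial"]), classify(d)))
```

Run against a real /var/log/audit/audit.log the same functions apply unchanged; the point of decoding the SOCKADDR record is that it records what the process actually asked for, so a mismatch between its port and the AVC's src= would show the records were mis-paired.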
Takashi-san, my question about the allow_ypbind boolean was in regard to selke's comment. I now realise that for a cloned bug such unclear comments are a mistake. I am working on an update that will explicitly permit those ports. I will permit all the ports (old and new) for RHEL4, but RHEL5 will only support the latest RFC-specified port. The permitted ports for RHEL4 have to match the documentation in the man pages; RHEL5 should have man pages that reflect the latest RFCs.
Created attachment 128489
Patch explicitly allowing dhcpd to bind to TCP port 647

I couldn't wait and made a custom RPM with this patch. It works fine with allow_ypbind=false.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2006-0373.html