Created attachment 433689 [details]
sealert a0a6b3e4

Description of problem:
I'm doing an update of dhcp to new dhcp-4.2.0. I've built the package locally and testing it now on F-12 and F-13. Almost every time the dhclient starts I get SELinux Security Alert that SELinux is preventing /sbin/dhclient from binding to port xxxxx. Strange is that the xxxxx is different every time.
Can you help me investigate where the problem can be? Is it something with SELinux or do I have something wrong? If you think it's purely dhclient's problem, reassign this report to dhcp and I'll try to ask upstream.

Version-Release number of selected component (if applicable):
dhclient-4.2.0-1
selinux-policy-targeted-3.6.32-118.fc12.noarch

How reproducible:
every time

Steps to Reproduce:
1. start dhclient

Actual results:
SELinux warning, but dhclient seems to work as expected

Expected results:
No SELinux warning

Additional info:
In /var/log/messages I see the setroubleshoot line after dhclient successfully binds to ip address.

Jul 22 14:39:14 dhcp-lab-229 dhclient[1571]: DHCPACK from 10.34.25.254
Jul 22 14:39:14 dhcp-lab-229 dhclient[1571]: bound to 10.34.24.236 -- renewal in 40952 seconds.
Jul 22 14:39:15 dhcp-lab-229 NetworkManager[1366]: <info> Activation (eth0) successful, device activated.
Jul 22 14:39:15 dhcp-lab-229 NetworkManager[1366]: <info> Activation (eth0) Stage 5 of 5 (IP Configure Commit) complete.
Jul 22 14:39:15 dhcp-lab-229 setroubleshoot: SELinux is preventing /sbin/dhclient from binding to port 10884. For complete SELinux messages. run sealert -l d7612b57-e1db-4b9c-9a64-243c995cb6fe
Created attachment 433691 [details] sealert d7612b57
Created attachment 433692 [details] sealert e056798e
Any idea why dhclient is trying to bind to these ports?
I know there was a change that caused us to have to add this call to named?
(In reply to comment #4)
> I know there was a change that caused us to have to add this call to named?

This can be somehow related. From README:

DYNAMIC DNS UPDATES

A fully-featured implementation of dynamic DNS updates is included in this release. It uses libraries from BIND and, to avoid issues with different versions, includes the necessary BIND version. The appropriate BIND libraries will be compiled and installed in the bind subdirectory as part of the make step.

I don't have any other idea except this.
That is the problem. I will fix this in tonight's rawhide. Not sure if this is really breaking anything. Is this going to be shipped into F13? F12?
Great. Rawhide is sufficient (no F13 or F12). Thank you!