Bug 617196 - SELinux is preventing dhclient from binding to port <random port number from 4000 to 23000>
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: rawhide
Hardware: All Linux
low
medium
Assignee: Daniel Walsh
QA Contact: Ben Levenson
Reported: 2010-07-22 13:16 UTC by Jiri Popelka
Modified: 2010-07-22 14:47 UTC (History)
Doc Type: Bug Fix
Last Closed: 2010-07-22 14:41:13 UTC

Attachments
sealert a0a6b3e4 (2.61 KB, text/plain)
2010-07-22 13:16 UTC, Jiri Popelka
sealert d7612b57 (2.56 KB, text/plain)
2010-07-22 13:16 UTC, Jiri Popelka
sealert e056798e (2.14 KB, text/plain)
2010-07-22 13:17 UTC, Jiri Popelka

Description Jiri Popelka 2010-07-22 13:16:04 UTC
Created attachment 433689
sealert a0a6b3e4

Description of problem:

I'm doing an update of dhcp to the new dhcp-4.2.0.
I've built the package locally and am testing it now on F-12 and F-13.
Almost every time dhclient starts I get an SELinux Security Alert
that SELinux is preventing /sbin/dhclient from binding to port xxxxx.
The strange thing is that the xxxxx is different every time.

Can you help me investigate where the problem can be?
Is it something with SELinux or do I have something wrong?
If you think it's purely dhclient's problem, reassign this report
to dhcp and I'll try to ask upstream.

Version-Release number of selected component (if applicable):
dhclient-4.2.0-1
selinux-policy-targeted-3.6.32-118.fc12.noarch

How reproducible:
every time

Steps to Reproduce:
1. start dhclient
  
Actual results:
SELinux warning, but dhclient seems to work as expected

Expected results:
No SELinux warning

Additional info:
In /var/log/messages I see the setroubleshoot line after dhclient successfully binds to the IP address.

Jul 22 14:39:14 dhcp-lab-229 dhclient[1571]: DHCPACK from 10.34.25.254
Jul 22 14:39:14 dhcp-lab-229 dhclient[1571]: bound to 10.34.24.236 -- renewal in 40952 seconds.
Jul 22 14:39:15 dhcp-lab-229 NetworkManager[1366]: <info> Activation (eth0) successful, device activated.
Jul 22 14:39:15 dhcp-lab-229 NetworkManager[1366]: <info> Activation (eth0) Stage 5 of 5 (IP Configure Commit) complete.
Jul 22 14:39:15 dhcp-lab-229 setroubleshoot: SELinux is preventing /sbin/dhclient from binding to port 10884. For complete SELinux messages. run sealert -l d7612b57-e1db-4b9c-9a64-243c995cb6fe
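
Added example (not part of the original report and not Fedora tooling): a Python triage helper that parses setroubleshoot summary lines of the form quoted above and groups the denied ports per executable, to tell a port that changes on every start apart from one fixed port denied repeatedly. Only the first setroubleshoot line and the "bound to" line in the sample come from the report; the other lines, their alert IDs and /usr/sbin/exampled are constructed.

```python
import re
from collections import defaultdict

# Matches the setroubleshoot summary line format shown in the report.
LINE_RE = re.compile(
    r"setroubleshoot: SELinux is preventing (?P<exe>\S+) from binding to port "
    r"(?P<port>\d+)\..*?sealert -l (?P<alert>[0-9a-f-]{36})"
)

# Sample input: lines 1-2 are from the report, lines 3-6 are constructed.
SAMPLE = """\
Jul 22 14:39:14 dhcp-lab-229 dhclient[1571]: bound to 10.34.24.236 -- renewal in 40952 seconds.
Jul 22 14:39:15 dhcp-lab-229 setroubleshoot: SELinux is preventing /sbin/dhclient from binding to port 10884. For complete SELinux messages. run sealert -l d7612b57-e1db-4b9c-9a64-243c995cb6fe
Jul 22 15:02:41 dhcp-lab-229 setroubleshoot: SELinux is preventing /sbin/dhclient from binding to port 4512. For complete SELinux messages. run sealert -l 00000000-0000-0000-0000-000000000001
Jul 22 15:20:03 dhcp-lab-229 setroubleshoot: SELinux is preventing /sbin/dhclient from binding to port 22107. For complete SELinux messages. run sealert -l 00000000-0000-0000-0000-000000000002
Jul 22 15:21:00 dhcp-lab-229 setroubleshoot: SELinux is preventing /usr/sbin/exampled from binding to port 8081. For complete SELinux messages. run sealert -l 00000000-0000-0000-0000-000000000003
Jul 22 15:25:00 dhcp-lab-229 setroubleshoot: SELinux is preventing /usr/sbin/exampled from binding to port 8081. For complete SELinux messages. run sealert -l 00000000-0000-0000-0000-000000000003
"""

def parse(lines):
    """Yield (executable, port, alert_id) for each port-bind summary line."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:  # non-setroubleshoot lines (e.g. DHCPACK, "bound to") are skipped
            yield m["exe"], int(m["port"]), m["alert"]

def summarize(lines):
    """Group denied ports per executable and classify the port pattern."""
    seen = defaultdict(list)
    for exe, port, _alert in parse(lines):
        seen[exe].append(port)
    report = {}
    for exe, ports in seen.items():
        distinct = sorted(set(ports))
        if len(ports) == 1:
            pattern = "single observation"
        elif len(distinct) > 1:
            pattern = "varying"   # a different port each time, as in this bug
        else:
            pattern = "fixed"     # the same port denied repeatedly
        report[exe] = {"denials": len(ports), "ports": distinct, "pattern": pattern}
    return report

if __name__ == "__main__":
    for exe, info in summarize(SAMPLE.splitlines()).items():
        print(exe, info)
```

A "varying" result is the signature described in this report: labelling one port would not silence it, so the question becomes why the program binds to arbitrary ports and whether policy should allow that.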

Comment 1 Jiri Popelka 2010-07-22 13:16:56 UTC
Created attachment 433691
sealert d7612b57

Comment 2 Jiri Popelka 2010-07-22 13:17:30 UTC
Created attachment 433692
sealert e056798e

Comment 3 Daniel Walsh 2010-07-22 14:01:11 UTC
Any idea why dhclient is trying to bind to these ports?

Comment 4 Daniel Walsh 2010-07-22 14:02:40 UTC
I know there was a change that caused us to have to add this call to named?

Comment 5 Jiri Popelka 2010-07-22 14:35:42 UTC
(In reply to comment #4)
> I know there was a change that caused us to have to add this call to named?    

This can be somehow related.

From README:

			 DYNAMIC DNS UPDATES
A fully-featured implementation of dynamic DNS updates is included in
this release.  It uses libraries from BIND and, to avoid issues with
different versions, includes the necessary BIND version.  The appropriate
BIND libraries will be compiled and installed in the bind subdirectory
as part of the make step.


I don't have any other idea except this.

Comment 6 Daniel Walsh 2010-07-22 14:41:13 UTC
That is the problem.

I will fix this in tonight's rawhide.  Not sure if this is really breaking anything.

Is this going to be shipped into F13? F12?

Comment 7 Jiri Popelka 2010-07-22 14:47:49 UTC
Great.

Rawhide is sufficient (no F13 or F12).

Thank you!

