Summary:

SELinux is preventing /usr/sbin/dhcpd from binding to port 20364.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux has denied the dhcpd from binding to a network port 20364 which does not have an SELinux type associated with it. If dhcpd should be allowed to listen on 20364, use the semanage command to assign 20364 to a port type that dhcpd_t can bind to (pxe_port_t, dhcpd_port_t). If dhcpd is not supposed to bind to 20364, this could signal an intrusion attempt.

Allowing Access:

If you want to allow dhcpd to bind to port 20364, you can execute

# semanage port -a -t PORT_TYPE -p udp 20364

where PORT_TYPE is one of the following: pxe_port_t, dhcpd_port_t.

If this system is running as an NIS Client, turning on the allow_ypbind boolean may fix the problem.

setsebool -P allow_ypbind=1.

Additional Information:

Source Context                unconfined_u:system_r:dhcpd_t:s0
Target Context                system_u:object_r:port_t:s0
Target Objects                None [ udp_socket ]
Source                        dhcpd
Source Path                   /usr/sbin/dhcpd
Port                          20364
Host                          (removed)
Source RPM Packages           dhcp-4.2.0-12.fc14
Target RPM Packages
Policy RPM                    selinux-policy-3.9.7-3.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   bind_ports
Host Name                     (removed)
Platform                      Linux (removed) 2.6.35.6-43.fc14.x86_64 #1 SMP Wed Oct 13 21:23:02 UTC 2010 x86_64 x86_64
Alert Count                   4
First Seen                    Sat 16 Oct 2010 10:16:44 PM WST
Last Seen                     Sat 16 Oct 2010 10:26:53 PM WST
Local ID                      866f4bd9-bfd4-4d6a-bfff-11d1a64ed5cf
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1287239213.448:78): avc: denied { name_bind } for pid=3641 comm="dhcpd" src=20364 scontext=unconfined_u:system_r:dhcpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket

node=(removed) type=SYSCALL msg=audit(1287239213.448:78): arch=c000003e syscall=49 success=yes exit=0 a0=14 a1=7fff6d3b1240 a2=10 a3=7fff6d3b0e24 items=0 ppid=3640 pid=3641 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="dhcpd" exe="/usr/sbin/dhcpd" subj=unconfined_u:system_r:dhcpd_t:s0 key=(null)

Hash String generated from  bind_ports,dhcpd,dhcpd_t,port_t,udp_socket,name_bind

audit2allow suggests:

#============= dhcpd_t ==============
#!!!! This avc can be allowed using the boolean 'allow_ypbind'
allow dhcpd_t port_t:udp_socket name_bind;
Why is dhcpd trying to listen to port 20364? Did you set it up? If so, the troubleshoot message tells you what to do. For example:

semanage port -a -t dhcpd_port_t -p udp 20364

If I am wrong, please reopen the bug.
The port selected is random each time an attempt to start dhcpd is made. As such, using semanage to permit that port won't have any effect. dhcpd is configured and works. There is no reference to non-default ports anywhere in its configuration (attached).
Created attachment 454074
DHCPD configuration in use
Created attachment 454083
strace of dhcpd startup

The bind attempts happen early in dhcpd startup, not long after loading library files and locale messages, and before connecting to syslog or reading /etc/localtime. See attached strace output of starting dhcpd with the -f flag in a root shell obtained via "su" from the console user. It's not clear what the purpose of these bind() calls is.
I think dhcpd is implementing named functionality. We probably need to add

corenet_dontaudit_udp_bind_all_reserved_ports(dhcpd_t)
corenet_udp_bind_all_unreserved_ports(dhcpd_t)
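The thread above contains the two facts a defender needs when triaging this kind of alert: the port is unlabelled (generic port_t) and changes on every start, so labelling one port with semanage does nothing, and the correct fix is a domain-wide rule for unreserved ports. The script below is an added example, not part of this bug report, of setroubleshoot, or of the selinux-policy package. It parses raw audit records like the ones quoted in the report, pairs each AVC with its SYSCALL record by event id to tell a permissive-mode log entry from an enforced denial, and classifies name_bind denials by whether the target port carries the generic port_t type and whether it lies in the reserved range. The embedded sample consists of the two records quoted above (re-joined onto single lines) plus two constructed records for port 111 with portmap_port_t to exercise the other branch; the classification rules and advice strings are this example's own, not the setroubleshoot plugin's.

```python
"""Triage SELinux name_bind AVC records (added example, not from the bug report)."""
import re
from collections import defaultdict

# Constructed sample input. The first two records are the ones quoted in the report,
# re-joined onto single lines; the last two are invented (port 111 / portmap_port_t)
# so that the "labelled port" branch is exercised as well.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1287239213.448:78): avc: denied { name_bind } for pid=3641 comm="dhcpd" src=20364 scontext=unconfined_u:system_r:dhcpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1287239213.448:78): arch=c000003e syscall=49 success=yes exit=0 a0=14 a1=7fff6d3b1240 a2=10 a3=7fff6d3b0e24 items=0 ppid=3640 pid=3641 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="dhcpd" exe="/usr/sbin/dhcpd" subj=unconfined_u:system_r:dhcpd_t:s0 key=(null)
type=AVC msg=audit(1287239999.000:99): avc: denied { name_bind } for pid=4242 comm="dhcpd" src=111 scontext=system_u:system_r:dhcpd_t:s0 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1287239999.000:99): arch=c000003e syscall=49 success=no exit=-13 a0=14 a1=0 a2=10 a3=0 items=0 ppid=1 pid=4242 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dhcpd" exe="/usr/sbin/dhcpd" subj=system_u:system_r:dhcpd_t:s0 key=(null)
"""

# key=value pairs; values may be quoted ("dhcpd"), parenthesised ((null), (none)) or bare.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
# The decision and the permission set, e.g. 'avc: denied { name_bind }'.
PERM_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}")

RESERVED_PORT_MAX = 1023  # ports below 1024 form the privileged ("reserved") range


def parse_record(line):
    """Turn one audit record into a dict of its key=value fields."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = PERM_RE.search(line)
    if m:
        fields["decision"] = m.group(1)
        fields["perms"] = m.group(2).split()
    # msg=audit(<timestamp>:<serial>): identifies the event; the AVC and SYSCALL
    # records of one syscall share it, which lets us pair them.
    fields["event_id"] = fields.get("msg", "").rstrip(":")
    return fields


def parse_audit(text):
    """Group records by event id -> {record type: fields}."""
    events = defaultdict(dict)
    for line in text.splitlines():
        if line.strip():
            rec = parse_record(line)
            events[rec["event_id"]][rec.get("type", "?")] = rec
    return dict(events)


def type_of(context):
    """Third field of a user:role:type:level security context."""
    return context.split(":")[2]


def triage_name_bind(event):
    """Classify a name_bind denial; returns None for events that are not one."""
    avc = event.get("AVC")
    if avc is None or "name_bind" not in avc.get("perms", []):
        return None
    port = int(avc["src"])
    target_type = type_of(avc["tcontext"])
    syscall = event.get("SYSCALL", {})
    # In permissive mode the AVC is logged but the bind() still succeeds.
    enforced = syscall.get("success") == "no"

    if target_type == "port_t":
        # port_t is the generic type: no service-specific label on this port.
        if port > RESERVED_PORT_MAX:
            verdict = "unlabelled unreserved port"
            advice = ("If the port differs on every start, labelling one port with "
                      "semanage will not help; the domain needs a policy rule that "
                      "allows binding unreserved ports.")
        else:
            verdict = "unlabelled reserved port"
            advice = ("Privileged port with no type assigned; check the service "
                      "configuration before changing policy.")
    else:
        verdict = f"labelled port ({target_type})"
        advice = ("Port already belongs to another service's type; treat as a "
                  "misconfiguration or an intrusion attempt rather than relabelling.")

    return {
        "event_id": avc["event_id"],
        "comm": avc.get("comm"),
        "pid": int(avc["pid"]),
        "source_type": type_of(avc["scontext"]),
        "target_type": target_type,
        "proto": avc["tclass"].replace("_socket", ""),
        "port": port,
        "enforced": enforced,
        "verdict": verdict,
        "advice": advice,
    }


def triage_all(text):
    """Parse an audit excerpt and return one triage dict per name_bind event."""
    events = parse_audit(text)
    results = []
    for event_id in sorted(events):
        result = triage_name_bind(events[event_id])
        if result is not None:
            results.append(result)
    return results


if __name__ == "__main__":
    for r in triage_all(SAMPLE_AUDIT):
        mode = "enforcing" if r["enforced"] else "permissive (not actually denied)"
        print(f"{r['event_id']} {r['comm']}[{r['pid']}] {r['source_type']} -> "
              f"{r['proto']}/{r['port']} {r['target_type']}: {r['verdict']} [{mode}]")
        print("  " + r["advice"])
```

Feeding it the report's own records yields the verdict the thread arrived at by hand: dhcpd_t binding udp/20364 with target type port_t, not enforced (success=yes), classified as an unlabelled unreserved port. The pairing on the audit event id matters in practice because an AVC line alone does not say whether the access was actually blocked.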
Fixed in selinux-policy-3.9.7-4.fc14

Miroslav, add this to F13.
selinux-policy-3.9.7-4.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-4.fc14
Thanks folks. Anything that encourages users to keep SELinux in enforcing mode is a good thing.
selinux-policy-3.9.7-4.fc14 has been pushed to the Fedora 14 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-4.fc14
selinux-policy-3.9.7-4.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.