Red Hat Bugzilla – Bug 765967
failover socket not created if in reserved port range
Last modified: 2012-01-27 22:31:54 EST
Description of problem:
When configured for failover with the default ports a "netstat -a" doesn't show a socket for the failover port and there is no error logged. When the failover port is set above 1024, selinux prevents the address binding but with selinux disabled everything is fine. I'm assuming the failover socket is being created/bound after the capabilities are being dropped but I haven't looked at the code so I can't be sure.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Configure a failover peer
2. Start dhcpd normally using systemd
No listening socket on the failover port
Netstat shows a tcp socket listening on the failover port
Thanks for the investigation. You are completely right.
In 4.2.3-2 I made a change to write lease file after changing effective user/group ID (so the lease file is owned by dhcpd:dhcpd)
because SELinux doesn't allow dhcpd to change ownership of lease file.
Unfortunately the lease file initialization is followed by the failover protocol initialization which needs root privileges.
So the only solution I can think of is to revert the 4.2.3-2 change and change the SELinux policy, i.e. the same as in bug #737571, comment #12.
Jeff, could you try this scratch-build ? Thanks
(You'll need to temporarily disable SELinux)
Yes, that seems to fix it. I get a socket on 647 now and my leases file is root:root instead of dhcpd:dhcpd.
dhcp-4.2.3-6.P2.fc16 has been submitted as an update for Fedora 16.
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing dhcp-4.2.3-6.P2.fc16'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).
dhcp-4.2.3-6.P2.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.