Do not include the privileges for using LDAP by default (boolean defaults to off).
Also includes support for binding to unreserved ports, which DHCP uses to detect the open interfaces (as seen in
common/discover.c, function "begin_iface_scan" in the DHCP sources). A comment is included in the sources to remind us
about this in the future.
See also http://oss.tresys.com/pipermail/refpolicy/2012-March/004981.html
Signed-off-by: Sven Vermeulen <[email protected]>
---
dhcp.te | 4 +++-
1 files changed, 3 insertions(+), 1 deletions(-)
diff --git a/dhcp.te b/dhcp.te
index 064604a..32937ad 100644
--- a/dhcp.te
+++ b/dhcp.te
@@ -10,7 +10,7 @@ policy_module(dhcp, 1.9.1)
## Allow DHCP daemon to use LDAP backends
## </p>
## </desc>
-gen_tunable(dhcpd_use_ldap, true)
+gen_tunable(dhcpd_use_ldap, false)
type dhcpd_t;
type dhcpd_exec_t;
@@ -71,6 +71,8 @@ corenet_udp_sendrecv_generic_node(dhcpd_t)
corenet_raw_sendrecv_generic_node(dhcpd_t)
corenet_tcp_sendrecv_all_ports(dhcpd_t)
corenet_udp_sendrecv_all_ports(dhcpd_t)
+# Needed to detect open number of interfaces (common/discover.c::begin_iface_scan)
+corenet_udp_bind_all_unreserved_ports(dhcpd_t)
corenet_tcp_bind_generic_node(dhcpd_t)
corenet_udp_bind_generic_node(dhcpd_t)
corenet_tcp_bind_dhcpd_port(dhcpd_t)
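Review bot: The comment added above `corenet_udp_bind_all_unreserved_ports(dhcpd_t)` should state what the rule grants, because that interface lets dhcpd bind any unreserved UDP port rather than only the port it serves on, and "detect open number of interfaces" does not read clearly. Suggested wording: `# dhcpd binds an unreserved UDP port while scanning interfaces (common/discover.c::begin_iface_scan); a narrower port set is not known, see the refpolicy list thread of March 2012`. If the interface scan in fact uses a fixed port or a small range, a port-specific interface would be preferable to the all-unreserved one, but the patch does not show which port the scan binds, so that needs confirming against the DHCP sources. The same comment is repeated in the quoted copy of the hunk below.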
--
1.7.3.4
On 05/01/12 03:04, Sven Vermeulen wrote:
> Do not include the privileges for using LDAP by default (boolean defaults to off).
>
> Also includes support for binding to unreserved ports, used by DHCP to detect the open interfaces (as seen in
> common/discover.c, function "begin_iface_scan" in the DHCP sources). Include a comment in the sources to inform us about
> this in the future.
Merged.
> See also http://oss.tresys.com/pipermail/refpolicy/2012-March/004981.html
>
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> dhcp.te | 4 +++-
> 1 files changed, 3 insertions(+), 1 deletions(-)
>
> diff --git a/dhcp.te b/dhcp.te
> index 064604a..32937ad 100644
> --- a/dhcp.te
> +++ b/dhcp.te
> @@ -10,7 +10,7 @@ policy_module(dhcp, 1.9.1)
> ## Allow DHCP daemon to use LDAP backends
> ## </p>
> ## </desc>
> -gen_tunable(dhcpd_use_ldap, true)
> +gen_tunable(dhcpd_use_ldap, false)
>
> type dhcpd_t;
> type dhcpd_exec_t;
> @@ -71,6 +71,8 @@ corenet_udp_sendrecv_generic_node(dhcpd_t)
> corenet_raw_sendrecv_generic_node(dhcpd_t)
> corenet_tcp_sendrecv_all_ports(dhcpd_t)
> corenet_udp_sendrecv_all_ports(dhcpd_t)
> +# Needed to detect open number of interfaces (common/discover.c::begin_iface_scan)
> +corenet_udp_bind_all_unreserved_ports(dhcpd_t)
> corenet_tcp_bind_generic_node(dhcpd_t)
> corenet_udp_bind_generic_node(dhcpd_t)
> corenet_tcp_bind_dhcpd_port(dhcpd_t)
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com