The DHCP daemon supports LDAP backends (next to its file-based backend).
This patch adds support for this through the dhcp_use_ldap boolean. We also
allow the DHCP daemon to bind to generic UDP ports (needed by ISC BIND proper
startup).
Signed-off-by: Sven Vermeulen <[email protected]>
---
dhcp.te | 11 +++++++++++
1 files changed, 11 insertions(+), 0 deletions(-)
diff --git a/dhcp.te b/dhcp.te
index d4424ad..ab04a3d 100644
--- a/dhcp.te
+++ b/dhcp.te
@@ -4,6 +4,12 @@ policy_module(dhcp, 1.9.0)
#
# Declarations
#
+## <desc>
+## <p>
+## Enable LDAP backend support for DHCP daemon.
+## </p>
+## </desc>
+gen_tunable(dhcp_use_ldap, false)
type dhcpd_t;
type dhcpd_exec_t;
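Review bot: the tunable description in this hunk ("Enable LDAP backend support for DHCP daemon") does not tell an administrator what turning it on lets dhcpd_t do; refpolicy descriptions normally state the grant, e.g. "Determine whether the DHCP daemon can use an LDAP server as its configuration backend", which is the wording to use here. The default of false is right, since the boolean switches on an entire interface (sysnet_use_ldap in the last hunk) rather than one rule.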
@@ -68,6 +74,7 @@ corenet_tcp_bind_generic_node(dhcpd_t)
corenet_udp_bind_generic_node(dhcpd_t)
corenet_tcp_bind_dhcpd_port(dhcpd_t)
corenet_udp_bind_dhcpd_port(dhcpd_t)
+corenet_udp_bind_generic_port(dhcpd_t)
corenet_udp_bind_pxe_port(dhcpd_t)
corenet_tcp_connect_all_ports(dhcpd_t)
corenet_sendrecv_dhcpd_server_packets(dhcpd_t)
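Review bot: corenet_udp_bind_generic_port(dhcpd_t) grants name_bind on port_t only, while the denials reported later in this thread are against unreserved_port_t, so this line does not clear them; the thread's own conclusion is that it should read corenet_udp_bind_all_unreserved_ports(dhcpd_t). Whichever interface lands, the line needs a comment in dhcp.te saying why dhcpd binds arbitrary UDP ports: the commit message attributes it to "ISC BIND proper startup", the later explanation cites common/discover.c begin_iface_scan, and the snippet quoted from it only calls socket() and ioctl(), neither of which binds a port, so the comment should name the code path that actually issues the bind() and note that the denied src ports (10607, 31290, 14386) are random. Without that, the next port relabel will silently break the rule again, as the port_t to unreserved_port_t change already did.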
@@ -105,6 +112,10 @@ ifdef(`distro_gentoo',`
allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot };
')
+tunable_policy(`dhcp_use_ldap',`
+ sysnet_use_ldap(dhcpd_t)
+')
+
optional_policy(`
# used for dynamic DNS
bind_read_dnssec_keys(dhcpd_t)
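Review bot: dhcpd_t already gets corenet_tcp_connect_all_ports unconditionally in the previous hunk, so the TCP path to an LDAP server is open whether or not dhcp_use_ldap is set; this tunable_policy block only withholds whatever else sysnet_use_ldap grants. Either state in the tunable description that the connect is already permitted and the boolean gates only the remaining LDAP client permissions, or explain why connect_all_ports has to stay unconditional, so that dhcp_use_ldap=false does not promise more restriction than it delivers.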
--
1.7.3.4
On 03/01/12 15:02, Sven Vermeulen wrote:
> The DHCP daemon supports LDAP backends (next to its file-based backend).
> This patch adds support for this through the dhcp_use_ldap boolean. We also
> allow the DHCP daemon to bind to generic UDP ports (needed by ISC BIND proper
> startup).
>
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> dhcp.te | 11 +++++++++++
> 1 files changed, 11 insertions(+), 0 deletions(-)
>
> diff --git a/dhcp.te b/dhcp.te
> index d4424ad..ab04a3d 100644
> --- a/dhcp.te
> +++ b/dhcp.te
> @@ -4,6 +4,12 @@ policy_module(dhcp, 1.9.0)
> #
> # Declarations
> #
> +## <desc>
> +## <p>
> +## Enable LDAP backend support for DHCP daemon.
> +## </p>
> +## </desc>
> +gen_tunable(dhcp_use_ldap, false)
>
> type dhcpd_t;
> type dhcpd_exec_t;
> @@ -68,6 +74,7 @@ corenet_tcp_bind_generic_node(dhcpd_t)
> corenet_udp_bind_generic_node(dhcpd_t)
> corenet_tcp_bind_dhcpd_port(dhcpd_t)
> corenet_udp_bind_dhcpd_port(dhcpd_t)
> +corenet_udp_bind_generic_port(dhcpd_t)
Looks like a port needs to be defined.
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
On Tue, Mar 06, 2012 at 09:06:27AM -0500, Christopher J. PeBenito wrote:
> On 03/01/12 15:02, Sven Vermeulen wrote:
> > The DHCP daemon supports LDAP backends (next to its file-based backend).
> > This patch adds support for this through the dhcp_use_ldap boolean. We also
> > allow the DHCP daemon to bind to generic UDP ports (needed by ISC BIND proper
> > startup).
[...]
> > @@ -68,6 +74,7 @@ corenet_tcp_bind_generic_node(dhcpd_t)
> > corenet_udp_bind_generic_node(dhcpd_t)
> > corenet_tcp_bind_dhcpd_port(dhcpd_t)
> > corenet_udp_bind_dhcpd_port(dhcpd_t)
> > +corenet_udp_bind_generic_port(dhcpd_t)
>
> Looks like a port needs to be defined.
Not really, but the call should be corenet_udp_bind_all_unreserved_ports,
not corenet_udp_bind_generic_port. Guess I'll have to go for personal
testing more than to accept an "it works" on a bugreport :p
Mar 6 20:26:16 testsys kernel: [ 933.044666] type=1400
audit(1331061976.847:95): avc: denied { name_bind } for pid=15054
comm="dhcpd" src=10607 scontext=system_u:system_r:dhcpd_t
tcontext=system_u:object_r:unreserved_port_t tclass=udp_socket
Mar 6 20:26:17 testsys kernel: [ 933.484279] type=1400
audit(1331061977.287:100): avc: denied { name_bind } for pid=15065
comm="dhcpd" src=31290 scontext=system_u:system_r:dhcpd_t
tcontext=system_u:object_r:unreserved_port_t tclass=udp_socket
Mar 6 20:26:17 testsys kernel: [ 933.484498] type=1400
audit(1331061977.287:101): avc: denied { name_bind } for pid=15065
comm="dhcpd" src=14386 scontext=system_u:system_r:dhcpd_t
tcontext=system_u:object_r:unreserved_port_t tclass=udp_socket
Etcetera. But I'm going to revoke this from the patch for now, because it
isn't fully reproducible here: if I restart the DHCP daemon 10 times, it
fails 7 times and succeeds 3 times, without any changes to the policy, and
denials are not showing much useful info.
Wkr,
Sven Vermeulen
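Triage of denials like the three above, as an added example; it is not part of this thread, of refpolicy or of audit2allow. It re-joins the AVC records that syslog and the mail client wrapped across lines, groups them by source type, target type, object class and permission, and maps each port name_bind denial to the corenetwork interface that grants it instead of the raw allow rule. The port_t versus unreserved_port_t mapping follows the interfaces named in this thread (corenet_udp_bind_generic_port and corenet_udp_bind_all_unreserved_ports), and the corenet_<proto>_bind_<name>_port pattern follows dhcpd_port_t and pxe_port_t in the hunk; treating that pattern as universal, the function names and the sample log (the posted lines, constructed here as one string) are this example's own assumptions.

```python
import re

# Constructed sample: the three AVC records posted above, kept in the
# line-wrapped form in which the kernel log and the mail delivered them.
SAMPLE_LOG = """\
Mar 6 20:26:16 testsys kernel: [ 933.044666] type=1400
audit(1331061976.847:95): avc: denied { name_bind } for pid=15054
comm="dhcpd" src=10607 scontext=system_u:system_r:dhcpd_t
tcontext=system_u:object_r:unreserved_port_t tclass=udp_socket
Mar 6 20:26:17 testsys kernel: [ 933.484279] type=1400
audit(1331061977.287:100): avc: denied { name_bind } for pid=15065
comm="dhcpd" src=31290 scontext=system_u:system_r:dhcpd_t
tcontext=system_u:object_r:unreserved_port_t tclass=udp_socket
Mar 6 20:26:17 testsys kernel: [ 933.484498] type=1400
audit(1331061977.287:101): avc: denied { name_bind } for pid=15065
comm="dhcpd" src=14386 scontext=system_u:system_r:dhcpd_t
tcontext=system_u:object_r:unreserved_port_t tclass=udp_socket
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PORT_CLASSES = {'udp_socket': 'udp', 'tcp_socket': 'tcp'}


def iter_records(text):
    """Yield one complete AVC record per denial. tclass= is the last field
    of an AVC record, so it marks where a wrapped record ends."""
    buf = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        buf.append(line)
        if 'tclass=' in line:
            record = ' '.join(buf)
            buf = []
            if 'avc:' in record:
                yield record


def parse_avc(record):
    """Extract permissions, comm, src port, source/target types and class."""
    m = AVC_RE.search(record)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    try:
        return {
            'perms': m.group('perms').split(),
            'comm': fields.get('comm'),
            'src': fields.get('src'),
            # contexts are user:role:type[:range]; index 2 is the type either way
            'stype': fields['scontext'].split(':')[2],
            'ttype': fields['tcontext'].split(':')[2],
            'tclass': fields['tclass'],
        }
    except (KeyError, IndexError):
        return None


def recommend_interface(stype, ttype, tclass, perm='name_bind'):
    """Map a port name_bind denial to the corenetwork interface granting it.
    port_t is the generic (unlabeled) port type; unreserved_port_t is what the
    unlabeled high range carries now, so a rule written against port_t no
    longer matches it. Assumption of this example: every <name>_port_t has a
    corenet_<proto>_bind_<name>_port interface."""
    proto = PORT_CLASSES.get(tclass)
    if proto is None or perm != 'name_bind':
        return None
    if ttype == 'port_t':
        return f'corenet_{proto}_bind_generic_port({stype})'
    if ttype == 'unreserved_port_t':
        return f'corenet_{proto}_bind_all_unreserved_ports({stype})'
    if ttype.endswith('_port_t'):
        return f'corenet_{proto}_bind_{ttype[:-len("_port_t")]}_port({stype})'
    return None


def triage(text):
    """Group denials by (stype, ttype, tclass, perm); per group return the
    count, distinct src ports, the raw rule audit2allow would emit, and the
    interface to use instead of that raw rule."""
    groups = {}
    for rec in map(parse_avc, iter_records(text)):
        if rec is None:
            continue
        for perm in rec['perms']:
            key = (rec['stype'], rec['ttype'], rec['tclass'], perm)
            g = groups.setdefault(key, {'count': 0, 'ports': set(), 'comms': set()})
            g['count'] += 1
            if rec['src'] and rec['src'].isdigit():
                g['ports'].add(int(rec['src']))
            if rec['comm']:
                g['comms'].add(rec['comm'])
    result = []
    for (stype, ttype, tclass, perm), g in sorted(groups.items()):
        result.append({
            'stype': stype, 'ttype': ttype, 'tclass': tclass, 'perm': perm,
            'count': g['count'], 'ports': sorted(g['ports']),
            'comms': sorted(g['comms']),
            'raw_rule': f'allow {stype} {ttype}:{tclass} {perm};',
            'interface': recommend_interface(stype, ttype, tclass, perm),
        })
    return result


if __name__ == '__main__':
    for g in triage(SAMPLE_LOG):
        print(f"{g['count']}x {g['raw_rule']}  src ports {g['ports']}")
        print(f"  use: {g['interface'] or 'no corenet interface; raw rule needed'}")
```

Run against the three records it reports one group, `allow dhcpd_t unreserved_port_t:udp_socket name_bind;`, three distinct src ports, and `corenet_udp_bind_all_unreserved_ports(dhcpd_t)` as the interface; the spread of ports is the tell that the daemon is not asking for one well-known port, which is the fact a comment next to the rule should record.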
On Tue, Mar 06, 2012 at 09:10:22PM +0100, Sven Vermeulen wrote:
> > > @@ -68,6 +74,7 @@ corenet_tcp_bind_generic_node(dhcpd_t)
> > > corenet_udp_bind_generic_node(dhcpd_t)
> > > corenet_tcp_bind_dhcpd_port(dhcpd_t)
> > > corenet_udp_bind_dhcpd_port(dhcpd_t)
> > > +corenet_udp_bind_generic_port(dhcpd_t)
> >
> > Looks like a port needs to be defined.
>
> Not really, but the call should be corenet_udp_bind_all_unreserved_ports,
> not corenet_udp_bind_generic_port. Guess I'll have to go for personal
> testing more than to accept an "it works" on a bugreport :p
And *poof* there it goes.
Apparently, pre-20120215 policy, the ports were labeled port_t, in 20120215
they are labeled unreserved_port_t, which is why
corenet_udp_bind_generic_port was correct previously.
It doesn't bind to a particular port though. The bind is used by DHCP to
detect the open number of interfaces (see
common/discover.c::begin_iface_scan in the DHCP sources):
    ifaces->sock = socket(local_family, SOCK_DGRAM, IPPROTO_UDP);
    if (ioctl(ifaces->sock, SIOCGLIFNUM, &lifnum) < 0) {
        log_error("Error finding total number of interfaces; %m");
        close(ifaces->sock);
        ifaces->sock = -1;
        return 0;
    }
Wkr,
Sven Vermeulen
> Mar 6 20:26:16 testsys kernel: [ 933.044666] type=1400
> audit(1331061976.847:95): avc: denied { name_bind } for pid=15054
> comm="dhcpd" src=10607 scontext=system_u:system_r:dhcpd_t
> tcontext=system_u:object_r:unreserved_port_t tclass=udp_socket
>
> Mar 6 20:26:17 testsys kernel: [ 933.484279] type=1400
> audit(1331061977.287:100): avc: denied { name_bind } for pid=15065
> comm="dhcpd" src=31290 scontext=system_u:system_r:dhcpd_t
> tcontext=system_u:object_r:unreserved_port_t tclass=udp_socket
>
> Mar 6 20:26:17 testsys kernel: [ 933.484498] type=1400
> audit(1331061977.287:101): avc: denied { name_bind } for pid=15065
> comm="dhcpd" src=14386 scontext=system_u:system_r:dhcpd_t
> tcontext=system_u:object_r:unreserved_port_t tclass=udp_socket
>
> Etcetera. But I'm going to revoke this from the patch for now, because it
> isn't fully reproducible here: if I restart the DHCP daemon 10 times, it
> fails 7 times and succeeds 3 times, without any changes to the policy, and
> denials are not showing much useful info.
>
> Wkr,
> Sven Vermeulen
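What the quoted dhcpd snippet does and does not do at the socket layer, as an added example that is not part of the thread or of ISC DHCP: a UDP socket that is only created and passed to an interface-enumeration ioctl is never bound, so its local port reads back as 0 and no port type is ever consulted for name_bind; an explicit bind() is the call the check applies to. SIOCGLIFNUM from the snippet does not exist on Linux, so the example substitutes SIOCGIFCONF (a stand-in chosen here, as is everything else in the block: the function names, the ifreq size computation and the 0.0.0.0 bind address).

```python
import array
import fcntl
import socket
import struct

# Linux request number for SIOCGIFCONF (<linux/sockios.h>). The dhcpd snippet
# uses SIOCGLIFNUM, which Linux lacks; SIOCGIFCONF is this example's stand-in
# for "count interfaces through an unbound UDP socket" (assumption).
SIOCGIFCONF = 0x8912
# sizeof(struct ifreq): 16-byte name plus a union whose largest member,
# struct ifmap, pads to 24 bytes on 64-bit and 16 bytes on 32-bit Linux.
IFREQ_SIZE = 16 + struct.calcsize('LLHBBB0L')


def probe_interfaces_unbound(max_ifaces=64):
    """Count IPv4-configured interfaces with SIOCGIFCONF on a UDP socket that
    is never bound. Returns (interface_count, local_port); local_port is read
    back with getsockname() after the ioctl and stays 0, because socket() and
    ioctl() do not bind, so the kernel never reaches a port name_bind check."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        buf = array.array('B', bytes(max_ifaces * IFREQ_SIZE))
        # struct ifconf { int ifc_len; union { char *ifc_buf; ... }; }
        ifconf = struct.pack('iL', len(buf), buf.buffer_info()[0])
        ifconf = fcntl.ioctl(s.fileno(), SIOCGIFCONF, ifconf)
        used = struct.unpack('iL', ifconf)[0]
        return used // IFREQ_SIZE, s.getsockname()[1]
    finally:
        s.close()


def bind_udp(port, host='0.0.0.0'):
    """Explicit bind(): the call SELinux evaluates name_bind for, against the
    type of the requested port. Port 0 lets the kernel pick from the ephemeral
    range. Returns the port actually assigned."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.bind((host, port))
        return s.getsockname()[1]
    finally:
        s.close()


if __name__ == '__main__':
    n, port = probe_interfaces_unbound()
    print(f'{n} interface(s) found; local port after socket()+ioctl(): {port}')
    print(f'explicit bind(0) assigned port {bind_udp(0)}')
```

Two caveats for reading the denials in this thread against that: the kernel only applies name_bind to explicit binds of a non-zero port, and only when that port lies outside net.ipv4.ip_local_port_range (or is privileged); the three denied ports, 10607, 14386 and 31290, all sit below the usual 32768 floor of that range, so a process that picks a random source port and binds it explicitly would be checked on some restarts and not on others, which is what an intermittent failure without any policy change looks like.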
On 03/06/12 15:54, Sven Vermeulen wrote:
> On Tue, Mar 06, 2012 at 09:10:22PM +0100, Sven Vermeulen wrote:
>>>> @@ -68,6 +74,7 @@ corenet_tcp_bind_generic_node(dhcpd_t)
>>>> corenet_udp_bind_generic_node(dhcpd_t)
>>>> corenet_tcp_bind_dhcpd_port(dhcpd_t)
>>>> corenet_udp_bind_dhcpd_port(dhcpd_t)
>>>> +corenet_udp_bind_generic_port(dhcpd_t)
>>>
>>> Looks like a port needs to be defined.
>>
>> Not really, but the call should be corenet_udp_bind_all_unreserved_ports,
>> not corenet_udp_bind_generic_port. Guess I'll have to go for personal
>> testing more than to accept an "it works" on a bugreport :p
Sounds like the above is the change we need. Please also add a comment that describes what you found below, so we can remember it next time this comes up.
> And *poof* there it goes.
>
> Apparently, pre-20120215 policy, the ports were labeled port_t, in 20120215
> they are labeled unreserved_port_t, which is why
> corenet_udp_bind_generic_port was correct previously.
>
> It doesn't bind to a particular port though. The bind is used by DHCP to
> detect the open number of interfaces (see
> common/discover.c::begin_iface_scan in the DHCP sources):
>
>     ifaces->sock = socket(local_family, SOCK_DGRAM, IPPROTO_UDP);
>     if (ioctl(ifaces->sock, SIOCGLIFNUM, &lifnum) < 0) {
>         log_error("Error finding total number of interfaces; %m");
>         close(ifaces->sock);
>         ifaces->sock = -1;
>         return 0;
>     }
>
> Wkr,
> Sven Vermeulen
>
>> Mar 6 20:26:16 testsys kernel: [ 933.044666] type=1400
>> audit(1331061976.847:95): avc: denied { name_bind } for pid=15054
>> comm="dhcpd" src=10607 scontext=system_u:system_r:dhcpd_t
>> tcontext=system_u:object_r:unreserved_port_t tclass=udp_socket
>>
>> Mar 6 20:26:17 testsys kernel: [ 933.484279] type=1400
>> audit(1331061977.287:100): avc: denied { name_bind } for pid=15065
>> comm="dhcpd" src=31290 scontext=system_u:system_r:dhcpd_t
>> tcontext=system_u:object_r:unreserved_port_t tclass=udp_socket
>>
>> Mar 6 20:26:17 testsys kernel: [ 933.484498] type=1400
>> audit(1331061977.287:101): avc: denied { name_bind } for pid=15065
>> comm="dhcpd" src=14386 scontext=system_u:system_r:dhcpd_t
>> tcontext=system_u:object_r:unreserved_port_t tclass=udp_socket
>>
>> Etcetera. But I'm going to revoke this from the patch for now, because it
>> isn't fully reproducible here: if I restart the DHCP daemon 10 times, it
>> fails 7 times and succeeds 3 times, without any changes to the policy, and
>> denials are not showing much useful info.
>>
>> Wkr,
>> Sven Vermeulen
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
On 03/12/12 09:09, Christopher J. PeBenito wrote:
> On 03/06/12 15:54, Sven Vermeulen wrote:
>> On Tue, Mar 06, 2012 at 09:10:22PM +0100, Sven Vermeulen wrote:
>>>>> @@ -68,6 +74,7 @@ corenet_tcp_bind_generic_node(dhcpd_t)
>>>>> corenet_udp_bind_generic_node(dhcpd_t)
>>>>> corenet_tcp_bind_dhcpd_port(dhcpd_t)
>>>>> corenet_udp_bind_dhcpd_port(dhcpd_t)
>>>>> +corenet_udp_bind_generic_port(dhcpd_t)
>>>>
>>>> Looks like a port needs to be defined.
>>>
>>> Not really, but the call should be corenet_udp_bind_all_unreserved_ports,
>>> not corenet_udp_bind_generic_port. Guess I'll have to go for personal
>>> testing more than to accept an "it works" on a bugreport :p
>
> Sounds like the above is the change we need. Please also add a comment that describes what you found below, so we can remember it next time this comes up.
To clarify: a comment in the policy, not just in the commit message.
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com