From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Tue, 6 Mar 2012 21:10:22 +0100
Subject: [refpolicy] [PATCH v2 1/1] Support LDAP backend infrastructure
In-Reply-To: <4F5619E3.8040106@tresys.com>
References: <20120301200255.GA17815@siphos.be> <4F5619E3.8040106@tresys.com>
Message-ID: <20120306201022.GA6788@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, Mar 06, 2012 at 09:06:27AM -0500, Christopher J. PeBenito wrote:
> On 03/01/12 15:02, Sven Vermeulen wrote:
> > The DHCP daemon supports LDAP backends (next to its file-based backend).
> > This patch adds support for this through the dhcp_use_ldap boolean. We also
> > allow the DHCP daemon to bind to generic UDP ports (needed by ISC BIND proper
> > startup).

[...]
> > @@ -68,6 +74,7 @@ corenet_tcp_bind_generic_node(dhcpd_t)
> > corenet_udp_bind_generic_node(dhcpd_t)
> > corenet_tcp_bind_dhcpd_port(dhcpd_t)
> > corenet_udp_bind_dhcpd_port(dhcpd_t)
> > +corenet_udp_bind_generic_port(dhcpd_t)
>
> Looks like a port needs to be defined.

Not really, but the call should be corenet_udp_bind_all_unreserved_ports, not
corenet_udp_bind_generic_port. Guess I'll have to go for personal testing more
than to accept an "it works" on a bug report :p

Mar 6 20:26:16 testsys kernel: [ 933.044666] type=1400 audit(1331061976.847:95): avc: denied { name_bind } for pid=15054 comm="dhcpd" src=10607 scontext=system_u:system_r:dhcpd_t tcontext=system_u:object_r:unreserved_port_t tclass=udp_socket
Mar 6 20:26:17 testsys kernel: [ 933.484279] type=1400 audit(1331061977.287:100): avc: denied { name_bind } for pid=15065 comm="dhcpd" src=31290 scontext=system_u:system_r:dhcpd_t tcontext=system_u:object_r:unreserved_port_t tclass=udp_socket
Mar 6 20:26:17 testsys kernel: [ 933.484498] type=1400 audit(1331061977.287:101): avc: denied { name_bind } for pid=15065 comm="dhcpd" src=14386 scontext=system_u:system_r:dhcpd_t tcontext=system_u:object_r:unreserved_port_t tclass=udp_socket

Etcetera.

But I'm going to revoke this from the patch for now, because it isn't fully
reproducible here: if I restart the DHCP daemon 10 times, it fails 7 times and
succeeds 3 times, without any changes to the policy, and denials are not
showing much useful info.

Wkr,
	Sven Vermeulen
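Review bot: the added `+corenet_udp_bind_generic_port(dhcpd_t)` does not cover the denials quoted in the reply, which are name_bind on udp_socket with tcontext unreserved_port_t; corenet_udp_bind_generic_port grants the generic port_t type, so the matching interface for that type is corenet_udp_bind_all_unreserved_ports(dhcpd_t), as the reply itself concludes. The line is also added unconditionally although the description ties the patch to the dhcp_use_ldap boolean; if the extra UDP binds are only needed for the LDAP/BIND startup path, consider placing the call inside the tunable_policy block for that boolean instead of in the unconditional policy, and note in the description why a daemon that already has corenet_udp_bind_dhcpd_port needs further bind rights.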
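As an added example (not part of this thread or of refpolicy itself), a small parser that reads AVC denials like the ones quoted above and maps each name_bind denial to the corenet interface call that would grant it; the sample log is the three lines from the mail, and the port-type-to-interface mapping assumes refpolicy's corenet_<proto>_bind_<name>_port naming, with port_t and unreserved_port_t as the two special cases named in the thread.

```python
import re
from collections import Counter

# Constructed sample: the three AVC lines quoted in the mail above.
SAMPLE_LOG = """\
Mar 6 20:26:16 testsys kernel: [ 933.044666] type=1400 audit(1331061976.847:95): avc: denied { name_bind } for pid=15054 comm="dhcpd" src=10607 scontext=system_u:system_r:dhcpd_t tcontext=system_u:object_r:unreserved_port_t tclass=udp_socket
Mar 6 20:26:17 testsys kernel: [ 933.484279] type=1400 audit(1331061977.287:100): avc: denied { name_bind } for pid=15065 comm="dhcpd" src=31290 scontext=system_u:system_r:dhcpd_t tcontext=system_u:object_r:unreserved_port_t tclass=udp_socket
Mar 6 20:26:17 testsys kernel: [ 933.484498] type=1400 audit(1331061977.287:101): avc: denied { name_bind } for pid=15065 comm="dhcpd" src=14386 scontext=system_u:system_r:dhcpd_t tcontext=system_u:object_r:unreserved_port_t tclass=udp_socket
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the permissions and key=value fields of one AVC denial, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields["perms"] = m.group("perms").split()
    return fields

def port_interface(denial):
    """Name the corenet interface that grants a name_bind denial on a port type.
    Assumed naming: corenet_<proto>_bind_<name>_port for a named port type such
    as dhcpd_port_t; port_t and unreserved_port_t are the two special cases."""
    if "name_bind" not in denial["perms"]:
        return None
    proto = {"udp_socket": "udp", "tcp_socket": "tcp"}.get(denial.get("tclass"))
    ttype = denial["tcontext"].split(":")[2]
    if proto is None:
        return None
    if ttype == "port_t":  # what the patch's generic_port call would grant
        return f"corenet_{proto}_bind_generic_port"
    if ttype == "unreserved_port_t":  # what the denials above actually hit
        return f"corenet_{proto}_bind_all_unreserved_ports"
    if ttype.endswith("_port_t"):
        return f"corenet_{proto}_bind_{ttype[:-len('_port_t')]}_port"
    return None

def suggest(log_text):
    """Count, per interface(domain) call, the denials it would resolve."""
    calls = Counter()
    for line in log_text.splitlines():
        d = parse_avc(line)
        iface = port_interface(d) if d else None
        if iface:
            calls[f"{iface}({d['scontext'].split(':')[2]})"] += 1
    return calls
```

Running suggest() over the three quoted lines yields a single call, corenet_udp_bind_all_unreserved_ports(dhcpd_t), which is the interface the reply settles on rather than the generic_port one in the hunk.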