From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Tue, 6 Mar 2012 21:54:23 +0100
Subject: [refpolicy] [PATCH v2 1/1] Support LDAP backend infrastructure
In-Reply-To: <20120306201022.GA6788@siphos.be>
References: <20120301200255.GA17815@siphos.be> <4F5619E3.8040106@tresys.com> <20120306201022.GA6788@siphos.be>
Message-ID: <20120306205423.GA7987@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, Mar 06, 2012 at 09:10:22PM +0100, Sven Vermeulen wrote:
> > > @@ -68,6 +74,7 @@ corenet_tcp_bind_generic_node(dhcpd_t)
> > > corenet_udp_bind_generic_node(dhcpd_t)
> > > corenet_tcp_bind_dhcpd_port(dhcpd_t)
> > > corenet_udp_bind_dhcpd_port(dhcpd_t)
> > > +corenet_udp_bind_generic_port(dhcpd_t)
> >
> > Looks like a port needs to be defined.
>
> Not really, but the call should be corenet_udp_bind_all_unreserved_ports,
> not corenet_udp_bind_generic_port. Guess I'll have to go for personal
> testing more than to accept an "it works" on a bugreport :p

And *poof* there it goes. Apparently, pre-20120215 policy, the ports were
labeled port_t; in 20120215 they are labeled unreserved_port_t, which is why
corenet_udp_bind_generic_port was correct previously.

It doesn't bind to a particular port though. The bind is used by DHCP to
detect the open number of interfaces (see common/discover.c::begin_iface_scan
in the DHCP sources):

    /* datagram socket opened only to query the interface count */
    ifaces->sock = socket(local_family, SOCK_DGRAM, IPPROTO_UDP);
    if (ioctl(ifaces->sock, SIOCGLIFNUM, &lifnum) < 0) {
        log_error("Error finding total number of interfaces; %m");
        close(ifaces->sock);
        ifaces->sock = -1;
        return 0;
    }

Wkr,
Sven Vermeulen

> Mar 6 20:26:16 testsys kernel: [ 933.044666] type=1400
> audit(1331061976.847:95): avc: denied { name_bind } for pid=15054
> comm="dhcpd" src=10607 scontext=system_u:system_r:dhcpd_t
> tcontext=system_u:object_r:unreserved_port_t tclass=udp_socket
>
> Mar 6 20:26:17 testsys kernel: [ 933.484279] type=1400
> audit(1331061977.287:100): avc: denied { name_bind } for pid=15065
> comm="dhcpd" src=31290 scontext=system_u:system_r:dhcpd_t
> tcontext=system_u:object_r:unreserved_port_t tclass=udp_socket
>
> Mar 6 20:26:17 testsys kernel: [ 933.484498] type=1400
> audit(1331061977.287:101): avc: denied { name_bind } for pid=15065
> comm="dhcpd" src=14386 scontext=system_u:system_r:dhcpd_t
> tcontext=system_u:object_r:unreserved_port_t tclass=udp_socket
>
> Etcetera.
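Review bot: the added line `+corenet_udp_bind_generic_port(dhcpd_t)` does not cover the access the denials in this thread report: every AVC shows `tcontext=system_u:object_r:unreserved_port_t` with `tclass=udp_socket`, and as the reply above explains, the 20120215 policy labels these ports unreserved_port_t rather than port_t, so the matching call is `corenet_udp_bind_all_unreserved_ports(dhcpd_t)`. Since the submitter is withdrawing this line from the patch while the failure is still intermittent (7 of 10 restarts), the hunk should be dropped from this revision and re-added with the corrected interface once the bind is reproducible. It would also help to record in the commit message which dhcpd code path performs the bind, because the discover.c excerpt quoted here only calls socket() and ioctl(SIOCGLIFNUM) on that socket, which does not by itself explain a name_bind denial.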
> But I'm going to revoke this from the patch for now, because it
> isn't fully reproducible here: if I restart the DHCP daemon 10 times, it
> fails 7 times and succeeds 3 times, without any changes to the policy, and
> denials are not showing much useful info.
>
> Wkr,
> Sven Vermeulen