From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Mon, 12 Mar 2012 09:09:57 -0400
Subject: [refpolicy] [PATCH v2 1/1] Support LDAP backend infrastructure
In-Reply-To: <20120306205423.GA7987@siphos.be>
References: <20120301200255.GA17815@siphos.be> <4F5619E3.8040106@tresys.com> <20120306201022.GA6788@siphos.be> <20120306205423.GA7987@siphos.be>
Message-ID: <4F5DF5A5.7000104@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 03/06/12 15:54, Sven Vermeulen wrote:
> On Tue, Mar 06, 2012 at 09:10:22PM +0100, Sven Vermeulen wrote:
>>>> @@ -68,6 +74,7 @@ corenet_tcp_bind_generic_node(dhcpd_t)
>>>> corenet_udp_bind_generic_node(dhcpd_t)
>>>> corenet_tcp_bind_dhcpd_port(dhcpd_t)
>>>> corenet_udp_bind_dhcpd_port(dhcpd_t)
>>>> +corenet_udp_bind_generic_port(dhcpd_t)
>>>
>>> Looks like a port needs to be defined.
>>
>> Not really, but the call should be corenet_udp_bind_all_unreserved_ports,
>> not corenet_udp_bind_generic_port. Guess I'll have to go for personal
>> testing more than to accept an "it works" on a bug report :p

Sounds like the above is the change we need. Please also add a comment that
describes what you found below, so we can remember it next time this comes up.

> And *poof* there it goes.
>
> Apparently, pre-20120215 policy, the ports were labeled port_t, in 20120215
> they are labeled unreserved_port_t, which is why
> corenet_udp_bind_generic_port was correct previously.
>
> It doesn't bind to a particular port though. The bind is used by DHCP to
> detect the open number of interfaces (see
> common/discover.c::begin_iface_scan in the DHCP sources):
>
>     ifaces->sock = socket(local_family, SOCK_DGRAM, IPPROTO_UDP);
>     if (ioctl(ifaces->sock, SIOCGLIFNUM, &lifnum) < 0) {
>         log_error("Error finding total number of interfaces; %m");
>         close(ifaces->sock);
>         ifaces->sock = -1;
>         return 0;
>     }
>
> Wkr,
>   Sven Vermeulen
>
>> Mar 6 20:26:16 testsys kernel: [ 933.044666] type=1400
>> audit(1331061976.847:95): avc: denied { name_bind } for pid=15054
>> comm="dhcpd" src=10607 scontext=system_u:system_r:dhcpd_t
>> tcontext=system_u:object_r:unreserved_port_t tclass=udp_socket
>>
>> Mar 6 20:26:17 testsys kernel: [ 933.484279] type=1400
>> audit(1331061977.287:100): avc: denied { name_bind } for pid=15065
>> comm="dhcpd" src=31290 scontext=system_u:system_r:dhcpd_t
>> tcontext=system_u:object_r:unreserved_port_t tclass=udp_socket
>>
>> Mar 6 20:26:17 testsys kernel: [ 933.484498] type=1400
>> audit(1331061977.287:101): avc: denied { name_bind } for pid=15065
>> comm="dhcpd" src=14386 scontext=system_u:system_r:dhcpd_t
>> tcontext=system_u:object_r:unreserved_port_t tclass=udp_socket
>>
>> Etcetera. But I'm going to revoke this from the patch for now, because it
>> isn't fully reproducible here: if I restart the DHCP daemon 10 times, it
>> fails 7 times and succeeds 3 times, without any changes to the policy, and
>> denials are not showing much useful info.
>>
>> Wkr,
>>   Sven Vermeulen
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
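Review bot: in the dhcpd hunk, the added line `+corenet_udp_bind_generic_port(dhcpd_t)` grants binds to port_t, but every denial quoted in this thread is `tcontext=system_u:object_r:unreserved_port_t tclass=udp_socket`, so against 20120215 policy the call should be `corenet_udp_bind_all_unreserved_ports(dhcpd_t)`, as Sven already concluded. The hunk also carries no comment, and without one the next reviewer will again read it as a missing port definition (as happened here); put a one-line comment above the call stating that the bind is an ephemeral, non-fixed port opened by the interface scan in common/discover.c::begin_iface_scan, not a service port.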
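The denials above all look alike except for the randomly chosen source port, which is exactly the signature of an ephemeral bind rather than a service port, and the thread's conclusion is that the right fix depends on the port *type* in tcontext (port_t under older policy, unreserved_port_t from 20120215 on). The following is an added example, not code from the refpolicy project or from anyone in this thread: it collapses raw AVC lines into (source type, target type, class, permission) rules the way audit2allow does, keeps the ports it saw so the "random port" pattern is visible, and maps a name_bind rule to the corenet interface that grants it. The sample input is the three denials quoted above joined back onto one line each as the kernel logs them, plus one constructed non-AVC line to show the parser skipping it; the two udp interface names come from the thread, while the tcp entries in the table are assumed by analogy.

```python
"""Collapse SELinux AVC name_bind denials into policy rules and map each rule
to the refpolicy corenetwork interface that grants it.

Added example; not code from the refpolicy project or from this thread."""
import re

# Sample input: the three denials quoted in the thread, each joined back onto
# one line the way the kernel logs them.  The fourth line is a constructed
# non-AVC kernel message so the parser has something to ignore.
SAMPLE_LOG = """\
Mar  6 20:26:16 testsys kernel: [  933.044666] type=1400 audit(1331061976.847:95): avc:  denied  { name_bind } for  pid=15054 comm="dhcpd" src=10607 scontext=system_u:system_r:dhcpd_t tcontext=system_u:object_r:unreserved_port_t tclass=udp_socket
Mar  6 20:26:17 testsys kernel: [  933.484279] type=1400 audit(1331061977.287:100): avc:  denied  { name_bind } for  pid=15065 comm="dhcpd" src=31290 scontext=system_u:system_r:dhcpd_t tcontext=system_u:object_r:unreserved_port_t tclass=udp_socket
Mar  6 20:26:17 testsys kernel: [  933.484498] type=1400 audit(1331061977.287:101): avc:  denied  { name_bind } for  pid=15065 comm="dhcpd" src=14386 scontext=system_u:system_r:dhcpd_t tcontext=system_u:object_r:unreserved_port_t tclass=udp_socket
Mar  6 20:26:18 testsys kernel: [  934.000000] dhcpd: Listening on LPF/eth0/00:11:22:33:44:55/10.0.0.0/24
"""

# refpolicy corenetwork interfaces that grant name_bind on a port type.  The
# two udp_socket entries are the names used in the thread; the tcp_socket
# entries are the analogous interfaces and are an assumption of this example.
BIND_INTERFACES = {
    ("udp_socket", "unreserved_port_t"): "corenet_udp_bind_all_unreserved_ports",
    ("udp_socket", "port_t"): "corenet_udp_bind_generic_port",
    ("tcp_socket", "unreserved_port_t"): "corenet_tcp_bind_all_unreserved_ports",
    ("tcp_socket", "port_t"): "corenet_tcp_bind_generic_port",
}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Pull the type out of a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one kernel/audit line.  Returns None unless it is an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    if not {"scontext", "tcontext", "tclass"} <= set(fields):
        return None
    return {
        "perms": m.group("perms").split(),
        "stype": context_type(fields["scontext"]),
        "ttype": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "comm": fields.get("comm"),
        "src": int(fields["src"]) if "src" in fields else None,
    }


def collapse(log):
    """Group denials by (source type, target type, class, permission), as
    audit2allow does, remembering the hit count and the ports involved."""
    rules = {}
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec["perms"]:
            key = (rec["stype"], rec["ttype"], rec["tclass"], perm)
            entry = rules.setdefault(key, {"count": 0, "ports": set()})
            entry["count"] += 1
            if rec["src"] is not None:
                entry["ports"].add(rec["src"])
    return rules


def te_rule(key):
    """Raw TE rule audit2allow would emit for a collapsed denial."""
    stype, ttype, tclass, perm = key
    return f"allow {stype} {ttype}:{tclass} {perm};"


def suggest_interface(key):
    """Refpolicy interface call that grants the rule, or None when the denial
    is not a port bind this example knows how to map."""
    stype, ttype, tclass, perm = key
    if perm != "name_bind":
        return None
    name = BIND_INTERFACES.get((tclass, ttype))
    return f"{name}({stype})" if name else None


if __name__ == "__main__":
    for key, entry in collapse(SAMPLE_LOG).items():
        ports = ", ".join(str(p) for p in sorted(entry["ports"]))
        print(f"{entry['count']}x {te_rule(key)}  (ports: {ports})")
        print(f"   refpolicy: {suggest_interface(key) or 'no interface mapping'}")
```

Run on the sample, the three denials collapse to a single `allow dhcpd_t unreserved_port_t:udp_socket name_bind;` with three distinct high ports, and the suggested call is `corenet_udp_bind_all_unreserved_ports(dhcpd_t)`; a denial against a dedicated service port type such as dhcpd_port_t deliberately gets no suggestion, since that case wants the per-service interface rather than a blanket unreserved-port grant.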