From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Tue, 1 May 2012 09:04:07 +0200 Subject: [refpolicy] [PATCH 1/1] Mark dhcp_use_ldap default off and enable binding to unreserved ports Message-ID: <20120501070407.GA32060@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Do not include the privileges for using LDAP by default (boolean defaults to off). Also includes support for binding to unreserved ports, used by DHCP to detect the open interfaces (as seen in common/discover.c, function "begin_iface_scan" in the DHCP sources). Include a comment in the sources to inform us about this in the future. See also http://oss.tresys.com/pipermail/refpolicy/2012-March/004981.html Signed-off-by: Sven Vermeulen --- dhcp.te | 4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) diff --git a/dhcp.te b/dhcp.te index 064604a..32937ad 100644 --- a/dhcp.te +++ b/dhcp.te @@ -10,7 +10,7 @@ policy_module(dhcp, 1.9.1) ## Allow DHCP daemon to use LDAP backends ##

## -gen_tunable(dhcpd_use_ldap, true) +gen_tunable(dhcpd_use_ldap, false) type dhcpd_t; type dhcpd_exec_t; @@ -71,6 +71,8 @@ corenet_udp_sendrecv_generic_node(dhcpd_t) corenet_raw_sendrecv_generic_node(dhcpd_t) corenet_tcp_sendrecv_all_ports(dhcpd_t) corenet_udp_sendrecv_all_ports(dhcpd_t) +# Needed to detect open number of interfaces (common/discover.c::begin_iface_scan) +corenet_udp_bind_all_unreserved_ports(dhcpd_t) corenet_tcp_bind_generic_node(dhcpd_t) corenet_udp_bind_generic_node(dhcpd_t) corenet_tcp_bind_dhcpd_port(dhcpd_t) -- 1.7.3.4
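Review bot: the subject line and the first hunk disagree on the boolean's name: the subject says dhcp_use_ldap, but the line changed is `gen_tunable(dhcpd_use_ldap, false)`; fix the subject to dhcpd_use_ldap so the change can be found by name. Flipping the default from true to false also silently removes LDAP access from existing installs that relied on it, so the tunable description ("Allow DHCP daemon to use LDAP backends") could add that the LDAP backend now has to be enabled explicitly with setsebool -P dhcpd_use_ldap on. The policy_module(dhcp, 1.9.1) line in the hunk context is left at 1.9.1; refpolicy bumps the module version with a functional change, so bump it when this is applied.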
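Review bot: in the second hunk the comment `# Needed to detect open number of interfaces (common/discover.c::begin_iface_scan)` is hard to read and does not say why the grant has to be this wide: corenet_udp_bind_all_unreserved_ports(dhcpd_t) lets dhcpd_t bind any unreserved UDP port, which is much broader than the port-specific corenet_tcp_bind_dhcpd_port(dhcpd_t) that follows it. Reword it to state the reason, for example `# Interface scan (common/discover.c::begin_iface_scan) binds a UDP socket to a kernel-chosen port`, if that is what the code does; if the scan uses a fixed port, a port-specific bind interface would be the smaller grant and should be preferred.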