Bug 391913 - sec-policy/selinux-dhcp needs to have option for LDAP
Summary: sec-policy/selinux-dhcp needs to have option for LDAP
Status: VERIFIED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened
Hardware: All Linux
Importance: Normal normal
Assignee: Sven Vermeulen (RETIRED)
Reported: 2011-11-25 23:46 UTC by Stan Sander
Modified: 2012-01-29 11:25 UTC
Attachments
Patch to allow LDAP access (dhcp.te.patch,279 bytes, patch)
2011-11-25 23:47 UTC, Stan Sander

Description Stan Sander 2011-11-25 23:46:37 UTC
The dhcp policy needs to allow dhcpd to access LDAP in the cases where the configuration may have been migrated into LDAP instead of being in /etc/dhcp.

Nov 25 12:34:15 siren kernel: type=1400 audit(1322249655.744:188): avc:  denied  { name_bind } for  pid=2768 comm="dhcpd" src=10110 scontext=system_u:system_r:dhcpd_t tcontext=system_u:object_r:port_t tclass=udp_socket
Nov 25 12:34:15 siren kernel: type=1400 audit(1322249655.744:189): avc:  denied  { name_bind } for  pid=2768 comm="dhcpd" src=20183 scontext=system_u:system_r:dhcpd_t tcontext=system_u:object_r:port_t tclass=udp_socket
Nov 25 12:34:15 siren kernel: type=1400 audit(1322249655.781:190): avc:  denied  { name_bind } for  pid=2770 comm="dhcpd" src=10110 scontext=system_u:system_r:dhcpd_t tcontext=system_u:object_r:port_t tclass=udp_socket
Nov 25 12:34:15 siren kernel: type=1400 audit(1322249655.784:191): avc:  denied  { name_bind } for  pid=2770 comm="dhcpd" src=20183 scontext=system_u:system_r:dhcpd_t tcontext=system_u:object_r:port_t tclass=udp_socket
Nov 25 12:34:15 siren kernel: type=1400 audit(1322249655.944:192): avc:  denied  { name_bind } for  pid=2778 comm="dhcpd" src=10110 scontext=system_u:system_r:dhcpd_t tcontext=system_u:object_r:port_t tclass=udp_socket
Nov 25 12:34:15 siren kernel: type=1400 audit(1322249655.944:193): avc:  denied  { name_bind } for  pid=2778 comm="dhcpd" src=20183 scontext=system_u:system_r:dhcpd_t tcontext=system_u:object_r:port_t tclass=udp_socket
Nov 25 12:34:15 siren kernel: type=1400 audit(1322249655.967:194): avc:  denied  { name_bind } for  pid=2780 comm="dhcpd" src=10110 scontext=system_u:system_r:dhcpd_t tcontext=system_u:object_r:port_t tclass=udp_socket
Nov 25 12:34:15 siren kernel: type=1400 audit(1322249655.967:195): avc:  denied  { name_bind } for  pid=2780 comm="dhcpd" src=20183 scontext=system_u:system_r:dhcpd_t tcontext=system_u:object_r:port_t tclass=udp_socket

* dhcpd has detected a syntax error in your configuration files:
 Can't initialize context: permission denied

 This version of ISC DHCP is based on the release available
 on ftp.isc.org.  Features have been added and other changes
 have been made to the base software release in order to make
 it work better with this distribution.

 Please report for this software via the Gentoo Bugzilla site:
     http://bugs.gentoo.org/

     exiting.
      * ERROR: dhcpd failed to start
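Added example (not from this bug report or the selinux-dhcp policy): a small Python script that parses AVC records like the ones quoted above, groups the denials by source type, target type and object class, and renders the allow rule they imply together with the PIDs and source ports involved. The sample records are copied from this report; the script assumes the standard `avc: denied { perms } for key=value ...` record shape.

```python
import re
from collections import defaultdict
# Constructed sample: three of the AVC records quoted in this bug report.
SAMPLE_LOG = """\
Nov 25 12:34:15 siren kernel: type=1400 audit(1322249655.744:188): avc:  denied  { name_bind } for  pid=2768 comm="dhcpd" src=10110 scontext=system_u:system_r:dhcpd_t tcontext=system_u:object_r:port_t tclass=udp_socket
Nov 25 12:34:15 siren kernel: type=1400 audit(1322249655.744:189): avc:  denied  { name_bind } for  pid=2768 comm="dhcpd" src=20183 scontext=system_u:system_r:dhcpd_t tcontext=system_u:object_r:port_t tclass=udp_socket
Nov 25 12:34:15 siren kernel: type=1400 audit(1322249655.781:190): avc:  denied  { name_bind } for  pid=2770 comm="dhcpd" src=10110 scontext=system_u:system_r:dhcpd_t tcontext=system_u:object_r:port_t tclass=udp_socket
"""

AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return one AVC record as a dict, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": set(m.group("perms").split())}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    return rec

def context_type(ctx):
    """'system_u:system_r:dhcpd_t' -> 'dhcpd_t' (user:role:type[:range])."""
    return ctx.split(":")[2]

def summarize_denials(log_text):
    """Group denials by (source type, target type, class); collect perms, PIDs and ports."""
    groups = defaultdict(lambda: {"perms": set(), "pids": set(), "ports": set()})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        g = groups[(context_type(rec["scontext"]), context_type(rec["tcontext"]), rec["tclass"])]
        g["perms"] |= rec["perms"]
        g["pids"].add(rec["pid"])
        if "src" in rec:  # source port of a name_bind denial
            g["ports"].add(int(rec["src"]))
    return dict(groups)

def allow_rules(groups):
    """Render each group as the raw allow rule it implies. A target of port_t (the
    type of ports no policy labels) signals unlabeled ports; the maintainer's fix is
    usually a labeled port type or a policy interface rather than this raw rule."""
    rules = []
    for (src, tgt, cls), g in sorted(groups.items()):
        rules.append("allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(sorted(g["perms"]))))
    return rules
```

Running it over the quoted records yields a single group, dhcpd_t binding udp_socket on generic port_t, across source ports 10110 and 20183.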
Comment 1 Stan Sander 2011-11-25 23:47:15 UTC
Created attachment 293779 [details, diff]
Patch to allow LDAP access
Comment 2 Sven Vermeulen (RETIRED) gentoo-dev 2011-11-27 18:00:45 UTC
Hi Stan,

Thank you. I'll add it in. BTW, this doesn't need to be an "optional_policy" since the sysnetwork module is part of base. In a fairly granular policy, it might be used with a "dhcp_use_ldap" tunable, but I don't think that'll be necessary. We'll see when the patch is pushed upstream as well.
Comment 3 Sven Vermeulen (RETIRED) gentoo-dev 2011-11-27 18:54:29 UTC
Should be in hardened-dev overlay.
Comment 4 Sven Vermeulen (RETIRED) gentoo-dev 2011-12-05 21:16:50 UTC
In portage tree, ~arch
Comment 5 Sven Vermeulen (RETIRED) gentoo-dev 2012-01-29 11:25:09 UTC
Stabilized