The dhcp policy needs to allow dhcpd to access LDAP in the cases where the configuration may have been migrated into LDAP instead of being in /etc/dhcp.

Nov 25 12:34:15 siren kernel: type=1400 audit(1322249655.744:188): avc: denied { name_bind } for pid=2768 comm="dhcpd" src=10110 scontext=system_u:system_r:dhcpd_t tcontext=system_u:object_r:port_t tclass=udp_socket
Nov 25 12:34:15 siren kernel: type=1400 audit(1322249655.744:189): avc: denied { name_bind } for pid=2768 comm="dhcpd" src=20183 scontext=system_u:system_r:dhcpd_t tcontext=system_u:object_r:port_t tclass=udp_socket
Nov 25 12:34:15 siren kernel: type=1400 audit(1322249655.781:190): avc: denied { name_bind } for pid=2770 comm="dhcpd" src=10110 scontext=system_u:system_r:dhcpd_t tcontext=system_u:object_r:port_t tclass=udp_socket
Nov 25 12:34:15 siren kernel: type=1400 audit(1322249655.784:191): avc: denied { name_bind } for pid=2770 comm="dhcpd" src=20183 scontext=system_u:system_r:dhcpd_t tcontext=system_u:object_r:port_t tclass=udp_socket
Nov 25 12:34:15 siren kernel: type=1400 audit(1322249655.944:192): avc: denied { name_bind } for pid=2778 comm="dhcpd" src=10110 scontext=system_u:system_r:dhcpd_t tcontext=system_u:object_r:port_t tclass=udp_socket
Nov 25 12:34:15 siren kernel: type=1400 audit(1322249655.944:193): avc: denied { name_bind } for pid=2778 comm="dhcpd" src=20183 scontext=system_u:system_r:dhcpd_t tcontext=system_u:object_r:port_t tclass=udp_socket
Nov 25 12:34:15 siren kernel: type=1400 audit(1322249655.967:194): avc: denied { name_bind } for pid=2780 comm="dhcpd" src=10110 scontext=system_u:system_r:dhcpd_t tcontext=system_u:object_r:port_t tclass=udp_socket
Nov 25 12:34:15 siren kernel: type=1400 audit(1322249655.967:195): avc: denied { name_bind } for pid=2780 comm="dhcpd" src=20183 scontext=system_u:system_r:dhcpd_t tcontext=system_u:object_r:port_t tclass=udp_socket

 * dhcpd has detected a syntax error in your configuration files:
Can't initialize context: permission denied
This version of ISC DHCP is based on the release available on ftp.isc.org. Features have been added and other changes have been made to the base software release in order to make it work better with this distribution. Please report for this software via the Gentoo Bugzilla site: http://bugs.gentoo.org/
exiting.
 * ERROR: dhcpd failed to start
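To see what the denials above actually ask for before writing policy, the following added example (not part of the bug report or the attached patch) parses AVC records of the format shown and collapses them into the (source type, target type, class) -> permissions tuples that a raw audit2allow-style rule would grant. The sample input is constructed from the first three denial lines in the report.

```python
import re
from collections import OrderedDict

# Constructed sample: the first three AVC denials from the bug report above.
SAMPLE_LOG = """\
Nov 25 12:34:15 siren kernel: type=1400 audit(1322249655.744:188): avc: denied { name_bind } for pid=2768 comm="dhcpd" src=10110 scontext=system_u:system_r:dhcpd_t tcontext=system_u:object_r:port_t tclass=udp_socket
Nov 25 12:34:15 siren kernel: type=1400 audit(1322249655.744:189): avc: denied { name_bind } for pid=2768 comm="dhcpd" src=20183 scontext=system_u:system_r:dhcpd_t tcontext=system_u:object_r:port_t tclass=udp_socket
Nov 25 12:34:15 siren kernel: type=1400 audit(1322249655.781:190): avc: denied { name_bind } for pid=2770 comm="dhcpd" src=10110 scontext=system_u:system_r:dhcpd_t tcontext=system_u:object_r:port_t tclass=udp_socket
"""

# "avc: denied { perm1 perm2 } for key=value key="value" ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict describing one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec = {"perms": m.group("perms").split()}
    # A context is user:role:type[:level]; only the type matters for a TE rule.
    rec["stype"] = fields["scontext"].split(":")[2]
    rec["ttype"] = fields["tcontext"].split(":")[2]
    rec["tclass"] = fields["tclass"]
    rec["comm"] = fields.get("comm")
    rec["src"] = fields.get("src")  # the port dhcpd tried to bind (varies per process here)
    return rec


def summarize(log):
    """Collapse repeated denials into (stype, ttype, tclass) -> set of permissions."""
    wanted = OrderedDict()
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["stype"], rec["ttype"], rec["tclass"])
        wanted.setdefault(key, set()).update(rec["perms"])
    return wanted


def allow_rules(summary):
    """Render the raw TE rules the denials ask for. port_t is the generic port type, so a
    raw allow is broad; a refpolicy patch wraps such access in an interface and, as the
    maintainer suggests below, possibly a tunable rather than pasting this verbatim."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};" for (s, t, c), p in summary.items()]
```

Running `allow_rules(summarize(SAMPLE_LOG))` on the constructed sample yields a single rule for dhcpd_t binding UDP sockets on port_t, which is the access the report's denials share regardless of the pid or port number.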
Created attachment 293779: Patch to allow LDAP access
Hi Stan, Thank you. I'll add it in. BTW, this doesn't need to be an "optional_policy" since the sysnetwork module is part of base. In a fairly granular policy, it might be used with a "dhcp_use_ldap" tunable, but I don't think that'll be necessary. We'll see when the patch is pushed upstream as well.
Should be in hardened-dev overlay.
In portage tree, ~arch
Stabilized