
Bug 391913

Summary: sec-policy/selinux-dhcp needs to have option for LDAP
Product: Gentoo Linux
Reporter: Stan Sander <stsander>
Component: Hardened
Assignee: Sven Vermeulen (RETIRED) <swift>
Status: VERIFIED FIXED
Severity: normal
CC: selinux
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: Patch to allow LDAP access

Description Stan Sander 2011-11-25 23:46:37 UTC
The dhcp policy needs to allow dhcpd to access LDAP in the cases where the configuration may have been migrated into LDAP instead of being in /etc/dhcp

Nov 25 12:34:15 siren kernel: type=1400 audit(1322249655.744:188): avc:  denied  { name_bind } for  pid=2768 comm="dhcpd" src=10110 scontext=system_u:system_r:dhcpd_t tcontext=system_u:object_r:port_t tclass=udp_socket
Nov 25 12:34:15 siren kernel: type=1400 audit(1322249655.744:189): avc:  denied  { name_bind } for  pid=2768 comm="dhcpd" src=20183 scontext=system_u:system_r:dhcpd_t tcontext=system_u:object_r:port_t tclass=udp_socket
Nov 25 12:34:15 siren kernel: type=1400 audit(1322249655.781:190): avc:  denied  { name_bind } for  pid=2770 comm="dhcpd" src=10110 scontext=system_u:system_r:dhcpd_t tcontext=system_u:object_r:port_t tclass=udp_socket
Nov 25 12:34:15 siren kernel: type=1400 audit(1322249655.784:191): avc:  denied  { name_bind } for  pid=2770 comm="dhcpd" src=20183 scontext=system_u:system_r:dhcpd_t tcontext=system_u:object_r:port_t tclass=udp_socket
Nov 25 12:34:15 siren kernel: type=1400 audit(1322249655.944:192): avc:  denied  { name_bind } for  pid=2778 comm="dhcpd" src=10110 scontext=system_u:system_r:dhcpd_t tcontext=system_u:object_r:port_t tclass=udp_socket
Nov 25 12:34:15 siren kernel: type=1400 audit(1322249655.944:193): avc:  denied  { name_bind } for  pid=2778 comm="dhcpd" src=20183 scontext=system_u:system_r:dhcpd_t tcontext=system_u:object_r:port_t tclass=udp_socket
Nov 25 12:34:15 siren kernel: type=1400 audit(1322249655.967:194): avc:  denied  { name_bind } for  pid=2780 comm="dhcpd" src=10110 scontext=system_u:system_r:dhcpd_t tcontext=system_u:object_r:port_t tclass=udp_socket
Nov 25 12:34:15 siren kernel: type=1400 audit(1322249655.967:195): avc:  denied  { name_bind } for  pid=2780 comm="dhcpd" src=20183 scontext=system_u:system_r:dhcpd_t tcontext=system_u:object_r:port_t tclass=udp_socket

* dhcpd has detected a syntax error in your configuration files:
 Can't initialize context: permission denied

 This version of ISC DHCP is based on the release available
 on ftp.isc.org.  Features have been added and other changes
 have been made to the base software release in order to make
 it work better with this distribution.

 Please report for this software via the Gentoo Bugzilla site:
     http://bugs.gentoo.org/

     exiting.
      * ERROR: dhcpd failed to start
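The denials above all have the same shape: source type dhcpd_t, target type port_t, class udp_socket, permission name_bind, differing only in pid and source port. The script below is an added example (not code from the bug report, the attached patch, or the sec-policy package) that does the audit2allow-style triage a policy author would do first: parse each "avc: denied" line, merge them by (source type, target type, object class), and render the resulting allow rules. Two of the report's own AVC lines are embedded verbatim as input; one additional line (a hypothetical name_connect to ldap_port_t, marked as constructed) is added only to show that a different class and target lands in its own rule. It also flags rules whose target is port_t, because in the reference policy port_t is the generic type for ports without a specific label, so a raw "allow dhcpd_t port_t:udp_socket name_bind;" would let dhcpd bind any such UDP port rather than the one it needs; the usual fix is the matching corenet interface in the module, which is what the package-level patch does rather than pasting generated rules.

```python
"""Minimal audit2allow-style triage of SELinux AVC denials.

Added example, not part of the bug report or of sec-policy/selinux-dhcp.
It parses 'avc: denied' lines of the form shown in the report, merges
them by (source type, target type, object class) and prints the allow
rules a policy author would start from, plus a warning for the generic
port type. Input is two of the report's lines plus one constructed line.
"""
import re
from typing import Any, Dict, Iterable, List, Optional, Set, Tuple

# 'avc:  denied  { perm perm } for  key=value ...' (double spaces are normal)
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; values are either quoted ("dhcpd") or bare tokens
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

RuleKey = Tuple[str, str, str]  # (source type, target type, object class)


def parse_avc(line: str) -> Optional[Dict[str, Any]]:
    """Return the fields of one AVC denial, or None for any other log line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec: Dict[str, Any] = {
        k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))
    }
    rec["perms"] = set(m.group("perms").split())
    return rec


def type_of(context: str) -> str:
    """user:role:type[:level] -> type (works with or without an MLS level)."""
    return context.split(":")[2]


def summarize(lines: Iterable[str]) -> Dict[RuleKey, Set[str]]:
    """Merge denials into one permission set per (stype, ttype, tclass)."""
    merged: Dict[RuleKey, Set[str]] = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        merged.setdefault(key, set()).update(rec["perms"])
    return merged


def allow_rules(lines: Iterable[str]) -> List[str]:
    """Render the merged denials as TE allow rules, the way audit2allow does."""
    rules: List[str] = []
    for (stype, ttype, tclass), perms in sorted(summarize(lines).items()):
        p = " ".join(sorted(perms))
        if len(perms) > 1:
            p = "{ " + p + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {p};")
    return rules


def generic_port_warnings(lines: Iterable[str]) -> List[str]:
    """Flag rules whose target is port_t, the generic type for unlabelled ports;
    allowing that outright is much broader than one labelled port."""
    return [
        f"{stype} -> {ttype}:{tclass}: target is the generic port type; "
        "prefer the corenet interface for the specific port over a raw allow"
        for (stype, ttype, tclass) in summarize(lines)
        if ttype == "port_t"
    ]


SAMPLE_LOG = [
    # Two lines quoted verbatim from the bug report:
    'Nov 25 12:34:15 siren kernel: type=1400 audit(1322249655.744:188): avc:  denied  { name_bind } for  pid=2768 comm="dhcpd" src=10110 scontext=system_u:system_r:dhcpd_t tcontext=system_u:object_r:port_t tclass=udp_socket',
    'Nov 25 12:34:15 siren kernel: type=1400 audit(1322249655.744:189): avc:  denied  { name_bind } for  pid=2768 comm="dhcpd" src=20183 scontext=system_u:system_r:dhcpd_t tcontext=system_u:object_r:port_t tclass=udp_socket',
    # Constructed, hypothetical line (NOT from the report) so a second
    # class/target shows up as its own rule:
    'Nov 25 12:34:16 siren kernel: type=1400 audit(1322249656.100:200): avc:  denied  { name_connect } for  pid=2768 comm="dhcpd" dest=389 scontext=system_u:system_r:dhcpd_t tcontext=system_u:object_r:ldap_port_t tclass=tcp_socket',
    # Non-AVC noise (constructed) is skipped by the parser:
    "Nov 25 12:34:15 siren dhcpd: Can't initialize context: permission denied",
]

if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_LOG):
        print(rule)
    for warning in generic_port_warnings(SAMPLE_LOG):
        print("warning:", warning)
```

Run against the report's lines this collapses the eight denials into the single rule "allow dhcpd_t port_t:udp_socket name_bind;" and warns about the port_t target. Treat the output as a map of what was denied, not as policy to ship: the module fix lives in the dhcp policy package, which is where the attached patch was applied (comments 3 to 5).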
Comment 1 Stan Sander 2011-11-25 23:47:15 UTC
Created attachment 293779 [details, diff]
Patch to allow LDAP access
Comment 2 Sven Vermeulen (RETIRED) gentoo-dev 2011-11-27 18:00:45 UTC
Hi Stan,

Thank you. I'll add it in. BTW, this doesn't need to be an "optional_policy" since the sysnetwork module is part of base. In a fairly granular policy, it might be used with a "dhcp_use_ldap" tunable, but I don't think that'll be necessary. We'll see when the patch is pushed upstream as well.
Comment 3 Sven Vermeulen (RETIRED) gentoo-dev 2011-11-27 18:54:29 UTC
Should be in hardened-dev overlay.
Comment 4 Sven Vermeulen (RETIRED) gentoo-dev 2011-12-05 21:16:50 UTC
In portage tree, ~arch
Comment 5 Sven Vermeulen (RETIRED) gentoo-dev 2012-01-29 11:25:09 UTC
Stabilized