[DSE-Dev] Bug#707658: selinux-policy-default: dhclient fails to bind generic udp ports
Mika Pflueger
debian at mikapflueger.de
Fri May 10 00:33:55 UTC 2013
Package: selinux-policy-default
Version: 2:2.20110726-12
Severity: important
Tags: patch
Hi,
with a standard
> allow-hotplug eth0
> iface eth0 inet dhcp
directive in /etc/network/interfaces, a system with SELinux enabled in enforcing mode
fails to configure eth0 via DHCP because dhclient is denied permission to bind to a generic
udp port (from dmesg; auditd is not yet running at this point):
type=1400 audit(1368139483.940:3): avc: denied { name_bind } for pid=1646
comm="dhclient" src=15087 scontext=system_u:system_r:dhcpc_t:s0-s0:c0.c1023
tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
Looking in the Fedora policy, I found that they have simply allowed dhcpc_t to bind to all
udp ports since 2010, so I figured we should, too. However, this change is not
found in upstream refpolicy and might actually grant excessive permissions. So if
someone knows exactly which ports are needed, we could maybe do better.
For now I pushed a change with the full permissions to alioth git.
Cheers,
Mika
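The denial quoted in the report, worked through as an added example (this is not code from Debian's selinux-policy-default, from the reporter's patch, or from audit2allow): the script below parses dmesg-style AVC records, groups them by source type, target type and object class, unions the permissions, and prints the narrowest raw allow rule per group, plus the port number and port label behind every name_bind denial. That is the data one needs to answer "which ports are needed exactly" before granting every port. It assumes refpolicy's default port labelling, where a port with no portcon entry falls through to port_t; the second and third sample lines are constructed, only the first is from the report. The corresponding refpolicy interfaces, as I recall them from corenetwork.if and not as anything the report itself names, would be corenet_udp_bind_generic_port() for the narrow rule and corenet_udp_bind_all_ports() for the Fedora-style rule.

```python
"""Turn dmesg-style SELinux AVC denials into the narrowest raw allow rules.

Added example for the bug report above; not part of Debian's
selinux-policy-default nor of the reporter's patch.  Denials are grouped by
(source type, target type, object class) and their permissions unioned,
which is what one needs to answer "which ports are needed exactly" before
reaching for an allow-all-ports rule.
"""
import re

# Constructed sample input.  Line 1 is the denial quoted in the report;
# lines 2-3 are made-up file denials for the same domain, included only to
# show that unrelated classes stay apart and that repeated keys are merged.
SAMPLE_DMESG = """\
type=1400 audit(1368139483.940:3): avc: denied { name_bind } for pid=1646 comm="dhclient" src=15087 scontext=system_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
type=1400 audit(1368139484.001:4): avc:  denied  { read } for  pid=1646 comm="dhclient" name="resolv.conf" dev="sda1" ino=4242 scontext=system_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=1400 audit(1368139484.002:5): avc:  denied  { write } for  pid=1646 comm="dhclient" name="resolv.conf" dev="sda1" ino=4242 scontext=system_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
"""

# The kernel prints "avc:  denied  { perm perm } for  key=value ..." with
# variable whitespace; values may be bare tokens or double-quoted strings.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def type_of(context):
    """Return the type component of a user:role:type[:range] context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("not a security context: %r" % context)
    return parts[2]


def parse_avc(line):
    """Parse one AVC record; return None for lines that are not denials."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    for required in ("scontext", "tcontext", "tclass"):
        if required not in fields:
            raise ValueError("AVC record lacks %s: %r" % (required, line))
    return {
        "perms": m.group("perms").split(),
        "source_type": type_of(fields["scontext"]),
        "target_type": type_of(fields["tcontext"]),
        "tclass": fields["tclass"],
        "fields": fields,
    }


def merge_rules(records):
    """Group denials by (source, target, class) and union their permissions."""
    groups = {}
    for rec in records:
        key = (rec["source_type"], rec["target_type"], rec["tclass"])
        perms = groups.setdefault(key, [])
        for p in rec["perms"]:
            if p not in perms:
                perms.append(p)
    return groups


def format_rule(source, target, tclass, perms):
    """Render a raw policy allow rule with a sorted permission set."""
    perms = sorted(perms)
    body = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    return "allow %s %s:%s %s;" % (source, target, tclass, body)


def rules_from_dmesg(text):
    """Return one allow rule per (source, target, class) seen in the text."""
    records = [r for r in map(parse_avc, text.splitlines()) if r]
    return [format_rule(s, t, c, p) for (s, t, c), p in merge_rules(records).items()]


def bound_ports(records):
    """List (class, port, port type) for every socket name_bind denial.

    In a name_bind record 'src' is the local port being bound.  A target
    type of port_t means no portcon entry labeled that port, so it fell
    through to the default port label (assumed here to be port_t, as in
    refpolicy): the narrow rule for such a denial covers every unlabeled
    port and nothing that carries its own label, which is the distinction
    the report is asking about.
    """
    out = []
    for rec in records:
        if rec["tclass"] in ("udp_socket", "tcp_socket") and "name_bind" in rec["perms"]:
            out.append((rec["tclass"], int(rec["fields"]["src"]), rec["target_type"]))
    return out


if __name__ == "__main__":
    recs = [r for r in map(parse_avc, SAMPLE_DMESG.splitlines()) if r]
    for rule in rules_from_dmesg(SAMPLE_DMESG):
        print(rule)
    for tclass, port, ptype in bound_ports(recs):
        print("%s bind to port %d (labeled %s)" % (tclass, port, ptype))
```

Run on the sample it prints "allow dhcpc_t port_t:udp_socket name_bind;" for the quoted denial, which is the narrow counterpart of the all-udp-ports rule the report mentions: it lets dhcpc_t bind any port that has no label of its own (here 15087, an ephemeral port) without also opening the ports that do carry labels. Collecting real denials over a few boots with this kind of grouping is how one would find out whether anything beyond the generic ports is ever needed.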