[DSE-Dev] Bug#707658: selinux-policy-default: dhclient fails to bind generic udp ports

Mika Pflueger debian at mikapflueger.de
Fri May 10 00:33:55 UTC 2013

Package: selinux-policy-default
Version: 2:2.20110726-12
Severity: important
Tags: patch


with a standard 
> allow-hotplug eth0
> iface eth0 inet dhcp
directive in /etc/network/interfaces, a system with selinux enabled in enforcing mode
fails to configure eth0 via dhcp because the dhclient is denied to bind to a generic
udp port (from dmesg, auditd is not yet running at this point):
type=1400 audit(1368139483.940:3): avc:  denied  { name_bind } for  pid=1646 
comm="dhclient" src=15087 scontext=system_u:system_r:dhcpc_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:port_t:s0 tclass=udp_socket

Looking in the fedora policy, I found that they simply allow dhcpc_t to bind to all
udp ports since 2010, so I figured we should, too. However, this change is not
found in upstream refpolicy and might actually grant excessive permissions. So if
someone knows which ports are needed exactly, we could maybe do better.
For now I pushed a change with the full permissions to alioth git.



More information about the SELinux-devel mailing list