dhcpd_t needs efs_port_t:socket name_bind

Shintaro Fujiwara shintaro.fujiwara at gmail.com
Mon Dec 29 11:35:15 UTC 2014


Thanks for the reply, Miroslav.

Yes, I'm testing DHCP failover.

I got more errors on primary and secondary.

It goes like this; I'll show you the audit2allow -M results.

On the primary DHCP server:

allow dhcpd_t hi_reserved_port_t:tcp_socket name_bind;

On the secondary DHCP server:

allow dhcpd_t efs_port_t:tcp_socket name_bind;
allow dhcpd_t hi_reserved_port_t:tcp_socket name_bind;

Can we set a boolean to allow these when using DHCP failover?
It's really needed when you have two DHCP servers in the same network, I guess.
At least I do.
I found no boolean this time, you know.






2014-12-29 19:40 GMT+09:00 Miroslav Grepl <mgrepl at redhat.com>:

>  On 12/28/2014 03:47 PM, Shintaro Fujiwara wrote:
>
> Hi, I'm testing dhcpd in Fedora20 and got this error.
>
> type=AVC msg=audit(1419777402.148:425): avc:  denied  { name_bind } for
> pid=2751 comm="dhcpd" src=520 scontext=system_u:system_r:dhcpd_t:s0
> tcontext=system_u:object_r:efs_port_t:s0 tclass=tcp_socket permissive=0
>
> Did it happen by default or did you set up anything (dhcp failover for
> example)?
>


-- 
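A page for making heavy metal and hard rock take root in Japan
http://heavymetalhardrock.no-ip.info/

Free software that makes the secure OS SELinux easier to use around the world
http://sourceforge.net/projects/segatex/

CMS (free software built with PHP and PostgreSQL)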
http://sourceforge.net/projects/webon/
https://github.com/intrajp/irforum_jp
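
How the quoted AVC record maps to the `allow` lines listed in the message, as an added example (not part of the original thread and not audit2allow's own code): a small parser that groups denials into rules and keeps the denied port numbers beside each rule. The second sample record (port 519, serial 426) and the SYSCALL line are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed input: record 1 is the denial quoted in the thread joined onto
# one line; record 2 (port 519) and the SYSCALL line are made up.
SAMPLE_LOG = (
    'type=AVC msg=audit(1419777402.148:425): avc:  denied  { name_bind } for '
    'pid=2751 comm="dhcpd" src=520 scontext=system_u:system_r:dhcpd_t:s0 '
    'tcontext=system_u:object_r:efs_port_t:s0 tclass=tcp_socket permissive=0\n'
    'type=AVC msg=audit(1419777402.150:426): avc:  denied  { name_bind } for '
    'pid=2751 comm="dhcpd" src=519 scontext=system_u:system_r:dhcpd_t:s0 '
    'tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket permissive=0\n'
    'type=SYSCALL msg=audit(1419777402.150:426): arch=c000003e syscall=49 success=no\n'
)

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$', re.M)

def parse_denials(log_text):
    """Return one dict per AVC denial; other record types are skipped."""
    denials = []
    for m in AVC_RE.finditer(log_text):
        # comm="dhcpd" style values are quoted, everything else is a bare token
        fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', m.group('fields')))
        if not {'scontext', 'tcontext', 'tclass'} <= fields.keys():
            continue
        denials.append({
            'source': fields['scontext'].split(':')[2],  # user:role:type:level
            'target': fields['tcontext'].split(':')[2],
            'tclass': fields['tclass'],
            'perms': m.group('perms').split(),
            'port': int(fields['src']) if 'src' in fields else None,
        })
    return denials

def allow_rules(denials):
    """Group denials by (source, target, class); return (rule, ports) pairs."""
    perms, ports = defaultdict(set), defaultdict(set)
    for d in denials:
        key = (d['source'], d['target'], d['tclass'])
        perms[key].update(d['perms'])
        ports[key].update([d['port']] if d['port'] is not None else [])
    out = []
    for key in sorted(perms):
        p = sorted(perms[key])
        body = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        out.append(('allow %s %s:%s %s;' % (*key, body), sorted(ports[key])))
    return out
```

Calling `allow_rules(parse_denials(SAMPLE_LOG))` returns each rule together with the ports whose bind was denied, so it is visible which binds a given rule would cover.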