Hi, I'm testing dhcpd in Fedora20 and got this error.
type=AVC msg=audit(1419777402.148:425): avc: denied { name_bind } for pid=2751 comm="dhcpd" src=520 scontext=system_u:system_r:dhcpd_t:s0 tcontext=system_u:object_r:efs_port_t:s0 tclass=tcp_socket permissive=0
On 12/28/2014 03:47 PM, Shintaro Fujiwara wrote:
> Hi, I'm testing dhcpd in Fedora20 and got this error.
> type=AVC msg=audit(1419777402.148:425): avc: denied { name_bind } for pid=2751 comm="dhcpd" src=520 scontext=system_u:system_r:dhcpd_t:s0 tcontext=system_u:object_r:efs_port_t:s0 tclass=tcp_socket permissive=0
Did it happen by default or did you set up anything (dhcp failover for example)?
-- A page for helping heavy metal and hard rock take root in Japan http://heavymetalhardrock.no-ip.info/
Free software that makes SELinux, the secure OS, easier to use around the world http://sourceforge.net/projects/segatex/
CMS (free software built with PHP and PostgreSQL) http://sourceforge.net/projects/webon/ https://github.com/intrajp/irforum_jp
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
Thanks for the reply, Miroslav.
Yes, I'm testing DHCP failover.
I got more errors on the primary and the secondary.
It goes like this; I show them to you as audit2allow -M results.
On the primary DHCP server:
allow dhcpd_t hi_reserved_port_t:tcp_socket name_bind;
On the secondary DHCP server:
allow dhcpd_t efs_port_t:tcp_socket name_bind;
allow dhcpd_t hi_reserved_port_t:tcp_socket name_bind;
Can we set a boolean to allow these when using DHCP failover? It's really needed when you have two DHCP servers in the same network, I guess. At least I do. I found no boolean this time, you know.
2014-12-29 19:40 GMT+09:00 Miroslav Grepl mgrepl@redhat.com:
> On 12/28/2014 03:47 PM, Shintaro Fujiwara wrote:
>> Hi, I'm testing dhcpd in Fedora20 and got this error.
>> type=AVC msg=audit(1419777402.148:425): avc: denied { name_bind } for pid=2751 comm="dhcpd" src=520 scontext=system_u:system_r:dhcpd_t:s0 tcontext=system_u:object_r:efs_port_t:s0 tclass=tcp_socket permissive=0
> Did it happen by default or did you set up anything (dhcp failover for example)?
On 12/28/2014 09:47 AM, Shintaro Fujiwara wrote:
> type=AVC msg=audit(1419777402.148:425): avc: denied { name_bind } for pid=2751 comm="dhcpd" src=520 scontext=system_u:system_r:dhcpd_t:s0 tcontext=system_u:object_r:efs_port_t:s0 tclass=tcp_socket permissive=0
This looks like you have changed the port that dhcpd listens on. Port 520.
You could change the definition of these ports.
semanage port -m -t dhcpd_port_t -p tcp 520
Then it will be allowed.
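Added example (not part of the original thread, and not code from any poster): a short Python parser for the AVC record quoted above that derives both fixes discussed here, the audit2allow-style allow rule and the semanage port relabel. The function names and the port_type argument are assumptions of this example.

```python
import re

# AVC record copied from the thread above.
AVC = ('type=AVC msg=audit(1419777402.148:425): avc: denied { name_bind } '
       'for pid=2751 comm="dhcpd" src=520 '
       'scontext=system_u:system_r:dhcpd_t:s0 '
       'tcontext=system_u:object_r:efs_port_t:s0 '
       'tclass=tcp_socket permissive=0')

_AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')

def parse_avc(line):
    """Return the fields of an AVC denial as a dict, or None if it is not one."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    rec = {'perms': m.group('perms').split()}
    # key=value pairs; values may be double-quoted (comm="dhcpd").
    for key, val in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group('rest')):
        rec[key] = val.strip('"')
    if not all(k in rec for k in ('scontext', 'tcontext', 'tclass')):
        return None
    # Contexts are user:role:type:level; the type is the third field.
    rec['source_type'] = rec['scontext'].split(':')[2]
    rec['target_type'] = rec['tcontext'].split(':')[2]
    return rec

def allow_rule(rec):
    """Policy rule that would permit the denied access (what audit2allow emits)."""
    perms = rec['perms']
    p = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return 'allow %s %s:%s %s;' % (rec['source_type'], rec['target_type'],
                                   rec['tclass'], p)

def relabel_command(rec, port_type):
    """For a name_bind denial, the semanage command that relabels the port.
    port_type is supplied by the caller; it is not derivable from the record."""
    tclass = rec['tclass']
    if 'name_bind' not in rec['perms'] or tclass not in ('tcp_socket', 'udp_socket'):
        return None
    proto = tclass[:-len('_socket')]
    return 'semanage port -m -t %s -p %s %s' % (port_type, proto, rec['src'])

if __name__ == '__main__':
    rec = parse_avc(AVC)
    print(allow_rule(rec))
    print(relabel_command(rec, 'dhcpd_port_t'))
```

The two outputs differ in scope: the allow rule lets dhcpd_t bind any port labelled efs_port_t, while the semanage command changes only the label of port 520.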
Yes, I changed it arbitrarily in dhcpd.conf.
Thanks for your lecture; it helps me a lot. Then if I set port 67,68, no SELinux error? I will check. Thanks!
2015-01-03 21:51 GMT+09:00 Daniel J Walsh dwalsh@redhat.com:
> On 12/28/2014 09:47 AM, Shintaro Fujiwara wrote:
>> type=AVC msg=audit(1419777402.148:425): avc: denied { name_bind } for pid=2751 comm="dhcpd" src=520 scontext=system_u:system_r:dhcpd_t:s0 tcontext=system_u:object_r:efs_port_t:s0 tclass=tcp_socket permissive=0
> This looks like you have changed the port that dhcpd listens on. Port 520.
> You could change the definition of these ports.
> semanage port -m -t dhcpd_port_t -p tcp 520
> Then it will be allowed.