Package: selinux-policy-default
Version: 2:2.20110726-12
Severity: important
Tags: patch

Hi,

with a standard 
> allow-hotplug eth0
> iface eth0 inet dhcp
directive in /etc/network/interfaces, a system with selinux enabled in
enforcing mode fails to configure eth0 via dhcp because the dhclient is
denied to bind to a generic udp port (from dmesg, auditd is not yet running
at this point):
type=1400 audit(1368139483.940:3): avc:  denied  { name_bind } for  pid=1646 comm="dhclient" src=15087 scontext=system_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket

Looking in the fedora policy, I found that they simply allow dhcpc_t to bind
to all udp ports since 2010, so I figured we should, too. However, this
change is not found in upstream refpolicy and might actually grant excessive
permissions. So if someone knows which ports are needed exactly, we could
maybe do better.
For now I pushed a change with the full permissions to alioth git.

Cheers,

Mika
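
Added example, not part of the original report or of the Debian policy: a small parser that reads the AVC denial quoted above and prints the narrowest raw allow rule that denial supports, for comparison with a grant on all udp ports. The function names are hypothetical; the log line is the one from the report.

```python
import re

# The denial from the report, joined onto one line.
SAMPLE = ('type=1400 audit(1368139483.940:3): avc:  denied  { name_bind } for  '
          'pid=1646 comm="dhclient" src=15087 '
          'scontext=system_u:system_r:dhcpc_t:s0-s0:c0.c1023 '
          'tcontext=system_u:object_r:port_t:s0 tclass=udp_socket')

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def setype(context):
    """Return the type field of a user:role:type[:mls] security context."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else None


def parse_avc(line):
    """Parse one AVC denial; return None if the line is not a usable denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    source = setype(fields.get('scontext', ''))
    target = setype(fields.get('tcontext', ''))
    if not (source and target and 'tclass' in fields):
        return None
    return {'perms': m.group('perms').split(), 'comm': fields.get('comm'),
            'port': fields.get('src'), 'source': source, 'target': target,
            'tclass': fields['tclass']}


def minimal_rule(denial):
    """Build the raw allow rule covering exactly this denial and nothing more."""
    perms = denial['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return 'allow {source} {target}:{tclass} {p};'.format(p=perm_str, **denial)


if __name__ == '__main__':
    d = parse_avc(SAMPLE)
    print('%s (port %s): %s' % (d['comm'], d['port'], minimal_rule(d)))
```

The resulting rule names only port_t, the type carried by ports without a more specific label, so it is narrower than a grant covering every udp port type.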

