Bug 1259766
| Summary: | SELinux is preventing unbound from 'name_bind' accesses on the udp_socket port 61000. | | |
|---|---|---|---|
| Product: | Fedora | Reporter: | Stephen Gallagher <sgallagh> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 23 | CC: | benny+bugzilla, dominick.grift, dwalsh, esm, lslebodn, lvrabec, mgrepl, plautrba, sgallagh, vmojzis |
| Target Milestone: | --- | Keywords: | Reopened |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Unspecified | | |
| Whiteboard: | abrt_hash:12e98f771af3b7bcd3037c55005bf817d8c6336def26bcdca7efe3e6b9c08a91 | | |
| Fixed In Version: | selinux-policy-3.13.1-155.fc23 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2015-11-26 20:57:46 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Stephen Gallagher
2015-09-03 13:45:38 UTC
Is it a custom configuration? Or is it going to happen by default?

There shouldn't be anything custom in this configuration. I just installed unbound and dnssec-trigger and enabled them.

(In reply to Stephen Gallagher from comment #2)
> There shouldn't be anything custom in this configuration. I just installed
> unbound and dnssec-trigger and enabled them.

Yes, we have another bug where it is looking for ephemeral ports. We should allow it.

selinux-policy-3.13.1-150.fc23 has been submitted as an update to Fedora 23.
https://bodhi.fedoraproject.org/updates/FEDORA-2015-f4305656a5

selinux-policy-3.13.1-150.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update selinux-policy'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-f4305656a5

selinux-policy-3.13.1-150.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Reopening; I am still receiving this AVC on selinux-policy-3.13.1-152.fc23.noarch

+1, seeing the same thing here, on a fresh upgrade from F22 to F23.

selinux-policy-3.13.1-155.fc23 has been submitted as an update to Fedora 23.
https://bodhi.fedoraproject.org/updates/FEDORA-2015-0d84d6c75f

selinux-policy-3.13.1-155.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update selinux-policy'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-0d84d6c75f

selinux-policy-3.13.1-155.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
This problem exists in Fedora 30 with:
selinux-policy-targeted-3.14.3-39.fc30.noarch
selinux-policy-3.14.3-39.fc30.noarch

SELinux is preventing unbound from name_bind access on the udp_socket port 61000.

***** Plugin catchall_boolean (89.3 confidence) suggests ****************

If you want to allow nis to enabled
Then you must tell SELinux about this by enabling the 'nis_enabled' boolean.

Do
setsebool -P nis_enabled 1

***** Plugin catchall (11.6 confidence) suggests ************************

If you believe that unbound should be allowed name_bind access on the port 61000 udp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'unbound' --raw | audit2allow -M my-unbound
# semodule -X 300 -i my-unbound.pp

Additional Information:
Source Context                system_u:system_r:named_t:s0
Target Context                system_u:object_r:port_t:s0
Target Objects                port 61000 [ udp_socket ]
Source                        unbound
Source Path                   unbound
Port                          61000
Host                          sisyphos.amorsen.dk
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-3.14.3-39.fc30.noarch
SELinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     sisyphos.amorsen.dk
Platform                      Linux sisyphos.amorsen.dk 5.1.11-300.fc30.x86_64 #1 SMP Mon Jun 17 19:33:15 UTC 2019 x86_64 x86_64
Alert Count                   105
First Seen                    2019-04-29 10:45:38 BST
Last Seen                     2019-07-01 16:28:57 BST
Local ID                      0212e570-c2c9-49a0-b3f4-9f88402b6b6d

Raw Audit Messages
type=AVC msg=audit(1561994937.47:3140): avc: denied { name_bind } for pid=1003 comm="unbound" src=61000 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket permissive=0

Hash: unbound,named_t,port_t,udp_socket,name_bind

(If there is a handy way to un-localize such messages, please let me know)
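The raw AVC record quoted in the last comment is the kind of thing a practitioner wants to triage in bulk before deciding whether a denial is a policy gap (as it was here) or something to report and leave denied. The following is an added example, not code from this bug or from the selinux-policy project: it parses raw `type=AVC` records into their fields, keeps only `name_bind` denials whose target is the generic `port_t` type (the type a port carries when no port definition in the loaded policy covers it), and says whether the port falls inside the kernel's ephemeral range. The first sample record is the one from the comment above; the other three are constructed here. The default ephemeral range of 32768-60999 is an assumption taken from what `/proc/sys/net/ipv4/ip_local_port_range` reports on current kernels; older kernels used 61000 as the upper bound, which is why the range is a parameter.

```python
"""Parse raw SELinux AVC records and flag name_bind denials on unlabeled ports.

Added example for this bug report; not part of the bug or of selinux-policy.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample log. The first record is the raw AVC message quoted in the
# Fedora 30 comment of this bug; the other three are constructed to exercise the
# filters: a name_bind on a non-ephemeral high port, a name_bind on a port that
# already carries a specific type, and a denial that is not about ports at all.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1561994937.47:3140): avc: denied { name_bind } for pid=1003 comm="unbound" src=61000 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket permissive=0
type=AVC msg=audit(1561994940.12:3141): avc: denied { name_bind } for pid=2048 comm="httpd" src=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1561994941.50:3142): avc: denied { name_bind } for pid=2100 comm="python3" src=53 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:dns_port_t:s0 tclass=udp_socket permissive=0
type=AVC msg=audit(1561994942.00:3143): avc: denied { read } for pid=3000 comm="nginx" name="index.html" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
"""

# audit(<timestamp>:<serial>): avc: denied { perm ... } for key=value ...
# \s+ absorbs the double spaces real auditd output puts around "denied".
AVC_RE = re.compile(
    r"msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+denied\s+"
    r"\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcDenial:
    serial: int
    permissions: Tuple[str, ...]
    fields: Dict[str, str]

    @property
    def comm(self) -> str:
        return self.fields.get("comm", "?")

    @property
    def tclass(self) -> str:
        return self.fields.get("tclass", "?")

    @property
    def source_type(self) -> str:
        # A context is user:role:type:level; the type is what policy rules key on.
        return self.fields["scontext"].split(":")[2]

    @property
    def target_type(self) -> str:
        return self.fields["tcontext"].split(":")[2]

    @property
    def port(self) -> Optional[int]:
        # For name_bind denials the port number is carried in the "src" field.
        src = self.fields.get("src")
        return int(src) if src is not None and src.isdigit() else None


def parse_avc(line: str) -> Optional[AvcDenial]:
    """Parse one raw 'type=AVC ... denied' record; return None for anything else."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    if "scontext" not in fields or "tcontext" not in fields:
        return None
    return AvcDenial(int(m.group("serial")), tuple(m.group("perms").split()), fields)


def parse_audit_log(text: str) -> List[AvcDenial]:
    return [d for d in (parse_avc(line) for line in text.splitlines()) if d is not None]


def classify_port(port: int, ephemeral_range: Tuple[int, int]) -> str:
    """Place a port relative to the privileged range and the kernel's ephemeral range."""
    lo, hi = ephemeral_range
    if port < 1024:
        return "reserved"
    if lo <= port <= hi:
        return "in-ephemeral-range"
    return "outside-ephemeral-range"


def find_bind_denials_on_unlabeled_ports(
    denials: List[AvcDenial], ephemeral_range: Tuple[int, int] = (32768, 60999)
) -> List[Tuple[AvcDenial, str]]:
    """Keep name_bind denials on tcp/udp sockets whose target is the generic port_t.

    A target of port_t means no port definition in the loaded policy covers the
    port, which is the signature of the gap this bug was about. Ports that
    already carry a specific type (for example dns_port_t) are left out: a
    denial there is the policy working as designed, not a missing definition.
    """
    hits = []
    for d in denials:
        if "name_bind" not in d.permissions or d.tclass not in ("tcp_socket", "udp_socket"):
            continue
        if d.port is None or d.target_type != "port_t":
            continue
        hits.append((d, classify_port(d.port, ephemeral_range)))
    return hits


def report(text: str, ephemeral_range: Tuple[int, int] = (32768, 60999)) -> List[str]:
    """One summary line per finding, suitable for a triage ticket."""
    lines = []
    for d, verdict in find_bind_denials_on_unlabeled_ports(parse_audit_log(text), ephemeral_range):
        lines.append(
            f"serial={d.serial} {d.comm} ({d.source_type}) name_bind {d.tclass} "
            f"port {d.port}: target port_t, {verdict}"
        )
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_AUDIT_LOG):
        print(line)
```

With the assumed current range the unbound record is reported as just outside the ephemeral range while the same record against the older 32768-61000 range lands inside it, which is the distinction that matters when deciding whether a port definition is missing. To run it against a live system, feed it `ausearch -m avc --raw` output; `semanage port -l` shows which type each port carries, and after installing a policy update `sesearch -A -s named_t -t port_t -c udp_socket -p name_bind` (from setools) shows whether an allow rule for that exact tuple now exists, which is the check to make before reaching for `audit2allow`.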