Bug 732833

Summary: unbound triggers SELinux alerts
Product: [Fedora] Fedora
Reporter: Debarshi Ray <debarshir>
Component: unbound
Assignee: Paul Wouters <pwouters>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 15
CC: dwalsh, fkooman, greg.ruch, i.grok, jorti, pwouters, robin.bowes, tis
Hardware: Unspecified
OS: Linux
Doc Type: Bug Fix
Last Closed: 2012-04-16 21:32:21 UTC

Description Debarshi Ray 2011-08-23 19:52:10 UTC
Description of problem:
Trying to run unbound causes SELinux alerts which can be worked around by the following commands:

# semanage port -a -t dns_port_t -p tcp 8953

# grep unbound /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Version-Release number of selected component (if applicable):
unbound-1.4.12-1.fc15

How reproducible:
Install unbound and try to run it using:
# systemctl start unbound.service
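
The following Python script is an added example, not part of the original report. It lists what a module built by the audit2allow workaround above would permit, and separates port-bind denials, which the semanage port command handles by labelling the port instead. The log lines and the named_t, port_t and var_run_t labels are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample records in audit.log AVC format (not taken from the bug report).
# The named_t / port_t / var_run_t labels are assumptions for illustration.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1314129130.101:310): avc:  denied  { name_bind } for  pid=2101 comm="unbound" src=8953 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1314129130.105:311): avc:  denied  { write } for  pid=2101 comm="unbound" name="unbound.pid" dev=dm-0 ino=4242 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1314129130.109:312): avc:  denied  { read write } for  pid=2101 comm="unbound" name="unbound.pid" dev=dm-0 ino=4242 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1314129131.000:313): avc:  denied  { read } for  pid=2200 comm="httpd" name="x" dev=dm-0 ino=7 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1314129130.101:310): arch=c000003e syscall=49 success=no exit=-13 comm="unbound" exe="/usr/sbin/unbound"
"""

PERMS_RE = re.compile(r"avc:\s+denied\s+\{ ([^}]+) \}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def summarize(log_text, comm="unbound"):
    """Return (allow_rules, port_binds) for AVC denials logged for `comm`."""
    rules = defaultdict(set)   # (source type, target type, class) -> permissions
    port_binds = set()         # (protocol, port) better fixed by a port label
    for line in log_text.splitlines():
        m = PERMS_RE.search(line)
        if not line.startswith("type=AVC") or not m:
            continue
        f = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        if f.get("comm") != comm:   # exact match on comm=, not a substring grep
            continue
        perms = m.group(1).split()
        stype = f["scontext"].split(":")[2]
        ttype = f["tcontext"].split(":")[2]
        if "name_bind" in perms and "src" in f:
            # An allow rule here would permit binding to every port of that type.
            port_binds.add((f["tclass"].split("_")[0], int(f["src"])))
            continue
        rules[(stype, ttype, f["tclass"])].update(perms)
    allow = [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
             for (s, t, c), p in sorted(rules.items())]
    return allow, sorted(port_binds)

if __name__ == "__main__":
    allow, ports = summarize(SAMPLE_AUDIT_LOG)
    print("\n".join(allow))
    for proto, port in ports:
        print(f"semanage port -a -t dns_port_t -p {proto} {port}")
```

Reviewing this output before running semodule -i shows exactly which accesses the local module adds to the policy.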

Comment 1 Scott Schmit 2011-09-03 02:53:36 UTC
I'm seeing this too, in Fedora 14.

Comment 2 Paul Wouters 2011-09-22 02:29:07 UTC
unbound has no SELinux policies yet. I hope to add these soon.

Comment 3 François Kooman 2011-10-21 15:13:11 UTC
*** Bug 747972 has been marked as a duplicate of this bug. ***

Comment 4 Daniel Walsh 2011-10-21 15:20:38 UTC
Added port 8953 to dns_port_t by default in F16

selinux-policy-3.10.0-47.fc17

Comment 5 Greg 2011-11-24 08:31:07 UTC
I've solved it by disabling the remote control.

unbound.conf
...
# Remote control config section. 
remote-control:
        # Enable remote control with unbound-control(8) here.
        # set up the keys and certificates with unbound-control-setup.
        # Note: required for unbound-munin package
        control-enable: no
...

I propose to change the default config of the package to solve this issue. What do you think about it?

Comment 6 Robin Bowes 2011-12-07 15:37:15 UTC
Bad idea to "solve" the problem by changing the default config.

That just means it will break when the remote-control option is enabled.

Fixing the policy is the correct route. Shame it's only in Fedora, not RHEL6.2 !! :)

R.

Comment 7 Paul Wouters 2012-02-28 02:25:38 UTC
This was fixed in the last few weeks with updates to the selinux-policy package. Please try with the latest (or perhaps the latest from updates-testing at this point) and let me know if you still see any problems.

Thanks to Dan Walsh for fixing this with me!