Description of problem:
SELinux is preventing unbound from 'name_bind' accesses on the udp_socket port 61000.

***** Plugin catchall_boolean (89.3 confidence) suggests ******************

If you want to allow nis to enabled
Then you must tell SELinux about this by enabling the 'nis_enabled' boolean.
You can read 'None' man page for more details.
Do
setsebool -P nis_enabled 1

***** Plugin catchall (11.6 confidence) suggests **************************

If you believe that unbound should be allowed name_bind access on the port 61000 udp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep unbound /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:named_t:s0
Target Context                system_u:object_r:ephemeral_port_t:s0
Target Objects                port 61000 [ udp_socket ]
Source                        unbound
Source Path                   unbound
Port                          61000
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-144.fc23.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.2.0-1.fc23.x86_64 #1 SMP Mon Aug 31 15:57:27 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-09-03 09:42:33 EDT
Last Seen                     2015-09-03 09:42:33 EDT
Local ID                      e49e5c7d-1b5f-4b33-80fc-a338412105e8

Raw Audit Messages
type=AVC msg=audit(1441287753.39:1414): avc: denied { name_bind } for pid=1581 comm="unbound" src=61000 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=udp_socket permissive=0

Hash: unbound,named_t,ephemeral_port_t,udp_socket,name_bind

Version-Release number of selected component:
selinux-policy-3.13.1-144.fc23.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.2.0-1.fc23.x86_64
type:           libreport
Is it a custom configuration? Or is it going to happen by default?
There shouldn't be anything custom in this configuration. I just installed unbound and dnssec-trigger and enabled them.
(In reply to Stephen Gallagher from comment #2)
> There shouldn't be anything custom in this configuration. I just installed
> unbound and dnssec-trigger and enabled them.

Yes, we have another bug where it is looking for ephemeral ports. We should allow it.
https://github.com/fedora-selinux/selinux-policy/commit/a2acd84b32a5132d256689ab50cd99127994f0f8
selinux-policy-3.13.1-150.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-f4305656a5
selinux-policy-3.13.1-150.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.

If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update selinux-policy'

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-f4305656a5
selinux-policy-3.13.1-150.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Reopening; I am still receiving this AVC on selinux-policy-3.13.1-152.fc23.noarch
+1 seeing the same thing here, on a fresh upgrade from F22 to F23.
https://github.com/fedora-selinux/selinux-policy/commit/e21f9814eb3544c1549b39194a8c7e9074ba4104
selinux-policy-3.13.1-155.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-0d84d6c75f
selinux-policy-3.13.1-155.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.

If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update selinux-policy'

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-0d84d6c75f
selinux-policy-3.13.1-155.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
This problem exists in Fedora 30 with:
selinux-policy-targeted-3.14.3-39.fc30.noarch
selinux-policy-3.14.3-39.fc30.noarch

SELinux is preventing unbound from name_bind access on the udp_socket port 61000.

***** Plugin catchall_boolean (89.3 confidence) suggests ******************

If you want to allow nis to enabled
Then you must tell SELinux about this by enabling the 'nis_enabled' boolean.
Do
setsebool -P nis_enabled 1

***** Plugin catchall (11.6 confidence) suggests **************************

If you believe that unbound should be allowed name_bind access on the port 61000 udp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'unbound' --raw | audit2allow -M my-unbound
# semodule -X 300 -i my-unbound.pp

Additional Information:
Source Context                system_u:system_r:named_t:s0
Target Context                system_u:object_r:port_t:s0
Target Objects                port 61000 [ udp_socket ]
Source                        unbound
Source Path                   unbound
Port                          61000
Host                          sisyphos.amorsen.dk
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.14.3-39.fc30.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     sisyphos.amorsen.dk
Platform                      Linux sisyphos.amorsen.dk 5.1.11-300.fc30.x86_64 #1 SMP Mon Jun 17 19:33:15 UTC 2019 x86_64 x86_64
Alert Count                   105
First Seen                    2019-04-29 10:45:38 BST
Last Seen                     2019-07-01 16:28:57 BST
Local ID                      0212e570-c2c9-49a0-b3f4-9f88402b6b6d

Raw Audit Messages
type=AVC msg=audit(1561994937.47:3140): avc: denied { name_bind } for pid=1003 comm="unbound" src=61000 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket permissive=0

Hash: unbound,named_t,port_t,udp_socket,name_bind

(If there is a handy way to un-localize such messages, please let me know)
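Both the original Fedora 23 report and the Fedora 30 one above quote setroubleshoot's catch-all advice to pipe unbound's denials into audit2allow and load the result with semodule. The POSIX shell script below is an added example, not code from this bug report or from selinux-policy: it reimplements the parsing step behind "audit2allow -M" with awk, so the allow rules such a module would grant can be read before anything is loaded. The sample audit records are constructed from the two raw AVC messages quoted in this bug plus one made-up file denial by the same process; the function names avc_to_te and te_module and the module name my-unbound are this example's own.

```shell
#!/bin/sh
# Added example (not part of the bug report or of selinux-policy): a small
# re-implementation of what "audit2allow -M NAME" does with AVC records, so
# that the rules a local module would carry can be inspected before loading.

# Constructed sample input: the two raw AVC records quoted in this bug
# (Fedora 23 target ephemeral_port_t, Fedora 30 target port_t) plus one
# made-up, unrelated file denial by the same unbound process, to show what a
# "grep unbound" / "ausearch -c unbound" style filter sweeps in.
AVC_SAMPLE='type=AVC msg=audit(1441287753.39:1414): avc: denied { name_bind } for pid=1581 comm="unbound" src=61000 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=udp_socket permissive=0
type=AVC msg=audit(1561994937.47:3140): avc: denied { name_bind } for pid=1003 comm="unbound" src=61000 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket permissive=0
type=AVC msg=audit(1561994940.00:3141): avc: denied { read } for pid=1003 comm="unbound" name="root.key" scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0'

# avc_to_te COMM [TCLASS]: read audit records on stdin and print one TE allow
# rule per distinct (source type, target type, class, permission) tuple for
# denials by process COMM, optionally restricted to object class TCLASS.
# Only "denied" AVC records count, as with audit2allow.
avc_to_te() {
    awk -v want_comm="$1" -v want_class="$2" '
        /type=AVC/ && /avc: +denied/ {
            # permission set is the text between the braces
            if (!match($0, /\{[^}]*\}/)) next
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            comm = src = tgt = cls = ""
            for (i = 1; i <= NF; i++) {
                eq = index($i, "=")
                if (!eq) continue
                key = substr($i, 1, eq - 1); val = substr($i, eq + 1)
                if (key == "comm")     { gsub(/"/, "", val); comm = val }
                if (key == "scontext") { split(val, p, ":"); src = p[3] }  # type field of user:role:type:level
                if (key == "tcontext") { split(val, p, ":"); tgt = p[3] }
                if (key == "tclass")   { cls = val }
            }
            if (comm != want_comm) next
            if (want_class != "" && cls != want_class) next
            n = split(perms, pl, " ")
            for (j = 1; j <= n; j++) {
                rule = "allow " src " " tgt ":" cls " " pl[j] ";"
                if (!seen[rule]++) print rule
            }
        }'
}

# te_module NAME: read allow rules on stdin and wrap them in loadable module
# source (what audit2allow writes to NAME.te), declaring every type and class
# the rules use in a require block.
te_module() {
    rules=$(cat)
    printf 'module %s 1.0;\n\nrequire {\n' "$1"
    printf '%s\n' "$rules" | awk '
        $1 == "allow" {
            split($3, tc, ":"); perm = $4; sub(/;$/, "", perm)
            if (!types[$2]++) order[++nt] = $2
            if (!types[tc[1]]++) order[++nt] = tc[1]
            if (!classes[tc[2]]++) corder[++nc] = tc[2]
            if (!cp[tc[2], perm]++) perms[tc[2]] = perms[tc[2]] " " perm
        }
        END {
            for (i = 1; i <= nt; i++) printf "\ttype %s;\n", order[i]
            for (i = 1; i <= nc; i++) printf "\tclass %s {%s };\n", corder[i], perms[corder[i]]
        }'
    printf '}\n\n%s\n' "$rules"
}

# Stand-alone demonstration: only the two port denials, as module source.
printf '%s\n' "$AVC_SAMPLE" | avc_to_te unbound udp_socket | te_module my-unbound
```

Run without the class filter (avc_to_te unbound) and the made-up var_lib_t file denial lands in the module too: filtering on the process name alone, which is what both suggested commands do, grants every denial that process ever logged, not just the one in the alert. The two reports also differ in target type (ephemeral_port_t on Fedora 23, port_t on Fedora 30, port_t being the default label for ports without a specific one), so a module built from one host's log does not cover the other, and a rule against port_t is far wider than port 61000. After installing a fixed selinux-policy, the check that the shipped policy now carries the access, rather than a local module, is sesearch -A -s named_t -t ephemeral_port_t -c udp_socket -p name_bind (from setools), which should list a matching allow rule.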