Looks similar to Fedora bug 990974, bug 1259766 and bug 1272835.

Occurs after installation and enabling of unbound and dnssec-trigger.

==============================================================================

SELinux is preventing /usr/sbin/unbound from name_bind access on the udp_socket port 61000.

***** Plugin catchall_boolean (89.3 confidence) suggests ******************

If you want to allow nis to enabled
Then you must tell SELinux about this by enabling the 'nis_enabled' boolean.
You can read 'None' man page for more details.
Do
setsebool -P nis_enabled 1

***** Plugin catchall (11.6 confidence) suggests **************************

If you believe that unbound should be allowed name_bind access on the port 61000 udp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep unbound /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:named_t:s0
Target Context                system_u:object_r:ephemeral_port_t:s0
Target Objects                port 61000 [ udp_socket ]
Source                        unbound
Source Path                   /usr/sbin/unbound
Port                          61000
Host                          (removed)
Source RPM Packages           unbound-1.4.20-26.el7.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-60.el7_2.3.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.10.0-363.el7.x86_64 #1 SMP Thu Mar 10 08:58:35 EST 2016 x86_64 x86_64
Alert Count                   2
First Seen                    2016-03-16 01:04:48 CET
Last Seen                     2016-03-16 01:04:48 CET
Local ID                      358f8283-e008-4a2b-bc36-0a56ff7edf32

Raw Audit Messages
type=AVC msg=audit(1458086688.481:1296): avc: denied { name_bind } for pid=1237 comm="unbound" src=61000 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=udp_socket

type=SYSCALL msg=audit(1458086688.481:1296): arch=x86_64 syscall=bind success=no exit=EACCES a0=16 a1=7fdf6dd81b90 a2=1c a3=7ffeab3b2c3c items=0 ppid=1 pid=1237 auid=4294967295 uid=998 gid=996 euid=998 suid=998 fsuid=998 egid=996 sgid=996 fsgid=996 tty=(none) ses=4294967295 comm=unbound exe=/usr/sbin/unbound subj=system_u:system_r:named_t:s0 key=(null)

Hash: unbound,named_t,ephemeral_port_t,udp_socket,name_bind
commit 70c83cdcf23728ef416f46b8d19d07aa78ad7950
Author: Miroslav Grepl <mgrepl>
Date:   Tue Nov 10 09:26:24 2015 +0100

    unbound wants to use ephemeral ports as a default configuration. Allow to use also udp sockets.

    Resolves: rhbz#1318224
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-2283.html