Bug 1830625 - SELinux is preventing unbound-anchor from name_bind access on the udp_socket port 61000
Summary: SELinux is preventing unbound-anchor from name_bind access on the udp_socket ...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: unbound
Version: 8.2
Hardware: noarch
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: 8.0
Assignee: aegorenk
QA Contact: František Hrdina
URL:
Whiteboard:
Duplicates: 1837071 1895029
Depends On:
Blocks: 1952814
 
Reported: 2020-05-03 05:06 UTC by Joachim Frieben
Modified: 2024-12-20 19:04 UTC (History)
CC List: 11 users

Fixed In Version: unbound-1.7.3-17.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1952814
Environment:
Last Closed: 2021-11-09 18:05:30 UTC
Type: Bug
Target Upstream Version:
Embargoed:
Flags: pm-rhel: mirror+




Links
  GitHub NLnetLabs/unbound issue 257 (open): unbound-anchor default configuration file (last updated 2021-02-20 02:10:08 UTC)
  GitHub NLnetLabs/unbound pull 409 (closed): Use /proc/sys/net/ipv4/ip_local_port_range to determine available outgoing ports (last updated 2021-02-20 02:10:08 UTC)
  Red Hat Bugzilla 1667742 (medium, CLOSED): SELinux is preventing unbound from 'name_bind' accesses on the udp_socket port 61000. (last updated 2024-12-10 21:23:30 UTC)
  Red Hat Bugzilla 1837071 (medium, CLOSED): SELinux is preventing unbound from 'name_bind' accesses on the udp_socket port 61000. (last updated 2024-12-10 21:27:17 UTC)
  Red Hat Product Errata RHBA-2021:4194 (last updated 2021-11-09 18:05:37 UTC)

Internal Links: 1837071

Description Joachim Frieben 2020-05-03 05:06:00 UTC
SELinux is preventing unbound-anchor from name_bind access on the udp_socket port 61000.

*****  Plugin bind_ports (92.2 confidence) suggests   ************************

If you want to allow unbound-anchor to bind to network port 61000
Then you need to modify the port type.
Do
# semanage port -a -t PORT_TYPE -p udp 61000
    where PORT_TYPE is one of the following: afs3_callback_port_t, afs_bos_port_t, afs_fs_port_t, afs_ka_port_t, afs_pt_port_t, afs_vl_port_t, amanda_port_t, amavisd_recv_port_t, amavisd_send_port_t, amqp_port_t, aol_port_t, apc_port_t, apcupsd_port_t, appswitch_emp_port_t, asterisk_port_t, babel_port_t, bacula_port_t, bctp_port_t, bfd_control_port_t, bgp_port_t, boinc_client_port_t, boinc_port_t, brlp_port_t, certmaster_port_t, clamd_port_t, clockspeed_port_t, cluster_port_t, cma_port_t, cobbler_port_t, collectd_port_t, commplex_link_port_t, commplex_main_port_t, condor_port_t, conman_port_t, connlcli_port_t, conntrackd_port_t, couchdb_port_t, ctdb_port_t, cvs_port_t, cyphesis_port_t, cyrus_imapd_port_t, daap_port_t, dbskkd_port_t, dcc_port_t, dccm_port_t, dey_keyneg_port_t, dey_sapi_port_t, dhcpc_port_t, dict_port_t, distccd_port_t, dns_port_t, dnssec_port_t, dogtag_port_t, embrace_dp_c_port_t, ephemeral_port_t, epmd_port_t, fac_restore_port_t, firepower_port_t, flash_port_t, fmpro_internal_port_t, freeipmi_port_t, gatekeeper_port_t, gds_db_port_t, gear_port_t, geneve_port_t, giftd_port_t, git_port_t, glance_port_t, glance_registry_port_t, gluster_port_t, gpsd_port_t, hadoop_datanode_port_t, hadoop_namenode_port_t, hddtemp_port_t, howl_port_t, hplip_port_t, http_cache_port_t, i18n_input_port_t, ibm_dt_2_port_t, imaze_port_t, intermapper_port_t, interwise_port_t, ionixnetmon_port_t, ipp_port_t, ipsecnat_port_t, ircd_port_t, iscsi_port_t, isns_port_t, jabber_client_port_t, jabber_interserver_port_t, jabber_router_port_t, jacorb_port_t, jboss_debug_port_t, jboss_management_port_t, jboss_messaging_port_t, kerberos_port_t, keystone_port_t, kubernetes_port_t, l2tp_port_t, lirc_port_t, llmnr_port_t, lltng_port_t, lsm_plugin_port_t, luci_port_t, mail_port_t, mailbox_port_t, matahari_port_t, memcache_port_t, milter_port_t, mmcc_port_t, mongod_port_t, monopd_port_t, mountd_port_t, movaz_ssc_port_t, mpd_port_t, ms_streaming_port_t, msnp_port_t, mssql_port_t, munin_port_t, 
mxi_port_t, mysqld_port_t, mysqlmanagerd_port_t, mythtv_port_t, nessus_port_t, netport_port_t, netsupport_port_t, neutron_port_t, nfs_port_t, nmea_port_t, nodejs_debug_port_t, nsca_port_t, nsd_control_port_t, ntop_port_t, oa_system_port_t, ocsp_port_t, openflow_port_t, openhpid_port_t, openqa_port_t, openqa_websockets_port_t, openvpn_port_t, openvswitch_port_t, oracle_port_t, osapi_compute_port_t, ovsdb_port_t, pdps_port_t, pegasus_http_port_t, pegasus_https_port_t, pgpkeyserver_port_t, pingd_port_t, pki_kra_port_t, pki_ocsp_port_t, pki_ra_port_t, pki_tks_port_t, pki_tps_port_t, pktcable_cops_port_t, postfix_policyd_port_t, postgresql_port_t, postgrey_port_t, pptp_port_t, prelude_port_t, presence_port_t, preupgrade_port_t, priority_e_com_port_t, prosody_port_t, ptal_port_t, pulseaudio_port_t, puppet_port_t, pxe_port_t, pyzor_port_t, qpasa_agent_port_t, rabbitmq_port_t, radacct_port_t, radius_port_t, radsec_port_t, razor_port_t, redis_port_t, repository_port_t, ricci_modcluster_port_t, ricci_port_t, rkt_port_t, rtp_media_port_t, rtsclient_port_t, rtsp_port_t, salt_port_t, sap_port_t, saphostctrl_port_t, servistaitsm_port_t, sge_port_t, shellinaboxd_port_t, sieve_port_t, sip_port_t, sixxsconfig_port_t, smntubootstrap_port_t, soundd_port_t, speech_port_t, squid_port_t, ssdp_port_t, statsd_port_t, svn_port_t, swift_port_t, sype_transport_port_t, syslog_tls_port_t, tangd_port_t, tcs_port_t, tor_port_t, traceroute_port_t, tram_port_t, transproxy_port_t, trisoap_port_t, trivnet1_port_t, unreserved_port_t, ups_port_t, us_cli_port_t, varnishd_port_t, versa_tek_port_t, virt_migration_port_t, virt_port_t, virtual_places_port_t, vnc_port_t, wap_wsp_port_t, wccp_port_t, websm_port_t, whois_port_t, winshadow_port_t, wsdapi_port_t, wsicopy_port_t, xen_port_t, xfs_port_t, xinuexpansion3_port_t, xinuexpansion4_port_t, xodbc_connect_port_t, xserver_port_t, zabbix_agent_port_t, zabbix_port_t, zebra_port_t, zented_port_t, zookeeper_client_port_t, zookeeper_election_port_t, 
zookeeper_leader_port_t, zope_port_t.

*****  Plugin catchall_boolean (7.83 confidence) suggests   ******************

If you want to allow nis to enabled
Then you must tell SELinux about this by enabling the 'nis_enabled' boolean.

Do
setsebool -P nis_enabled 1

*****  Plugin catchall (1.41 confidence) suggests   **************************

If you believe that unbound-anchor should be allowed name_bind access on the port 61000 udp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'unbound-anchor' --raw | audit2allow -M my-unboundanchor
# semodule -X 300 -i my-unboundanchor.pp

Additional Information:
Source Context                system_u:system_r:named_t:s0
Target Context                system_u:object_r:port_t:s0
Target Objects                port 61000 [ udp_socket ]
Source                        unbound-anchor
Source Path                   unbound-anchor
Port                          61000
Host                          localhost
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.3-41.el8_2.2.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost
Platform                      Linux localhost 4.18.0-193.el8.x86_64 #1 SMP Fri Mar 27 14:35:58 UTC 2020 x86_64 x86_64
Alert Count                   1
First Seen                    2020-05-02 15:11:35 CEST
Last Seen                     2020-05-02 15:11:35 CEST
Local ID                      ee2a2c0e-2bb3-42ed-966a-1af4fb01a009

Raw Audit Messages
type=AVC msg=audit(1588425095.107:63): avc:  denied  { name_bind } for  pid=2018 comm="unbound-anchor" src=61000 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket permissive=0

Hash: unbound-anchor,named_t,port_t,udp_socket,name_bind
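Triage of the denial above, as an added example that is not part of the report or of unbound: it parses the raw AVC line, looks the denied port up in a port-label table and reports whether the port carried a labelled type or fell back to the generic port_t, which is what the tcontext in the report shows. The AVC line is the one from the report; the label table is a constructed sample in the shape of `semanage port -l` output whose ranges are assumed for illustration, so run `semanage port -l` to get the real table for your policy. The point of the check is that a port_t target means the policy labels nothing at that port, so the durable fix is to keep the daemon inside a labelled range (or label the port with an appropriate type), rather than the audit2allow route from the catchall plugin, which would let named_t bind any unlabelled port.

```python
"""Triage an SELinux name_bind denial against the policy's port labels.

Added example, not part of the bug report. AVC_LINE is the raw audit line
from the report; SAMPLE_PORT_LABELS is a constructed sample in the shape of
`semanage port -l` output (run that command to get your host's real table).
"""
import re

AVC_LINE = (
    "type=AVC msg=audit(1588425095.107:63): avc:  denied  { name_bind } for  "
    'pid=2018 comm="unbound-anchor" src=61000 scontext=system_u:system_r:named_t:s0 '
    "tcontext=system_u:object_r:port_t:s0 tclass=udp_socket permissive=0"
)

# Constructed sample; the ranges are illustrative, not a statement about any policy version.
SAMPLE_PORT_LABELS = """\
SELinux Port Type              Proto    Port Number
dns_port_t                     udp      53, 5353
ephemeral_port_t               udp      32768-60999
unreserved_port_t              udp      1024-32767, 61001-65535
"""


def parse_avc(line):
    """Return the AVC record's fields as a dict (permissions as a list, ints where sensible)."""
    m = re.search(
        r"msg=audit\((\d+\.\d+):(\d+)\).*?avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$", line
    )
    if not m:
        raise ValueError("not an AVC denial record")
    rec = {"time": float(m.group(1)), "serial": int(m.group(2)), "perms": m.group(3).split()}
    for key, val in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(4)):
        rec[key] = val.strip('"')
    for key in ("pid", "src", "permissive"):
        if key in rec:
            rec[key] = int(rec[key])
    # A context is user:role:type:level; the type is what the policy rules are written against.
    rec["sdomain"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def parse_port_labels(text):
    """Parse `semanage port -l`-style lines into [(type, proto, [(lo, hi), ...])]."""
    labels = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3 or parts[1] not in ("tcp", "udp"):
            continue  # header or blank line
        ranges = []
        for item in parts[2].split(","):
            lo, _, hi = item.strip().partition("-")
            ranges.append((int(lo), int(hi or lo)))
        labels.append((parts[0], parts[1], ranges))
    return labels


def label_for(port, proto, labels):
    """Type a port carries; anything the policy does not list falls back to the generic port_t."""
    for ptype, pproto, ranges in labels:
        if pproto == proto and any(lo <= port <= hi for lo, hi in ranges):
            return ptype
    return "port_t"


def neighbours(port, proto, labels):
    """Nearest labelled ranges below and above an unlabelled port, to show the gap it sits in."""
    below = above = None
    for ptype, pproto, ranges in labels:
        if pproto != proto:
            continue
        for lo, hi in ranges:
            if hi < port and (below is None or hi > below[1]):
                below = (ptype, hi)
            if lo > port and (above is None or lo < above[1]):
                above = (ptype, lo)
    return below, above


def triage(rec, labels):
    """Explain a name_bind denial: labelled port the domain may not bind, or a gap in the labels?"""
    if "name_bind" not in rec["perms"] or rec["tclass"] not in ("udp_socket", "tcp_socket"):
        return {"kind": "not_a_port_bind", "perms": rec["perms"], "tclass": rec["tclass"]}
    proto = rec["tclass"].split("_")[0]
    port = rec["src"]
    result = {
        "kind": "port_bind_denied",
        "domain": rec["sdomain"],
        "proto": proto,
        "port": port,
        "denied_as": rec["ttype"],
        "label_in_table": label_for(port, proto, labels),
    }
    if result["denied_as"] == "port_t":
        # Generic port_t: the policy labels nothing here. Fix the daemon's port range or
        # label the port; do not grant the domain name_bind on port_t via audit2allow.
        result["kind"] = "unlabelled_port"
        result["below"], result["above"] = neighbours(port, proto, labels)
    return result


if __name__ == "__main__":
    verdict = triage(parse_avc(AVC_LINE), parse_port_labels(SAMPLE_PORT_LABELS))
    for key, value in verdict.items():
        print(f"{key:15} {value}")
```

With the sample table the verdict for the report's line is an unlabelled UDP port 61000 requested by named_t, sitting between the labelled ranges ending at 60999 and starting at 61001; on a real host replace SAMPLE_PORT_LABELS with the output of `semanage port -l` before trusting the neighbour information.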

Comment 1 Zdenek Pytela 2020-05-04 10:10:06 UTC
Switching the component to unbound.

Comment 4 aegorenk 2020-06-29 13:52:06 UTC
Issue created in upstream:
https://github.com/NLnetLabs/unbound/issues/257

As a temporary solution, the -C option can be used to specify a path to a configuration file.

Comment 5 Tomáš Hozza 2020-09-23 12:56:04 UTC
*** Bug 1837071 has been marked as a duplicate of this bug. ***

Comment 6 Joachim Frieben 2020-09-27 05:43:25 UTC
This issue does not appear on a freshly installed RHEL 8 system any longer.

Comment 8 Zdenek Pytela 2020-12-01 17:59:44 UTC
*** Bug 1895029 has been marked as a duplicate of this bug. ***

Comment 12 Petr Menšík 2021-01-27 11:20:33 UTC
Proposed change [1] was refused by upstream. We have to clarify better what issues we are trying to fix and why.
I think we have to better explain why we want to use autodetection instead of manual configuration statements.

1. https://github.com/NLnetLabs/unbound/pull/409
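The autodetection discussed in comment 12 and in pull 409 means deriving the outgoing port range from /proc/sys/net/ipv4/ip_local_port_range instead of fixed outgoing-port-permit and outgoing-port-avoid statements. The following added example (not code from unbound, from the pull request or from the report) models the manual check behind that idea: read the kernel range, evaluate a list of outgoing-port statements in the order given (unbound.conf(5) states that multiple permit and avoid statements are processed in order), and list the ports a daemon could pick that lie outside the kernel's ephemeral range. The kernel-range text and the unbound.conf statements are constructed; the evaluation starts from an empty port set unless a start set is passed, so only the explicit statements are modelled, not unbound's built-in default port list.

```python
"""Compare unbound outgoing-port statements with the kernel's ephemeral port range.

Added example, not part of unbound or of the bug report. Inputs are constructed:
KERNEL_RANGE_TEXT stands in for /proc/sys/net/ipv4/ip_local_port_range and
SAMPLE_STATEMENTS for outgoing-port-* lines taken from an unbound.conf.
"""
PORT_MAX = 65535

# Constructed sample of /proc/sys/net/ipv4/ip_local_port_range content (two numbers, tab-separated).
KERNEL_RANGE_TEXT = "32768\t60999\n"

# Constructed unbound.conf fragment whose permit range overshoots the kernel range.
SAMPLE_STATEMENTS = [
    "outgoing-port-avoid: 0-32767",
    "outgoing-port-permit: 32768-61023   # constructed: 24 ports past the kernel range",
]


def parse_local_port_range(text):
    """Parse the sysctl file content into (lo, hi)."""
    lo, hi = (int(x) for x in text.split())
    if not 1 <= lo <= hi <= PORT_MAX:
        raise ValueError(f"implausible ip_local_port_range: {text!r}")
    return lo, hi


def parse_port_spec(spec):
    """'61000' -> (61000, 61000); '32768-60999' -> (32768, 60999)."""
    lo, _, hi = spec.strip().partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not 0 <= lo <= hi <= PORT_MAX:
        raise ValueError(f"bad port spec: {spec!r}")
    return lo, hi


def apply_statements(statements, start=()):
    """Evaluate permit/avoid statements in order over a starting port set and return the result."""
    ports = set(start)
    for raw in statements:
        stmt = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not stmt:
            continue
        key, sep, value = stmt.partition(":")
        if not sep:
            raise ValueError(f"not a 'key: value' statement: {raw!r}")
        lo, hi = parse_port_spec(value)
        key = key.strip()
        if key == "outgoing-port-permit":
            ports.update(range(lo, hi + 1))
        elif key == "outgoing-port-avoid":
            ports.difference_update(range(lo, hi + 1))
        else:
            raise ValueError(f"unknown statement: {key!r}")
    return ports


def ports_outside(ports, kernel_range):
    """Ports the daemon may pick that the kernel itself would never hand out as ephemeral."""
    lo, hi = kernel_range
    return sorted(p for p in ports if p < lo or p > hi)


def statements_for(kernel_range):
    """Manual statements equivalent to following the kernel range, i.e. what autodetection yields."""
    lo, hi = kernel_range
    out = []
    if lo > 0:
        out.append(f"outgoing-port-avoid: 0-{lo - 1}")
    out.append(f"outgoing-port-permit: {lo}-{hi}")
    if hi < PORT_MAX:
        out.append(f"outgoing-port-avoid: {hi + 1}-{PORT_MAX}")
    return out


if __name__ == "__main__":
    kernel = parse_local_port_range(KERNEL_RANGE_TEXT)
    stray = ports_outside(apply_statements(SAMPLE_STATEMENTS), kernel)
    print(f"kernel range {kernel}; {len(stray)} configured ports outside it, first: {stray[:3]}")
    print("statements matching the kernel range:")
    print("\n".join(statements_for(kernel)))
```

On a real host read the kernel range with `cat /proc/sys/net/ipv4/ip_local_port_range` and feed the outgoing-port-* lines from the configuration the process actually loads; for unbound-anchor that is only the file passed with -C, which is the gap comment 4 describes.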

Comment 23 errata-xmlrpc 2021-11-09 18:05:30 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (unbound bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4194

