Description of problem:
Hi. Say one has this:

launch=gmysql
gmysql-host=localhost
gmysql-dbname=powerdns
gmysql-user=powerdns_user
gmysql-password=twooczek9897#dns
gmysql-dnssec=yes

Such 'pdns' will start & run OK, but if I add this:

master=yes

then:

...
Primary/secondary communicator launching
Creating backend connection for TCP
Exiting because communicator thread died with error: Resolver binding to local UDP socket on '0.0.0.0': Permission denied
About to create 3 backend threads for UDP

'pdns' start is slightly delayed, eventually starts, but that denial floods the journal log.
nis_enabled=1 seems to help, seems to silence "..Permission denied" - but I wonder if there is or could be a better "fix" for this issue.
many thanks, L.

Version-Release number of selected component (if applicable):
pdns-4.8.1-1.el9.x86_64

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
Hi, please reproduce the issue in permissive mode with full auditing enabled and attach SELinux denials:

Permissive mode:
# setenforce 0

Full audit:
1) Open the /etc/audit/rules.d/audit.rules file in an editor.
2) Remove the following line if it exists:
-a task,never
3) Add the following line to the end of the file:
-w /etc/shadow -p w
4) Restart the audit daemon:
# service auditd restart
5) Re-run your scenario.
6) Collect AVC denials:
# ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
A lot of SELinux denials appear in enforcing mode:
----
type=PROCTITLE msg=audit(08/10/2023 04:29:12.542:5938) : proctitle=/usr/sbin/pdns_server --guardian=no --daemon=no --disable-syslog --log-timestamp=no --write-pid=no
type=SOCKADDR msg=audit(08/10/2023 04:29:12.542:5938) : saddr={ saddr_fam=inet laddr=0.0.0.0 lport=17055 }
type=SYSCALL msg=audit(08/10/2023 04:29:12.542:5938) : arch=x86_64 syscall=bind success=no exit=EACCES(Permission denied) a0=0x12 a1=0x7f24affa04d0 a2=0x10 a3=0x7f24aff9fa60 items=0 ppid=1 pid=10202 auid=unset uid=pdns gid=pdns euid=pdns suid=pdns fsuid=pdns egid=pdns sgid=pdns fsgid=pdns tty=(none) ses=unset comm=pdns/comm-main exe=/usr/sbin/pdns_server subj=system_u:system_r:pdns_t:s0 key=(null)
type=AVC msg=audit(08/10/2023 04:29:12.542:5938) : avc: denied { name_bind } for pid=10202 comm=pdns/comm-main src=17055 scontext=system_u:system_r:pdns_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=0
----
Each of them has a different source port (src=...)

# ausearch -m avc -m user_avc -i | audit2allow

#!!!! This avc can be allowed using the boolean 'nis_enabled'
allow pdns_t unreserved_port_t:udp_socket name_bind;

After enabling the nis_enabled boolean, the pdns service starts and runs successfully. The following error message does not appear anymore:
pdns_server[...]: Exiting because communicator thread died with error: Resolver binding to local UDP socket on '0.0.0.0': Permission denied
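The comment above makes the practical point that a flood of AVC records which differ only in the ephemeral source port collapses to a single policy rule, which is what audit2allow prints. As an added example (not part of this bug report or of selinux-policy), the script below parses `ausearch -i` style AVC lines, groups denials by source type, target type, object class and permission set, and records how many ephemeral ports each group covered, so a reviewer can see at a glance that one `name_bind` on `unreserved_port_t` explains every line in the journal. The two AVC records embedded as input are constructed from the format shown in the comment; the second port value is invented for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in `ausearch -i` format: two AVC denials that differ only in
# the ephemeral source port, plus a non-AVC record that the parser must skip.
SAMPLE_AUSEARCH = """\
type=AVC msg=audit(08/10/2023 04:29:12.542:5938) : avc:  denied  { name_bind } for  pid=10202 comm=pdns/comm-main src=17055 scontext=system_u:system_r:pdns_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=0
type=AVC msg=audit(08/10/2023 04:29:13.101:5941) : avc:  denied  { name_bind } for  pid=10202 comm=pdns/comm-main src=40212 scontext=system_u:system_r:pdns_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=0
type=SYSCALL msg=audit(08/10/2023 04:29:12.542:5938) : arch=x86_64 syscall=bind success=no exit=EACCES(Permission denied)
"""

# One AVC record: decision, permission set, and the three fields that define a rule.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)"
    r".*?tcontext=(?P<tcontext>\S+)"
    r".*?tclass=(?P<tclass>\S+)"
)
SRC_RE = re.compile(r"\bsrc=(\d+)")


def parse_avc(line):
    """Return a dict for an AVC line, or None for any other audit record type."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = tuple(sorted(rec["perms"].split()))
    src = SRC_RE.search(line)
    rec["src"] = int(src.group(1)) if src else None
    return rec


def type_from_context(ctx):
    """Extract the type component from user:role:type[:level]."""
    return ctx.split(":")[2]


def summarize(text):
    """Group denials by (source type, target type, class, perms).

    Each group records how many records it absorbed and which source ports
    appeared, which is how port-distinct denials are shown to be one rule.
    """
    groups = defaultdict(lambda: {"count": 0, "ports": set()})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied":
            continue
        key = (
            type_from_context(rec["scontext"]),
            type_from_context(rec["tcontext"]),
            rec["tclass"],
            rec["perms"],
        )
        groups[key]["count"] += 1
        if rec["src"] is not None:
            groups[key]["ports"].add(rec["src"])
    return dict(groups)


def allow_rules(summary):
    """Render each group as the allow rule audit2allow would print for it."""
    rules = []
    for stype, ttype, tclass, perms in sorted(summary):
        perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_text};")
    return rules


if __name__ == "__main__":
    summary = summarize(SAMPLE_AUSEARCH)
    for key, info in summary.items():
        print(key, "records:", info["count"], "ports:", sorted(info["ports"]))
    for rule in allow_rules(summary):
        print(rule)
```

Run against a real `ausearch -i -m avc -ts today` capture, the grouping shows whether a long list of denials is one recurring access (a boolean such as nis_enabled or a single policy rule fixes it) or several distinct ones that each need their own look.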
PR: https://github.com/fedora-selinux/selinux-policy/pull/1819
*** This bug has been marked as a duplicate of bug 2047945 ***