It appears that named tried to open source port 2605 (earmarked to quagga) more or less by accident, which would have caused an SELinux failure. Named has a lot of ports open, probably in order to make query IDs and ports less prone to DNS response spoofing attacks. Below is a list on my home server.

tcp        0      0 192.168.1.2:53          0.0.0.0:*               LISTEN      26027/named
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      26027/named
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      26027/named
tcp        0      0 ::1:53                  :::*                    LISTEN      26027/named
tcp        0      0 ::1:953                 :::*                    LISTEN      26027/named
udp        0      0 0.0.0.0:42758           0.0.0.0:*                           26027/named
udp        0      0 0.0.0.0:26133           0.0.0.0:*                           26027/named
udp        0      0 0.0.0.0:7588            0.0.0.0:*                           26027/named
udp        0      0 0.0.0.0:50474           0.0.0.0:*                           26027/named
udp        0      0 0.0.0.0:60587           0.0.0.0:*                           26027/named
udp        0      0 0.0.0.0:1581            0.0.0.0:*                           26027/named
udp        0      0 192.168.1.2:53          0.0.0.0:*                           26027/named
udp        0      0 127.0.0.1:53            0.0.0.0:*                           26027/named
udp        0      0 0.0.0.0:36282           0.0.0.0:*                           26027/named
udp        0      0 0.0.0.0:5438            0.0.0.0:*                           26027/named
udp        0      0 0.0.0.0:30784           0.0.0.0:*                           26027/named
udp        0      0 0.0.0.0:33472           0.0.0.0:*                           26027/named
udp        0      0 0.0.0.0:38086           0.0.0.0:*                           26027/named
udp        0      0 0.0.0.0:33099           0.0.0.0:*                           26027/named
udp        0      0 0.0.0.0:37074           0.0.0.0:*                           26027/named
udp        0      0 0.0.0.0:45911           0.0.0.0:*                           26027/named
udp        0      0 0.0.0.0:51550           0.0.0.0:*                           26027/named
udp        0      0 0.0.0.0:30705           0.0.0.0:*                           26027/named
udp        0      0 0.0.0.0:1656            0.0.0.0:*                           26027/named
udp        0      0 :::5763                 :::*                                26027/named
udp        0      0 :::34310                :::*                                26027/named
udp        0      0 :::6537                 :::*                                26027/named
udp        0      0 :::11667                :::*                                26027/named
udp        0      0 :::1701                 :::*                                26027/named
udp        0      0 :::30246                :::*                                26027/named
udp        0      0 :::35754                :::*                                26027/named
udp        0      0 :::26029                :::*                                26027/named
udp        0      0 :::19503                :::*                                26027/named
udp        0      0 ::1:53                  :::*                                26027/named
udp        0      0 :::40763                :::*                                26027/named
udp        0      0 :::33100                :::*                                26027/named
udp        0      0 :::52441                :::*                                26027/named
udp        0      0 :::41580                :::*                                26027/named
udp        0      0 :::11248                :::*                                26027/named
udp        0      0 :::46321                :::*                                26027/named
udp        0      0 :::53241                :::*                                26027/named
udp        0      0 :::58107                :::*                                26027/named

=============

Summary:

SELinux is preventing named(/usr/sbin/named) (named_t) "name_bind" to <Unknown> (bgp_port_t).

Detailed Description:

[SELinux in permissive mode, the operation would have been denied but was permitted due to enforcing mode.]

SELinux denied access requested by named(/usr/sbin/named). It is not expected that this access is required by named(/usr/sbin/named) and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                unconfined_u:system_r:named_t
Target Context                system_u:object_r:bgp_port_t
Target Objects                None [ udp_socket ]
Source                        named(/usr/sbin/named)
Port                          2605
Host                          gap.netcore.fi
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.0.8-83.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     gap.netcore.fi
Platform                      Linux gap.netcore.fi 2.6.23.14-107.fc8 #1 SMP Mon Jan 14 21:37:30 EST 2008 i686 athlon
Alert Count                   1
First Seen                    Mon 11 Feb 2008 07:47:01 AM EET
Last Seen                     Mon 11 Feb 2008 07:47:01 AM EET
Local ID                      cc35bb73-032c-411c-a92e-c9582ade92f3
Line Numbers

Raw Audit Messages

host=gap.netcore.fi type=AVC msg=audit(1202708821.728:3693): avc: denied { name_bind } for pid=26028 comm="named" src=2605 scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:bgp_port_t:s0 tclass=udp_socket

host=gap.netcore.fi type=SYSCALL msg=audit(1202708821.728:3693): arch=40000003 syscall=102 success=yes exit=0 a0=2 a1=b7ed8f00 a2=46c214 a3=b7f14588 items=0 ppid=1 pid=26028 auid=500 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) comm="named" exe="/usr/sbin/named" subj=unconfined_u:system_r:named_t:s0 key=(null)
Yes, this is one of the few ports that this could happen to. Fixed in selinux-policy-3.0.8-84.fc8.

SELinux labels ports < 1024 as reserved_port_type, but a few ports > 1024 ended up with this label if they had ports also defined < 1024.

network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0)

So bgp_port_t has some ports < 1024 and some greater, which causes the problem.
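The two pieces of this thread, the long list of randomised source ports that named binds and the maintainer's explanation of why bgp_port_t is a problem, can be checked mechanically. The script below is an added example, not code from the bug report or from the selinux-policy package: it parses network_port() declarations of the form quoted above, flags port types that mix reserved (< 1024) and unreserved ports, then reads netstat -p style rows and reports which high ports a daemon has bound that land on such a type. The bgp declaration and most netstat rows are copied from the report; the dns declaration, the 1023 reserved boundary and the pid 26028 row on port 2605 are assumptions constructed for the example.

```python
"""Added example (not part of the bug report): find SELinux port types that
mix reserved and unreserved ports, and check a daemon's bound ports against
them.  The netstat rows and the bgp declaration are from the report; the rest
of the sample input is constructed."""
import re

RESERVED_MAX = 1023  # assumption: ports <= 1023 are the reserved range

# network_port(name, proto,port,mls, proto,port,mls, ...)
# The bgp line is the one quoted by the maintainer; dns is a constructed
# contrast entry (both of its ports are reserved, so it is not a problem).
NETWORK_PORT_DECLS = """
network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0)
network_port(dns, tcp,53,s0, udp,53,s0)
"""

# A few rows from the reporter's netstat listing plus one constructed row for
# the process (pid 26028) that the AVC message shows binding UDP 2605.
SAMPLE_NETSTAT = """
tcp        0      0 192.168.1.2:53          0.0.0.0:*               LISTEN      26027/named
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      26027/named
udp        0      0 0.0.0.0:42758           0.0.0.0:*                           26027/named
udp        0      0 0.0.0.0:1581            0.0.0.0:*                           26027/named
udp        0      0 :::5763                 :::*                                26027/named
udp        0      0 ::1:53                  :::*                                26027/named
udp        0      0 0.0.0.0:2605            0.0.0.0:*                           26028/named
udp        0      0 0.0.0.0:1701            0.0.0.0:*                           4242/otherd
"""

_DECL_RE = re.compile(r"network_port\(\s*(\w+)\s*,(.*)\)")


def parse_network_ports(text):
    """Return {type_name: {(proto, port), ...}} from network_port() lines."""
    types = {}
    for line in text.splitlines():
        m = _DECL_RE.search(line)
        if not m:
            continue
        name, rest = m.group(1), m.group(2)
        fields = [f.strip() for f in rest.split(",")]
        ports = set()
        # fields come in triples: protocol, port number, MLS level
        for i in range(0, len(fields) - 2, 3):
            ports.add((fields[i], int(fields[i + 1])))
        types[name + "_port_t"] = ports
    return types


def mixed_reserved_types(types):
    """Port types holding both a reserved and an unreserved port.

    This is the situation the maintainer describes: the whole type ends up
    treated as reserved, so the high ports in it become off-limits to a domain
    that is only allowed to bind unreserved ports."""
    out = {}
    for name, ports in types.items():
        low = {p for p in ports if p[1] <= RESERVED_MAX}
        high = {p for p in ports if p[1] > RESERVED_MAX}
        if low and high:
            out[name] = sorted(high)
    return out


def daemon_high_ports(netstat_text, program="named"):
    """(proto, port) pairs that `program` has bound above the reserved range."""
    bound = set()
    for line in netstat_text.splitlines():
        f = line.split()
        # last column is pid/program; local address is the 4th column
        if len(f) < 5 or not f[-1].endswith("/" + program):
            continue
        proto = f[0].rstrip("6")
        port = int(f[3].rsplit(":", 1)[1])
        if port > RESERVED_MAX:
            bound.add((proto, port))
    return bound


def colliding_ports(bound, mixed):
    """Bound high ports that fall on a mixed reserved/unreserved port type."""
    hits = []
    for tname, high in mixed.items():
        for pp in high:
            if pp in bound:
                hits.append((pp[0], pp[1], tname))
    return sorted(hits)


if __name__ == "__main__":
    mixed = mixed_reserved_types(parse_network_ports(NETWORK_PORT_DECLS))
    print("mixed port types:", mixed)
    bound = daemon_high_ports(SAMPLE_NETSTAT)
    print("named high ports:", sorted(bound))
    print("collisions:", colliding_ports(bound, mixed))
```

Run against real data, feed it the network_port() lines from the policy's corenetwork.te.in and the output of netstat -anp (or ss -anp after adjusting the column handling); any collision it reports is a port a randomising resolver can land on by chance and that the policy will deny in enforcing mode, which is exactly the kind of AVC the reporter saw.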
Closing all bugs that have been in modified for over a month. Please reopen if the bug is not actually fixed.