Bug 732833 - unbound triggers SELinux alerts
Summary: unbound triggers SELinux alerts
Alias: None
Product: Fedora
Classification: Fedora
Component: unbound
Version: 15
Hardware: Unspecified
OS: Linux
Target Milestone: ---
Assignee: Paul Wouters
QA Contact: Fedora Extras Quality Assurance
Duplicates: 747972
Depends On:
Reported: 2011-08-23 19:52 UTC by Debarshi Ray
Modified: 2012-04-16 21:32 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2012-04-16 21:32:21 UTC


Description Debarshi Ray 2011-08-23 19:52:10 UTC
Description of problem:
Trying to run unbound causes SELinux alerts which can be worked around by the following commands:

# semanage port -a -t dns_port_t -p tcp 8953

# grep unbound /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Version-Release number of selected component (if applicable):

How reproducible:
Install unbound and try to run it using:
# systemctl start unbound.service
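
Added example, not part of the original report: before loading a module built with the grep/audit2allow pipeline above, the denials can be summarized so that only records whose comm field is unbound are counted and port-binding denials are separated out as candidates for a port label. The log lines and the SELinux types in them (named_t, port_t, var_log_t, etc_t, example_t) are constructed assumptions for illustration.

```python
import re
from collections import Counter

# Constructed AVC records in audit.log format (not taken from the bug report).
# The SELinux types used here are assumptions; example_t is hypothetical.
SAMPLE_LOG = '''\
type=AVC msg=audit(1314129130.101:201): avc:  denied  { name_bind } for  pid=2101 comm="unbound" src=8953 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1314129190.440:215): avc:  denied  { name_bind } for  pid=2155 comm="unbound" src=8953 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1314129131.007:202): avc:  denied  { read write } for  pid=2101 comm="unbound" name="unbound.log" dev=dm-0 ino=4242 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1314129300.900:230): avc:  denied  { getattr } for  pid=2300 comm="cat" path="/etc/unbound/unbound.conf" dev=dm-0 ino=77 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PROTO = {"tcp_socket": "tcp", "udp_socket": "udp"}

def parse_avc(line):
    """Return a dict for a denied AVC record, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    return rec

def summarize(log_text, comm):
    """Count denials whose comm field is exactly `comm`."""
    # A plain `grep unbound` also matches records that only mention the word
    # (for example in a path); filtering on comm keeps those out of the module.
    counts = Counter()
    for rec in filter(None, map(parse_avc, log_text.splitlines())):
        if rec.get("comm") != comm:
            continue
        src_type = rec["scontext"].split(":")[2]
        tgt_type = rec["tcontext"].split(":")[2]
        for perm in rec["perms"]:
            counts[(perm, rec["tclass"], src_type, tgt_type, rec.get("src"))] += 1
    return counts

def port_label_candidates(counts):
    """name_bind denials: candidates for a port label instead of an allow rule."""
    return sorted({(PROTO[k[1]], int(k[4])) for k in counts
                   if k[0] == "name_bind" and k[1] in PROTO and k[4]})

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG, "unbound")
    for key, n in sorted(summary.items(), key=str):
        print(n, key)
    print("port labels to review:", port_label_candidates(summary))
```

Whatever remains in the summary after the port candidates are set aside is what a generated module would end up allowing, so it can be read line by line before running semodule.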

Comment 1 Scott Schmit 2011-09-03 02:53:36 UTC
I'm seeing this too, in Fedora 14.

Comment 2 Paul Wouters 2011-09-22 02:29:07 UTC
unbound has no SELinux policies yet. I hope to add these soon.

Comment 3 François Kooman 2011-10-21 15:13:11 UTC
*** Bug 747972 has been marked as a duplicate of this bug. ***

Comment 4 Daniel Walsh 2011-10-21 15:20:38 UTC
Added port 8953 to dns_port_t by default in F16


Comment 5 Greg 2011-11-24 08:31:07 UTC
I've solved it by disabling the remote control.

        # Remote control config section.
        # Enable remote control with unbound-control(8) here.
        # set up the keys and certificates with unbound-control-setup.
        # Note: required for unbound-munin package
        control-enable: no

I propose to change the default config of the package to solve this issue. What do you think about it?

Comment 6 Robin Bowes 2011-12-07 15:37:15 UTC
Bad idea to "solve" the problem by changing the default config.

That just means it will break when the remote-control option is enabled.

Fixing the policy is the correct route. Shame it's only in Fedora, not RHEL6.2 !! :)


Comment 7 Paul Wouters 2012-02-28 02:25:38 UTC
This was fixed in the last few weeks with updates to the selinux-policy package. Please try with the latest (or perhaps the latest from updates-testing at this point) and let me know if you still see any problems.

Thanks to Dan Walsh for fixing this with me!
