Description of problem:
Trying to run unbound causes SELinux alerts which can be worked around by the following commands:
    # semanage port -a -t dns_port_t -p tcp 8953
    # grep unbound /var/log/audit/audit.log | audit2allow -M mypol
    # semodule -i mypol.pp
Version-Release number of selected component (if applicable):
unbound-1.4.12-1.fc15
How reproducible:
Install unbound and try to run it using:
    # systemctl start unbound.service
I'm seeing this too, in Fedora 14.
unbound has no selinux policies yet. I hope to add these soon.
*** Bug 747972 has been marked as a duplicate of this bug. ***
Added port 8953 to dns_port_t by default in F16 selinux-policy-3.10.0-47.fc17
I've solved it by disabling the remote control.
unbound.conf
    ...
    # Remote control config section.
    remote-control:
        # Enable remote control with unbound-control(8) here.
        # set up the keys and certificates with unbound-control-setup.
        # Note: required for unbound-munin package
        control-enable: no
    ...
I propose to change the default config of the package to solve this issue. What do you think about it?
Bad idea to "solve" the problem by changing the default config. That just means it will break when the remote-control option is enabled. Fixing the policy is the correct route. Shame it's only in Fedora, not RHEL6.2 !! :) R.
This was fixed in the last few weeks with updates to the selinux-policy package. Please try with the latest (or perhaps the latest from updates-testing at this point) and let me know if you still see any problems. Thanks to Dan Walsh for fixing this with me!