Bug 851289 - unbound not able to bind to port 80, despite dns_port_t set correctly
unbound not able to bind to port 80, despite dns_port_t set correctly
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy (Show other bugs)
6.3
All Linux
medium Severity medium
: rc
: ---
Assigned To: Miroslav Grepl
Michal Trunecka
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-08-23 13:18 EDT by Kevin Fenzi
Modified: 2014-09-30 19:33 EDT (History)
5 users (show)

See Also:
Fixed In Version: selinux-policy-3.7.19-160.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-02-21 03:28:12 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Kevin Fenzi 2012-08-23 13:18:37 EDT
We have a unbound server that needs to listen on port 80/tcp. 

# semanage port -l  | grep dns
dns_port_t                     tcp      80, 443, 8953, 53
dns_port_t                     udp      53
# semanage port -l  | grep http_port_t
http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443
# setenforce 1
# service unbound restart
Stopping unbound:                                          [  OK  ]
Starting unbound: Aug 23 17:05:13 unbound[17141:0] warning: increased limit(open files) from 1024 to 8314
Aug 23 17:05:13 unbound[17141:0] error: can't bind socket: Permission denied
Aug 23 17:05:13 unbound[17141:0] debug: failed address 0.0.0.0 port 80
Aug 23 17:05:13 unbound[17141:0] fatal error: could not open ports
                                                           [FAILED]
# setenforce 0
# service unbound restart
Stopping unbound:                                          [FAILED]
Starting unbound: Aug 23 17:05:26 unbound[17157:0] warning: increased limit(open files) from 1024 to 8314
                                                           [  OK  ]

This was working before, so might be a regression in selinux-policy-3.7.19-155.el6_3
Comment 2 Miroslav Grepl 2012-08-24 03:16:52 EDT
How did you define tcp/80 as dns_port_t?

You did not get

/sbin/semanage: Port tcp/80 already defined

?

We have the

named_bind_http_port

boolean in Fedora which I should backport.
Comment 3 Milos Malik 2012-08-24 05:23:08 EDT
# semanage port -l | grep dns_port_t
dns_port_t                     tcp      8953, 53
dns_port_t                     udp      53
# semanage port -m -p tcp -t dns_port_t 80
# semanage port -l | grep dns_port_t
dns_port_t                     tcp      80, 8953, 53
dns_port_t                     udp      53
#

It is possible to add 80 to dns_port_t even if 80 is already used in http_port_t, but you have to use "semanage port -m ...".

# semanage port -l | grep http_port_t
http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443
pegasus_http_port_t            tcp      5988
#
Comment 4 Milos Malik 2012-08-24 07:25:40 EDT
# setenforce 0
# semodule -DB
# service unbound start
Starting unbound: Aug 24 13:15:04 unbound[12228:0] warning: increased limit(open files) from 1024 to 8266
                                                           [  OK  ]
# ausearch -m avc -ts recent -i
----
type=SOCKADDR msg=audit(08/24/2012 13:13:26.070:36795) : saddr=inet host:0.0.0.0 serv:80 
type=SOCKETCALL msg=audit(08/24/2012 13:13:26.070:36795) : nargs=3 a0=3 a1=970f308 a2=10 
type=SYSCALL msg=audit(08/24/2012 13:13:26.070:36795) : arch=i386 syscall=socketcall(bind) success=yes exit=0 a0=2 a1=bff751c0 a2=810c36c a3=3 items=0 ppid=12169 pid=12170 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=unbound exe=/usr/sbin/unbound subj=unconfined_u:system_r:named_t:s0 key=(null) 
type=AVC msg=audit(08/24/2012 13:13:26.070:36795) : avc:  denied  { name_bind } for  pid=12170 comm=unbound src=80 scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=udp_socket 
----
Comment 5 Milos Malik 2012-08-24 07:45:50 EDT
Default configuration of unbound service wants to bind to port 8953. Maybe dns_port_t definition should include that port number.
Comment 6 Miroslav Grepl 2012-08-24 07:56:09 EDT
We have 

semanage port -l |grep 8953
rndc_port_t                    tcp      953, 8953

in Fedora.

Need to backport it.
Comment 7 Miroslav Grepl 2012-08-26 13:13:53 EDT
Fixed in selinux-policy-3.7.19-160.el6
Comment 10 errata-xmlrpc 2013-02-21 03:28:12 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0314.html

Note You need to log in before you can comment on or make changes to this bug.