Bug 851289 - unbound not able to bind to port 80, despite dns_port_t set correctly
Summary: unbound not able to bind to port 80, despite dns_port_t set correctly
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.3
Hardware: All
OS: Linux
medium
medium
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: Michal Trunecka
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-08-23 17:18 UTC by Kevin Fenzi
Modified: 2014-09-30 23:33 UTC (History)
5 users (show)

Fixed In Version: selinux-policy-3.7.19-160.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-02-21 08:28:12 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2013:0314 0 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2013-02-20 20:35:01 UTC

Description Kevin Fenzi 2012-08-23 17:18:37 UTC
We have a unbound server that needs to listen on port 80/tcp. 

# semanage port -l  | grep dns
dns_port_t                     tcp      80, 443, 8953, 53
dns_port_t                     udp      53
# semanage port -l  | grep http_port_t
http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443
# setenforce 1
# service unbound restart
Stopping unbound:                                          [  OK  ]
Starting unbound: Aug 23 17:05:13 unbound[17141:0] warning: increased limit(open files) from 1024 to 8314
Aug 23 17:05:13 unbound[17141:0] error: can't bind socket: Permission denied
Aug 23 17:05:13 unbound[17141:0] debug: failed address 0.0.0.0 port 80
Aug 23 17:05:13 unbound[17141:0] fatal error: could not open ports
                                                           [FAILED]
# setenforce 0
# service unbound restart
Stopping unbound:                                          [FAILED]
Starting unbound: Aug 23 17:05:26 unbound[17157:0] warning: increased limit(open files) from 1024 to 8314
                                                           [  OK  ]

This was working before, so might be a regression in selinux-policy-3.7.19-155.el6_3

Comment 2 Miroslav Grepl 2012-08-24 07:16:52 UTC
How did you define tcp/80 as dns_port_t?

You did not get

/sbin/semanage: Port tcp/80 already defined

?

We have the

named_bind_http_port

boolean in Fedora which I should backport.

Comment 3 Milos Malik 2012-08-24 09:23:08 UTC
# semanage port -l | grep dns_port_t
dns_port_t                     tcp      8953, 53
dns_port_t                     udp      53
# semanage port -m -p tcp -t dns_port_t 80
# semanage port -l | grep dns_port_t
dns_port_t                     tcp      80, 8953, 53
dns_port_t                     udp      53
#

It is possible to add 80 to dns_port_t even if 80 is already used in http_port_t, but you have to use "semanage port -m ...".

# semanage port -l | grep http_port_t
http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443
pegasus_http_port_t            tcp      5988
#

Comment 4 Milos Malik 2012-08-24 11:25:40 UTC
# setenforce 0
# semodule -DB
# service unbound start
Starting unbound: Aug 24 13:15:04 unbound[12228:0] warning: increased limit(open files) from 1024 to 8266
                                                           [  OK  ]
# ausearch -m avc -ts recent -i
----
type=SOCKADDR msg=audit(08/24/2012 13:13:26.070:36795) : saddr=inet host:0.0.0.0 serv:80 
type=SOCKETCALL msg=audit(08/24/2012 13:13:26.070:36795) : nargs=3 a0=3 a1=970f308 a2=10 
type=SYSCALL msg=audit(08/24/2012 13:13:26.070:36795) : arch=i386 syscall=socketcall(bind) success=yes exit=0 a0=2 a1=bff751c0 a2=810c36c a3=3 items=0 ppid=12169 pid=12170 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=unbound exe=/usr/sbin/unbound subj=unconfined_u:system_r:named_t:s0 key=(null) 
type=AVC msg=audit(08/24/2012 13:13:26.070:36795) : avc:  denied  { name_bind } for  pid=12170 comm=unbound src=80 scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=udp_socket 
----

Comment 5 Milos Malik 2012-08-24 11:45:50 UTC
Default configuration of unbound service wants to bind to port 8953. Maybe dns_port_t definition should include that port number.

Comment 6 Miroslav Grepl 2012-08-24 11:56:09 UTC
We have 

semanage port -l |grep 8953
rndc_port_t                    tcp      953, 8953

in Fedora.

Need to backport it.

Comment 7 Miroslav Grepl 2012-08-26 17:13:53 UTC
Fixed in selinux-policy-3.7.19-160.el6

Comment 10 errata-xmlrpc 2013-02-21 08:28:12 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0314.html


Note You need to log in before you can comment on or make changes to this bug.