We have an unbound server that needs to listen on port 80/tcp.

# semanage port -l | grep dns
dns_port_t                     tcp      80, 443, 8953, 53
dns_port_t                     udp      53
# semanage port -l | grep http_port_t
http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443
# setenforce 1
# service unbound restart
Stopping unbound:                                          [  OK  ]
Starting unbound: Aug 23 17:05:13 unbound[17141:0] warning: increased limit(open files) from 1024 to 8314
Aug 23 17:05:13 unbound[17141:0] error: can't bind socket: Permission denied
Aug 23 17:05:13 unbound[17141:0] debug: failed address 0.0.0.0 port 80
Aug 23 17:05:13 unbound[17141:0] fatal error: could not open ports
                                                           [FAILED]
# setenforce 0
# service unbound restart
Stopping unbound:                                          [FAILED]
Starting unbound: Aug 23 17:05:26 unbound[17157:0] warning: increased limit(open files) from 1024 to 8314
                                                           [  OK  ]

This was working before, so it might be a regression in selinux-policy-3.7.19-155.el6_3.
How did you define tcp/80 as dns_port_t? Did you not get "/sbin/semanage: Port tcp/80 already defined"? We have the named_bind_http_port boolean in Fedora, which I should backport.
# semanage port -l | grep dns_port_t
dns_port_t                     tcp      8953, 53
dns_port_t                     udp      53
# semanage port -m -p tcp -t dns_port_t 80
# semanage port -l | grep dns_port_t
dns_port_t                     tcp      80, 8953, 53
dns_port_t                     udp      53
#

It is possible to add 80 to dns_port_t even if 80 is already used in http_port_t, but you have to use "semanage port -m ...".

# semanage port -l | grep http_port_t
http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443
pegasus_http_port_t            tcp      5988
#
# setenforce 0
# semodule -DB
# service unbound start
Starting unbound: Aug 24 13:15:04 unbound[12228:0] warning: increased limit(open files) from 1024 to 8266
                                                           [  OK  ]
# ausearch -m avc -ts recent -i
----
type=SOCKADDR msg=audit(08/24/2012 13:13:26.070:36795) : saddr=inet host:0.0.0.0 serv:80
type=SOCKETCALL msg=audit(08/24/2012 13:13:26.070:36795) : nargs=3 a0=3 a1=970f308 a2=10
type=SYSCALL msg=audit(08/24/2012 13:13:26.070:36795) : arch=i386 syscall=socketcall(bind) success=yes exit=0 a0=2 a1=bff751c0 a2=810c36c a3=3 items=0 ppid=12169 pid=12170 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=unbound exe=/usr/sbin/unbound subj=unconfined_u:system_r:named_t:s0 key=(null)
type=AVC msg=audit(08/24/2012 13:13:26.070:36795) : avc: denied { name_bind } for pid=12170 comm=unbound src=80 scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=udp_socket
----
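An added example, not from the bug report or from selinux-policy: a POSIX shell helper that parses "semanage port -l" output and tells whether a port/protocol is already owned by the wanted type, needs "semanage port -m" because an explicit record with another type exists (the tcp/80 case in the previous comment), or has no record of its own and takes "semanage port -a" (the udp/80 case in the AVC above, where the port only falls under the reserved_port_t default). SEMANAGE_OUT is constructed sample output modelled on the listings in this thread; on a real host replace it with "$(semanage port -l)".

```shell
#!/bin/sh
# Constructed sample of "semanage port -l" output (not captured from the
# reporter's host); the reserved_port_t range is the default context that
# the AVC above reports for udp/80.
SEMANAGE_OUT='dns_port_t                     tcp      8953, 53
dns_port_t                     udp      53
http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443
pegasus_http_port_t            tcp      5988
reserved_port_t                udp      1-511'

# port_types PORT PROTO -> one "TYPE exact" or "TYPE range" line per owner
port_types() {
    port=$1; proto=$2
    printf '%s\n' "$SEMANAGE_OUT" | while read -r type p rest; do
        [ "$p" = "$proto" ] || continue
        # entries are comma-separated single ports or low-high ranges
        for entry in $(printf '%s' "$rest" | tr ',' ' '); do
            case $entry in
                *-*) low=${entry%-*}; high=${entry#*-}
                     if [ "$port" -ge "$low" ] && [ "$port" -le "$high" ]; then
                         echo "$type range"
                     fi ;;
                *)   if [ "$entry" -eq "$port" ]; then
                         echo "$type exact"
                     fi ;;
            esac
        done
    done
}

# port_action PORT PROTO WANTED_TYPE -> the semanage command to run, if any
port_action() {
    port=$1; proto=$2; want=$3
    owners=$(port_types "$port" "$proto")
    if printf '%s\n' "$owners" | grep -q "^$want "; then
        echo "$port/$proto already labelled $want"
    elif printf '%s\n' "$owners" | grep -q ' exact$'; then
        # an explicit record with another type exists: -a fails with
        # "already defined", so the existing record is modified with -m
        echo "semanage port -m -p $proto -t $want $port"
    else
        # no record of its own (at most covered by a default range such as
        # reserved_port_t 1-511): a new record is added with -a
        echo "semanage port -a -p $proto -t $want $port"
    fi
}

port_action 80 tcp dns_port_t
port_action 80 udp dns_port_t
```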
The default configuration of the unbound service wants to bind to port 8953. Maybe the dns_port_t definition should include that port number.
We have

# semanage port -l | grep 8953
rndc_port_t                    tcp      953, 8953

in Fedora. Need to backport it.
Fixed in selinux-policy-3.7.19-160.el6
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-0314.html