On Thursday 21 February 2013 11:25:44 Robert Moskowitz wrote:
On 02/21/2013 04:30 AM, James Hogarth wrote:
On 21 February 2013 01:28, Robert Moskowitz rgm@htt-consult.com wrote:
It looks like no system, internal or external could access the DNS on my new server. IPTABLES was set for 53 both UDP and TCP. Firewall was OK. In fact a local system on the same subnet, thus NOT going through my firewall was denied access to the internal domain. Localhost of course works.
So it is either the Linux firewall and bind port randomization, or it is SELINUX. How do I test to find out which?
Since the new server is on the same IP address as the old, it is unplugged from the switch. I can switch back and forth between the two boxes, only taking the time for ARP table updates.
So I hope someone can point me to what I have missed.
audit2allow -a will tell you if it's selinux ... and specifically what is wrong...
Great. I have to make notes on how to test about selinux reporting.
A quick test would be getenforce Permissive and restarting bind ...
Hi,
setenforce 0 sets SELinux to permissive
setenforce 1 sets it to enforcing
sestatus to check the current status
You can use the following to build a custom SElinux module
# Generate local policy
grep http /var/log/audit/audit.log | audit2allow -m myhttp > myhttp.te
# could also use grep http to just get the http AVC

# Compile the module
checkmodule -M -m -o local.mod myhttp.te

# Create the package
semodule_package -o myhttp.pp -m local.mod

# Load the module into the kernel
semodule -i myhttp.pp
Tony
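The module-building procedure Tony describes, as an added example that is not code from the thread: it narrows the audit log to AVC denials for one process (here bind's named, the service Robert is actually debugging) by matching the comm= field rather than a loose "grep http", counts them as a quick "is SELinux involved?" check, and then runs the same audit2allow / checkmodule / semodule_package / semodule chain. The function names, the "my<comm>" module name and the audit records are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original thread). Sample audit records below
# are constructed; the build chain is the one posted in the thread.

# AVC denial records for process $1 in audit log $2 (matches comm="$1").
avc_denials_for() {
    grep 'type=AVC' "$2" | grep 'denied' | grep "comm=\"$1\""
}

# Number of such denials; zero suggests SELinux is not the culprit.
avc_count_for() {
    avc_denials_for "$1" "$2" | wc -l | tr -d ' '
}

# Build and load a local policy module from those denials.
# Needs policycoreutils: audit2allow, checkmodule, semodule_package, semodule.
# Module name "my<comm>" is an assumption of this example.
build_module_for() {
    comm="$1"; log="$2"; mod="my$1"
    for t in audit2allow checkmodule semodule_package semodule; do
        command -v "$t" >/dev/null 2>&1 || { echo "$t not found" >&2; return 1; }
    done
    avc_denials_for "$comm" "$log" | audit2allow -m "$mod" > "$mod.te" || return 1
    # Read $mod.te before loading: audit2allow permits exactly what was
    # denied, which may be more than the service should be allowed.
    checkmodule -M -m -o "$mod.mod" "$mod.te" || return 1
    semodule_package -o "$mod.pp" -m "$mod.mod" || return 1
    semodule -i "$mod.pp"
}

# Constructed sample audit.log: two denials for named, one for httpd,
# plus a non-AVC SYSCALL record that must be ignored.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
type=AVC msg=audit(1361447144.101:2001): avc:  denied  { read } for  pid=1201 comm="named" name="example.zone" dev="dm-0" ino=4711 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1361447144.101:2001): arch=c000003e syscall=2 success=no exit=-13 comm="named" exe="/usr/sbin/named"
type=AVC msg=audit(1361447144.102:2002): avc:  denied  { getattr } for  pid=1201 comm="named" path="/var/named/example.zone" scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1361447150.300:2003): avc:  denied  { name_connect } for  pid=1350 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
EOF

echo "named denials: $(avc_count_for named "$SAMPLE_LOG")"
echo "httpd denials: $(avc_count_for httpd "$SAMPLE_LOG")"
# On a real box: build_module_for named /var/log/audit/audit.log
```

On the real server the quick sequence is the one James and Tony give: sestatus, setenforce 0, restart named, query from another host, setenforce 1; if queries only work in permissive mode, run avc_count_for against /var/log/audit/audit.log and inspect the .te that audit2allow writes before loading it. A denial on a port or one covered by an existing boolean is better fixed with semanage port or setsebool than with a custom module.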