On 02/12/2017 01:40 PM, Gordon Messmer wrote:
On 02/11/2017 08:56 PM, Robert Moskowitz wrote:
This seems to be bug 1103439 which was 'fixed' for Centos6.
What should I do about this? Is there a SELinux policy to apply or should I the avoid upd-ports option in Bind?
It looks like that bug was assigned to the selinux-policy component, where it was CLOSED NOTABUG, and then mistakenly marked CLOSED ERRATA.
The solution is probably to specify the allowed ports. However, I must be reading something wrong, because on my system, it looks like named_t is allowed to use those ports.
# sesearch -A -s named_t | grep port | grep bind
...indicates that named_t is allowed to bind to both unreserved
ports and ephemeral ports.
# semanage port -l | grep unreserved_port_t unreserved_port_t tcp 61001-65535, 1024-32767 unreserved_port_t udp 61001-65535, 1024-32767 # semanage port -l | grep ephemeral_port_t ephemeral_port_t tcp 32768-61000 ephemeral_port_t udp 32768-61000
I'm not seeing those errors logged, either, so maybe your system differs from mine. If I'm misreading, hopefully someone will chime in to clarify.
I get:
# semanage port -l | grep unreserved_port_t unreserved_port_t tcp 61001-65535, 1024-32767 unreserved_port_t udp 61001-65535, 1024-32767
# semanage port -l | grep ephemeral_port_t ephemeral_port_t tcp 32768-61000 ephemeral_port_t udp 32768-61000
so same semanage results, but different logwatch events. BTW, my internal DNS is not getting these, so some external 'hit' is triggering it.
It's probably safe to specify some range of higher numbered ports:
use-v4-udp-ports { range 10240 65535; }; use-v6-udp-ports { range 10240 65535; };
But that is not the ports that I am seeing in logwatch:
**Unmatched Entries** dispatch 0xb4463008: open_socket(::#8554) -> permission denied: continuing: 1 Time(s) dispatch 0xb4463008: open_socket(::#8614) -> permission denied: continuing: 1 Time(s) dispatch 0xb4464008: open_socket(::#8613) -> permission denied: continuing: 1 Time(s) dispatch 0xb4465008: open_socket(::#4444) -> permission denied: continuing: 1 Time(s) dispatch 0xb4465440: open_socket(0.0.0.0#5546) -> permission denied: continuing: 2 Time(s) dispatch 0xb4465440: open_socket(0.0.0.0#8554) -> permission denied: continuing: 1 Time(s) dispatch 0xb4465878: open_socket(0.0.0.0#2605) -> permission denied: continuing: 1 Time(s) dispatch 0xb4465878: open_socket(0.0.0.0#4444) -> permission denied: continuing: 2 Time(s) dispatch 0xb4465878: open_socket(0.0.0.0#8610) -> permission denied: continuing: 1 Time(s) dispatch 0xb4465878: open_socket(0.0.0.0#8613) -> permission denied: continuing: 1 Time(s) dispatch 0xb4466008: open_socket(0.0.0.0#4444) -> permission denied: continuing: 1 Time(s) dispatch 0xb4466008: open_socket(0.0.0.0#8554) -> permission denied: continuing: 1 Time(s) dispatch 0xb4466008: open_socket(0.0.0.0#8613) -> permission denied: continuing: 1 Time(s) dispatch 0xb4466440: open_socket(0.0.0.0#1935) -> permission denied: continuing: 1 Time(s) dispatch 0xb4466440: open_socket(0.0.0.0#8610) -> permission denied: continuing: 1 Time(s) dispatch 0xb4466878: open_socket(0.0.0.0#8610) -> permission denied: continuing: 1 Time(s) dispatch 0xb4467008: open_socket(0.0.0.0#8611) -> permission denied: continuing: 1 Time(s) dispatch 0xb4467440: open_socket(0.0.0.0#1935) -> permission denied: continuing: 2 Time(s) dispatch 0xb4467440: open_socket(0.0.0.0#4444) -> permission denied: continuing: 1 Time(s) dispatch 0xb4467440: open_socket(0.0.0.0#8613) -> permission denied: continuing: 1 Time(s) dispatch 0xb4467440: open_socket(0.0.0.0#8614) -> permission denied: continuing: 1 Time(s) dispatch 0xb4468008: open_socket(0.0.0.0#4444) -> permission denied: continuing: 1 Time(s)