[CentOS] Not - Re: New DNS server up and running

Thu Feb 21 12:32:52 UTC 2013
Tony Molloy <tony.molloy at ul.ie>

On Thursday 21 February 2013 11:25:44 Robert Moskowitz wrote:
> On 02/21/2013 04:30 AM, James Hogarth wrote:
> > On 21 February 2013 01:28, Robert Moskowitz <rgm at htt-consult.com> 
wrote:
> >> It looks like no system, internal or external could access the
> >> DNS on my new server.  IPTABLES was set for 53 both UDP and TCP.
> >> Firewall was OK. In fact a local system on the same subnet, thus
> >> NOT going through my firewall was denied access to the internal
> >> domain.  Localhost of course works.
> >>
> >> So it is either the Linux firewall and bind port randomization,
> >> or it is SELINUX.  How do I test to find out which?
> >>
> >> Since the new server is on the same IP address as the old, it is
> >> unplugged from the switch.  I can switch back and forth between
> >> to two boxes, only taking the time for ARP table updates.
> >>
> >> So I hope someone can point me to what I have missed.
> >
> > audit2allow -a will tell you if it's selinux ... and specifically
> > what is wrong...
> 
> Great.  I have to make notes on how to test about selinux
>  reporting.
> 
> > A quick test would be getenforce Permissive and restarting bind
> > ...
> 
Hi,

setenforce 0    sets SELinux to permissive
setenforce 1    sets it to enforcing
sestatus        to check the current status

You can use the following to build a custom SElinux module

#  Generate local policy
grep http /var/log/audit/audit.log | audit2allow -m myhttp > myhttp.te

#  could also use grep http to just get the http AVC

#  Compile the module
checkmodule -M -m -o local.mod myhttp.te

#  Create the package
semodule_package -o myhttp.pp -m local.mod

#  Load the module into the kernel
semodule -i myhttp.pp

Tony
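Added example, not code from the original post: the same audit2allow / checkmodule / semodule_package / semodule recipe wrapped in a few POSIX sh functions and pointed at named, the daemon the thread is actually about, plus the two checks worth doing before loading anything (is there a denial for this process at all, and what does it ask for). It assumes the audit log is at /var/log/audit/audit.log and that the policycoreutils tools are on PATH; the AVC records in write_sample_log are constructed for illustration, not taken from a real server.

```shell
#!/bin/sh
# Added example (not from the original mailing-list post). Assumptions:
# audit log at /var/log/audit/audit.log; audit2allow, checkmodule,
# semodule_package and semodule on PATH (policycoreutils-python on CentOS 6).
# The AVC lines in write_sample_log are constructed, not real captures.

# write_sample_log FILE: write a small constructed audit log to FILE.
write_sample_log() {
    cat > "$1" <<'EOF'
type=AVC msg=audit(1361450000.101:301): avc:  denied  { write } for  pid=2211 comm="named" name="internal.zone" dev=dm-0 ino=41019 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=file
type=SYSCALL msg=audit(1361450000.101:301): arch=c000003e syscall=2 success=no exit=-13 comm="named" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key=(null)
type=AVC msg=audit(1361450000.205:302): avc:  denied  { read write } for  pid=2211 comm="named" name="internal.zone.jnl" dev=dm-0 ino=41020 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=file
type=AVC msg=audit(1361450000.310:303): avc:  denied  { name_connect } for  pid=3344 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
EOF
}

# extract_avc LOGFILE COMM: print only AVC denial records for process COMM.
# Matching comm="named" is tighter than a bare 'grep named', which also
# pulls in SYSCALL records and anything else that mentions the word.
extract_avc() {
    grep 'type=AVC' "$1" | grep "comm=\"$2\""
}

# count_avc LOGFILE COMM: number of denials for COMM. Zero means SELinux is
# probably not what is blocking it (the setenforce 0 test confirms that).
count_avc() {
    extract_avc "$1" "$2" | wc -l | tr -d ' '
}

# avc_summary LOGFILE COMM: one line per denial as "PERMS TCLASS TARGET_TYPE",
# enough to recognise a case that an existing boolean already covers.
avc_summary() {
    extract_avc "$1" "$2" |
    sed -n 's/.*denied  { \([^}]*\) }.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([a-z_]*\).*/\1 \3 \2/p'
}

# build_module LOGFILE COMM NAME: the recipe from the post, parameterised.
# Needs root for the final semodule -i. NAME.te is left on disk so the
# generated allow rules can be read before they are loaded.
build_module() {
    log=$1; comm=$2; name=$3
    for tool in audit2allow checkmodule semodule_package semodule; do
        command -v "$tool" >/dev/null 2>&1 || {
            echo "missing $tool (install policycoreutils-python)" >&2; return 2; }
    done
    extract_avc "$log" "$comm" | audit2allow -m "$name" > "$name.te" || return 1
    echo "Review $name.te before loading: every allow rule widens the $comm domain." >&2
    checkmodule -M -m -o "$name.mod" "$name.te" || return 1
    semodule_package -o "$name.pp" -m "$name.mod" || return 1
    semodule -i "$name.pp"
}

# Stand-alone demo on the constructed log; needs neither root nor SELinux.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp)
    write_sample_log "$tmp"
    echo "named denials: $(count_avc "$tmp" named)"
    avc_summary "$tmp" named
    rm -f "$tmp"
fi
```

Run `sh selinux-named.sh demo` to see the filtering on the sample log; on a real box, `build_module /var/log/audit/audit.log named mynamed` does what Tony's four commands do for httpd (audit2allow -M mynamed collapses the compile and package steps into one if you prefer). Two cautions the recipe itself does not give you: first, read the .te before `semodule -i`, because audit2allow allows exactly what was denied, whether or not that was a good idea; second, look at the summary before writing a module at all. On the sample log the named denials are write and read/write on named_zone_t, which is the case the stock policy already handles with `setsebool -P named_write_master_zones 1`, and `audit2why` will point that out. And if the query still fails with `setenforce 0`, SELinux is not the culprit; the symptom in the thread (localhost answers, other hosts do not) is also what a named.conf listen-on or allow-query limited to 127.0.0.1 produces, and no policy module fixes that.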