
(CentOS 8) SELinux preventing pdns_server from name_bind access on the udp_socket port (random high port) #93

@ghost

Description

  • Program: Authoritative, pdns-ansible
  • Issue type: Bug report

Short description

SELinux (in permissive mode) complains that, if enforcing, it would not allow pdns_server to bind to the random high IPv4/IPv6 UDP query/notify sockets.

Environment

  • Operating system: CentOS 8 Stream
  • Software version: pdns: pdns-4.3.1-1.el8, pdns-ansible: f0ac78c
  • Software source: EPEL (pdns), github (pdns-ansible)

Steps to reproduce

  1. Use pdns-ansible to install pdns on CentOS 8
  2. SELinux targeted, permissive or enforcing
  3. Start the pdns service

Expected behaviour

No SELinux complaints in journal

Actual behaviour

message in systemd journal:

SELinux is preventing /usr/sbin/pdns_server from name_bind access on the udp_socket port 12023

Other information

UPDATE: tracing the Ansible run, .../tasks/selinux.yml is called and the 'allow pdns to bind to udp high ports' seport task is run, but it seems not to have the desired effect.

From freenode/#selinux, a working solution seems to be something to the effect of:

echo '(allow pdns_t unreserved_port_type (udp_socket (name_bind)))' > mypdnsfix.cil && sudo semodule -i mypdnsfix.cil

I'm not sure how to refine that to limit the range to 10000-20000, as listed in selinux.yml.

My Ansible-fu is not sufficiently strong to submit a PR at this time.
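The following is an added example, not code from the issue author or from the pdns-ansible project, showing one way to narrow the #selinux one-liner to a single port range. Two things have to be true for a name_bind to pass: the port must carry a type, and the domain (pdns_t, from the denial above) must have an allow rule for name_bind on that type. Relabelling ports alone changes only the first half, so a seport task on its own cannot add the missing rule. The script below generates a CIL module that declares a dedicated port type, labels 10000-20000/udp with it, and grants pdns_t name_bind on that type only. The names pdns_highport_t and pdns_highports.cil are assumptions; only the generator runs without root, the install and verify helpers need the SELinux userspace tools.

```shell
#!/bin/sh
# Added example, not from the issue or pdns-ansible. Builds a CIL module that
# allows pdns_t (the domain named in the denial) to name_bind only to UDP ports
# in one range, instead of to every unreserved port. The port type
# pdns_highport_t and the file name pdns_highports.cil are assumptions.

# True if $1 is a valid TCP/UDP port number.
is_port() {
    case "$1" in ""|*[!0-9]*) return 1 ;; esac
    [ "$1" -le 65535 ]
}

# True if $1-$2 is an ascending range inside the unreserved port space.
valid_port_range() {
    is_port "$1" && is_port "$2" && [ "$1" -ge 1024 ] && [ "$1" -le "$2" ]
}

# Print the CIL module for range $1-$2 on stdout; fails on a bad range.
pdns_port_cil() {
    valid_port_range "$1" "$2" || { echo "bad port range: $1-$2" >&2; return 1; }
    cat <<EOF
; Dedicated port type, so the allow rule below does not cover all of
; unreserved_port_type the way the one-liner from #selinux does.
(type pdns_highport_t)
(roletype object_r pdns_highport_t)
(typeattributeset port_type (pdns_highport_t))
; Keep the range inside unreserved_port_type so domains already allowed to
; bind "all unreserved ports" are not affected by the relabel.
(typeattributeset unreserved_port_type (pdns_highport_t))
; Label the UDP range. CIL sorts portcon entries narrowest range first, so
; ports in this range that the base policy already labels keep their label.
(portcon udp ($1 $2) (system_u object_r pdns_highport_t ((s0) (s0))))
; The rule the denial is missing, limited to the new type.
(allow pdns_t pdns_highport_t (udp_socket (name_bind)))
EOF
}

# Write the module to a file and load it (needs root and semodule).
pdns_port_cil_install() {
    pdns_port_cil "$1" "$2" > /tmp/pdns_highports.cil || return 1
    semodule -i /tmp/pdns_highports.cil
}

# Check that both halves landed: the allow rule and the port label.
pdns_port_cil_verify() {
    sesearch -A -s pdns_t -t pdns_highport_t -c udp_socket -p name_bind | grep -q name_bind &&
    semanage port -l | grep -q '^pdns_highport_t'
}

# Usage, matching the range in pdns-ansible's selinux.yml:
#   pdns_port_cil_install 10000 20000 && pdns_port_cil_verify
```

After loading, `ausearch -m AVC -ts recent` should stop showing the name_bind denial for pdns_server once it restarts. Ports inside the range that the base policy already labels with a narrower, more specific entry keep that label, so pdns_t still cannot bind them; `semanage port -l` lists them, and if one of them matters it needs its own allow rule rather than a wider range.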
