Maintained by: NLnet Labs

[Unbound-users] Can't Bind Socket Error

Jarno Huuskonen
Thu Nov 20 18:30:24 CET 2014


On Tue, Oct 14, Paul Stewart wrote:
> Just following up on this socket error - we are still seeing it
> including a
> couple of new servers I turned up today.  It does not appear to be
> operationally impacting (at least anything obvious).
> 
> All of these servers are running CentOS7 64 bit under VMware 5.5 - just
> wondering if anyone else is running CentOS7?

Are you still getting "error: can't bind socket: Permission denied
for..." errors in your logs?
(And do you have selinux enabled?)

I just started testing unbound on RHEL7 and noticed that the selinux
policy denies unbound the use of port 5546:
type=AVC msg=audit(1416495730.557:3528): avc:  denied  { name_bind } for
pid=15009 comm="unbound" src=5546 scontext=system_u:system_r:named_t:s0
tcontext=system_u:object_r:dhcpc_port_t:s0 tclass=udp_socket

(I think these are covered by dontaudit rules, so to get them into the logs
you have to run: semodule --disable_dontaudit --build
(and to get the silent dontaudit rules back: semodule --build))
(https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Fixing_Problems-Possible_Causes_of_Silent_Denials.html)

So maybe this in config will help: outgoing-port-avoid: 5546

(BTW, what's the correct way to define multiple
outgoing-port-avoid entries (without using ranges):
outgoing-port-avoid: 5546
outgoing-port-avoid: 8853
or outgoing-port-avoid: 5546,8853 ?)

-Jarno

-- 
Jarno Huuskonen
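An added example, not from this thread and not NLnet Labs code: a small Python parser that reads auditd AVC lines of the shape shown in the message above, keeps only name_bind denials for comm="unbound" on udp/tcp sockets, and turns the denied ports into outgoing-port-avoid lines in the one-directive-per-line form. The first sample line is the post's denial rejoined onto one line (auditd writes one event per line); the remaining sample lines and their tcontext types are constructed.

```python
import re

# Constructed sample of /var/log/audit/audit.log content. Line 1 is the
# denial quoted in the post, rejoined; the rest are made up for the test.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1416495730.557:3528): avc:  denied  { name_bind } for pid=15009 comm="unbound" src=5546 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:dhcpc_port_t:s0 tclass=udp_socket
type=AVC msg=audit(1416495731.101:3529): avc:  denied  { name_bind } for pid=15009 comm="unbound" src=8853 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:example_port_t:s0 tclass=udp_socket
type=AVC msg=audit(1416495732.222:3530): avc:  denied  { name_bind } for pid=15009 comm="unbound" src=5546 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:dhcpc_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1416495733.333:3531): avc:  denied  { name_bind } for pid=2222 comm="httpd" src=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:example_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1416495734.444:3532): avc:  denied  { write } for pid=15009 comm="unbound" name="unbound.log" scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
"""

# "avc:  denied  { perm } for key=value key="quoted" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perm>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of the AVC record's fields plus 'perm', or None if not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perm": m.group("perm")}
    for key, value in FIELD_RE.findall(m.group("fields")):
        rec[key] = value.strip('"')
    return rec


def denied_bind_ports(log_text, comm="unbound"):
    """Sorted list of ports on which SELinux refused name_bind to the given process name.

    For name_bind denials auditd reports the port in the src= field.
    """
    ports = set()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["perm"] != "name_bind":
            continue
        if rec.get("comm") != comm or rec.get("tclass") not in ("udp_socket", "tcp_socket"):
            continue
        ports.add(int(rec["src"]))
    return sorted(ports)


def unbound_port_avoid_lines(ports):
    """One outgoing-port-avoid directive per denied port, ready to paste into unbound.conf."""
    return ["outgoing-port-avoid: %d" % port for port in ports]


if __name__ == "__main__":
    print("\n".join(unbound_port_avoid_lines(denied_bind_ports(SAMPLE_AUDIT_LOG))))
```

Run it against the real audit.log only after the dontaudit rules have been disabled as described in the message, otherwise these denials never reach the log.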