Maintained by: NLnet Labs

[Unbound-users] Can't Bind Socket Error

W.C.A. Wijngaards
Fri Nov 21 09:14:51 CET 2014



Hi Jarno,

On 20/11/14 18:30, Jarno Huuskonen wrote:
> On Tue, Oct 14, Paul Stewart wrote:
>> Just following up on this socket error - we are still seeing it 
>> including a couple of new servers I turned up today.  It does not
>> appear to be operationally impacting (at least anything
>> obvious).
>> 
>> All of these servers are running CentOS7 64 bit under VmWare 5.5
>> - just wondering if anyone else running CentOS7 ?
> 
> Are you still getting "error: can't bind socket: Permission denied 
> for..." errors in your logs ? (and do you have selinux enabled ?)
> 
> I just started testing unbound on RHEL7 and noticed that selinux 
> policy denies unbound to use port 5546: type=AVC
> msg=audit(1416495730.557:3528): avc:  denied  { name_bind } for 
> pid=15009 comm="unbound" src=5546
> scontext=system_u:system_r:named_t:s0 
> tcontext=system_u:object_r:dhcpc_port_t:s0 tclass=udp_socket
> 
> (I think these are in dontaudit rules so to get these in logs you 
> have to: semodule --disable_dontaudit --build (and to get silent
> dontaudit rules back: semodule --build)) 
> (https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Fixing_Problems-Possible_Causes_of_Silent_Denials.html)
>
>  So maybe this in config will help: outgoing-port-avoid: 5546
> 
> (BTW what's the correct way to define multiple outgoing-port-avoid
> (without using ranges):
> 
> outgoing-port-avoid: 5546
> outgoing-port-avoid: 8853

This is correct.  Multiple lines.  (also for outgoing-port-permit)

The lines are processed in the order encountered, in case you mix
permit and avoid lines in a weird way.  An easy way to write them is
to first permit some ranges and then after the permit lines, write
avoid lines with some specific cases you want to avoid.

Best regards,
   Wouter


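Editor's note (added example, not from the thread or from Unbound itself): the two things the thread arrives at, surfacing the SELinux name_bind denials and then writing the avoid lines one per line after a permit range, can be strung together in a small shell script. The audit records below are constructed to match the shape of the one Jarno quoted (the 546 record is invented to show de-duplication and ordering); the permit range 32768-60999 is an assumed illustrative value, not a recommendation.

```sh
#!/bin/sh
# Added example, not from the thread or from Unbound itself: turn SELinux
# name_bind denials against unbound into outgoing-port-avoid lines, laid
# out permit-first, avoid-second as the reply above recommends.

# Constructed sample, modelled on the AVC record quoted in the thread.
# Only two ports should survive: record 2 repeats record 1, and record 4
# is a different daemon doing a TCP connect, not unbound binding UDP.
AVC_SAMPLE='type=AVC msg=audit(1416495730.557:3528): avc:  denied  { name_bind } for  pid=15009 comm="unbound" src=5546 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:dhcpc_port_t:s0 tclass=udp_socket
type=AVC msg=audit(1416495730.558:3529): avc:  denied  { name_bind } for  pid=15009 comm="unbound" src=5546 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:dhcpc_port_t:s0 tclass=udp_socket
type=AVC msg=audit(1416495731.004:3530): avc:  denied  { name_bind } for  pid=15009 comm="unbound" src=546 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:dhcpc_port_t:s0 tclass=udp_socket
type=AVC msg=audit(1416495732.100:3531): avc:  denied  { name_connect } for  pid=2222 comm="httpd" src=5546 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:dhcpc_port_t:s0 tclass=tcp_socket'

# denied_ports: read raw audit records on stdin and print each UDP port
# that SELinux refused to let unbound bind, once, in numeric order.
denied_ports() {
    grep -E 'avc: +denied +\{ name_bind \}' \
    | grep 'comm="unbound"' \
    | grep 'tclass=udp_socket' \
    | sed -n 's/.* src=\([0-9][0-9]*\) .*/\1/p' \
    | sort -n -u
}

# avoid_lines: one outgoing-port-avoid directive per port, the
# multi-line form Wouter confirms above.
avoid_lines() {
    denied_ports | while read -r port; do
        printf '    outgoing-port-avoid: %s\n' "$port"
    done
}

# server_fragment: a server: block in the recommended order, a permit
# range first and the specific avoids after it, since the lines are
# processed in the order encountered.  32768-60999 is an assumed value.
server_fragment() {
    records=$(cat)
    echo 'server:'
    echo '    outgoing-port-permit: 32768-60999'
    printf '%s\n' "$records" | avoid_lines
}

printf '%s\n' "$AVC_SAMPLE" | server_fragment
```

On a live RHEL7/CentOS7 box you would first run `semodule -DB` (as Jarno notes, the denials are otherwise dontaudit'ed and never reach the log), reproduce the error, then feed the real records in with `ausearch -m AVC -c unbound --raw | server_fragment` and paste the output into unbound.conf. Keep in mind this only sidesteps the symptom: the AVC says the port carries the dhcpc_port_t label and the named_t domain is not allowed to bind it, so the port list will change if the distribution's port labels change.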