[Unbound-users] Can't Bind Socket Error
Jarno Huuskonen
2014-11-20 17:30:24 UTC
> Just following up on this socket error - we are still seeing it including a
> couple of new servers I turned up today. It does not appear to be
> operationally impacting (at least anything obvious).
> All of these servers are running CentOS7 64 bit under VmWare 5.5 - just
> wondering if anyone else running CentOS7 ?
Are you still getting "error: can't bind socket: Permission denied
for..." errors in your logs ?
(and do you have selinux enabled ?)

I just started testing unbound on RHEL7 and noticed that selinux
policy denies unbound to use port 5546:
type=AVC msg=audit(1416495730.557:3528): avc: denied { name_bind } for
pid=15009 comm="unbound" src=5546 scontext=system_u:system_r:named_t:s0
tcontext=system_u:object_r:dhcpc_port_t:s0 tclass=udp_socket

(I think these are in dontaudit rules so to get these in logs you
have to: semodule --disable_dontaudit --build
(and to get silent dontaudit rules back: semodule --build))
(https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Fixing_Problems-Possible_Causes_of_Silent_Denials.html)

So maybe this in config will help: outgoing-port-avoid: 5546

(BTW what's correct way to define multiple
outgoing-port-avoid (without using ranges):
outgoing-port-avoid: 5546
outgoing-port-avoid: 8853
or outgoing-port-avoid: 5546,8853 ?)

-Jarno
--
Jarno Huuskonen
W.C.A. Wijngaards
2014-11-21 08:14:51 UTC
Hi Jarno,
Post by Jarno Huuskonen
> Just following up on this socket error - we are still seeing it
> including a couple of new servers I turned up today. It does not
> appear to be operationally impacting (at least anything
> obvious).
> All of these servers are running CentOS7 64 bit under VmWare 5.5
> - just wondering if anyone else running CentOS7 ?
> Are you still getting "error: can't bind socket: Permission denied
> for..." errors in your logs ? (and do you have selinux enabled ?)
> I just started testing unbound on RHEL7 and noticed that selinux
> policy denies unbound to use port 5546: type=AVC
> msg=audit(1416495730.557:3528): avc: denied { name_bind } for
> pid=15009 comm="unbound" src=5546
> scontext=system_u:system_r:named_t:s0
> tcontext=system_u:object_r:dhcpc_port_t:s0 tclass=udp_socket
> (I think these are in dontaudit rules so to get these in logs you
> have to: semodule --disable_dontaudit --build (and to get silent
> dontaudit rules back: semodule --build))
> (https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Fixing_Problems-Possible_Causes_of_Silent_Denials.html)
> So maybe this in config will help: outgoing-port-avoid: 5546
> (BTW what's correct way to define multiple outgoing-port-avoid
> outgoing-port-avoid: 5546 outgoing-port-avoid: 8853
This is correct. Multiple lines. (also for outgoing-port-permit)

The lines are processed in the order encountered, in case you mix
permit and avoid lines in a weird way. An easy way to write them is
to first permit some ranges and then after the permit lines, write
avoid lines with some specific cases you want to avoid.

Best regards,
Wouter
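As an added example (not code from the thread, and not Unbound's own implementation), a small Python simulator of the order-dependent permit/avoid processing Wouter describes, plus a helper that turns name_bind AVC records like the one Jarno quoted into outgoing-port-avoid lines. The starting permitted range of 1024-65535 and the "low-high" range syntax are assumptions made for this example.

```python
import re

# Assumption for this example (not stated in the thread): before any config
# line is applied, ports 1024-65535 are permitted for outgoing queries.
INITIAL_PERMIT = (1024, 65535)

PORT_LINE = re.compile(r"^\s*outgoing-port-(permit|avoid)\s*:\s*(\d+)(?:-(\d+))?\s*$")
AVC_BIND = re.compile(r'avc:\s+denied\s+\{ name_bind \}.*comm="unbound".*src=(\d+)')

def avoid_lines_from_avc(audit_text):
    """Turn name_bind denials for unbound (like the AVC line in the thread)
    into outgoing-port-avoid lines, one per distinct source port."""
    ports = sorted({int(m.group(1)) for m in AVC_BIND.finditer(audit_text)})
    return [f"outgoing-port-avoid: {p}" for p in ports]

def parse_port_rules(conf_text):
    """Return (action, low, high) for each permit/avoid line, in file order.
    A bare port is treated as a one-port range; trailing comments are ignored."""
    rules = []
    for raw in conf_text.splitlines():
        m = PORT_LINE.match(raw.split("#", 1)[0])
        if not m:
            continue
        lo = int(m.group(2))
        hi = int(m.group(3)) if m.group(3) else lo
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range: {raw.strip()!r}")
        rules.append((m.group(1), lo, hi))
    return rules

def effective_ports(conf_text):
    """Apply the rules in the order encountered, as Wouter describes: a later
    permit re-enables a port that an earlier avoid removed, and vice versa."""
    allowed = set(range(INITIAL_PERMIT[0], INITIAL_PERMIT[1] + 1))
    for action, lo, hi in parse_port_rules(conf_text):
        span = set(range(lo, hi + 1))
        allowed = allowed | span if action == "permit" else allowed - span
    return allowed

# Constructed input: the AVC record quoted in the thread, on one audit.log line.
AVC_LOG = ('type=AVC msg=audit(1416495730.557:3528): avc: denied { name_bind } for '
           'pid=15009 comm="unbound" src=5546 scontext=system_u:system_r:named_t:s0 '
           'tcontext=system_u:object_r:dhcpc_port_t:s0 tclass=udp_socket\n')

# Recommended order: permit ranges first, then the specific avoid lines.
GOOD_ORDER = "server:\n    outgoing-port-permit: 5000-6000\n" + "".join(
    f"    {line}\n" for line in avoid_lines_from_avc(AVC_LOG) + ["outgoing-port-avoid: 8853"])
# The same lines the 'weird' way round: the later permit silently re-enables 5546.
BAD_ORDER = "server:\n    outgoing-port-avoid: 5546\n    outgoing-port-permit: 5000-6000\n"
```

Comparing effective_ports(GOOD_ORDER) with effective_ports(BAD_ORDER) shows why the avoid lines belong after the permit lines.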