On 02/11/2017 08:56 PM, Robert Moskowitz wrote:
> This seems to be bug 1103439 which was 'fixed' for CentOS 6.
> What should I do about this? Is there a SELinux policy to apply, or
> should I avoid the udp-ports option in BIND?
It looks like that bug was assigned to the selinux-policy component,
where it was CLOSED NOTABUG, and then mistakenly marked CLOSED ERRATA.
The solution is probably to specify the allowed ports. However, I must
be reading something wrong, because on my system, it looks like named_t
is allowed to use those ports.
# sesearch -A -s named_t | grep port | grep bind
...indicates that named_t is allowed to bind to both unreserved
ports and ephemeral ports.
# semanage port -l | grep unreserved_port_t
unreserved_port_t tcp 61001-65535, 1024-32767
unreserved_port_t udp 61001-65535, 1024-32767
# semanage port -l | grep ephemeral_port_t
ephemeral_port_t tcp 32768-61000
ephemeral_port_t udp 32768-61000
I'm not seeing those errors logged, either, so maybe your system differs
from mine. If I'm misreading, hopefully someone will chime in to clarify.
It's probably safe to specify some range of higher numbered ports:
use-v4-udp-ports { range 10240 65535; };
use-v6-udp-ports { range 10240 65535; };
_______________________________________________
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
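A small check that follows from the reply above, added here as an example and not part of the original mail: it parses `semanage port -l` style output (a constructed sample mirroring the lines quoted in the thread) and reports which ports of a `use-v4-udp-ports { range LO HI; }` setting are not labelled with one of the port types named_t may bind to. The sesearch result in the mail (named_t allowed on unreserved_port_t and ephemeral_port_t) is taken as an assumption; only the port-label coverage is checked.

```python
"""Check that a BIND use-v4-udp-ports range is covered by SELinux port labels."""
import re

# Constructed sample, mirroring the `semanage port -l` lines quoted in the mail.
SEMANAGE_PORT_OUTPUT = """\
unreserved_port_t              tcp      61001-65535, 1024-32767
unreserved_port_t              udp      61001-65535, 1024-32767
ephemeral_port_t               tcp      32768-61000
ephemeral_port_t               udp      32768-61000
dns_port_t                     udp      53
"""

# Port types the mail's sesearch output says named_t may bind to (assumption).
NAMED_BIND_TYPES = ["unreserved_port_t", "ephemeral_port_t"]


def parse_semanage_ports(text):
    """Return {(type, proto): [(lo, hi), ...]} from `semanage port -l` output."""
    table = {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue  # skip headers / blank lines
        ptype, proto, ranges = parts
        for item in ranges.split(","):
            lo, _, hi = item.strip().partition("-")
            table.setdefault((ptype, proto), []).append((int(lo), int(hi or lo)))
    return table


def uncovered(lo, hi, ranges):
    """Return the sub-ranges of [lo, hi] not covered by any (a, b) in ranges."""
    gaps, cur = [], lo
    for a, b in sorted(ranges):
        if b < cur:
            continue
        if a > hi:
            break
        if a > cur:
            gaps.append((cur, a - 1))
        cur = max(cur, b + 1)
    if cur <= hi:
        gaps.append((cur, hi))
    return gaps


def check_bind_range(config_line, semanage_text, allowed_types, proto="udp"):
    """Parse `use-v4-udp-ports { range LO HI; };` and list unlabelled ports."""
    m = re.search(r"range\s+(\d+)\s+(\d+)", config_line)
    lo, hi = int(m.group(1)), int(m.group(2))
    table = parse_semanage_ports(semanage_text)
    ranges = [r for t in allowed_types for r in table.get((t, proto), [])]
    return uncovered(lo, hi, ranges)
```

An empty result means every port in the configured range carries a label named_t may bind to; a non-empty list shows exactly which ports would need a `semanage port -a` label or a narrower range.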