
List:       pdns-users
Subject:    Re: [Pdns-users] Error binding on UDP port 53 only when slave=yes
From:       Sean Lair via Pdns-users <pdns-users () mailman ! powerdns ! com>
Date:       2020-06-09 1:04:08
Message-ID: 77d902a5b58a461b9be10578029d89a8 () ippathways ! com

If anyone else has a similar issue, the problem is with SELinux's built-in policies. Here is the Type Enforcement module I had to build and install. Just let me know if any questions:

------------------
module pdns_customized 1.0;

require {
        type proc_t;
        type usr_t;
        type pdns_t;
        type unreserved_port_t;
        class udp_socket name_bind;
        class file { map read };
}

#============= pdns_t ==============
allow pdns_t proc_t:file read;
allow pdns_t unreserved_port_t:udp_socket name_bind;
allow pdns_t usr_t:file map;
------------------

Sean

From: Pdns-users <pdns-users-bounces@mailman.powerdns.com> On Behalf Of Sean Lair via Pdns-users
Sent: Saturday, June 6, 2020 3:14 PM
To: pdns-users@mailman.powerdns.com
Subject: [Pdns-users] Error binding on UDP port 53 only when slave=yes

Hello!

Our Authoritative PDNS servers are currently using native mode with MariaDB. We are attempting to enable slave=yes (in pdns.conf), but when we do so, we get the error below. ***If we do not have slave=yes configured, then PDNS works fine (but not in slave mode, of course).***

-----------------------------
Jun  6 19:57:54 ns1 systemd[1]: Starting PowerDNS Authoritative Server...
Jun  6 19:57:54 ns1 pdns_server[8154]: Loading '/usr/lib64/pdns/libgmysqlbackend.so'
Jun  6 19:57:54 ns1 pdns_server[8154]: This is a standalone pdns
Jun  6 19:57:54 ns1 pdns_server[8154]: Listening on controlsocket in '/var/run/pdns/pdns.controlsocket'
Jun  6 19:57:54 ns1 pdns_server[8154]: UDP server bound to 0.0.0.0:53
Jun  6 19:57:54 ns1 pdns_server[8154]: UDP server bound to [::]:53
Jun  6 19:57:54 ns1 pdns_server[8154]: TCP server bound to 0.0.0.0:53
Jun  6 19:57:54 ns1 pdns_server[8154]: TCP server bound to [::]:53
Jun  6 19:57:54 ns1 pdns_server[8154]: PowerDNS Authoritative Server 4.3.0 (C) 2001-2020 PowerDNS.COM BV
Jun  6 19:57:54 ns1 pdns_server[8154]: Using 64-bits mode. Built using gcc 8.3.1 20190507 (Red Hat 8.3.1-4) on Apr  9 2020 19:45:37 by mockbuild@localhost.
Jun  6 19:57:54 ns1 pdns_server[8154]: PowerDNS comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it according to the terms of the GPL version 2.
Jun  6 19:57:54 ns1 pdns_server[8154]: [webserver] Listening for HTTP requests on 0.0.0.0:8081
Jun  6 19:57:54 ns1 pdns_server[8154]: Master/slave communicator launching
Jun  6 19:57:54 ns1 pdns_server[8154]: Creating backend connection for TCP
Jun  6 19:57:54 ns1 pdns_server[8154]: About to create 3 backend threads for UDP
Jun  6 19:57:54 ns1 pdns_server[8154]: Exiting because communicator thread died with error: Resolver binding to local UDP socket on 0.0.0.0: Permission denied
-----------------------------

It seems that when slave=yes is configured, PDNS drops its privilege level before opening its sockets? If I turn off SELinux we have no issues, but with SELinux ON w/o slave=yes we also work without issue... Here is a line from our audit log, confirming that SELinux is blocking listening on port 53 - again, this blocking only occurs if slave=yes.

-----------------------------
type=AVC msg=audit(1591472511.372:4842): avc:  denied  { name_bind } for  pid=8081 comm="pdns/comm-main" src=14783 scontext=system_u:system_r:pdns_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=0
-----------------------------

Let me know if there is anything else I can provide to help. We are on CentOS 8 and PowerDNS Authoritative Server 4.3.0.

Thanks!
Sean
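
As an added example (not code from the thread or from PowerDNS), a small Python routine that turns audit AVC denial lines in the format quoted above into Type Enforcement module source, the mapping audit2allow performs. The first sample line is the denial from the thread; the two usr_t:file denials are constructed to show how several permissions on one type/class merge into a single allow rule. Worth noticing when reading the real denial: src=14783 with tcontext unreserved_port_t means the denied bind is the communicator's resolver socket on an ephemeral port, not port 53 itself, which is why the rule targets unreserved_port_t.

```python
import re
from collections import defaultdict
# The AVC denial quoted in the thread. Note src=14783: the denied bind is on an
# ephemeral port (unreserved_port_t), not on port 53 itself.
AVC_LINES = [
    'type=AVC msg=audit(1591472511.372:4842): avc:  denied  { name_bind } for  pid=8081 '
    'comm="pdns/comm-main" src=14783 scontext=system_u:system_r:pdns_t:s0 '
    'tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=0',
    # Constructed denials (not from the thread) so two perms on one type/class merge.
    'type=AVC msg=audit(1591472512.001:4843): avc:  denied  { map } for  pid=8081 '
    'comm="pdns_server" scontext=system_u:system_r:pdns_t:s0 '
    'tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1591472512.002:4844): avc:  denied  { read } for  pid=8081 '
    'comm="pdns_server" scontext=system_u:system_r:pdns_t:s0 '
    'tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0',
]
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} .*?'
    r'scontext=\w+:\w+:(?P<stype>\w+):\S+ .*?'
    r'tcontext=\w+:\w+:(?P<ttype>\w+):\S+ .*?'
    r'tclass=(?P<tclass>\w+)')

def parse_avc(line):
    """Return (source type, target type, class, {perms}), or None for non-AVC lines."""
    m = AVC_RE.search(line)
    return (m['stype'], m['ttype'], m['tclass'], set(m['perms'].split())) if m else None

def fmt(perms):
    """Render a permission set as checkmodule expects: bare if one, braced if several."""
    p = ' '.join(sorted(perms))
    return p if len(perms) == 1 else '{ ' + p + ' }'

def build_te_module(lines, name='pdns_customized', version='1.0'):
    """Aggregate denials per (stype, ttype, tclass) and render TE module source."""
    rules = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            rules[(stype, ttype, tclass)] |= perms
    classes = defaultdict(set)  # the require block must list every perm used per class
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms
    out = [f'module {name} {version};', '', 'require {']
    out += [f'\ttype {t};' for t in sorted({t for k in rules for t in k[:2]})]
    out += [f'\tclass {c} {fmt(p)};' for c, p in sorted(classes.items())]
    out += ['}', '']
    out += [f'allow {s} {t}:{c} {fmt(p)};' for (s, t, c), p in sorted(rules.items())]
    return '\n'.join(out)
```

Review the generated rules before loading them: an allow on unreserved_port_t:udp_socket name_bind permits pdns_t to bind any unreserved UDP port, so confirm that is the scope you want rather than loading the output blindly.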





_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
