[Pdns-users] SELinux with master & pdns fails

Frank Louwers frank+pdns at tembo.be
Mon Jul 31 09:40:51 UTC 2023


Hi,

There's also the issue that there's no such thing as "the" PowerDNS install: you have a choice of about backends (of which about 4 could be called "common"), you could enable the API or not, you could use Carbon or not, you could use Primary/Replica (AXFR-based) transfers etc.

So creating a "generic" one for everything sounds easier than it is.

Frank


> On 30 Jul 2023, at 12:57, Kevin P. Fleming via Pdns-users <pdns-users at mailman.powerdns.com> wrote:
> 
> If by "the RPM" you are referring to the ones distributed by the PowerDNS team (on repo.powerdns.com <http://repo.powerdns.com/>) then no, it does not. It also doesn't include a profile for AppArmor.
> 
> It is possible that the PowerDNS team would accept a contribution of such profiles to be included in the packages, but the ongoing cost of supporting those could be high, and it may not be possible to have the same profiles operate properly across all of the RPM-based distributions.
> 
> On Sun, Jul 30, 2023, at 06:48, Victor Hugo dos Santos wrote:
>> Hi
>> 
>> The rpm should come with the correct selinux by default???
>> 
>> Salu2
>> 
>> 
>> On Sat, Jul 29, 2023, 17:27 Kevin P. Fleming via Pdns-users <pdns-users at mailman.powerdns.com> wrote:
>> 
>> There's nothing to 'fix' in pdns-auth. Its behavior is based on the functions it performs.
>> 
>> If there is no SELinux policy for it, or there is one but it's not correct, then SELinux will interfere. The proper solution is to determine whether any of the actions that pdns-auth is taking are invalid. If they are invalid, those are bugs (but this is unlikely); if they are valid, the SELinux policy needs to permit them.
>> 
>> On Sat, Jul 29, 2023, at 11:11, lejeczek via Pdns-users wrote:
>>> Hi guys.
>>> 
>>> Setting master=yes - on CentOS 9s - results in SE denials and 'pdns' fails to start.
>>> ...
>>> About to create 3 backend threads for UDP
>>> Exiting because communicator thread died with error: Resolver binding to local UDP socket on '0.0.0.0': Permission denied
>>> Started PowerDNS Authoritative Server.
>>> ...
>>> 
>>> Would you know if there is a boolean I'm missing or perhaps pdns' end can be "fixed"?
>>> It'd be good not to have to build a dedicated SE module for that.
>>> 
>>> many thanks, L.
>>> _______________________________________________
>>> Pdns-users mailing list
>>> Pdns-users at mailman.powerdns.com
>>> https://mailman.powerdns.com/mailman/listinfo/pdns-users
>>> 
