Source: selinux-policy-default Version: 2:2.20140206-1 Severity: normal There's a reasonable module for unbound in the existing policy (well, it's a little weird that it's embedded in the module for BIND, but that's not a big deal) but it is missing a couple of rules. First, the Debian package caches an up-to-date copy of the root key under /var/lib/unbound, so that needs to be labeled named_cache_t: please add
/var/lib/unbound(/.*)? -- gen_context(system_u:object_r:named_cache_t,s0) to modules/contrib/bind.fc (perhaps right after the similar rule for /var/cache/bind(/.*)?) Second, unbound by default listens on local port 8953 for "remote control" (see https://unbound.net/documentation/unbound-control.html), but the policy doesn't permit this. This feature is needed by log rotation and resolvconf, so I don't want to just disable it. As a local band-aid I did # semanage port -a -t dns_port_t -p tcp 8953 but I suspect this is not the ideal fix - if nothing else, it would be nice if it could be limited to talking to localhost. zw -- System Information: Debian Release: jessie/sid APT prefers unstable APT policy: (501, 'unstable'), (500, 'testing'), (101, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 3.13-1-amd64 (SMP w/8 CPU cores) Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected]
