Control: reassign -1 src:refpolicy 2:2.20140206-1

On Mon, 03 Mar 14, 15:14:58, Zack Weinberg wrote:
> Source: selinux-policy-default
> Version: 2:2.20140206-1
> Severity: normal
>
> There's a reasonable module for unbound in the existing policy (well,
> it's a little weird that it's embedded in the module for BIND, but that's
> not a big deal) but it is missing a couple of rules. First, the Debian
> package caches an up-to-date copy of the root key under /var/lib/unbound,
> so that needs to be labeled named_cache_t: please add
>
> /var/lib/unbound(/.*)? --
> gen_context(system_u:object_r:named_cache_t,s0)
>
> to modules/contrib/bind.fc (perhaps right after the similar rule for
> /var/cache/bind(/.*)?)
>
> Second, unbound by default listens on local port 8953 for "remote control"
> (see https://unbound.net/documentation/unbound-control.html), but the policy
> doesn't permit this. This feature is needed by log rotation and resolvconf,
> so I don't want to just disable it. As a local band-aid I did
>
> # semanage port -a -t dns_port_t -p tcp 8953
>
> but I suspect this is not the ideal fix - if nothing else, it would be nice
> if it could be limited to talking to localhost.
>
> zw
>
> -- System Information:
> Debian Release: jessie/sid
> APT prefers unstable
> APT policy: (501, 'unstable'), (500, 'testing'), (101, 'experimental')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 3.13-1-amd64 (SMP w/8 CPU cores)
> Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash

-- 
http://wiki.debian.org/FAQsFromDebianUser
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic
http://nuvreauspam.ro/gpg-transition.txt

