Bug #30849

Cleanup DNS rules

Added by Lukas Zapletal about 1 year ago. Updated about 1 year ago.

Status: New
Priority: Normal
Category: General Foreman
Target version: -
Difficulty:
Triaged: Yes
Bugzilla link:
Pull request:
Fixed in Releases:
Found in Releases:

Description

We allow bind of all ports while we should probably only allow high ports. This was allowed in #8030.


Related issues

Related to SELinux - Bug #8030: Permission denied - bind(2) on DNS lookup when creating a host (Closed, 2014-10-22)

History

#1 Updated by Lukas Zapletal about 1 year ago

  • Related to Bug #8030: Permission denied - bind(2) on DNS lookup when creating a host added

#2 Updated by Lukas Zapletal about 1 year ago

I think we still need those rules, though. This is in `dnsmasq.te`, a DNS server:

```
corenet_all_recvfrom_netlabel(dnsmasq_t)
corenet_tcp_sendrecv_generic_if(dnsmasq_t)
corenet_udp_sendrecv_generic_if(dnsmasq_t)
corenet_raw_sendrecv_generic_if(dnsmasq_t)
corenet_tcp_sendrecv_generic_node(dnsmasq_t)
corenet_udp_sendrecv_generic_node(dnsmasq_t)
corenet_raw_sendrecv_generic_node(dnsmasq_t)
corenet_tcp_sendrecv_all_ports(dnsmasq_t)
corenet_udp_sendrecv_all_ports(dnsmasq_t)
corenet_tcp_bind_generic_node(dnsmasq_t)
corenet_udp_bind_generic_node(dnsmasq_t)
```
