If anyone else has a similar issue, the problem is with SELinux's built-in 
policies.  Here is the Type Enforcement module I had to build and install.  
Just let me know if you have any questions:

------------------
module pdns_customized 1.0;

require {
        type proc_t;
        type usr_t;
        type pdns_t;
        type unreserved_port_t;
        class udp_socket name_bind;
        class file { map read };
}

#============= pdns_t ==============
allow pdns_t proc_t:file read;
allow pdns_t unreserved_port_t:udp_socket name_bind;
allow pdns_t usr_t:file map;
------------------

Sean

From: Pdns-users <pdns-users-boun...@mailman.powerdns.com> On Behalf Of Sean 
Lair via Pdns-users
Sent: Saturday, June 6, 2020 3:14 PM
To: pdns-users@mailman.powerdns.com
Subject: [Pdns-users] Error binding on UDP port 53 only when slave=yes

Hello!

Our Authoritative PDNS servers are currently using native mode with MariaDB.  We 
are attempting to enable slave=yes (in pdns.conf) but when we do so, we get 
the error below.  ***If we do not have slave=yes configured, then PDNS works 
fine (but not in slave mode of course).***

-----------------------------
Jun  6 19:57:54 ns1 systemd[1]: Starting PowerDNS Authoritative Server...
Jun  6 19:57:54 ns1 pdns_server[8154]: Loading 
'/usr/lib64/pdns/libgmysqlbackend.so'
Jun  6 19:57:54 ns1 pdns_server[8154]: This is a standalone pdns
Jun  6 19:57:54 ns1 pdns_server[8154]: Listening on controlsocket in 
'/var/run/pdns/pdns.controlsocket'
Jun  6 19:57:54 ns1 pdns_server[8154]: UDP server bound to 0.0.0.0:53
Jun  6 19:57:54 ns1 pdns_server[8154]: UDP server bound to [::]:53
Jun  6 19:57:54 ns1 pdns_server[8154]: TCP server bound to 0.0.0.0:53
Jun  6 19:57:54 ns1 pdns_server[8154]: TCP server bound to [::]:53
Jun  6 19:57:54 ns1 pdns_server[8154]: PowerDNS Authoritative Server 4.3.0 (C) 
2001-2020 PowerDNS.COM BV
Jun  6 19:57:54 ns1 pdns_server[8154]: Using 64-bits mode. Built using gcc 
8.3.1 20190507 (Red Hat 8.3.1-4) on Apr  9 2020 19:45:37 by mockbuild@localhost.
Jun  6 19:57:54 ns1 pdns_server[8154]: PowerDNS comes with ABSOLUTELY NO 
WARRANTY. This is free software, and you are welcome to redistribute it 
according to the terms of the GPL version 2.
Jun  6 19:57:54 ns1 pdns_server[8154]: [webserver] Listening for HTTP requests 
on 0.0.0.0:8081
Jun  6 19:57:54 ns1 pdns_server[8154]: Master/slave communicator launching
Jun  6 19:57:54 ns1 pdns_server[8154]: Creating backend connection for TCP
Jun  6 19:57:54 ns1 pdns_server[8154]: About to create 3 backend threads for UDP
Jun  6 19:57:54 ns1 pdns_server[8154]: Exiting because communicator thread died 
with error: Resolver binding to local UDP socket on 0.0.0.0: Permission denied
-----------------------------

It seems that when slave=yes is configured that PDNS drops its privilege level 
before opening its sockets?  If I turn off SELinux we have no issues, but with 
SELinux ON w/o slave=yes we also work without issue...  Here is a line from our 
audit log, confirming that SELinux is blocking listening on port 53 - again 
this blocking only occurs if slave=yes.

-----------------------------
type=AVC msg=audit(1591472511.372:4842): avc:  denied  { name_bind } for  
pid=8081 comm="pdns/comm-main" src=14783 scontext=system_u:system_r:pdns_t:s0 
tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=0
-----------------------------

Let me know if there is anything else I can provide to help. We are on CentOS 8 and 
PowerDNS Authoritative Server 4.3.0.

Thanks!
Sean

_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
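Editor's added example (not part of the thread, not PowerDNS or SELinux project code): the step between the AVC line in the original post and the TE module in the reply is the translation of `avc: denied { perm } ... scontext=... tcontext=... tclass=...` into `allow <source type> <target type>:<class> <perm>;`, which is what audit2allow does. The parser below performs that translation on the thread's own audit line plus three constructed denials (marked as such) that reproduce the other two rules in Sean's module, and it flags grants on catch-all target types. Note what the real audit line says: `src=14783`, i.e. the denied bind is to a high unreserved port, which matches the log's "Resolver binding to local UDP socket" rather than the port 53 listeners that had already bound successfully. The `BROAD_TARGET_TYPES` table is the editor's judgement, not a reference-policy list.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# AVC line taken from the thread (joined onto one line) plus three CONSTRUCTED
# denials that correspond to the other two allow rules in the posted module.
SAMPLE_AVC_LINES = [
    'type=AVC msg=audit(1591472511.372:4842): avc:  denied  { name_bind } for  '
    'pid=8081 comm="pdns/comm-main" src=14783 scontext=system_u:system_r:pdns_t:s0 '
    'tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=0',
    # constructed:
    'type=AVC msg=audit(1591472511.372:4843): avc:  denied  { map } for  pid=8081 '
    'comm="pdns_server" path="/usr/lib64/pdns/libgmysqlbackend.so" dev="dm-0" ino=1 '
    'scontext=system_u:system_r:pdns_t:s0 tcontext=system_u:object_r:usr_t:s0 '
    'tclass=file permissive=0',
    # constructed:
    'type=AVC msg=audit(1591472511.372:4844): avc:  denied  { read } for  pid=8081 '
    'comm="pdns_server" path="/usr/lib64/pdns/libgmysqlbackend.so" dev="dm-0" ino=1 '
    'scontext=system_u:system_r:pdns_t:s0 tcontext=system_u:object_r:usr_t:s0 '
    'tclass=file permissive=0',
    # constructed:
    'type=AVC msg=audit(1591472511.372:4845): avc:  denied  { read } for  pid=8081 '
    'comm="pdns_server" name="meminfo" dev="proc" ino=4026532 '
    'scontext=system_u:system_r:pdns_t:s0 tcontext=system_u:object_r:proc_t:s0 '
    'tclass=file permissive=0',
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Editor's judgement of catch-all target types: an allow on these reaches far
# beyond the single object that triggered the denial and deserves a second look.
BROAD_TARGET_TYPES = {
    "unreserved_port_t": "any port without its own type (ports >= 1024 by default)",
    "usr_t": "every file under /usr that carries no more specific label",
}


@dataclass(frozen=True)
class AvcDenial:
    perms: frozenset
    source_type: str
    target_type: str
    tclass: str
    comm: str
    permissive: bool


def _type_of(context):
    """SELinux context is user:role:type[:level]; the type is the third field."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed SELinux context: {context!r}")
    return parts[2]


def parse_avc(line):
    """Return an AvcDenial for an audit AVC denial line, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return AvcDenial(
        perms=frozenset(m.group("perms").split()),
        source_type=_type_of(fields["scontext"]),
        target_type=_type_of(fields["tcontext"]),
        tclass=fields["tclass"],
        comm=fields.get("comm", ""),
        permissive=fields.get("permissive") == "1",
    )


def aggregate(denials):
    """Merge denials into {(source_type, target_type, class): set(perms)}."""
    rules = defaultdict(set)
    for d in denials:
        rules[(d.source_type, d.target_type, d.tclass)] |= d.perms
    return rules


def _perm_set(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def build_module(denials, name, version="1.0"):
    """Render a minimal TE module in the same shape as the one posted in the thread."""
    rules = aggregate(denials)
    types = sorted({t for src, tgt, _ in rules for t in (src, tgt)})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {_perm_set(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for src in sorted({s for s, _, _ in rules}):
        out.append(f"#============= {src} ==============")
        out += [f"allow {s} {tgt}:{cls} {_perm_set(p)};"
                for (s, tgt, cls), p in sorted(rules.items()) if s == src]
    return "\n".join(out) + "\n"


def review_notes(denials):
    """One note per aggregated rule whose target type is a catch-all type."""
    return [f"allow {s} {t}:{c} {_perm_set(p)}  <- grants {BROAD_TARGET_TYPES[t]}"
            for (s, t, c), p in sorted(aggregate(denials).items()) if t in BROAD_TARGET_TYPES]


if __name__ == "__main__":
    denials = [d for d in map(parse_avc, SAMPLE_AVC_LINES) if d]
    print(build_module(denials, "pdns_customized"))
    print("\n".join(review_notes(denials)))
```

Feeding the real denial from the thread yields exactly the `allow pdns_t unreserved_port_t:udp_socket name_bind;` line Sean ended up with, and `review_notes` flags it: that one rule lets `pdns_t` bind any unlabeled high port, which is what an outgoing resolver socket with an ephemeral source port needs, but it is wider than the single port the denial was about. Running this over the audit log after each restart (rather than once) is the cheap check that no further denials are being swallowed by the new module.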
