On 04/19/2018 12:19 PM, Tomas Krizek wrote:
> Hi!
> On 2018-04-19 11:24, Martin Sehnoutka wrote:
>> I have a fresh
>> installation of the Knot Resolver on my Fedora 27
>> but it does not work out of the box.
> Short answer:
> $ dnf update selinux-policy
It is still in testing. Anyway, I tried to turn off SELinux, but the
result was the same. Isn't it supposed to work in that case?
Anyway, thanks for your prompt response!
>> The problem is that the user
>> "knot-resolver" cannot bind to a privileged port. Why is the systemd
>> service file using the knot-resolver user? It works just fine when I remove
>> the "User=" option from the service file and add this line to the
>> kres.conf file:
>> user('knot-resolver', 'knot-resolver')
> Long answer:
> The kresd service isn't supposed to bind to any port. Instead, this is
> handled by systemd, which passes kresd.socket to the kresd service. The
> purpose of this is to reduce the attack surface of the service by
> reducing its privileges to the absolute necessities.
> However, there were bugs in selinux-policy [bz1366968, bz1543049] which
> prevented the proper creation of the socket by systemd. When systemd
> fails to provide kresd with a socket, the service falls back to attempting
> to bind to a port, which fails because it doesn't have the needed
> privileges. That's why you see these messages in the log.
> I've encountered this issue before and the log messages are quite
> misleading and don't help to debug the cause of the problem at all. I
> think this is something we should fix, so I've opened an issue [#342]
> for it.
> bz1366968 - https://bugzilla.redhat.com/show_bug.cgi?id=1366968
> bz1543049 - https://bugzilla.redhat.com/show_bug.cgi?id=1543049
> #342 - https://gitlab.labs.nic.cz/knot/knot-resolver/issues/342
--
Martin Sehnoutka | Associate Software Engineer
PGP: 5FD64AF5
UTC+1 (CET)
RED HAT | TRIED. TESTED. TRUSTED.
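To make the "systemd passes the socket, otherwise the daemon falls back to bind()" behaviour from the long answer concrete, here is an added example that is not Knot Resolver code. The environment protocol it reads (LISTEN_PID, LISTEN_FDS, descriptors starting at fd 3) is the real one documented in sd_listen_fds(3); the daemon skeleton, its function names, the UDP fallback and the log wording are assumptions made for the illustration. It shows the part Tomas flags as misleading in kresd: when the fallback path is taken, the log names the real cause (no socket was passed) rather than only the symptom (bind() refused).

```python
"""Socket activation with an honest fallback.

Added example, not Knot Resolver code: the LISTEN_PID/LISTEN_FDS protocol is
the one systemd really uses (see sd_listen_fds(3)); the daemon skeleton,
names and log wording are illustrative assumptions.
"""
import os
import socket

SD_LISTEN_FDS_START = 3  # systemd passes activated sockets starting at fd 3


def inherited_fds(environ, pid, first_fd=SD_LISTEN_FDS_START):
    """Return the descriptors systemd passed to process *pid*, or [].

    systemd sets LISTEN_PID to the service's pid and LISTEN_FDS to the number
    of sockets; they occupy fds first_fd .. first_fd+LISTEN_FDS-1. The pid
    check matters: a child that inherited the environment but not the
    descriptors must not grab fds it does not own.
    """
    try:
        if int(environ.get("LISTEN_PID", "")) != pid:
            return []
        count = int(environ.get("LISTEN_FDS", "0"))
    except ValueError:
        return []
    return list(range(first_fd, first_fd + count))


def bind_udp(addr):
    """Open and bind a UDP socket ourselves (the non-activated path)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.bind(addr)
    except OSError:
        sock.close()
        raise
    return sock


def acquire_listener(environ, pid, fallback_addr,
                     first_fd=SD_LISTEN_FDS_START, log=print):
    """Prefer the socket systemd opened for us; otherwise bind fallback_addr.

    Returns (origin, sock) with origin "systemd" or "bind". The log lines
    are written so that a failed fallback names the cause ("systemd passed
    no socket") and not only the symptom (bind() refused).
    """
    fds = inherited_fds(environ, pid, first_fd)
    if fds:
        sock = socket.socket(fileno=fds[0])  # family/type are read from the fd
        log("listening on fd %d passed by systemd: %s"
            % (fds[0], sock.getsockname()))
        return "systemd", sock
    log("systemd passed no socket (LISTEN_FDS unset or LISTEN_PID != %d); "
        "falling back to bind(%s)" % (pid, fallback_addr))
    try:
        sock = bind_udp(fallback_addr)
    except PermissionError as exc:
        raise PermissionError(
            "bind(%s): %s. A privileged port needs root or CAP_NET_BIND_SERVICE; "
            "under socket activation systemd opens the port instead, so check "
            "the .socket unit first" % (fallback_addr, exc)) from exc
    log("listening on self-bound socket %s" % (sock.getsockname(),))
    return "bind", sock


if __name__ == "__main__":
    # Run directly there are no LISTEN_* variables, so this takes the fallback
    # path; started from a unit with a matching .socket it would take the
    # first. Port 0 lets the kernel pick a free port for the demo; a resolver
    # would ask for port 53, which is where EACCES comes from when the
    # fallback runs unprivileged.
    origin, sock = acquire_listener(os.environ, os.getpid(), ("127.0.0.1", 0))
    print(origin, sock.getsockname())
    sock.close()
```

On a host showing the symptom from this thread, `systemctl status kresd.socket` tells you whether the socket unit came up at all; if it did not, the service's bind() error is the consequence, not the problem to fix.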