bugfix unbound-1.4.20-1.el6 bugfix update
Release: Fedora EPEL 6
Update ID: FEDORA-EPEL-2013-5465
Builds: unbound-1.4.20-1.el6 (logs)
Pushed: False
Date Submitted: 2013-04-16 16:57:57
Date Released: 2013-04-17 21:10:38
Submitter: pwouters
Karma: -1
Stable karma: 3
Unstable karma: -3

Mostly a minor bugfix release by upstream, unbound-anchor made more selinux friendly, hardened build

Bugs Fixed
896599 - SELinux is preventing /usr/sbin/unbound-anchor from 'remove_name' accesses on the directory root.anchor.9143-0.
891008 - SELinux is preventing /usr/sbin/unbound from write access on the directory /etc/unbound.
909691 - /etc/unbound should be owned by unbound-libs, not unbound
bodhi - 2013-04-16 16:58:56
This update has been submitted for testing by pwouters.
bodhi - 2013-04-17 20:13:36
This update is currently being pushed to the Fedora EPEL 6 testing updates repository.
bodhi - 2013-04-17 21:46:56
This update has been pushed to testing
pwouters - 2013-04-19 14:18:43
This update has been unpushed
alexanderhunt - 2013-06-06 06:39:54
After 2 days of fighting with unbound to get a local caching/recursive server up with full DNSSEC, here's what I came up with. The permissions I had to put on the 2 files listed below are ridiculous, but for now it works and I have a lot of faith in my iptables.
(unbound version 1.4.19-1.el6 x86_64 -- works with procedures outlined below)
(unbound version 1.4.20-1.el6 x86_64 -- could not get rid of access denied to root.key, therefore DNSSEC wouldn't work either, even with specific DNSSEC servers listed in unbound.conf)
root.key is in /var/lib/unbound (by default now). cd to that directory and do:
    ln -P root.key /etc/unbound/root.key
cd to /etc/unbound. I did:
    chown -rv unbound:root roothints (this is a folder I created for the root-hints file)
    chmod 7777 roothints
    chown -v unbound:root rootkey
    chmod 7777 root.key
That got rid of the cannot write/read problem I was having on those 2 files.
Doing the recommended (?) SELinux fix:
    # grep unbound /var/log/audit/audit.log | audit2allow -M mypol
    # semodule -i mypol.pp
stopped the SELinux denials (checked through audit.log quite carefully for more denials as I was working on this).
Also (for more info), /etc/unbound is owner:(root:root) and "nameserverconfig" SELinux context.
I hope that helps nail this down, or at least helps someone having the same problems. Contact me if you need more info; I used to help Daniel and Miroslav on SELinux problems I encountered when I was running Fedora releases. Now I use Scientific-Linux 6.4, the completely CERN version. I can always do a VM for testing, since I don't want to play with the server anymore...hahaha!
Best regards,
Alexander Hunt
bodhi - 2013-09-19 17:17:35
This update has been obsoleted by
