
(Centos 8) SELinux preventing pdns_server from name_bind access on the udp_socket port (random high port) #93

Open
ghost opened this issue Dec 3, 2020 · 0 comments


ghost commented Dec 3, 2020

  • Program: Authoritative, pdns-ansible
  • Issue type: Bug report

Short description

SELinux (permissive) complains that, if enforcing, it would not allow pdns_server to bind to the random high v4/v6 UDP query/notify sockets.

Environment

  • Operating system: CentOS 8 Stream
  • Software version: pdns: pdns-4.3.1-1.el8, pdns-ansible: f0ac78c
  • Software source: EPEL (pdns), github (pdns-ansible)

Steps to reproduce

  1. use pdns-ansible to install pdns on CentOS 8
  2. SELinux targeted, permissive or enforcing
  3. Start pdns service

Expected behaviour

No SELinux complaints in journal

Actual behaviour

message in systemd journal:

SELinux is preventing /usr/sbin/pdns_server from name_bind access on the udp_socket port 12023

Other information

UPDATE: tracing the Ansible run, .../tasks/selinux.yml is called and the 'allow pdns to bind to udp high ports' seport task runs, but it seems not to have the desired effect.

From freenode/#selinux, a working solution seems to be something to the effect of:

```sh
echo '(allow pdns_t unreserved_port_type (udp_socket (name_bind)))' > mypdnsfix.cil && sudo semodule -i mypdnsfix.cil
```

I'm not sure how to refine that to limit the range to 10000-20000 as listed in selinux.yml.

My Ansible-fu is not sufficiently strong to submit a PR at this time.
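The IRC rule quoted above grants pdns_t name_bind on every port carrying the unreserved_port_type attribute. The script below is an added example, not code from the issue, pdns-ansible or PowerDNS: it narrows the grant to a dedicated port type and then labels the 10000-20000 range mentioned for selinux.yml with that type. It assumes pdns_t exists in the loaded policy (the quoted rule relies on it); the type name pdns_udp_port_t, the module name pdns_udp_ports and the `apply` entry point are choices made here, not names from the page.

```shell
#!/bin/sh
# Added example, not from the issue, pdns-ansible or PowerDNS.
# Builds a CIL module that lets pdns_t name_bind UDP sockets only to ports
# carrying a dedicated port type, then labels one high-port range with it.
# Assumptions: pdns_t exists in the loaded policy; the names below are ours.
set -eu

PORT_TYPE=pdns_udp_port_t   # assumed name, not from the page
MODULE=pdns_udp_ports       # assumed module name

# Pull the port number out of a journal/setroubleshoot line like the one in
# the issue, so the denial can be checked against the range before relabeling.
denied_port() {
    printf '%s\n' "$1" | sed -n 's/.*udp_socket port \([0-9][0-9]*\).*/\1/p'
}

# A usable range: numeric, inside the unprivileged port space, low <= high.
check_range() {
    low=$1 high=$2
    case "$low"  in ''|*[!0-9]*) return 1 ;; esac
    case "$high" in ''|*[!0-9]*) return 1 ;; esac
    [ "$low" -ge 1024 ] && [ "$high" -le 65535 ] && [ "$low" -le "$high" ]
}

# True when port $1 lies in [$2, $3].
in_range() { [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]; }

# CIL source: declare the port type, give it the attributes that
# 'semanage port -a' requires (port_type) and that the policy uses for high
# ports (unreserved_port_type), and grant pdns_t name_bind on it only.
# The roletype line is harmless if the policy already associates object_r.
gen_cil() {
    cat <<EOF
(type $PORT_TYPE)
(roletype object_r $PORT_TYPE)
(typeattributeset port_type ($PORT_TYPE))
(typeattributeset unreserved_port_type ($PORT_TYPE))
(allow pdns_t $PORT_TYPE (udp_socket (name_bind)))
EOF
}

# Install the module and label the range; only runs when asked for explicitly.
apply() {
    low=$1 high=$2
    check_range "$low" "$high" || { echo "bad range $low-$high" >&2; return 1; }
    gen_cil > "$MODULE.cil"
    semodule -i "$MODULE.cil"
    semanage port -a -t "$PORT_TYPE" -p udp "$low-$high"
    # Confirm the label is now in the active port mapping.
    semanage port -l | grep "$PORT_TYPE"
}

if [ "${1:-}" = apply ]; then
    apply "${2:-10000}" "${3:-20000}"
fi
```

Run it as root on the host with `sh pdns-ports.sh apply 10000 20000`; with no arguments it only defines the functions. One caveat worth checking before relying on the range: the kernel takes the first matching portcon and CIL sorts narrower ranges first, so any port inside 10000-20000 that the base policy already labels with a service-specific type keeps that label and pdns_t will still be denied there (`semanage port -l` shows such entries). The broader unreserved_port_type rule quoted above does not have that gap, at the cost of opening every unreserved port.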
