From 24ebb2238492a25da4287ce53ba815c896238135 Mon Sep 17 00:00:00 2001
From: Paul Wouters
Date: Thu, 19 Sep 2013 10:25:20 -0400
Subject: [PATCH] unbound.conf: also add outgoing-port-avoid: 0-32767 to ensure we don't hit the SElinux restrictions of ephemeral ports
---
 unbound.conf | 3 ++-
 unbound.spec | 1 +
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/unbound.conf b/unbound.conf
index ce36ad1..9f48471 100644
--- a/unbound.conf
+++ b/unbound.conf
@@ -80,7 +80,8 @@ server:
 # Use this to make sure unbound does not grab a UDP port that some
 # other server on this computer needs. The default is to avoid
 # IANA-assigned port numbers.
- # outgoing-port-avoid: "3200-3208"
+ # Our SElinux policy does not allow non-ephemeral ports to be used
+ outgoing-port-avoid: 0-32767

 # number of outgoing simultaneous tcp buffers to hold per thread.
 # outgoing-num-tcp: 10
diff --git a/unbound.spec b/unbound.spec
index e614e48..7b74dc2 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -282,6 +282,7 @@ exit 0
 - Enabled new max-udp-size: 3072 (so ANY isc.org won't fit)
 - Removed patched merged in by upstream
 - Enable statistics-cumulative for munin-plugin
+- Added outgoing-port-avoid: 0-32767 conformant to SElinux restrictions
 - Updated unbound.conf

 * Mon Aug 26 2013 Tomas Hozza - 1.4.20-19
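Review bot: In the unbound.conf hunk, the comment added above `outgoing-port-avoid: 0-32767` gives the SELinux reason but not the cost of the setting. The directive is now active rather than a commented example, and it confines outgoing query source ports to 32768-65535, roughly half of the port space, which shrinks the pool used for source-port randomisation against spoofed answers. I would record that next to the setting, e.g. `# SELinux policy only permits ephemeral source ports; this narrows the source-port randomisation range, so change it only together with the policy`. The value also assumes the policy's permitted range starts at 32768 and runs to 65535; neither bound is visible in this patch and both are worth confirming against the shipped policy. The `server:` block starts and ends outside the hunk.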