Re: Not - Re: New DNS server up and running

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



On Thursday 21 February 2013 11:25:44 Robert Moskowitz wrote:
> On 02/21/2013 04:30 AM, James Hogarth wrote:
> > On 21 February 2013 01:28, Robert Moskowitz <rgm@xxxxxxxxxxxxxxx> 
wrote:
> >> It looks like no system, internal or external could access the
> >> DNS on my new server.  IPTABLES was set for 53 both UDP and TCP.
> >> Firewall was OK. In fact a local system on the same subnet, thus
> >> NOT going through my firewall was denied access to the internal
> >> domain.  Localhost of course works.
> >>
> >> So it is either the Linux firewall and bind port randomization,
> >> or it is SELINUX.  How do I test to find out which?
> >>
> >> Since the new server is on the same IP address as the old, it is
> >> unplugged from the switch.  I can switch back and forth between
> >> to two boxes, only taking the time for ARP table updates.
> >>
> >> So I hope someone can point me to what I have missed.
> >
> > audit2allow -a will tell you if it's selinux ... and specifically
> > what is wrong...
> 
> Great.  I have to make notes on how to test about selinux
>  reporting.
> 
> > A quick test would be getenforce Permissive and restarting bind
> > ...
> 




Hi,

setenforce 0  sets SELinux to permissive
setenforce 1  sets it to enmforcing
sestatus         to check the current status

You can use the following to build a custom SElinux module

#  Generate local policy
grep http  /var/log/audit/audit.log | audit2allow -m myhttp > 
myhttp.te

#  could also use grep  http to just get the http AVC

#  Compile the module
checkmodule -M -m -o local.mod myhttp.te

#  Create the package
semodule_package -o myhttp.pp -m local.mod

#  Load the module into the kernel
semodule -i myhttp.pp

Tony

















_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos


[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]
  Powered by Linux