Rogelio J. Baucells wrote:
Hi,
I have a server running FC3 + selinux (targeted) and I had some problems with bind and dynamic DNS updates. This is how I fixed it.
The first thing I noticed is that the named server was not able to create the journal files for the zones I was trying to update:

# ls -l /var/named/chroot/var
total 24
drwxr-x--- 4 root  named 4096 Dec  1 14:42 named
drwxrwx--- 3 root  named 4096 Nov 16 11:50 run
drwxrwx--- 2 named named 4096 Mar 13  2003 tmp
because the user "named" (the one running the daemon) did not have access to create new files inside the named folder. I think this is a problem in the bind-chroot rpm package. I ran the following command to give the user named access to create new files inside the named folder:

# chmod 770 /var/named/chroot/var/named
# ls -l /var/named/chroot/var
total 24
drwxrwx--- 4 root  named 4096 Dec  1 14:42 named
drwxrwx--- 3 root  named 4096 Nov 16 11:50 run
drwxrwx--- 2 named named 4096 Mar 13  2003 tmp
That fixed the problem. Now SELinux!!!
When I try to update one of the zones I get the following error in /var/log/messages:
----------------------------------------------------------------------
Dec 1 14:56:01 server named[22580]: client 127.0.0.1#32867: updating zone 'example.com/IN': adding an RR
Dec 1 14:56:01 server named[22580]: client 127.0.0.1#32867: updating zone 'example.com/IN': adding an RR
Dec 1 14:56:01 server named[22580]: journal file example.com.zone.jnl does not exist, creating it
Dec 1 14:56:01 server named[22580]: example.com.zone.jnl: create: permission denied
Dec 1 14:56:01 server kernel: audit(1101930961.025:0): avc: denied { write } for pid=22581 exe=/usr/sbin/named name=named dev=dm-0 ino=293768 scontext=root:system_r:named_t tcontext=system_u:object_r:named_zone_t tclass=dir
Dec 1 14:56:01 server named[22580]: client 127.0.0.1#32867: updating zone 'example.com/IN': error: journal open failed: unexpected error
----------------------------------------------------------------------
I ran the "Security Level Configuration" tool and enabled "Allow named to overwrite master zone files" and that fixed the problem.
Without the ACL modifications of the folder /var/named/chroot/var/named the setting in the "Security Level Configuration" is useless. I hope this information helps somebody having the same problems...
RJB
-- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx http://www.redhat.com/mailman/listinfo/fedora-selinux-list
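As an added example (not code from the original post, from Fedora or from the bind-chroot package), the following POSIX shell script separates the two failures RJB walks through: a plain permission problem (the journal directory's mode bits do not let the user running named create files) and an SELinux denial (the "avc: denied" record, where named_t is refused write on a named_zone_t directory). It runs the mode check on a scratch directory from mktemp rather than the real /var/named, uses GNU stat -c, and assumes that the boolean behind the "Allow named to overwrite master zone files" checkbox is named_write_master_zones, a name the post does not spell out. The two sample log lines are the AVC record and one ordinary named line from the post, embedded here as constructed input.

```shell
#!/bin/sh
# Added example, not code from the original post. Distinguishes a DAC failure
# (directory mode bits) from an SELinux AVC denial before changing either.
# Assumptions: GNU stat -c; the boolean named_write_master_zones is the one
# behind "Allow named to overwrite master zone files" (not named in the post).

# Check 1: can user $2 (member of group $3) create files in directory $1
# according to its mode bits? Owner or group write suffices; "other" write
# counts too. Plain mode-bit check only: POSIX ACLs and capabilities ignored.
dir_writable_by() {
    dir=$1; user=$2; group=$3
    mode=$(stat -c '%a' "$dir") || return 2
    owner=$(stat -c '%U' "$dir")
    grp=$(stat -c '%G' "$dir")
    perm=${mode#${mode%???}}             # last three octal digits: 1770 -> 770
    u=${perm%??}; g=${perm#?}; g=${g%?}; o=${perm#??}
    [ "$owner" = "$user" ]  && case $u in 2|3|6|7) return 0;; esac
    [ "$grp"   = "$group" ] && case $g in 2|3|6|7) return 0;; esac
    case $o in 2|3|6|7) return 0;; esac
    return 1
}

# Check 2: pull the fields that matter out of an "avc: denied" record.
# Prints "<scontext> <tcontext> <tclass> <permissions>" on one line, or
# returns 1 if the line is not an AVC denial (e.g. an ordinary named message).
parse_avc() {
    case $1 in *"avc: denied"*) ;; *) return 1 ;; esac
    perm=$(printf '%s\n' "$1" | sed -n 's/.*denied *{ *\(.*[^ ]\) *}.*/\1/p')
    scontext=$(printf '%s\n' "$1" | sed -n 's/.*scontext=\([^ ]*\).*/\1/p')
    tcontext=$(printf '%s\n' "$1" | sed -n 's/.*tcontext=\([^ ]*\).*/\1/p')
    tclass=$(printf '%s\n' "$1" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
    [ -n "$perm" ] && [ -n "$scontext" ] && [ -n "$tcontext" ] && [ -n "$tclass" ] || return 1
    printf '%s %s %s %s\n' "$scontext" "$tcontext" "$tclass" "$perm"
}

# Names the remedy for the one denial pattern the post shows: the named domain
# (named_t) refused write on a directory labelled named_zone_t. Anything else
# is reported as unhandled rather than guessed at.
explain_avc() {
    fields=$(parse_avc "$1") || return 1
    set -- $fields
    sc=$1; tc=$2; cls=$3; shift 3; perms=$*
    case "$sc,$tc,$cls,$perms" in
        *:named_t,*:named_zone_t,dir,*write*)
            echo "named_t may not write named_zone_t dirs: set boolean named_write_master_zones (or keep journals in a directory named may write)" ;;
        *)
            echo "unhandled denial: $perms on $cls ($sc -> $tc)" ;;
    esac
}

# Constructed sample input: the AVC record from the post and one ordinary named
# line from the same log excerpt, which carries no SELinux information.
SAMPLE_AVC='Dec 1 14:56:01 server kernel: audit(1101930961.025:0): avc: denied { write } for pid=22581 exe=/usr/sbin/named name=named dev=dm-0 ino=293768 scontext=root:system_r:named_t tcontext=system_u:object_r:named_zone_t tclass=dir'
SAMPLE_NAMED='Dec 1 14:56:01 server named[22580]: example.com.zone.jnl: create: permission denied'

# Walk both lines: one is explained, the other is not an AVC record at all.
for line in "$SAMPLE_AVC" "$SAMPLE_NAMED"; do
    explain_avc "$line" || echo "not an AVC record (DAC or application error): $line"
done

# Demonstrate the mode check on a scratch directory, never on /var/named.
scratch=$(mktemp -d)
chmod 750 "$scratch"
if dir_writable_by "$scratch" named "$(id -gn)"; then
    echo "750: group $(id -gn) can create files"
else
    echo "750: group $(id -gn) cannot create files (journal creation would fail)"
fi
chmod 770 "$scratch"
if dir_writable_by "$scratch" named "$(id -gn)"; then
    echo "770: group $(id -gn) can create files"
fi
rmdir "$scratch"
```

Run it as an unprivileged user; the scratch directory is owned by you, so the group check stands in for the root:named ownership in the post. The useful habit is the order: a "create: permission denied" from named with no matching AVC record points at mode bits or ownership, while an AVC record with named_t on named_zone_t points at policy, and only the latter is fixed by the boolean.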
I think the preferred setup is to have the jnl files written to the var/named/run directory.
Dan