Re: Bind and selinux

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Rogelio J. Baucells wrote:

Hi,

I have a server running FC3 + selinux (targeted) and I had some
problems with bind and dynamic DNS updates. This is how I fix it.

The first thing I noticed is that the named server was not able to create the Journal files for the zones I was trying to update

# ls -l /var/named/chroot/var
total 24
drwxr-x---  4 root  named 4096 Dec  1 14:42 named
drwxrwx---  3 root  named 4096 Nov 16 11:50 run
drwxrwx---  2 named named 4096 Mar 13  2003 tmp

because the user "named" (the one running the daemon) did not have
access to create new files inside the named folder. I think this is a
problem in the bind-chroot rmp package. I ran the following command to give the user named access to create new files inside the named folder


# chmod 770 /var/named/chroot/var/named
# ls -l /var/named/chroot/var
total 24
drwxrwx---  4 root  named 4096 Dec  1 14:42 named
drwxrwx---  3 root  named 4096 Nov 16 11:50 run
drwxrwx---  2 named named 4096 Mar 13  2003 tmp

That fixed the problem. Now selinux!!!

When I try to update one of the zones I get the following error in
/var/log/messages

----------------------------------------------------------------------
Dec  1 14:56:01 server named[22580]: client 127.0.0.1#32867: updating
zone 'example.com/IN': adding an RR

Dec  1 14:56:01 server named[22580]: client 127.0.0.1#32867: updating
zone 'example.com/IN': adding an RR

Dec  1 14:56:01 server named[22580]: journal file example.com.zone.jnl
does not exist, creating it

Dec  1 14:56:01 server named[22580]: example.com.zone.jnl: create:
permission denied

Dec  1 14:56:01 server kernel: audit(1101930961.025:0): avc:  denied  {
write } for  pid=22581 exe=/usr/sbin/named name=named dev=dm-0
ino=293768 scontext=root:system_r:named_t
tcontext=system_u:object_r:named_zone_t tclass=dir

Dec  1 14:56:01 server named[22580]: client 127.0.0.1#32867: updating
zone 'example.com/IN': error: journal open failed: unexpected error
----------------------------------------------------------------------

I ran the "Security Level Configuration" tool and enabled "Allow named to overwrite master zone files" and that fixed the problem.

Without the ACL modifications of the folder /var/named/chroot/var/named the setting in the "Security Level Configuration" is useless. I hope this information helps somebody having the same problems...

RJB

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-selinux-list

I think the prefered setup is to have the jnl files written to the var/named/run directory.


Dan


[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux