Hi - Yes, for added security, named must be explicitly enabled to update its master zone files with the 'named_write_master_zones=1' setting in /etc/selinux/targeted/booleans and by granting write access to the 'named' user for the directory in which dynamically updated zone files are stored. Named will always create .jnl files in the same directory as the zone to be updated.

One solution would be to put the dynamically updated zones in a 'ddns/' subdirectory of $ROOTDIR/var/named and make that directory owned by named:named; then for each dynamically updated zone X, set the 'file' option in named.conf to 'ddns/X.db'.

A decision was made not to enable named to write its zone files by default, to prevent attackers who gain control of the named process from being able to change the zone file contents.

On Thu, 2004-12-02 at 08:48, Daniel J Walsh wrote:
> Rogelio J. Baucells wrote:
>
> > Hi,
> >
> > I have a server running FC3 + selinux (targeted) and I had some
> > problems with bind and dynamic DNS updates. This is how I fixed it.
> >
> > The first thing I noticed is that the named server was not able to
> > create the journal files for the zones I was trying to update
> >
> > # ls -l /var/named/chroot/var
> > total 24
> > drwxr-x---  4 root  named 4096 Dec  1 14:42 named
> > drwxrwx---  3 root  named 4096 Nov 16 11:50 run
> > drwxrwx---  2 named named 4096 Mar 13  2003 tmp
> >
> > because the user "named" (the one running the daemon) did not have
> > access to create new files inside the named folder. I think this is a
> > problem in the bind-chroot rpm package. I ran the following command to
> > give the user named access to create new files inside the named folder
> >
> > # chmod 770 /var/named/chroot/var/named
> > # ls -l /var/named/chroot/var
> > total 24
> > drwxrwx---  4 root  named 4096 Dec  1 14:42 named
> > drwxrwx---  3 root  named 4096 Nov 16 11:50 run
> > drwxrwx---  2 named named 4096 Mar 13  2003 tmp
> >
> > That fixed the problem. Now selinux!!!
> >
> > When I try to update one of the zones I get the following error in
> > /var/log/messages
> >
> > ----------------------------------------------------------------------
> > Dec 1 14:56:01 server named[22580]: client 127.0.0.1#32867: updating zone 'example.com/IN': adding an RR
> >
> > Dec 1 14:56:01 server named[22580]: client 127.0.0.1#32867: updating zone 'example.com/IN': adding an RR
> >
> > Dec 1 14:56:01 server named[22580]: journal file example.com.zone.jnl does not exist, creating it
> >
> > Dec 1 14:56:01 server named[22580]: example.com.zone.jnl: create: permission denied
> >
> > Dec 1 14:56:01 server kernel: audit(1101930961.025:0): avc: denied { write } for pid=22581 exe=/usr/sbin/named name=named dev=dm-0 ino=293768 scontext=root:system_r:named_t tcontext=system_u:object_r:named_zone_t tclass=dir
> >
> > Dec 1 14:56:01 server named[22580]: client 127.0.0.1#32867: updating zone 'example.com/IN': error: journal open failed: unexpected error
> > ----------------------------------------------------------------------
> >
> > I ran the "Security Level Configuration" tool and enabled "Allow named
> > to overwrite master zone files" and that fixed the problem.
> >
> > Without the ACL modifications of the folder
> > /var/named/chroot/var/named the setting in the "Security Level
> > Configuration" is useless. I hope this information helps somebody
> > having the same problems...
> >
> > RJB
> >
> > --
> > fedora-selinux-list mailing list
> > fedora-selinux-list@xxxxxxxxxx
> > http://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
> I think the preferred setup is to have the jnl files written to the
> var/named/run directory.
>
> Dan
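The thread identifies two separate gates that both have to open before named can create a .jnl file: the discretionary permissions on the zone directory, and the SELinux policy (the named_write_master_zones boolean). The script below is an added example, not code from the thread or from the bind or selinux packages. It checks both conditions offline: one function reads the permission bits of a directory the way 'ls -ld' shows them, another counts AVC denials of named_t writing a named_zone_t directory in a log file, and a third combines them into the remediation the thread arrives at. The ZONE_DIR, USER, GROUP and LOGFILE arguments are assumed; the sample log is constructed (the three named/audit lines are copied from the thread, the httpd_t line is made up to show the filter is selective). It does not call any SELinux tool, it only reports which gate is still closed.

```shell
#!/bin/sh
# Added example (not part of the original thread). Checks the two
# prerequisites for dynamic DNS updates discussed above: write access on the
# zone directory for the named user/group, and SELinux AVC denials of
# named_t writing named_zone_t directories. Needs only ls, awk, cut, mktemp.

# Print "ok" (and return 0) if DIR is writable by USER as its owner or by
# GROUP as its group, judged purely from the permission bits in 'ls -ld'.
# Usage: zone_dir_writable DIR USER GROUP
zone_dir_writable() {
    dir=$1; user=$2; group=$3
    set -- $(ls -ld "$dir")            # fields: mode links owner group ...
    mode=$1; owner=$3; grp=$4
    ownerw=$(printf '%s' "$mode" | cut -c3)   # 'w' when the owner may write
    groupw=$(printf '%s' "$mode" | cut -c6)   # 'w' when the group may write
    if [ "$owner" = "$user" ] && [ "$ownerw" = "w" ]; then echo ok; return 0; fi
    if [ "$grp" = "$group" ] && [ "$groupw" = "w" ]; then echo ok; return 0; fi
    echo "no write access for $user/$group on $dir (mode $mode, owner $owner:$grp)"
    return 1
}

# Count AVC lines in LOGFILE where named_t was denied 'write' on a directory
# labelled named_zone_t (exactly the denial shown in the thread).
# Usage: count_named_zone_denials LOGFILE
count_named_zone_denials() {
    awk 'index($0, "avc:") && index($0, "denied") && index($0, "{ write }") &&
         /scontext=[^ ]*:named_t( |$)/ && /tcontext=[^ ]*:named_zone_t( |$)/ &&
         /tclass=dir/ { n++ }
         END { print n + 0 }' "$1"
}

# Constructed sample of /var/log/messages: three lines from the thread plus
# one unrelated denial (httpd_t, tclass=file) that must not be counted.
sample_log() {
    cat <<'EOF'
Dec  1 14:56:01 server named[22580]: journal file example.com.zone.jnl does not exist, creating it
Dec  1 14:56:01 server named[22580]: example.com.zone.jnl: create: permission denied
Dec  1 14:56:01 server kernel: audit(1101930961.025:0): avc:  denied  { write } for  pid=22581 exe=/usr/sbin/named name=named dev=dm-0 ino=293768 scontext=root:system_r:named_t tcontext=system_u:object_r:named_zone_t tclass=dir
Dec  1 14:56:02 server kernel: audit(1101930962.000:0): avc:  denied  { read } for  pid=9999 exe=/usr/sbin/httpd name=index.html dev=dm-0 ino=1 scontext=root:system_r:httpd_t tcontext=system_u:object_r:named_zone_t tclass=file
EOF
}

# Run both checks and print which of the two fixes from the thread is still
# missing. Returns 0 only when both gates are open.
# Usage: diagnose ZONE_DIR USER GROUP LOGFILE
diagnose() {
    status=0
    zone_dir_writable "$1" "$2" "$3" >/dev/null || {
        echo "fix 1: grant $2:$3 write access to $1 (the thread used chown named:named or chmod 770)"
        status=1
    }
    n=$(count_named_zone_denials "$4")
    if [ "$n" -gt 0 ]; then
        echo "fix 2: $n AVC denial(s) of named_t writing a named_zone_t directory;"
        echo "        enable the named_write_master_zones boolean"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "both checks pass"
    return $status
}

# Example invocation against the constructed log (assumed paths):
#   sample_log > /tmp/messages.sample
#   diagnose /var/named/chroot/var/named named named /tmp/messages.sample
```

The directory check deliberately looks only at the mode bits rather than testing with 'touch', so it can be run as root on a production host without creating anything in the zone directory; the AVC filter keys on scontext, tcontext and tclass rather than the PID or inode, so it survives restarts of named.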