Re: Issues setting up a 2nd Private DNS server

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Daniel B. Thurman wrote:
> 
> I am trying to setup a 2nd private DNS server in my private
> network, behind the firewall (with DNS access enabled) and
> I am able to resolve all of my local systems.  However, I have
> some problems. One involves SELinux and the other involved
> forwarding as shown below:
> 
> 1) SELinux errors are reported only when starting/stopping/restarting
>    named.
> ++++++++++++++++++++++++++++++++++++++++++++++
> Source Context                system_u:system_r:named_t:s0
> Target Context                system_u:system_r:unconfined_t:s0
> Target Objects                socket [ unix_stream_socket ]
> Source                        named-checkconf
> Source Path                   /usr/sbin/named-checkconf
> Port                          <Unknown>
> Host                          gold.cdkkt.com
> Source RPM Packages           bind-9.5.0-26.b3.fc8
> Target RPM Packages          Policy RPM                   
> selinux-policy-3.0.8-101.fc8
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall
> Host Name                     gold.cdkkt.com
> Platform                      Linux gold.cdkkt.com 2.6.24.7-92.fc8 #1
> SMP Wed
>                              May 7 16:50:09 EDT 2008 i686 i686
> Alert Count                   4
> First Seen                    Mon 02 Jun 2008 10:00:25 AM PDT
> Last Seen                     Mon 02 Jun 2008 10:01:43 AM PDT
> Local ID                      7faef252-f1ea-4e36-8f51-167799fcb429
> Line Numbers                
> Raw Audit Messages          
> host=gold.cdkkt.com type=AVC msg=audit(1212426103.808:4122): avc: 
> denied  { read write } for  pid=7037 comm="named" path="socket:[874313]"
> dev=sockfs ino=874313 scontext=system_u:system_r:named_t:s0
> tcontext=system_u:system_r:unconfined_t:s0 tclass=unix_stream_socket
> 
> host=gold.cdkkt.com type=SYSCALL msg=audit(1212426103.808:4122):
> arch=40000003 syscall=11 success=yes exit=0 a0=9b05a68 a1=9b05e38
> a2=9b04fe0 a3=0 items=0 ppid=7036 pid=7037 auid=500 uid=0 gid=0 euid=0
> suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="named"
> exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key=(null)
> ++++++++++++++++++++++++++++++++++++++++++++++
> Source Context                system_u:system_r:ndc_t:s0
> Target Context                system_u:system_r:unconfined_t:s0
> Target Objects                socket [ unix_stream_socket ]
> Source                        rndc
> Source Path                   /usr/sbin/rndc
> Port                          <Unknown>
> Host                          gold.cdkkt.com
> Source RPM Packages           bind-9.5.0-26.b3.fc8
> Target RPM Packages          Policy RPM                   
> selinux-policy-3.0.8-101.fc8
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall
> Host Name                     gold.cdkkt.com
> Platform                      Linux gold.cdkkt.com 2.6.24.7-92.fc8 #1
> SMP Wed
>                              May 7 16:50:09 EDT 2008 i686 i686
> Alert Count                   4
> First Seen                    Mon 02 Jun 2008 10:00:23 AM PDT
> Last Seen                     Mon 02 Jun 2008 10:01:43 AM PDT
> Local ID                      cc0e5f4b-aa41-4543-9569-df7d65f83f1c
> Line Numbers                
> Raw Audit Messages          
> host=gold.cdkkt.com type=AVC msg=audit(1212426103.905:4123): avc: 
> denied  { read write } for  pid=7064 comm="rndc" path="socket:[874313]"
> dev=sockfs ino=874313 scontext=system_u:system_r:ndc_t:s0
> tcontext=system_u:system_r:unconfined_t:s0 tclass=unix_stream_socket
> 
> host=gold.cdkkt.com type=SYSCALL msg=audit(1212426103.905:4123):
> arch=40000003 syscall=11 success=yes exit=0 a0=90000d0 a1=9000078
> a2=8fe12e0 a3=0 items=0 ppid=7055 pid=7064 auid=500 uid=0 gid=0 euid=0
> suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="rndc"
> exe="/usr/sbin/rndc" subj=system_u:system_r:ndc_t:s0 key=(null)
> ++++++++++++++++++++++++++++++++++++++++++++++
> Source Context                system_u:system_r:mount_t:s0
> Target Context                system_u:system_r:unconfined_t:s0
> Target Objects                socket [ unix_stream_socket ]
> Source                        umount
> Source Path                   /bin/umount
> Port                          <Unknown>
> Host                          gold.cdkkt.com
> Source RPM Packages           util-linux-ng-2.13.1-2.fc8
> Target RPM Packages          Policy RPM                   
> selinux-policy-3.0.8-101.fc8
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall
> Host Name                     gold.cdkkt.com
> Platform                      Linux gold.cdkkt.com 2.6.24.7-92.fc8 #1
> SMP Wed
>                              May 7 16:50:09 EDT 2008 i686 i686
> Alert Count                   4
> First Seen                    Mon 02 Jun 2008 10:00:25 AM PDT
> Last Seen                     Mon 02 Jun 2008 10:01:43 AM PDT
> Local ID                      439fbb1b-17d2-40b4-9242-744d5d69e303
> Line Numbers                
> Raw Audit Messages          
> host=gold.cdkkt.com type=AVC msg=audit(1212426103.790:4120): avc: 
> denied  { read write } for  pid=7034 comm="mount" path="socket:[874313]"
> dev=sockfs ino=874313 scontext=system_u:system_r:mount_t:s0
> tcontext=system_u:system_r:unconfined_t:s0 tclass=unix_stream_socket
> 
> host=gold.cdkkt.com type=SYSCALL msg=audit(1212426103.790:4120):
> arch=40000003 syscall=11 success=yes exit=0 a0=870e610 a1=86e8fa8
> a2=86eb2e0 a3=0 items=0 ppid=7014 pid=7034 auid=500 uid=0 gid=0 euid=0
> suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="mount"
> exe="/bin/mount" subj=system_u:system_r:mount_t:s0 key=(null)
> ++++++++++++++++++++++++++++++++++++++++++++++
> 
> 2) Forwarders do not work:
> ++++++++++++++++++++++++++++++++++++++++++++++
> ** server can't find msn.com: NXDOMAIN
> ++++++++++++++++++++++++++++++++++++++++++++++
> 
> 
> Please advise,
> Dan
> 
This looks like either a leaked file descriptor, which can be
ingored/dontaudited

Or it could be a redirection of the terminal to a unix_stream_socket.


--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux