F9: Problems with named logging files
Paul Howarth
paul at city-fan.org
Thu Jul 10 06:33:41 UTC 2008
On Wed, 09 Jul 2008 18:53:05 -0700
Dan Thurman <dant at cdkkt.com> wrote:
> I have not been able to solve this issue but was able to 'get around'
> it via F8.
>
> Below is the named.conf, just for the logging group:
> =========================================
> logging {
> channel my_syslog { file "/var/log/named/named.log" versions 25;
> severity info;
> print-category yes;
> print-time yes;
> };
> channel my_lame { file "/var/log/named/lame.log" versions 25;
> severity info;
> print-category yes;
> print-time yes;
> // size 50M;
> };
> channel my_xfer { file "/var/log/named/xfer.log" versions 25;
> severity info;
> print-category yes;
> print-time yes;
> // size 50M;
> };
> channel my_update { file "/var/log/named/named.update" versions 25;
> severity info;
> print-category yes;
> print-time yes;
> // size 50M;
> };
> channel my_db { file "/var/log/named/db.log" versions 25;
> severity info;
> print-category yes;
> print-time yes;
> // size 50M;
> };
> channel my_query { file "/var/log/named/query.log" versions 25;
> severity info;
> print-category yes;
> print-time yes;
> // size 50M;
> };
> channel my_security { file "/var/log/named/security.log" versions 99;
> severity info;
> print-category yes;
> print-time yes;
> // size 50M;
> };
> channel my_debug { file "/var/log/named/named.debug" versions 20;
> severity dynamic;
> print-category yes;
> print-time yes;
> // size 50M;
> };
>
> category security { my_security; };
> category default { my_syslog; };
> category queries { my_query; };
> category lame-servers { my_lame; };
> category update { my_update; };
> // category db { my_db; };
> category xfer-in { my_xfer; };
> category xfer-out { my_xfer; };
> // category packet { null; };
> // category eventlib { my_syslog; };
>
> };
> =========================================
> Please note that the pathname is chrooted and is actually
> found in: /var/named/chroot/var/log/named and the files
> are initially set there with proper context of named_log_t
> and the directory permissions set with user named with
> access and context set accordingly.
>
> Below is the selinux complaint:
> =========================================
> From: /var/log/messages:
> -------------------------------
> Jul 9 18:43:27 bronze named[10903]: unable to rename log file
> '/var/log/named/named.log' to '/var/log/named/named.log.0':
> permission denied
> Jul 9 18:43:27 bronze setroubleshoot: SELinux is preventing named
> (named_t) "write" to ./named (named_conf_t). For complete SELinux
> messages. run sealert -l ebd583dd-e96e-49ad-b6ce-72eda7273b09
>
> # sealert -l ebd583dd-e96e-49ad-b6ce-72eda7273b09
> =========================================
> Summary:
>
> SELinux is preventing named (named_t) "write" to ./named
> (named_conf_t).
>
> Detailed Description:
>
> SELinux denied access requested by named. It is not expected that
> this access is required by named and this access may signal an
> intrusion attempt. It is also possible that the specific version or
> configuration of the application is causing it to require additional
> access.
>
> Allowing Access:
>
> Sometimes labeling problems can cause SELinux denials. You could try
> to restore the default system file context for ./named,
>
> restorecon -v './named'
>
> If this does not work, there is currently no automatic way to allow
> this access. Instead, you can generate a local policy module to allow
> this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
> disable SELinux protection altogether. Disabling SELinux protection is
> not recommended. Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this
> package.
>
> Additional Information:
>
> Source Context unconfined_u:system_r:named_t:s0
> Target Context system_u:object_r:named_conf_t:s0
> Target Objects ./named [ dir ]
> Source named
> Source Path /usr/sbin/named
> Port <Unknown>
> Host bronze.cdkkt.com
> Source RPM Packages bind-9.5.0-32.rc1.fc9
> Target RPM Packages
> Policy RPM selinux-policy-3.3.1-74.fc9
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name catchall_file
> Host Name bronze.cdkkt.com
> Platform Linux bronze.cdkkt.com
> 2.6.25.9-76.fc9.i686 #1 SMP
> Fri Jun 27 16:14:35 EDT 2008 i686 i686
> Alert Count 1
> First Seen Wed Jul 9 18:43:27 2008
> Last Seen Wed Jul 9 18:43:27 2008
> Local ID ebd583dd-e96e-49ad-b6ce-72eda7273b09
> Line Numbers
>
> Raw Audit Messages
>
> host=bronze.cdkkt.com type=AVC msg=audit(1215654207.611:139): avc:
> denied { write } for pid=10904 comm="named" name="named" dev=sda6
> ino=2023442 scontext=unconfined_u:system_r:named_t:s0
> tcontext=system_u:object_r:named_conf_t:s0 tclass=dir
>
> host=bronze.cdkkt.com type=SYSCALL msg=audit(1215654207.611:139):
> arch=40000003 syscall=38 success=no exit=-13 a0=b547a4e8 a1=b7ee488a
> a2=4932fc a3=b7ee488a items=0 ppid=10902 pid=10904 auid=500 uid=25
> gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none)
> ses=2 comm="named" exe="/usr/sbin/named"
> subj=unconfined_u:system_r:named_t:s0 key=(null)
> =========================================
>
> I have tried changing the context, permissions, restorecon and
> nothing seemed to help.
>
> Advice please?
Does this help?
# chcon -R -t named_log_t /var/named/chroot/var/log/named
Paul.
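The raw AVC line in Dan's sealert output already names the mismatch Paul's chcon fixes: named (named_t) was denied "write" on a directory labelled named_conf_t, while log rotation needs the directory to carry named_log_t. The script below is an added example for this thread, not code from either poster or from the bind/selinux-policy packages. It pulls the source type, denied permission, object class and target type out of an AVC record and reports whether the target already has the expected log type. The AVC_SAMPLE line is constructed from the message quoted above; AVC_OK_SAMPLE is the same record with the target relabelled as named_log_t, and EXPECTED_LOG_TYPE is an assumption taken from Paul's suggested chcon.

```sh
#!/bin/sh
# Added example, not part of the original thread: pick apart an AVC denial
# and check whether the denied object carries the type named writes logs to.

# Constructed from the AVC record Dan quoted (target dir labelled named_conf_t).
AVC_SAMPLE='host=bronze.cdkkt.com type=AVC msg=audit(1215654207.611:139): avc: denied { write } for pid=10904 comm="named" name="named" dev=sda6 ino=2023442 scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=dir'
# Constructed variant: what the same record would look like after relabelling.
AVC_OK_SAMPLE='host=bronze.cdkkt.com type=AVC msg=audit(1215654207.611:140): avc: denied { write } for pid=10904 comm="named" name="named" dev=sda6 ino=2023442 scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:named_log_t:s0 tclass=dir'

# Assumed expected type for the named log directory (Paul's chcon target).
EXPECTED_LOG_TYPE=named_log_t

# avc_field LINE KEY -> value of the KEY=value token, surrounding quotes stripped.
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' \
        | sed -n "s/^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}\$/\1/p" | head -n 1
}

# avc_perms LINE -> the permission(s) listed between "denied {" and "}".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied {\([^}]*\)}.*/\1/p' \
        | sed 's/^ *//; s/ *$//'
}

# context_type CONTEXT -> the type component (third field) of user:role:type:level.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary LINE -> "source_type perm tclass target_type"
avc_summary() {
    _src=$(context_type "$(avc_field "$1" scontext)")
    _tgt=$(context_type "$(avc_field "$1" tcontext)")
    printf '%s %s %s %s\n' "$_src" "$(avc_perms "$1")" "$(avc_field "$1" tclass)" "$_tgt"
}

# log_target_ok LINE -> exit 0 when the denied object already has the
# expected log type, 1 when it is labelled something else (relabel needed).
log_target_ok() {
    [ "$(context_type "$(avc_field "$1" tcontext)")" = "$EXPECTED_LOG_TYPE" ]
}

# dir_type PATH -> type component of a real path's label. Needs GNU stat on an
# SELinux host; included for live use, not exercised by the constructed samples.
dir_type() {
    stat -c %C "$1" 2>/dev/null | cut -d: -f3
}

# Run the checks on the constructed sample when executed directly.
avc_summary "$AVC_SAMPLE"
if log_target_ok "$AVC_SAMPLE"; then
    echo "target already labelled $EXPECTED_LOG_TYPE; look elsewhere for the cause"
else
    echo "target is not $EXPECTED_LOG_TYPE; relabel the log directory and re-check"
fi
```

On a live host, compare dir_type /var/named/chroot/var/log/named against EXPECTED_LOG_TYPE after running Paul's chcon; if the label reverts on a later restorecon, the chroot path still needs a matching file-context rule rather than a one-off chcon.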