Selinux and named

Erik LaBianca erik at totalcirculation.com
Mon Mar 29 23:45:47 UTC 2004



> -----Original Message-----
> From: fedora-devel-list-bounces at redhat.com [mailto:fedora-devel-list-
> bounces at redhat.com] On Behalf Of Ivan Gyurdiev
> Sent: Monday, March 29, 2004 6:35 PM
> To: fedora-devel-list at redhat.com
> Subject: Selinux and named
> 
> Named complains: capset failed whether in enforcing mode or not.
> 
> Online documentation suggests ./configure --disable-linux-caps,
> but I'd like to keep my bind rpm.
> 
> What could be the problem?
> 

Bind automatically tries to escalate its priority, and something
(selinux?) is denying it. I'd like to suggest that the officially
distributed bind be built with --disable-linux-caps. Programs should not
automatically attempt to escalate themselves IMHO. If the process
priority needs to be changed, it should be done in the init script.

This change would also allow fedora's bind to work under a vserver
without modifications, which would certainly make a few of us happy.

You could probably fix this problem by changing the selinux policy, but
I can't help you much there. With vserver, you would need to allow
CAP_SYS_RESOURCE, and I'm guessing the solution under selinux would be
close to that.

--erik
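Added example, not part of this thread: a small Python helper that pulls the capability-class AVC denials for named out of audit output (constructed sample lines embedded below) and renders the candidate policy rule that "changing the selinux policy" would amount to. The AVC line layout and capability numbers are assumptions about a 2004-era 2.6 kernel, not taken from the messages.

```python
import re
from collections import defaultdict

# Constructed sample audit lines standing in for /var/log/messages or
# /var/log/audit/audit.log on a 2004-era SELinux box; not taken from the thread.
# Capability numbers are the real Linux values (8 = CAP_SETPCAP, 23 = CAP_SYS_NICE,
# 24 = CAP_SYS_RESOURCE, 10 = CAP_NET_BIND_SERVICE).
SAMPLE_AUDIT_LOG = """\
audit(1080600000.001:42): avc:  denied  { setpcap } for  pid=1234 comm="named" capability=8 scontext=root:system_r:named_t tcontext=root:system_r:named_t tclass=capability
audit(1080600000.002:43): avc:  denied  { sys_resource } for  pid=1234 comm="named" capability=24 scontext=root:system_r:named_t tcontext=root:system_r:named_t tclass=capability
audit(1080600000.003:44): avc:  denied  { sys_nice } for  pid=1234 comm="named" capability=23 scontext=root:system_r:named_t tcontext=root:system_r:named_t tclass=capability
audit(1080600000.004:45): avc:  denied  { read } for  pid=1234 comm="named" name="named.conf" dev=hda1 ino=12345 scontext=root:system_r:named_t tcontext=system_u:object_r:named_conf_t tclass=file
audit(1080600000.005:46): avc:  denied  { net_bind_service } for  pid=5678 comm="httpd" capability=10 scontext=root:system_r:httpd_t tcontext=root:system_r:httpd_t tclass=capability
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+.*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def capability_denials(log_text):
    """Return {source_type: {CAP_NAME, ...}} for AVC denials in the capability class.

    File and socket denials are ignored; the self-referential capability checks are
    what named's capset() call produces when the policy does not grant them."""
    denied = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("tclass") != "capability":
            continue
        # scontext looks like root:system_r:named_t; the type is the third field.
        stype = m.group("scontext").split(":")[2]
        for perm in m.group("perms").split():
            denied[stype].add("CAP_" + perm.upper())
    return dict(denied)


def policy_rule(stype, cap_names):
    """Render the allow rule that would silence these denials, as a starting point
    for review: each capability should be judged on its own before being granted."""
    perms = " ".join(sorted(c[len("CAP_"):].lower() for c in cap_names))
    return "allow %s self:capability { %s };" % (stype, perms)
```

Run against the sample, the named_t entry lists exactly the capabilities named asked capset() to retain, which is the list to weigh one by one rather than grant wholesale.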