Bind and selinux

Rogelio J. Baucells rj at baucells.net
Thu Dec 2 14:53:26 UTC 2004


Daniel J Walsh wrote:
> Rogelio J. Baucells wrote:
> 
>> Hi,
>>
>> I have a server running FC3 + selinux (targeted) and I had some
>> problems with bind and dynamic DNS updates. This is how I fixed it.
>>
>> The first thing I noticed is that the named server was not able to 
>> create the Journal files for the zones I was trying to update
>>
>> # ls -l /var/named/chroot/var
>> total 24
>> drwxr-x---  4 root  named 4096 Dec  1 14:42 named
>> drwxrwx---  3 root  named 4096 Nov 16 11:50 run
>> drwxrwx---  2 named named 4096 Mar 13  2003 tmp
>>
>> because the user "named" (the one running the daemon) did not have
>> access to create new files inside the named folder. I think this is a
>> problem in the bind-chroot rpm package. I ran the following command to 
>> give the user named access to create new files inside the named folder
>>
>> # chmod 770 /var/named/chroot/var/named
>> # ls -l /var/named/chroot/var
>> total 24
>> drwxrwx---  4 root  named 4096 Dec  1 14:42 named
>> drwxrwx---  3 root  named 4096 Nov 16 11:50 run
>> drwxrwx---  2 named named 4096 Mar 13  2003 tmp
>>
>> That fixed the problem. Now selinux!!!
>>
>> When I try to update one of the zones I get the following error in
>> /var/log/messages
>>
>> ----------------------------------------------------------------------
>> Dec  1 14:56:01 server named[22580]: client 127.0.0.1#32867: updating
>> zone 'example.com/IN': adding an RR
>>
>> Dec  1 14:56:01 server named[22580]: client 127.0.0.1#32867: updating
>> zone 'example.com/IN': adding an RR
>>
>> Dec  1 14:56:01 server named[22580]: journal file example.com.zone.jnl
>> does not exist, creating it
>>
>> Dec  1 14:56:01 server named[22580]: example.com.zone.jnl: create:
>> permission denied
>>
>> Dec  1 14:56:01 server kernel: audit(1101930961.025:0): avc:  denied  {
>> write } for  pid=22581 exe=/usr/sbin/named name=named dev=dm-0
>> ino=293768 scontext=root:system_r:named_t
>> tcontext=system_u:object_r:named_zone_t tclass=dir
>>
>> Dec  1 14:56:01 server named[22580]: client 127.0.0.1#32867: updating
>> zone 'example.com/IN': error: journal open failed: unexpected error
>> ----------------------------------------------------------------------
>>
>> I ran the "Security Level Configuration" tool and enabled "Allow named 
>> to overwrite master zone files" and that fixed the problem.
>>
>> Without the ACL modifications of the folder 
>> /var/named/chroot/var/named the setting in the "Security Level 
>> Configuration" is useless. I hope this information helps somebody 
>> having the same problems...
>>
>> RJB
>>
>> -- 
>> fedora-selinux-list mailing list
>> fedora-selinux-list at redhat.com
>> http://www.redhat.com/mailman/listinfo/fedora-selinux-list
> 
> 
> I think the preferred setup is to have the jnl files written to the 
> var/named/run directory.
> 
> Dan
> 
Hi,

Is there a setting in the named.conf to do that? I think the default is 
to store the jnl files in the same location as the zone files.

RJB
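A small triage helper for the two checks this thread walks through, written here as an added example (it is not code from the thread or from the bind-chroot package): it parses the AVC denial line quoted above into its fields, maps the named_t write denial on named_zone_t to the targeted-policy boolean behind the "Allow named to overwrite master zone files" checkbox (the boolean name named_write_master_zones is an assumption on my part), and checks the quoted `ls -l` output for the DAC permission that the boolean cannot replace.

```python
import re

# Constructed sample input, copied from the thread: the `ls -l` entry for the chroot's
# named directory before and after the chmod, and the AVC record from /var/log/messages
# (one line there; only the e-mail wrapped it).
LS_BEFORE = "drwxr-x---  4 root  named 4096 Dec  1 14:42 named"
LS_AFTER = "drwxrwx---  4 root  named 4096 Dec  1 14:42 named"
AVC_LINE = ("Dec  1 14:56:01 server kernel: audit(1101930961.025:0): avc:  denied  { write } for  "
            "pid=22581 exe=/usr/sbin/named name=named dev=dm-0 ino=293768 "
            "scontext=root:system_r:named_t tcontext=system_u:object_r:named_zone_t tclass=dir")

AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$")
LS_RE = re.compile(r"^[d-]([rwx-]{9})[.+]?\s+\d+\s+(\S+)\s+(\S+)\s")

def ctx_type(context):
    """Third field of user:role:type[:level] is the type that policy rules are written on."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else ""

def parse_avc(line):
    """Parse one syslog line; return a dict for an AVC record or None for anything else."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group(1), "perms": m.group(2).split()}
    rec.update(kv.split("=", 1) for kv in m.group(3).split() if "=" in kv)
    rec["stype"] = ctx_type(rec.get("scontext", ""))
    rec["ttype"] = ctx_type(rec.get("tcontext", ""))
    return rec

# Denials for which the targeted policy offers a boolean instead of a custom policy change.
# Assumed: this boolean is the one behind "Allow named to overwrite master zone files".
BOOLEAN_HINTS = {
    ("named_t", "named_zone_t", "dir", "write"): "named_write_master_zones",
    ("named_t", "named_zone_t", "file", "write"): "named_write_master_zones",
}

def suggest_boolean(rec):
    for perm in rec["perms"]:
        hint = BOOLEAN_HINTS.get((rec["stype"], rec["ttype"], rec.get("tclass"), perm))
        if hint:
            return hint
    return None

def dac_allows_create(ls_line, user, groups):
    """DAC is checked before SELinux: creating an entry needs w+x on the directory for `user`."""
    bits, owner, group = LS_RE.match(ls_line).groups()
    off = 0 if owner == user else 3 if group in groups else 6
    return bits[off + 1] == "w" and bits[off + 2] == "x"

def triage(avc_line, ls_line, user="named", groups=("named",)):
    """Both checks together: the boolean alone does nothing while DAC still denies the write."""
    rec = parse_avc(avc_line)
    return {"boolean": suggest_boolean(rec) if rec else None,
            "dac_ok": dac_allows_create(ls_line, user, groups)}
```

Running `triage(AVC_LINE, LS_BEFORE)` reports the boolean to enable together with `dac_ok: False`, which is exactly the state the thread describes before the chmod.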