Bind and selinux

Jason Vas Dias jvdias at redhat.com
Thu Dec 2 15:08:16 UTC 2004


Hi -

Yes, for added security, named must be explicitly
enabled to update its master zone files with the
'named_write_master_zones=1'
setting in /etc/selinux/targeted/booleans
and by granting write access to the 'named' user
for the directory in which dynamically updated
zone files are stored. Named will always create
.jnl files in the same directory as the zone to
be updated.
One solution would be to put the dynamically updated
zones in a 'ddns/' subdirectory of the $ROOTDIR/var/named
and make that directory owned by named:named; then for
each dynamically updated zone X, set the 'file' option
in named.conf to 'ddns/X.db'.
A decision was made not to enable named to write its
zone files by default to prevent attackers gaining
control of the named process being able to change the
zone file contents.

On Thu, 2004-12-02 at 08:48, Daniel J Walsh wrote:
> Rogelio J. Baucells wrote:
> 
> > Hi,
> >
> > I have a server running FC3 + selinux (targeted) and I had some
> > problems with bind and dynamic DNS updates. This is how I fixed it.
> >
> > The first thing I noticed is that the named server was not able to 
> > create the Journal files for the zones I was trying to update
> >
> > # ls -l /var/named/chroot/var
> > total 24
> > drwxr-x---  4 root  named 4096 Dec  1 14:42 named
> > drwxrwx---  3 root  named 4096 Nov 16 11:50 run
> > drwxrwx---  2 named named 4096 Mar 13  2003 tmp
> >
> > because the user "named" (the one running the daemon) did not have
> > access to create new files inside the named folder. I think this is a
> > problem in the bind-chroot rpm package. I ran the following command to 
> > give the user named access to create new files inside the named folder
> >
> > # chmod 770 /var/named/chroot/var/named
> > # ls -l /var/named/chroot/var
> > total 24
> > drwxrwx---  4 root  named 4096 Dec  1 14:42 named
> > drwxrwx---  3 root  named 4096 Nov 16 11:50 run
> > drwxrwx---  2 named named 4096 Mar 13  2003 tmp
> >
> > That fixed the problem. Now selinux!!!
> >
> > When I try to update one of the zones I get the following error in
> > /var/log/messages
> >
> > ----------------------------------------------------------------------
> > Dec  1 14:56:01 server named[22580]: client 127.0.0.1#32867: updating
> > zone 'example.com/IN': adding an RR
> >
> > Dec  1 14:56:01 server named[22580]: client 127.0.0.1#32867: updating
> > zone 'example.com/IN': adding an RR
> >
> > Dec  1 14:56:01 server named[22580]: journal file example.com.zone.jnl
> > does not exist, creating it
> >
> > Dec  1 14:56:01 server named[22580]: example.com.zone.jnl: create:
> > permission denied
> >
> > Dec  1 14:56:01 server kernel: audit(1101930961.025:0): avc:  denied  {
> > write } for  pid=22581 exe=/usr/sbin/named name=named dev=dm-0
> > ino=293768 scontext=root:system_r:named_t
> > tcontext=system_u:object_r:named_zone_t tclass=dir
> >
> > Dec  1 14:56:01 server named[22580]: client 127.0.0.1#32867: updating
> > zone 'example.com/IN': error: journal open failed: unexpected error
> > ----------------------------------------------------------------------
> >
> > I ran the "Security Level Configuration" tool and enabled "Allow named 
> > to overwrite master zone files" and that fixed the problem.
> >
> > Without the ACL modifications of the folder 
> > /var/named/chroot/var/named the setting in the "Security Level 
> > Configuration" is useless. I hope this information helps somebody 
> > having the same problems...
> >
> > RJB
> >
> > -- 
> > fedora-selinux-list mailing list
> > fedora-selinux-list at redhat.com
> > http://www.redhat.com/mailman/listinfo/fedora-selinux-list
> 
> I think the preferred setup is to have the jnl files written to the 
> var/named/run directory.
> 
> Dan
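Jason's suggested layout (a 'ddns/' subdirectory owned by named:named under $ROOTDIR/var/named, with each dynamic zone's 'file' option pointing into it) as an added shell example that is not from the thread or the bind-chroot package. It assumes the FC3 chroot root /var/named/chroot, the daemon user and group 'named', and the boolean name 'named_write_master_zones' given above; the setsebool call and the ROOTDIR/NAMED_USER defaults are assumptions that can be overridden with environment variables. The parent /var/named directory keeps its root:named 0750 ownership, so named can only write the dynamic zones and their .jnl journals, not the static master zones.

```shell
#!/bin/sh
# Added example (not from the thread): lay out a 'ddns/' subdirectory for
# dynamically updated zones, as suggested in Jason's reply.
# Assumptions: ROOTDIR is the bind-chroot root (/var/named/chroot on FC3);
# the daemon runs as user/group 'named'. All three can be overridden.
set -e

ROOTDIR="${ROOTDIR:-/var/named/chroot}"
NAMED_USER="${NAMED_USER:-named}"
NAMED_GROUP="${NAMED_GROUP:-named}"

# Create $ROOTDIR/var/named/ddns owned by the daemon user, leaving the parent
# (root:named, 0750) untouched so static master zones stay read-only to named.
# The directory inherits named_zone_t from its parent, which is what the
# named_write_master_zones boolean permits named_t to write.
setup_ddns_dir() {
    dir="$1/var/named/ddns"
    mkdir -p "$dir"
    chown "$NAMED_USER:$NAMED_GROUP" "$dir"
    chmod 0770 "$dir"
    printf '%s\n' "$dir"
}

# Print the named.conf stanza for one dynamic zone. The 'file' option points
# into ddns/, so the zone file and the .jnl journal named always creates beside
# it both land in the writable directory.
ddns_zone_stanza() {
    zone="$1"
    cat <<EOF
zone "$zone" IN {
    type master;
    file "ddns/$zone.db";
    allow-update { localhost; };
};
EOF
}

# Check the ddns directory: it must exist, be owned by the daemon user and
# carry the owner write bit. Returns 0 when OK, 1 otherwise.
check_ddns_dir() {
    dir="$1/var/named/ddns"
    [ -d "$dir" ] || return 1
    owner=$(ls -ld "$dir" | awk '{print $3}')
    [ "$owner" = "$NAMED_USER" ] || return 1
    wbit=$(ls -ld "$dir" | cut -c3)
    [ "$wbit" = "w" ] || return 1
    return 0
}

# Flip the SELinux boolean persistently (assumed setsebool invocation); only
# attempted when the tool exists, so the script is harmless on non-SELinux hosts.
enable_named_write_master_zones() {
    if command -v setsebool >/dev/null 2>&1; then
        setsebool -P named_write_master_zones=1
    else
        echo "setsebool not found; set named_write_master_zones=1 by hand" >&2
    fi
}

# Apply to the real chroot only when explicitly requested (run as root):
#   DDNS_APPLY=1 sh ddns-setup.sh example.com
if [ "${DDNS_APPLY:-0}" = "1" ]; then
    setup_ddns_dir "$ROOTDIR"
    enable_named_write_master_zones
    for z in "$@"; do ddns_zone_stanza "$z"; done
    check_ddns_dir "$ROOTDIR" && echo "ddns directory OK"
fi
```

Run with DDNS_APPLY=1 as root to create the directory and print the stanzas to paste into named.conf; without it, the functions are defined but nothing on the system is touched. Existing dynamic zone files must be moved into ddns/ (and their stale .jnl files removed) before named is reloaded.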
