Bind and selinux

Daniel J Walsh dwalsh at redhat.com
Thu Dec 2 18:36:35 UTC 2004


Rogelio J. Baucells wrote:

> Daniel J Walsh wrote:
>
>> Rogelio J. Baucells wrote:
>>
>>> Hi,
>>>
>>> I have a server running FC3 + selinux (targeted) and I had some
>>> problems with bind and dynamic DNS updates. This is how I fixed it.
>>>
>>> The first thing I noticed is that the named server was not able to 
>>> create the Journal files for the zones I was trying to update
>>>
>>> # ls -l /var/named/chroot/var
>>> total 24
>>> drwxr-x---  4 root  named 4096 Dec  1 14:42 named
>>> drwxrwx---  3 root  named 4096 Nov 16 11:50 run
>>> drwxrwx---  2 named named 4096 Mar 13  2003 tmp
>>>
>>> because the user "named" (the one running the daemon) did not have
>>> access to create new files inside the named folder. I think this is a
>>> problem in the bind-chroot rpm package. I ran the following command
>>> to give the user named access to create new files inside the named 
>>> folder
>>>
>>> # chmod 770 /var/named/chroot/var/named
>>> # ls -l /var/named/chroot/var
>>> total 24
>>> drwxrwx---  4 root  named 4096 Dec  1 14:42 named
>>> drwxrwx---  3 root  named 4096 Nov 16 11:50 run
>>> drwxrwx---  2 named named 4096 Mar 13  2003 tmp
>>>
>>> That fixed the problem. Now selinux!!!
>>>
>>> When I try to update one of the zones I get the following error in
>>> /var/log/messages
>>>
>>> ----------------------------------------------------------------------
>>> Dec  1 14:56:01 server named[22580]: client 127.0.0.1#32867: updating
>>> zone 'example.com/IN': adding an RR
>>>
>>> Dec  1 14:56:01 server named[22580]: client 127.0.0.1#32867: updating
>>> zone 'example.com/IN': adding an RR
>>>
>>> Dec  1 14:56:01 server named[22580]: journal file example.com.zone.jnl
>>> does not exist, creating it
>>>
>>> Dec  1 14:56:01 server named[22580]: example.com.zone.jnl: create:
>>> permission denied
>>>
>>> Dec  1 14:56:01 server kernel: audit(1101930961.025:0): avc:  denied  {
>>> write } for  pid=22581 exe=/usr/sbin/named name=named dev=dm-0
>>> ino=293768 scontext=root:system_r:named_t
>>> tcontext=system_u:object_r:named_zone_t tclass=dir
>>>
>>> Dec  1 14:56:01 server named[22580]: client 127.0.0.1#32867: updating
>>> zone 'example.com/IN': error: journal open failed: unexpected error
>>> ----------------------------------------------------------------------
>>>
>>> I ran the "Security Level Configuration" tool and enabled "Allow 
>>> named to overwrite master zone files" and that fixed the problem.
>>>
>>> Without the ACL modifications of the folder 
>>> /var/named/chroot/var/named the setting in the "Security Level 
>>> Configuration" is useless. I hope this information helps somebody 
>>> having the same problems...
>>>
>>> RJB
>>>
>>> -- 
>>> fedora-selinux-list mailing list
>>> fedora-selinux-list at redhat.com
>>> http://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>
>>
>>
>> I think the preferred setup is to have the jnl files written to the
>> var/named/run directory.
>>
>> Dan
>>
>
> Hi,
>
> Is there a setting in the named.conf to do that? I think the default 
> is to store the jnl files in the same location as the zone files.
>
Yes, I was wrong. Jason explained to me what is going on, so I believe
you set it up correctly to handle your situation.

> RJB
>
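The thread diagnoses two independent controls on the same directory: the DAC mode bits seen in the `ls -l` output (group `named` lacked write on `/var/named/chroot/var/named`) and the SELinux type enforcement seen in the `avc: denied` line (`named_t` writing to a `named_zone_t` directory). Below is an added example, not code from the thread or from the bind/selinux packages, that parses both kinds of evidence so a triage script can tell which layer is blocking the journal file. The sample `ls -l` and AVC lines are constructed to match those quoted above. The mapping of the "Allow named to overwrite master zone files" checkbox to the `named_write_master_zones` boolean is my identification from the targeted policy, not something stated in the thread.

```shell
#!/bin/sh
# Triage helpers for the "named cannot create .jnl" symptom described in the thread.
# Constructed sample input, modelled on the AVC denial quoted in the post.
SAMPLE_AVC='Dec  1 14:56:01 server kernel: audit(1101930961.025:0): avc:  denied  { write } for  pid=22581 exe=/usr/sbin/named name=named dev=dm-0 ino=293768 scontext=root:system_r:named_t tcontext=system_u:object_r:named_zone_t tclass=dir'
# Constructed sample ls -l line, as before the chmod in the post.
SAMPLE_LS='drwxr-x---  4 root  named 4096 Dec  1 14:42 named'

# avc_field LINE KEY -> value of the "KEY=value" token in an AVC line
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[ ]$2=\([^ ]*\).*/\1/p"
}

# avc_perm LINE -> the denied permission inside the braces, e.g. "write"
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied  *{ *\([^ }]*\) *}.*/\1/p'
}

# avc_type CONTEXT -> the type component of user:role:type[:level]
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_triage LINE -> one-line classification of the denial
avc_triage() {
    perm=$(avc_perm "$1")
    stype=$(avc_type "$(avc_field "$1" scontext)")
    ttype=$(avc_type "$(avc_field "$1" tcontext)")
    tclass=$(avc_field "$1" tclass)
    case "$stype:$ttype:$tclass:$perm" in
        named_t:named_zone_t:dir:write|named_t:named_zone_t:dir:add_name|named_t:named_zone_t:file:write)
            # Assumption: this is the boolean behind the GUI checkbox in the post.
            echo "MAC: named_t writing into named_zone_t; check 'getsebool named_write_master_zones'"
            ;;
        *)
            echo "unclassified: $stype -> $ttype:$tclass $perm"
            ;;
    esac
}

# ls_group_can_write LS_LINE -> "yes" if the group write bit is set, else "no"
# The mode string is field 1; character 6 is the group write position.
ls_group_can_write() {
    mode=$(printf '%s\n' "$1" | awk '{print $1}')
    case $(printf '%s' "$mode" | cut -c6) in
        w) echo yes ;;
        *) echo no ;;
    esac
}

# dac_triage LS_LINE -> states whether the DAC layer alone would deny named
dac_triage() {
    if [ "$(ls_group_can_write "$1")" = yes ]; then
        echo "DAC: group may write; a remaining denial is coming from SELinux"
    else
        echo "DAC: group lacks write; named is denied before SELinux is consulted"
    fi
}

# Stand-alone run over the constructed samples.
dac_triage "$SAMPLE_LS"
avc_triage "$SAMPLE_AVC"
```

Run it against real data with `ls -ld /var/named/chroot/var/named` and `grep 'avc:  denied' /var/log/messages`; as the post found, both layers must permit the write, since fixing only the boolean leaves the DAC denial in place and fixing only the mode bits leaves the AVC denial.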
