Bind and selinux
Daniel J Walsh
dwalsh at redhat.com
Thu Dec 2 18:36:35 UTC 2004
Rogelio J. Baucells wrote:
> Daniel J Walsh wrote:
>
>> Rogelio J. Baucells wrote:
>>
>>> Hi,
>>>
>>> I have a server running FC3 + selinux (targeted) and I had some
>>> problems with bind and dynamic DNS updates. This is how I fix it.
>>>
>>> The first thing I noticed is that the named server was not able to
>>> create the Journal files for the zones I was trying to update
>>>
>>> # ls -l /var/named/chroot/var
>>> total 24
>>> drwxr-x--- 4 root named 4096 Dec 1 14:42 named
>>> drwxrwx--- 3 root named 4096 Nov 16 11:50 run
>>> drwxrwx--- 2 named named 4096 Mar 13 2003 tmp
>>>
>>> because the user "named" (the one running the daemon) did not have
>>> access to create new files inside the named folder. I think this is a
>>> problem in the bind-chroot rmp package. I ran the following command
>>> to give the user named access to create new files inside the named
>>> folder
>>>
>>> # chmod 770 /var/named/chroot/var/named
>>> # ls -l /var/named/chroot/var
>>> total 24
>>> drwxrwx--- 4 root named 4096 Dec 1 14:42 named
>>> drwxrwx--- 3 root named 4096 Nov 16 11:50 run
>>> drwxrwx--- 2 named named 4096 Mar 13 2003 tmp
>>>
>>> That fixed the problem. Now selinux!!!
>>>
>>> When I try to update one of the zones I get the following error in
>>> /var/log/messages
>>>
>>> ----------------------------------------------------------------------
>>> Dec 1 14:56:01 server named[22580]: client 127.0.0.1#32867: updating
>>> zone 'example.com/IN': adding an RR
>>>
>>> Dec 1 14:56:01 server named[22580]: client 127.0.0.1#32867: updating
>>> zone 'example.com/IN': adding an RR
>>>
>>> Dec 1 14:56:01 server named[22580]: journal file example.com.zone.jnl
>>> does not exist, creating it
>>>
>>> Dec 1 14:56:01 server named[22580]: example.com.zone.jnl: create:
>>> permission denied
>>>
>>> Dec 1 14:56:01 server kernel: audit(1101930961.025:0): avc: denied {
>>> write } for pid=22581 exe=/usr/sbin/named name=named dev=dm-0
>>> ino=293768 scontext=root:system_r:named_t
>>> tcontext=system_u:object_r:named_zone_t tclass=dir
>>>
>>> Dec 1 14:56:01 server named[22580]: client 127.0.0.1#32867: updating
>>> zone 'example.com/IN': error: journal open failed: unexpected error
>>> ----------------------------------------------------------------------
>>>
>>> I ran the "Security Level Configuration" tool and enabled "Allow
>>> named to overwrite master zone files" and that fixed the problem.
>>>
>>> Without the ACL modifications of the folder
>>> /var/named/chroot/var/named the setting in the "Security Level
>>> Configuration" is useless. I hope this information helps somebody
>>> having the same problems...
>>>
>>> RJB
>>>
>>> --
>>> fedora-selinux-list mailing list
>>> fedora-selinux-list at redhat.com
>>> http://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>
>>
>>
>> I think the prefered setup is to have the jnl files written to the
>> var/named/run directory.
>>
>> Dan
>>
>> --
>> fedora-selinux-list mailing list
>> fedora-selinux-list at redhat.com
>> http://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
> Hi,
>
> Is there a setting in the named.conf to do that? I think the default
> is to store the jnl files in the same location as the zone files.
>
Yes I was wrong, Jason explained to me what is going on, so I believe
you set it up correctly to handle your situation.
> RJB
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> http://www.redhat.com/mailman/listinfo/fedora-selinux-list
More information about the fedora-selinux-list
mailing list