F9: Problems with named logging files

Dan Thurman dant at cdkkt.com
Thu Jul 10 01:53:05 UTC 2008


I have not been able to solve this issue but was able to 'get around' it 
via F8.

Below is the named.conf, just for the logging group:
=========================================
logging {
    channel my_syslog { file "/var/log/named/named.log" versions 25;
        severity info;
        print-category yes;
        print-time yes;
    };
    channel my_lame { file "/var/log/named/lame.log" versions 25;
        severity info;
        print-category yes;
        print-time yes;
//        size 50M;
    };
    channel my_xfer { file "/var/log/named/xfer.log" versions 25;
        severity info;
        print-category yes;
        print-time yes;
//        size 50M;
    };
    channel my_update { file "/var/log/named/named.update" versions 25;
        severity info;
        print-category yes;
        print-time yes;
//        size 50M;
    };
    channel my_db { file "/var/log/named/db.log" versions 25;
        severity info;
        print-category yes;
        print-time yes;
//        size 50M;
    };
    channel my_query { file "/var/log/named/query.log" versions 25;
        severity info;
        print-category yes;
        print-time yes;
//        size 50M;
    };
    channel my_security { file "/var/log/named/security.log" versions 99;
        severity info;
        print-category yes;
        print-time yes;
//        size 50M;
    };
    channel my_debug { file "/var/log/named/named.debug" versions 20;
        severity dynamic;
        print-category yes;
        print-time yes;
//        size 50M;
    };
 
    category security { my_security; };
    category default { my_syslog; };
    category queries { my_query; };
    category lame-servers { my_lame; };
    category update { my_update; };
//    category db { my_db; };
    category xfer-in { my_xfer; };
    category xfer-out { my_xfer; };
//    category packet { null; };
//    category eventlib { my_syslog; };
 
};
=========================================
Please note that the pathname is chrooted and is actually
found in: /var/named/chroot/var/log/named and the files
are initially set there with proper context of named_log_t
and the directory permissions set with user named with
access and context set accordingly.

Below is the selinux complaint:
=========================================
From: /var/log/messages:
-------------------------------
  Jul  9 18:43:27 bronze named[10903]: unable to rename log file '/var/log/named/named.log' to '/var/log/named/named.log.0': permission denied
  Jul  9 18:43:27 bronze setroubleshoot: SELinux is preventing named (named_t) "write" to ./named (named_conf_t). For complete SELinux messages. run sealert -l ebd583dd-e96e-49ad-b6ce-72eda7273b09

# sealert -l ebd583dd-e96e-49ad-b6ce-72eda7273b09
=========================================
Summary:

SELinux is preventing named (named_t) "write" to ./named (named_conf_t).

Detailed Description:

SELinux denied access requested by named. It is not expected that this access is
required by named and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./named,

restorecon -v './named'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                unconfined_u:system_r:named_t:s0
Target Context                system_u:object_r:named_conf_t:s0
Target Objects                ./named [ dir ]
Source                        named
Source Path                   /usr/sbin/named
Port                          <Unknown>
Host                          bronze.cdkkt.com
Source RPM Packages           bind-9.5.0-32.rc1.fc9
Target RPM Packages          
Policy RPM                    selinux-policy-3.3.1-74.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     bronze.cdkkt.com
Platform                      Linux bronze.cdkkt.com 2.6.25.9-76.fc9.i686 #1 SMP Fri Jun 27 16:14:35 EDT 2008 i686 i686
Alert Count                   1
First Seen                    Wed Jul  9 18:43:27 2008
Last Seen                     Wed Jul  9 18:43:27 2008
Local ID                      ebd583dd-e96e-49ad-b6ce-72eda7273b09
Line Numbers                 

Raw Audit Messages           

host=bronze.cdkkt.com type=AVC msg=audit(1215654207.611:139): avc:  denied  { write } for  pid=10904 comm="named" name="named" dev=sda6 ino=2023442 scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=dir

host=bronze.cdkkt.com type=SYSCALL msg=audit(1215654207.611:139): arch=40000003 syscall=38 success=no exit=-13 a0=b547a4e8 a1=b7ee488a a2=4932fc a3=b7ee488a items=0 ppid=10902 pid=10904 auid=500 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=2 comm="named" exe="/usr/sbin/named" subj=unconfined_u:system_r:named_t:s0 key=(null)
=========================================

I have tried changing the context, permissions, restorecon and nothing 
seemed to help.

Advice please?

Thanks!
Dan
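Added example, not part of the post above: a small Python checker that parses the AVC record quoted in the message and explains the rename failure. Rotating `versions` renames named.log to named.log.0, and a rename needs `write` on the containing directory, so the directory itself (here `./named`, labelled named_conf_t) must carry the log type that the files already have (named_log_t is assumed as the expected type).

```python
import re

# AVC denial quoted in the post above, joined onto one line.
AVC_LINE = (
    'host=bronze.cdkkt.com type=AVC msg=audit(1215654207.611:139): avc:  '
    'denied  { write } for  pid=10904 comm="named" name="named" dev=sda6 '
    'ino=2023442 scontext=unconfined_u:system_r:named_t:s0 '
    'tcontext=system_u:object_r:named_conf_t:s0 tclass=dir'
)

_DECISION = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}')
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return decision, permission list and key=value fields of one AVC record."""
    m = _DECISION.search(line)
    if not m:
        raise ValueError("not an AVC record")
    fields = {k: v.strip('"') for k, v in _KV.findall(line)}
    fields["decision"] = m.group(1)
    fields["perms"] = m.group(2).split()
    return fields


def selinux_type(context):
    """user:role:type:level -> type (third field)."""
    return context.split(":")[2]


def diagnose_log_dir(avc, expected_type="named_log_t"):
    """Explain a denial on the directory holding BIND's log files.

    expected_type is an assumption: the type the log files in the post carry.
    """
    if avc["decision"] != "denied" or avc.get("tclass") != "dir":
        return "not a directory denial"
    actual = selinux_type(avc["tcontext"])
    if actual == expected_type:
        return "label ok; check policy booleans or DAC permissions instead"
    return (f'directory {avc.get("name")!r} is {actual}, expected {expected_type}; '
            f'{selinux_type(avc["scontext"])} needs {" ".join(avc["perms"])} on it '
            f'to rename rotated log versions')


if __name__ == "__main__":
    print(diagnose_log_dir(parse_avc(AVC_LINE)))
```

Relabelling the log directory inside the chroot (and keeping that label across restorecon with a file-context rule) is the usual remedy; the exact path pattern depends on the chroot layout and is not given here.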




More information about the fedora-selinux-list mailing list