Issues setting up a 2nd Private DNS server
Daniel J Walsh
dwalsh at redhat.com
Mon Jun 2 18:27:39 UTC 2008
Daniel B. Thurman wrote:
>
> I am trying to setup a 2nd private DNS server in my private
> network, behind the firewall (with DNS access enabled) and
> I am able to resolve all of my local systems. However, I have
> some problems. One involves SELinux and the other involved
> forwarding as shown below:
>
> 1) SELinux errors are reported only when starting/stopping/restarting
> named.
> ++++++++++++++++++++++++++++++++++++++++++++++
> Source Context system_u:system_r:named_t:s0
> Target Context system_u:system_r:unconfined_t:s0
> Target Objects socket [ unix_stream_socket ]
> Source named-checkconf
> Source Path /usr/sbin/named-checkconf
> Port <Unknown>
> Host gold.cdkkt.com
> Source RPM Packages bind-9.5.0-26.b3.fc8
> Target RPM Packages Policy RPM
> selinux-policy-3.0.8-101.fc8
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name catchall
> Host Name gold.cdkkt.com
> Platform Linux gold.cdkkt.com 2.6.24.7-92.fc8 #1
> SMP Wed
> May 7 16:50:09 EDT 2008 i686 i686
> Alert Count 4
> First Seen Mon 02 Jun 2008 10:00:25 AM PDT
> Last Seen Mon 02 Jun 2008 10:01:43 AM PDT
> Local ID 7faef252-f1ea-4e36-8f51-167799fcb429
> Line Numbers
> Raw Audit Messages
> host=gold.cdkkt.com type=AVC msg=audit(1212426103.808:4122): avc:
> denied { read write } for pid=7037 comm="named" path="socket:[874313]"
> dev=sockfs ino=874313 scontext=system_u:system_r:named_t:s0
> tcontext=system_u:system_r:unconfined_t:s0 tclass=unix_stream_socket
>
> host=gold.cdkkt.com type=SYSCALL msg=audit(1212426103.808:4122):
> arch=40000003 syscall=11 success=yes exit=0 a0=9b05a68 a1=9b05e38
> a2=9b04fe0 a3=0 items=0 ppid=7036 pid=7037 auid=500 uid=0 gid=0 euid=0
> suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="named"
> exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key=(null)
> ++++++++++++++++++++++++++++++++++++++++++++++
> Source Context system_u:system_r:ndc_t:s0
> Target Context system_u:system_r:unconfined_t:s0
> Target Objects socket [ unix_stream_socket ]
> Source rndc
> Source Path /usr/sbin/rndc
> Port <Unknown>
> Host gold.cdkkt.com
> Source RPM Packages bind-9.5.0-26.b3.fc8
> Target RPM Packages Policy RPM
> selinux-policy-3.0.8-101.fc8
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name catchall
> Host Name gold.cdkkt.com
> Platform Linux gold.cdkkt.com 2.6.24.7-92.fc8 #1
> SMP Wed
> May 7 16:50:09 EDT 2008 i686 i686
> Alert Count 4
> First Seen Mon 02 Jun 2008 10:00:23 AM PDT
> Last Seen Mon 02 Jun 2008 10:01:43 AM PDT
> Local ID cc0e5f4b-aa41-4543-9569-df7d65f83f1c
> Line Numbers
> Raw Audit Messages
> host=gold.cdkkt.com type=AVC msg=audit(1212426103.905:4123): avc:
> denied { read write } for pid=7064 comm="rndc" path="socket:[874313]"
> dev=sockfs ino=874313 scontext=system_u:system_r:ndc_t:s0
> tcontext=system_u:system_r:unconfined_t:s0 tclass=unix_stream_socket
>
> host=gold.cdkkt.com type=SYSCALL msg=audit(1212426103.905:4123):
> arch=40000003 syscall=11 success=yes exit=0 a0=90000d0 a1=9000078
> a2=8fe12e0 a3=0 items=0 ppid=7055 pid=7064 auid=500 uid=0 gid=0 euid=0
> suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="rndc"
> exe="/usr/sbin/rndc" subj=system_u:system_r:ndc_t:s0 key=(null)
> ++++++++++++++++++++++++++++++++++++++++++++++
> Source Context system_u:system_r:mount_t:s0
> Target Context system_u:system_r:unconfined_t:s0
> Target Objects socket [ unix_stream_socket ]
> Source umount
> Source Path /bin/umount
> Port <Unknown>
> Host gold.cdkkt.com
> Source RPM Packages util-linux-ng-2.13.1-2.fc8
> Target RPM Packages Policy RPM
> selinux-policy-3.0.8-101.fc8
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name catchall
> Host Name gold.cdkkt.com
> Platform Linux gold.cdkkt.com 2.6.24.7-92.fc8 #1
> SMP Wed
> May 7 16:50:09 EDT 2008 i686 i686
> Alert Count 4
> First Seen Mon 02 Jun 2008 10:00:25 AM PDT
> Last Seen Mon 02 Jun 2008 10:01:43 AM PDT
> Local ID 439fbb1b-17d2-40b4-9242-744d5d69e303
> Line Numbers
> Raw Audit Messages
> host=gold.cdkkt.com type=AVC msg=audit(1212426103.790:4120): avc:
> denied { read write } for pid=7034 comm="mount" path="socket:[874313]"
> dev=sockfs ino=874313 scontext=system_u:system_r:mount_t:s0
> tcontext=system_u:system_r:unconfined_t:s0 tclass=unix_stream_socket
>
> host=gold.cdkkt.com type=SYSCALL msg=audit(1212426103.790:4120):
> arch=40000003 syscall=11 success=yes exit=0 a0=870e610 a1=86e8fa8
> a2=86eb2e0 a3=0 items=0 ppid=7014 pid=7034 auid=500 uid=0 gid=0 euid=0
> suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="mount"
> exe="/bin/mount" subj=system_u:system_r:mount_t:s0 key=(null)
> ++++++++++++++++++++++++++++++++++++++++++++++
>
> 2) Forwarders do not work:
> ++++++++++++++++++++++++++++++++++++++++++++++
> ** server can't find msn.com: NXDOMAIN
> ++++++++++++++++++++++++++++++++++++++++++++++
>
>
> Please advise,
> Dan
>
This looks like either a leaked file descriptor, which can be
ingored/dontaudited
Or it could be a redirection of the terminal to a unix_stream_socket.
More information about the fedora-selinux-list
mailing list