<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Daniel J Walsh wrote:
<blockquote cite="mid:48443B9B.20102@redhat.com" type="cite">
<meta http-equiv="Content-Type" content="text/html; ">
<meta name="Generator"
content="MS Exchange Server version 6.0.6619.12">
<title>Re: Issues setting up a 2nd Private DNS server</title>
<!-- Converted from text/plain format -->
<p><font size="2">Daniel B. Thurman wrote:<br>
><br>
> I am trying to setup a 2nd private DNS server in my private<br>
> network, behind the firewall (with DNS access enabled) and<br>
> I am able to resolve all of my local systems. However, I have<br>
> some problems. One involves SELinux and the other involved<br>
> forwarding as shown below:<br>
><br>
> 1) SELinux errors are reported only when
starting/stopping/restarting<br>
> named.<br>
> ++++++++++++++++++++++++++++++++++++++++++++++</font><br>
>[snipped!]<br>
<font size="2">> host=gold.cdkkt.com type=AVC
msg=audit(1212426103.808:4122): avc:<br>
> denied { read write } for pid=7037 comm="named"
path="socket:[874313]"<br>
> dev=sockfs ino=874313 scontext=system_u:system_r:named_t:s0<br>
> tcontext=system_u:system_r:unconfined_t:s0
tclass=unix_stream_socket<br>
><br>
> host=gold.cdkkt.com type=SYSCALL msg=audit(1212426103.808:4122):<br>
> arch=40000003 syscall=11 success=yes exit=0 a0=9b05a68 a1=9b05e38<br>
> a2=9b04fe0 a3=0 items=0 ppid=7036 pid=7037 auid=500 uid=0 gid=0
euid=0<br>
> suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="named"<br>
> exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key=(null)<br>
> ++++++++++++++++++++++++++++++++++++++++++++++<br>
</font><font size="2">> [snipped!]</font><font size="2"> <br>
> host=gold.cdkkt.com type=AVC msg=audit(1212426103.905:4123): avc:<br>
> denied { read write } for pid=7064 comm="rndc"
path="socket:[874313]"<br>
> dev=sockfs ino=874313 scontext=system_u:system_r:ndc_t:s0<br>
> tcontext=system_u:system_r:unconfined_t:s0
tclass=unix_stream_socket<br>
><br>
> host=gold.cdkkt.com type=SYSCALL msg=audit(1212426103.905:4123):<br>
> arch=40000003 syscall=11 success=yes exit=0 a0=90000d0 a1=9000078<br>
> a2=8fe12e0 a3=0 items=0 ppid=7055 pid=7064 auid=500 uid=0 gid=0
euid=0<br>
> suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="rndc"<br>
> exe="/usr/sbin/rndc" subj=system_u:system_r:ndc_t:s0 key=(null)<br>
> ++++++++++++++++++++++++++++++++++++++++++++++<br>
> [snipped!]<br>
> host=gold.cdkkt.com type=AVC msg=audit(1212426103.790:4120): avc:<br>
> denied { read write } for pid=7034 comm="mount"
path="socket:[874313]"<br>
> dev=sockfs ino=874313 scontext=system_u:system_r:mount_t:s0<br>
> tcontext=system_u:system_r:unconfined_t:s0
tclass=unix_stream_socket<br>
><br>
> host=gold.cdkkt.com type=SYSCALL msg=audit(1212426103.790:4120):<br>
> arch=40000003 syscall=11 success=yes exit=0 a0=870e610 a1=86e8fa8<br>
> a2=86eb2e0 a3=0 items=0 ppid=7014 pid=7034 auid=500 uid=0 gid=0
euid=0<br>
> suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="mount"<br>
> exe="/bin/mount" subj=system_u:system_r:mount_t:s0 key=(null)<br>
> ++++++++++++++++++++++++++++++++++++++++++++++<br>
> <br>
> 2) Forwarders do not work:<br>
> ++++++++++++++++++++++++++++++++++++++++++++++<br>
> ** server can't find msn.com: NXDOMAIN<br>
> ++++++++++++++++++++++++++++++++++++++++++++++<br>
><br>
> Please advise,<br>
> Dan<br>
><br>
This looks like either a leaked file descriptor, which can be<br>
ingored/dontaudited<br>
<br>
Or it could be a redirection of the terminal to a unix_stream_socket.<br>
</font></p>
</blockquote>
Huh? I am not sure what you are saying nor am I sure<br>
what to in fixing these selinux avc errors.<br>
<br>
As for DNS forwarding, selinux does not seem to have<br>
anything to do with preventing forwarding AFAIK, I<br>
tested by setting 'setenforce 0', then using nslookup<br>
on 'msn.com.' - it still fails.<br>
<br>
I wonder how to debug the named to see why forwarding<br>
fails... can anyone help?<br>
<br>
Thanks-<br>
Dan<br>
</body>
</html>