Bind and selinux

Rogelio J. Baucells rj at baucells.net
Wed Dec 1 20:52:24 UTC 2004


Hi,

I have a server running FC3 + selinux (targeted) and I had some
problems with bind and dynamic DNS updates. This is how I fixed it.

The first thing I noticed is that the named server was not able to
create the journal files for the zones I was trying to update

# ls -l /var/named/chroot/var
total 24
drwxr-x---  4 root  named 4096 Dec  1 14:42 named
drwxrwx---  3 root  named 4096 Nov 16 11:50 run
drwxrwx---  2 named named 4096 Mar 13  2003 tmp

because the user "named" (the one running the daemon) did not have
access to create new files inside the named folder. I think this is a
problem in the bind-chroot rpm package. I ran the following command to
give the user named access to create new files inside the named folder

# chmod 770 /var/named/chroot/var/named
# ls -l /var/named/chroot/var
total 24
drwxrwx---  4 root  named 4096 Dec  1 14:42 named
drwxrwx---  3 root  named 4096 Nov 16 11:50 run
drwxrwx---  2 named named 4096 Mar 13  2003 tmp

That fixed the problem. Now selinux!!!

When I try to update one of the zones I get the following error in
/var/log/messages

----------------------------------------------------------------------
Dec  1 14:56:01 server named[22580]: client 127.0.0.1#32867: updating zone 'example.com/IN': adding an RR
Dec  1 14:56:01 server named[22580]: client 127.0.0.1#32867: updating zone 'example.com/IN': adding an RR
Dec  1 14:56:01 server named[22580]: journal file example.com.zone.jnl does not exist, creating it
Dec  1 14:56:01 server named[22580]: example.com.zone.jnl: create: permission denied
Dec  1 14:56:01 server kernel: audit(1101930961.025:0): avc:  denied  { write } for  pid=22581 exe=/usr/sbin/named name=named dev=dm-0 ino=293768 scontext=root:system_r:named_t tcontext=system_u:object_r:named_zone_t tclass=dir
Dec  1 14:56:01 server named[22580]: client 127.0.0.1#32867: updating zone 'example.com/IN': error: journal open failed: unexpected error
----------------------------------------------------------------------

I ran the "Security Level Configuration" tool and enabled "Allow named 
to overwrite master zone files" and that fixed the problem.

Without the ACL modifications of the folder /var/named/chroot/var/named 
the setting in the "Security Level Configuration" is useless. I hope 
this information helps somebody having the same problems...

RJB
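The two checks the message above walks through, as an added example that is not part of the original post and not the poster's code: a small POSIX shell script that verifies whether the zone directory lets the "named" group create files (reading the same mode and group columns the ls -l listings above show), counts the kind of AVC denial quoted above in a log file, and prints the persistent setsebool fix. Assumptions: the boolean behind "Allow named to overwrite master zone files" in the FC3 targeted policy is named_write_master_zones, the chroot layout is the one in the post, and the sample log lines inside the script are constructed, modelled on the quoted /var/log/messages entries.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumed names: the
# SELinux boolean named_write_master_zones and the chroot layout below.

CHROOT=${CHROOT:-/var/named/chroot}
ZONE_DIR=$CHROOT/var/named
NAMED_BOOL=named_write_master_zones

# Return 0 when DIR belongs to group GROUP and the group triple of its
# mode has both w and x (or s), so a daemon running with that group can
# create a journal file inside it. Otherwise say why and return 1.
# Parses the same "ls -l" fields the post quotes: mode first, group 4th.
group_can_create_in() {
    dir=$1
    group=$2
    [ -d "$dir" ] || { echo "$dir: not a directory"; return 1; }
    set -- $(ls -ld "$dir")
    perm=$1
    owner_group=$4
    gw=$(printf '%s' "$perm" | cut -c6)   # group write bit
    gx=$(printf '%s' "$perm" | cut -c7)   # group search bit (x or s)
    if [ "$owner_group" != "$group" ]; then
        echo "$dir: group is $owner_group, not $group"
        return 1
    fi
    case "$gw$gx" in
        wx|ws) return 0 ;;
    esac
    echo "$dir: mode $perm gives group $group no write/search access"
    return 1
}

# Count AVC lines of the kind the post shows: /usr/sbin/named denied
# "write" on a directory. Prints the count, 0 when there are none.
count_named_dir_write_denials() {
    grep -c 'avc: *denied *{ write }.*exe=/usr/sbin/named.*tclass=dir' "$1" || true
}

# Constructed sample log, modelled on the quoted /var/log/messages lines:
# one matching denial, one ordinary bind line, and one denial for a
# different program (constructed) that must not be counted.
sample_messages() {
    cat <<'EOF'
Dec  1 14:56:01 server named[22580]: journal file example.com.zone.jnl does not exist, creating it
Dec  1 14:56:01 server kernel: audit(1101930961.025:0): avc:  denied  { write } for  pid=22581 exe=/usr/sbin/named name=named dev=dm-0 ino=293768 scontext=root:system_r:named_t tcontext=system_u:object_r:named_zone_t tclass=dir
Dec  1 14:57:12 server kernel: audit(1101931032.441:0): avc:  denied  { write } for  pid=22700 exe=/usr/sbin/httpd name=html dev=dm-0 ino=300001 scontext=root:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=dir
EOF
}

# Show the boolean's current state when getsebool(8) exists, then print
# the persistent fix (-P keeps the setting across reboots).
named_boolean_fix() {
    if command -v getsebool >/dev/null 2>&1; then
        getsebool "$NAMED_BOOL" 2>/dev/null || echo "$NAMED_BOOL: not in this policy"
    fi
    echo "setsebool -P $NAMED_BOOL 1"
}

# "demo" walks through the fix on a throwaway copy of the chroot layout
# (no root needed); "check" runs the checks against the real paths.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/var/named"
    chmod 750 "$tmp/var/named"      # the mode the post found shipped
    g=$(ls -ld "$tmp/var/named" | awk '{print $4}')
    group_can_create_in "$tmp/var/named" "$g" || chmod 770 "$tmp/var/named"
    group_can_create_in "$tmp/var/named" "$g" && echo "$tmp/var/named: ok"
    sample_messages > "$tmp/messages"
    echo "named dir-write denials in sample log: $(count_named_dir_write_denials "$tmp/messages")"
    named_boolean_fix
    rm -rf "$tmp"
}

case "${1:-}" in
    demo)  demo ;;
    check) group_can_create_in "$ZONE_DIR" named && echo "$ZONE_DIR: ok"
           echo "denials: $(count_named_dir_write_denials /var/log/messages)"
           named_boolean_fix ;;
esac
```

Run it as `sh check-named.sh demo` to see the permission check fail at mode 750 and pass after chmod 770, exactly the sequence in the post; `sh check-named.sh check` applies the same checks to the real chroot and the real log. The script only prints the setsebool command rather than running it, since changing policy booleans is a deliberate, root-only step.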
