[CentOS] Selinux blocking bind access to named/data and slave directories
Robert Moskowitz
rgm at htt-consult.com
Fri Feb 15 05:30:54 UTC 2013
On 02/14/2013 11:09 PM, Peter Brady wrote:
> On 14/02/13 7:23 PM, Robert Moskowitz wrote:
>> I was getting permission errors (seen in /var/log/messages) in accessing
>> these two directories within my chroot tree. I was pulling out what
>> little hair I have, as the permissions were identical to those on my
>> CentOS 5.5 server. So I switched selinux into permissive mode and now I
>> have /var/named/chroot/var/named/data/named.run and my ..../named/slave/
>> stubs.
>>
>> What is the selinux magic to allow bind to write here?
> Hi,
>
> This may start a debate but it is my understanding that RH recommends to
> not use chroot jails with bind as selinux is more secure.
Oh NO!!! A security debate!!!
Well this system is only for bind and as an internal ntp server, so
maybe I can keep selinux on. But then I am a communications security
specialist not an OS security specialist, so I can't contribute as to
which is more limiting on bind's access to things it should not see.
> For some additional information see the following extract from the BIND 9 FAQ:
>
> https://scs.senecac.on.ca/~raymond.chan/nad810/0701/SELinux-DNS.html
More reading.
> Right now I can't locate this on the new ISC website though.
A number of them are my IETF buddies, so I can (and will) ask them directly.
> There is also an selinux section in the named(8) manual page, for example:
>
> http://linux.die.net/man/8/named
>
> which states pretty much the same.
>
> If you wish to stay with chroot then the key is probably to install the
> bind-chroot package and ensure that the ROOTDIR variable is set
> correctly in:
>
> /etc/sysconfig/named
Done but that did not help with selinux and the named/data directory.
> For what it's worth I'm running a number of master/slave DNS servers
> under selinux no problems. Any updates on the master propagates happily
> to the slaves. Mind you these are low traffic DNS servers that sit
> behind a firewall.
This will sit behind a firewall, but has an external view. Another
thing is I have to learn about supporting the 4096 possible UDP source
ports on my firewall. That is yet another thing to fix. And STILL not
yet to DNSSEC config.
I will probably rebuild the test box over the weekend and try without
chroot.
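The thread stops at "switch to permissive" without showing how to read the denials that caused it. The script below is an added example, not from either poster; it classifies a BIND AVC denial line from /var/log/audit/audit.log by the SELinux type of the file being written and prints the fix that matches. It assumes the RHEL/CentOS 6 targeted policy as I know it: named_cache_t (the data/, slaves/ and dynamic/ directories, in or out of the chroot) is writable by named, named_zone_t (the rest of /var/named) is read-only unless the named_write_master_zones boolean is on, and any other type on a file under /var/named means the path was created or copied without its policy label and needs restorecon. The audit lines are constructed samples, not output from the poster's machine. One thing worth checking while you are at it: the policy pattern is /var/named/slaves(/.*)?, so a directory spelled slave/ would not match it and would inherit the read-only parent label.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): map BIND AVC denials to
# the SELinux fix that applies. Assumes RHEL/CentOS 6 targeted policy labels.

# Constructed sample audit lines (not real output from any host).
AVC_VAR='type=AVC msg=audit(1360900000.100:101): avc:  denied  { write } for  pid=2001 comm="named" name="named.run" dev=dm-0 ino=11 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file'
AVC_ZONE='type=AVC msg=audit(1360900000.200:102): avc:  denied  { write } for  pid=2001 comm="named" name="slave" dev=dm-0 ino=12 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir'
AVC_CACHE='type=AVC msg=audit(1360900000.300:103): avc:  denied  { write } for  pid=2001 comm="named" name="data" dev=dm-0 ino=13 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_cache_t:s0 tclass=dir'
AVC_OTHER='type=AVC msg=audit(1360900000.400:104): avc:  denied  { read } for  pid=3000 comm="ntpd" name="drift" dev=dm-0 ino=14 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file'

# SELinux type (third colon field) of the target context in an AVC line.
avc_type() {
  printf '%s\n' "$1" | sed -n 's/.*tcontext=\([^ ]*\).*/\1/p' | cut -d: -f3
}

# Command name recorded in the AVC line.
avc_comm() {
  printf '%s\n' "$1" | sed -n 's/.*comm="\([^"]*\)".*/\1/p'
}

# Verdict for one line: relabel | set-boolean | no-label-issue | not-named | not-an-avc-denial
classify_avc() {
  line=$1
  case "$line" in
    *'avc:'*'denied'*) ;;
    *) echo "not-an-avc-denial"; return 0 ;;
  esac
  [ "$(avc_comm "$line")" = named ] || { echo "not-named"; return 0; }
  case "$(avc_type "$line")" in
    named_cache_t) echo "no-label-issue" ;;   # named may write here; look at DAC/ROOTDIR instead
    named_zone_t)  echo "set-boolean" ;;      # writable only with named_write_master_zones=on
    *)             echo "relabel" ;;          # file carries a label named_t cannot write
  esac
}

# The remediation an admin would run for a verdict (real commands, RHEL/CentOS 6).
suggest_fix() {
  case "$1" in
    relabel)        echo "restorecon -Rv /var/named /var/named/chroot/var/named" ;;
    set-boolean)    echo "setsebool -P named_write_master_zones on" ;;
    no-label-issue) echo "label already writable for named; check DAC owner/mode and ROOTDIR in /etc/sysconfig/named" ;;
    *)              echo "nothing to do for named" ;;
  esac
}

# Walk a file of audit lines and print one verdict plus fix per line.
scan_audit_file() {
  while IFS= read -r l; do
    v=$(classify_avc "$l")
    printf '%s\t%s\n' "$v" "$(suggest_fix "$v")"
  done < "$1"
}

# Demo on the constructed lines (on a real box: scan_audit_file /var/log/audit/audit.log).
for l in "$AVC_VAR" "$AVC_ZONE" "$AVC_CACHE" "$AVC_OTHER"; do
  v=$(classify_avc "$l")
  printf '%-18s %s\n' "$v" "$(suggest_fix "$v")"
done
```

Run it in permissive mode first so all denials are logged in one pass, apply the suggested restorecon or setsebool, then go back to enforcing; the named.run and slave stub files should then appear without the jail being weakened.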