On 02/14/2013 11:09 PM, Peter Brady wrote:
On 14/02/13 7:23 PM, Robert Moskowitz wrote:
I was getting permission errors (seen in /var/log/messages) in accessing these two directories within my chroot tree. I was pulling out what little hair I have, as the permissions were identical to those on my CentOS 5.5 server. So I switched selinux into permissive mode and now I have /var/named/chroot/var/named/data/named.run and my ..../named/slave/ stubs.
What is the selinux magic to allow bind to write here?
Hi,
This may start a debate, but it is my understanding that RH recommends not using chroot jails with bind, as selinux is more secure.
Oh NO!!! A security debate!!!
Well, this system is only for bind and as an internal ntp server, so maybe I can keep selinux on. But then I am a communications security specialist, not an OS security specialist, so I can't contribute as to which is more limiting on bind's access to things it should not see.
For some additional information see the following extract from the BIND 9 FAQ:
https://scs.senecac.on.ca/~raymond.chan/nad810/0701/SELinux-DNS.html
More reading.
Right now I can't locate this on the new ISC website though.
A number of them are my IETF buddies, so I can (and will) ask them directly.
There is also an selinux section in the named(8) manual page, for example:
http://linux.die.net/man/8/named
which states pretty much the same.
If you wish to stay with chroot then the key is probably to install the bind-chroot package and ensure that the ROOTDIR variable is set correctly in:
/etc/sysconfig/named
Done but that did not help with selinux and the named/data directory.
For what it's worth, I'm running a number of master/slave DNS servers under selinux with no problems. Any update on the master propagates happily to the slaves. Mind you, these are low traffic DNS servers that sit behind a firewall.
This will sit behind a firewall, but has an external view. Another thing is I have to learn about supporting the 4096 possible UDP source ports on my firewall. That is yet another thing to fix. And STILL not yet to DNSSEC config.
I will probably rebuild the test box over the weekend and try without chroot.
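The question in this thread ("what is the selinux magic") is usually answered by the AVC denial itself rather than by guesswork. Below is an added example, not something posted in the thread: a small POSIX shell triage script that reads AVC lines of the kind that land in /var/log/messages or /var/log/audit/audit.log, checks whether the denied process runs in the named_t domain, and maps the target file type to the usual fix. The mapping reflects the stock targeted policy on Fedora/RHEL-family systems: /var/named/data and /var/named/slaves are labelled named_cache_t (named_t may write there), zone files directly under /var/named are named_zone_t (writable only with the named_write_master_zones boolean on), and anything else under a hand-made chroot tree is typically a stray label such as var_t that restorecon repairs. The sample log lines are constructed for the demonstration; the pid, inode and timestamp values in them are made up.

```shell
#!/bin/sh
# Added example: triage SELinux AVC denials for BIND (named) and suggest a fix.
# Not code from the thread. Assumes the stock targeted policy's types
# (named_t, named_zone_t, named_cache_t) and the named_write_master_zones
# boolean; verify on your release with `semanage fcontext -l | grep named`.

# Extract one key=value field (e.g. scontext, tcontext, tclass) from an AVC line.
avc_field() {
    # $1 = log line, $2 = key name
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# Extract the permission set printed inside "{ ... }" after "denied".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{ \([^}]*\) }.*/\1/p'
}

# The SELinux type is the third colon-separated field of a context string.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Print a one-line classification and remediation hint for a single log line.
classify_avc() {
    line=$1
    case $line in
        *"avc:"*"denied"*) ;;
        *) echo "not-avc"; return 0 ;;
    esac
    src=$(ctx_type "$(avc_field "$line" scontext)")
    tgt=$(ctx_type "$(avc_field "$line" tcontext)")
    perm=$(avc_perm "$line")
    if [ "$src" != "named_t" ]; then
        # Denial belongs to some other confined domain; out of scope here.
        echo "other-domain:$src"; return 0
    fi
    case "$perm" in
        *write*|*add_name*|*create*|*remove_name*|*unlink*|*rename*) ;;
        *) echo "named:$perm-on-$tgt"; return 0 ;;
    esac
    case "$tgt" in
        named_zone_t)
            # Writing master zone files is gated by a boolean, not by labels.
            echo "boolean:setsebool -P named_write_master_zones 1" ;;
        named_cache_t)
            # named_t can normally write here; look at DAC perms or the mount.
            echo "unexpected:named_t may write named_cache_t; check dir perms" ;;
        *)
            # Anything else (var_t, default_t, ...) means a mislabelled tree.
            echo "relabel:restorecon -Rv /var/named" ;;
    esac
}

# Constructed sample lines (values invented) showing the three common outcomes.
SAMPLE_MISLABEL='type=AVC msg=audit(1360890000.100:321): avc:  denied  { write } for  pid=2112 comm="named" name="data" dev="dm-0" ino=131337 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir'
SAMPLE_ZONE='type=AVC msg=audit(1360890001.200:322): avc:  denied  { write } for  pid=2112 comm="named" name="example.zone" dev="dm-0" ino=131338 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=file'
SAMPLE_OTHER='type=AVC msg=audit(1360890002.300:323): avc:  denied  { read } for  pid=3001 comm="httpd" name="index.html" dev="dm-0" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file'

for l in "$SAMPLE_MISLABEL" "$SAMPLE_ZONE" "$SAMPLE_OTHER"; do
    classify_avc "$l"
done
```

To run it against a real box, pipe the log through the function (for example `grep 'avc: ' /var/log/audit/audit.log | while read -r l; do classify_avc "$l"; done`) after putting selinux back into enforcing mode, since permissive mode still logs the denials it would have enforced.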