On 14/02/13 7:23 PM, Robert Moskowitz wrote:
I was getting permission errors (seen in /var/log/messages) in accessing these two directories within my chroot tree. I was pulling out what little hair I have, as the permissions were identical to those on my CentOS 5.5 server. So I switched selinux into permissive mode and now I have /var/named/chroot/var/named/data/named.run and my ..../named/slave/ stubs.
What is the selinux magic to allow bind to write here?
Hi,
This may start a debate, but it is my understanding that RH recommends not using chroot jails with bind, as selinux is more secure. For some additional information see the following extract from the BIND 9 FAQ:
https://scs.senecac.on.ca/~raymond.chan/nad810/0701/SELinux-DNS.html
Right now I can't locate this on the new ISC website though. There is also an selinux section in the named(8) manual page, for example:
http://linux.die.net/man/8/named
which states pretty much the same.
If you wish to stay with chroot then the key is probably to install the bind-chroot package and ensure that the ROOTDIR variable is set correctly in:
/etc/sysconfig/named
For what it's worth, I'm running a number of master/slave DNS servers under selinux with no problems. Any updates on the master propagate happily to the slaves. Mind you, these are low-traffic DNS servers that sit behind a firewall.
Cheers -pete
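An added check script, not from either poster, that audits the situation Robert hit: it reads ROOTDIR from /etc/sysconfig/named, walks the directories named must write under the chroot and reports any whose SELinux type named_t cannot write, then prints the restorecon / setsebool commands that would fix labelling rather than running them. It assumes the bind-chroot layout (var/named/data, var/named/slaves and var/named/dynamic below ROOTDIR) and the targeted policy's labelling, where named_t writes named_cache_t directories and writes named_zone_t only when the named_write_master_zones boolean is on; the helper functions run on constructed context strings, so the logic can be exercised on a box without SELinux tooling.

```sh
#!/bin/sh
# Added example, not part of the thread. Assumes the bind-chroot layout
# (ROOTDIR=/var/named/chroot) and the targeted policy's labels: named_t
# may write named_cache_t, and named_zone_t only while the
# named_write_master_zones boolean is on.

# Extract the type field (third colon-separated field) of a context string,
# e.g. system_u:object_r:named_cache_t:s0 -> named_cache_t
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Exit 0 when named_t can write into a directory with context $1, given the
# named_write_master_zones boolean value $2 ("on" or "off").
named_can_write() {
    case "$(selinux_type "$1")" in
        named_cache_t) return 0 ;;
        named_zone_t)  [ "$2" = "on" ] ;;
        *)             return 1 ;;
    esac
}

# Print the last uncommented ROOTDIR= value from a sysconfig file, or nothing.
rootdir_from_sysconfig() {
    grep '^[[:space:]]*ROOTDIR=' "$1" 2>/dev/null | tail -n 1 \
        | cut -d= -f2- | tr -d '"'"'"
}

# Current value of an SELinux boolean, or "unknown" when the tools are absent.
bool_value() {
    getsebool "$1" 2>/dev/null | awk '{print $NF}' | grep . || echo unknown
}

# Context of a path from ls -Z; the field containing ":object_r:" is the
# context whichever column layout this coreutils version prints.
path_context() {
    ls -Zd "$1" 2>/dev/null \
        | awk '{for (i = 1; i <= NF; i++) if ($i ~ /:object_r:/) print $i; exit}'
}

# Walk the directories named writes and report mislabelled ones.
# Returns the number of problems found (0 = all writable by named_t).
audit_chroot() {
    rootdir=$1; bool=$2; bad=0
    for d in var/named/data var/named/slaves var/named/dynamic; do
        p="$rootdir/$d"
        [ -d "$p" ] || { echo "skip: $p missing"; continue; }
        ctx=$(path_context "$p")
        if [ -z "$ctx" ]; then
            echo "?? $p: no SELinux context readable"
        elif named_can_write "$ctx" "$bool"; then
            echo "ok $p ($ctx)"
        else
            echo "!! $p labelled $ctx: named_t cannot write here"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

main() {
    rootdir=$(rootdir_from_sysconfig /etc/sysconfig/named)
    if [ -z "$rootdir" ]; then
        echo "ROOTDIR is not set in /etc/sysconfig/named; named is not chrooted"
        rootdir=""      # fall back to auditing the plain /var/named tree
    fi
    bool=$(bool_value named_write_master_zones)
    echo "SELinux mode: $(getenforce 2>/dev/null || echo unknown); named_write_master_zones=$bool"
    if audit_chroot "$rootdir" "$bool"; then
        echo "no mislabelled BIND directories found"
    else
        echo "relabel with:                 restorecon -Rv ${rootdir}/var/named"
        echo "if named must write masters:  setsebool -P named_write_master_zones on"
    fi
}
main
```

Run it as root on the server; the "!!" lines are the directories that produced the AVC denials, and restorecon is the usual fix because files copied into the chroot by hand inherit the wrong type rather than the one the bind-chroot package's file contexts specify.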