I just set up a CentOS 5.2 system with bind9 (9.3.4-6.0.1.P1.el5) and I'm running up against a problem that seems to be related to SELinux. If I set named_disable_trans to 1, everything works as expected, but if I leave it enabled the server will only give me data for the zones for which it is authoritative. For external sites it returns a ServFail error. This is with nslookup and dig.
If I start named from the command line with the command "named -u named", the server returns the expected response.
tcpdump shows that the server is querying itself and getting a ServFail response.
I figure that I'm missing something really basic, but not sure what.
Debug logs show this:
FAIL:
clientmgr @0x2b491728c1d0: createclients clientmgr @0x2b491728c1d0: recycle . . . fctx 0x2b49173153e0(www.google.com/A'): shutdown client 192.168.213.111#33096: view internal: error
Succeed:
clientmgr @0x2b109771bd30: createclients clientmgr @0x2b109771bd30: create new . . . res 0x2b109778cae0: dns_resolver_prime res 0x2b109778cae0: priming createfetch: . NS fctx 0x2b109781e280(./NS'): create fctx 0x2b109781e280(./NS'): join fetch 0x2b109781e260 (fctx 0x2b109781e280(./NS)): created dns_adb_createfind: found A for name 0x2b109780fa70 in db fctx 0x2b109781e280(./NS'): start res 0x2b109778cae0: dns_resolver_prime fctx 0x2b109781e280(./NS'): try fctx 0x2b109781e280(./NS'): cancelqueries fctx 0x2b109781e280(./NS'): getaddresses dns_adb_createfind: found AAAA for name 0x2b109780fa70 . . .
Any ideas? Thanks in advance,
M
On Thu, Jul 10, 2008 at 7:22 PM, Meenoo Shivdasani meenoo@gmail.com wrote:
> I'm running up against a problem that seems to be related to SELinux. Any ideas?
If it's SELinux related, have a look at /var/log/audit/audit.log, that will tell you what is being blocked in SELinux. That would be a good start. Let us know what you found there, then we might be able to help you a little more.
HTH, Filipe
> If it's SELinux related, have a look at /var/log/audit/audit.log, that will tell you what is being blocked in SELinux. That would be a good start. Let us know what you found there, then we might be able to help you a little more.
That's a huge help -- didn't occur to me to look in audit.log -- that said, I'm not entirely sure what SELinux is doing here (other than denying the connection). Or, to be more accurate, I don't understand why it's denying the connection, therefore don't know how to make it behave...
type=AVC msg=audit(1215740151.446:796): avc: denied { name_bind } for pid=21081 comm="named" src=16660 scontext=root:system_r:named_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1215740151.446:796): arch=c000003e syscall=49 success=no exit=-13 a0=1f a1=43c8ed40 a2=1c a3=43c8eb3c items=0 ppid=1 pid=21081 auid=0 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=60 comm="named" exe="/usr/sbin/named" subj=root:system_r:named_t:s0 key=(null)
Ideas & thoughts welcome... Thanks,
M
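As an added example (not part of the thread, and not the author's own tooling): a small POSIX shell/awk filter that turns AVC records like the two quoted above into one readable line per denial, so the relevant fields (the `comm=` process, the denied permission in braces, the object class, the `src=` port and the target context) can be picked out without reading the raw record. The sample input is constructed from the two records quoted in this message; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: summarize SELinux AVC denials for a given daemon from
# audit.log records read on stdin. Sample input below is constructed from
# the two records quoted in the thread.

SAMPLE_AUDIT='type=AVC msg=audit(1215740151.446:796): avc: denied { name_bind } for pid=21081 comm="named" src=16660 scontext=root:system_r:named_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1215740151.446:796): arch=c000003e syscall=49 success=no exit=-13 a0=1f a1=43c8ed40 a2=1c a3=43c8eb3c items=0 ppid=1 pid=21081 auid=0 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=60 comm="named" exe="/usr/sbin/named" subj=root:system_r:named_t:s0 key=(null)'

# summarize_avc [COMM]: print one line per AVC denial whose comm= matches
# COMM (all denials if COMM is empty). SYSCALL records are skipped; they
# share the msg=audit(...) id with the AVC record that explains them.
summarize_avc() {
  awk -v want="$1" '
    /^type=AVC/ && /avc: *denied/ {
      perm = ""; comm = ""; src = "-"; tclass = ""; tctx = ""
      # the denied permission set sits between braces: { name_bind }
      if (match($0, /[{][^}]*[}]/)) {
        perm = substr($0, RSTART + 1, RLENGTH - 2)
        gsub(/^ +| +$/, "", perm)
      }
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^comm=/)          { comm = substr($i, 6); gsub(/"/, "", comm) }
        else if ($i ~ /^src=/)      { src = substr($i, 5) }
        else if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
        else if ($i ~ /^tcontext=/) { tctx = substr($i, 10) }
      }
      if (want == "" || comm == want)
        printf "%s denied %s on %s port %s (%s)\n", comm, perm, tclass, src, tctx
    }'
}

# count_denials [COMM]: number of matching AVC denials on stdin
count_denials() {
  summarize_avc "$1" | wc -l | tr -d ' '
}

# Run against the constructed sample:
printf '%s\n' "$SAMPLE_AUDIT" | summarize_avc named
```

On a live system the same records come from `ausearch -m avc -c named` rather than the constructed sample. The line this produces for the record above, `named denied name_bind on udp_socket port 16660 (system_u:object_r:port_t:s0)`, reads as: the `named_t` domain was refused permission to bind a UDP socket to a high port labelled with the generic `port_t` type, which is exactly the pattern later in this thread is traced to a policy that lacked a rule for named binding arbitrary UDP ports.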
On Thu, Jul 10, 2008 at 9:41 PM, Meenoo Shivdasani meenoo@gmail.com wrote:
> type=AVC msg=audit(1215740151.446:796): avc: denied { name_bind } for pid=21081 comm="named" src=16660 scontext=root:system_r:named_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
SELinux is preventing BIND from opening port UDP/16660. Did you configure BIND to use that specific non-standard port?
Filipe
On 7/10/08, Meenoo Shivdasani meenoo@gmail.com wrote:
> SELinux is preventing BIND from opening port UDP/16660. Did you configure BIND to use that specific non-standard port?
I installed the latest version of BIND which randomizes the source port...do you think that's the problem? If so, how do I get SELinux to accept it?
To be more accurate, I installed the patched version of BIND which randomizes the source port to address the latest DNS vulnerability.
M
On Thu, Jul 10, 2008 at 10:39 PM, Meenoo Shivdasani meenoo@gmail.com wrote:
> To be more accurate, I installed the patched version of BIND which randomizes the source port to address the latest DNS vulnerability.
Did you update the "selinux-policy" package at the same time?
On my system I have bind-9.3.4-6.0.1.P1.el5_2 and selinux-policy-2.4.6-137.1.el5, both of them were signed at approximately the same time, and were installed at approximately the same time on my system, which tells me they most probably came from the same update (it's easy to confirm that by looking at the centos-announce mails).
Also:
$ rpm -q --changelog selinux-policy
* Tue Apr 29 2008 Dan Walsh dwalsh@redhat.com 2.4.6-137.1
- Allow named to bind to any udp port
Resolves: #451971
...
Well, I'm almost positive that is what you are missing.
HTH, Filipe
On 7/10/08, Filipe Brandenburger filbranden@gmail.com wrote:
> Did you update the "selinux-policy" package at the same time?
> Well, I'm almost positive that is what you are missing.
Filipe,
You nailed it. That was what I was missing.
Many thanks,
M