I was getting permission errors (seen in /var/log/messages) in accessing these two directories within my chroot tree. I was pulling out what little hair I have, as the permissions were identical to those on my Centos 5.5 server. So I switched selinux into permissive mode and now I have /var/named/chroot/var/named/data/named.run and my ..../named/slave/ stubs.
What is the selinux magic to allow bind to write here?
Robert,
Send the output of these two commands:
ps -eZ | grep named
ls -alZ <the directories that you want to allow bind to write to>
Regards,
Frederico Madeira fmadeira@gmail.com www.madeira.eng.br
2013/2/14 Robert Moskowitz rgm@htt-consult.com
> I was getting permission errors (seen in /var/log/messages) in accessing these two directories within my chroot tree. I was pulling out what little hair I have, as the permissions were identical to those on my Centos 5.5 server. So I switched selinux into permissive mode and now I have /var/named/chroot/var/named/data/named.run and my ..../named/slave/ stubs.
> What is the selinux magic to allow bind to write here?
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
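The two checks Frederico asks for, turned into a small script (an added example, not code from the thread): it pulls the SELinux type out of `ps -eZ` and `ls -alZ` lines and flags entries in a BIND-writable directory whose type is not `named_cache_t`. Assumptions not stated in the thread: the CentOS targeted policy, under which named runs in the `named_t` domain and the writable `data/` and `slaves/` directories carry `named_cache_t`; the command output below is constructed.

```shell
#!/bin/sh
# Added example: parse the output of "ps -eZ | grep named" and "ls -alZ" and
# report entries a confined named could not write to. Assumption (targeted
# policy, not stated in the thread): daemon domain named_t, writable
# data/ and slaves/ directories labeled named_cache_t.

# selinux_type LINE: print the type (third field) of the first
# user:role:type:level context found in LINE; print nothing if none.
selinux_type() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[a-z_]+:[a-z_]+:[a-z_]+:/) { split($i, c, ":"); print c[3]; exit }
    }'
}

# find_mislabeled EXPECTED_TYPE < ls-Z-listing
# Prints "<name> <type>" for each entry whose type differs from EXPECTED_TYPE.
# Skips "total" lines and "..", whose label belongs to the parent directory.
# Names containing spaces are not handled (last whitespace-separated field).
find_mislabeled() {
    expected="$1"
    while read -r line; do
        case "$line" in ""|total*) continue ;; esac
        name=${line##* }
        [ "$name" = ".." ] && continue
        t=$(selinux_type "$line")
        if [ -n "$t" ] && [ "$t" != "$expected" ]; then
            printf '%s %s\n' "$name" "$t"
        fi
    done
    return 0
}

# Constructed sample output standing in for the real command output.
SAMPLE_PS='unconfined_u:system_r:named_t:s0  1234 ?        00:00:01 named'
SAMPLE_LS='total 12
drwxrwx---. named named system_u:object_r:named_cache_t:s0 .
drwxr-x---. root  named system_u:object_r:named_zone_t:s0 ..
-rw-r--r--. named named unconfined_u:object_r:var_t:s0 named.run'

echo "named runs as: $(selinux_type "$SAMPLE_PS")"   # named_t: the daemon is confined
echo "entries not labeled named_cache_t:"
printf '%s\n' "$SAMPLE_LS" | find_mislabeled named_cache_t
# Entries under paths the policy's file contexts already cover (data/, slaves/)
# are repaired with:  restorecon -Rv /var/named/chroot/var/named
# A directory the file contexts do not cover keeps its wrong label after
# restorecon and needs its own fcontext rule first.
```

If `ps -eZ` shows named in a domain other than `named_t` (for example `initrc_t`), the daemon is not confined at all and the directory labels are not what is producing the denials.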
On 14/02/13 7:23 PM, Robert Moskowitz wrote:
> I was getting permission errors (seen in /var/log/messages) in accessing these two directories within my chroot tree. I was pulling out what little hair I have, as the permissions were identical to those on my Centos 5.5 server. So I switched selinux into permissive mode and now I have /var/named/chroot/var/named/data/named.run and my ..../named/slave/ stubs.
> What is the selinux magic to allow bind to write here?
Hi,
This may start a debate, but it is my understanding that RH recommends not using chroot jails with bind, as selinux is more secure. For some additional information see the following extract from the BIND 9 FAQ:
https://scs.senecac.on.ca/~raymond.chan/nad810/0701/SELinux-DNS.html
Right now I can't locate this on the new ISC website though. There is also an selinux section in the named(8) manual page, for example:
http://linux.die.net/man/8/named
which states pretty much the same.
If you wish to stay with chroot then the key is probably to install the bind-chroot package and ensure that the ROOTDIR variable is set correctly in:
/etc/sysconfig/named
For what it's worth, I'm running a number of master/slave DNS servers under selinux with no problems. Any updates on the master propagate happily to the slaves. Mind you, these are low traffic DNS servers that sit behind a firewall.
Cheers -pete
On 02/14/2013 11:09 PM, Peter Brady wrote:
> On 14/02/13 7:23 PM, Robert Moskowitz wrote:
>> I was getting permission errors (seen in /var/log/messages) in accessing these two directories within my chroot tree. I was pulling out what little hair I have, as the permissions were identical to those on my Centos 5.5 server. So I switched selinux into permissive mode and now I have /var/named/chroot/var/named/data/named.run and my ..../named/slave/ stubs.
>> What is the selinux magic to allow bind to write here?
> Hi,
> This may start a debate, but it is my understanding that RH recommends not using chroot jails with bind, as selinux is more secure.
Oh NO!!! A security debate!!!
Well this system is only for bind and as an internal ntp server, so maybe I can keep selinux on. But then I am a communications security specialist not an OS security specialist, so I can't contribute as to which is more limiting on bind's access to things it should not see.
> For some additional information see the following extract from the BIND 9 FAQ:
> https://scs.senecac.on.ca/~raymond.chan/nad810/0701/SELinux-DNS.html
More reading.
> Right now I can't locate this on the new ISC website though.
A number of them are my IETF buddies, so I can (and will) ask them directly.
> There is also an selinux section in the named(8) manual page, for example:
> http://linux.die.net/man/8/named
> which states pretty much the same.
> If you wish to stay with chroot then the key is probably to install the bind-chroot package and ensure that the ROOTDIR variable is set correctly in:
> /etc/sysconfig/named
Done but that did not help with selinux and the named/data directory.
> For what it's worth, I'm running a number of master/slave DNS servers under selinux with no problems. Any updates on the master propagate happily to the slaves. Mind you, these are low traffic DNS servers that sit behind a firewall.
This will sit behind a firewall, but has an external view. Another thing is I have to learn about supporting the 4096 possible UDP source ports on my firewall. That is yet another thing to fix. And STILL not yet to DNSSEC config.
I will probably rebuild the test box over the weekend and try without chroot.