I rebuilt my server and set up bind to log queries in a chroot.

    ################################################################################
    # Logging Configuration
    #
    logging {
        #
        # Define channels for the two log files
        #
        channel query_log {
            severity info;
            print-time yes;
            file "/var/log/query.log" versions 3 size 100M;
        };
        channel activity_log {
            severity info;
            print-time yes;
            print-category yes;
            print-severity yes;
            file "/var/log/activity.log" versions 3 size 100M;
        };
    };
Below is the security context of the files in the chroot.
    [root@josh log]# ls -alZ /var/named/chroot/var/log/activity.log
    -rw-r--r-- named named root:object_r:named_conf_t /var/named/chroot/var/log/activity.log
    [root@josh log]# ls -alZ /var/named/chroot/var/log/query.log
    -rw-r--r-- named named root:object_r:named_conf_t /var/named/chroot/var/log/query.log

I temporarily disabled selinux, but there was one simple step I missed (forgot, since I did this years ago). I briefly recall creating a symlink and/or using chcon or one of the selinux commands.
Thanks, Josh
Josh Donovan wrote:
I rebuilt my server and set up bind to log queries in a chroot.
    [root@josh log]# ls -alZ /var/named/chroot/var/log/activity.log
    -rw-r--r-- named named root:object_r:named_conf_t /var/named/chroot/var/log/activity.log
That should be root:object_r:named_log_t, IIRC.
Ralph
--- On Wed, 10/9/08, Ralph Angenendt ra+centos@br-online.de wrote:
From: Ralph Angenendt ra+centos@br-online.de
Subject: Re: [CentOS] DNS Logging with Selinux enabled
To: centos@centos.org
Date: Wednesday, 10 September, 2008, 9:27 AM

Josh Donovan wrote:
I rebuilt my server and set up bind to log queries in a
chroot.
[root@josh log]# ls -alZ
/var/named/chroot/var/log/activity.log
-rw-r--r-- named named
root:object_r:named_conf_t /var/named/chroot/var/log/activity.log
That should be root:object_r:named_log_t, IIRC.
Ralph
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

    [root@josh named]# ls -alZ
    drwxrwx--- named named root:object_r:named_log_t .
    drwxrwx--- root  root  system_u:object_r:named_log_t ..
    -rw------- named named system_u:object_r:named_log_t activity.log
    -rw------- named named system_u:object_r:named_log_t query.log

How do I get root:object_r:named_log_t, as it's now system_u:object_r:named_log_t on the logs?
Thanks, Josh
Josh Donovan wrote:
--- On Wed, 10/9/08, Ralph Angenendt ra+centos@br-online.de wrote:
That should be root:object_r:named_log_t, IIRC.
-rw------- named named system_u:object_r:named_log_t query.log
How do I get root:object_r:named_log_t as its now system_u:object_r:named_log_t on the logs?
That doesn't matter. For the normal targeted policy only the last part of the policy listing is important (named_log_t in this case).
Cheers,
Ralph
PS: Please trim your mails
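Ralph's point above is that under the targeted policy only the type field of the context (named_log_t here) is what the policy checks; the SELinux user (root vs system_u) and role (object_r) on a file do not matter. The following POSIX shell check is an added example, not code from anyone in this thread: it takes lines in the "ls -alZ" layout shown in Josh's mails (perms owner group context path), extracts only the type from each context, and reports files that are not named_log_t together with the chcon/restorecon command that would relabel them. The sample lines, the EXPECTED_TYPE variable and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example: verify that files in the bind chroot log directory carry the
# type the targeted policy expects (named_log_t), comparing only the type
# field of the SELinux context, never the user or role part.

EXPECTED_TYPE="named_log_t"   # assumption: the type the named policy allows for logs

# Return the type (third colon-separated field) of a context string, e.g.
# "root:object_r:named_conf_t" -> named_conf_t
# "system_u:object_r:named_log_t:s0" -> named_log_t
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Check one line in the thread's "ls -alZ" layout:
#   perms owner group context path
# Returns 0 when the type matches EXPECTED_TYPE, 1 otherwise (and prints the
# relabel command an admin would run; it does not run it).
check_ls_line() {
    line=$1
    ctx=$(printf '%s\n' "$line" | awk '{print $(NF-1)}')
    path=$(printf '%s\n' "$line" | awk '{print $NF}')
    t=$(context_type "$ctx")
    if [ "$t" = "$EXPECTED_TYPE" ]; then
        echo "ok   $path ($ctx)"
        return 0
    fi
    echo "FIX  $path has type $t, expected $EXPECTED_TYPE"
    echo "     chcon -t $EXPECTED_TYPE $path    # or: restorecon -v $path"
    return 1
}

# Read "ls -alZ" lines on stdin and return how many are mislabelled.
count_mislabelled() {
    n=0
    while IFS= read -r l; do
        [ -n "$l" ] || continue
        check_ls_line "$l" >/dev/null || n=$((n + 1))
    done
    echo "$n"
}

# Constructed sample lines: the first mirrors the named_conf_t label Josh saw,
# the second the named_log_t label that fixed it.
SAMPLE_BAD='-rw-r--r-- named named root:object_r:named_conf_t /var/named/chroot/var/log/activity.log'
SAMPLE_OK='-rw------- named named system_u:object_r:named_log_t query.log'

# Stand-alone run over the constructed lines. On a real host feed it
#   ls -alZ /var/named/chroot/var/log | while IFS= read -r l; do check_ls_line "$l"; done
printf '%s\n' "$SAMPLE_BAD" "$SAMPLE_OK" | while IFS= read -r l; do
    check_ls_line "$l" || true
done
```

chcon changes the label only until the next relabel; to make named_log_t stick for the chroot log directory, record it with `semanage fcontext -a -t named_log_t '/var/named/chroot/var/log(/.*)?'` and then apply it with `restorecon -Rv /var/named/chroot/var/log`. The awk field positions assume the short `ls -alZ` layout shown in this thread; newer coreutils print size and date between the context and the path, so adjust `$(NF-1)` accordingly there.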
--- On Thu, 11/9/08, Ralph Angenendt ra+centos@br-online.de wrote:
From: Ralph Angenendt ra+centos@br-online.de
Subject: Re: [CentOS] DNS Logging with Selinux enabled
To: "CentOS mailing list" centos@centos.org
Date: Thursday, 11 September, 2008, 5:48 PM
That doesn't matter. For the normal targeted policy only the last part of the policy listing is important (named_log_t in this case).
Cheers,
Ralph
PS: Please trim your mails
That did it. It's a wonder how upstream never fixes these issues, considering the average admin would like to log DNS queries in a chroot. As for trimming the mail, it's a while since I was on the mailing list, but I remembered not to top post. :-)
Thanks, Josh
Josh Donovan wrote:
--- On Thu, 11/9/08, Ralph Angenendt ra+centos@br-online.de wrote:
From: Ralph Angenendt ra+centos@br-online.de
Subject: Re: [CentOS] DNS Logging with Selinux enabled
To: "CentOS mailing list" centos@centos.org
Date: Thursday, 11 September, 2008, 5:48 PM
That doesn't matter. For the normal targeted policy only the last part of the policy listing is important (named_log_t in this case).
Cheers,
Ralph
PS: Please trim your mails
That did it. It's a wonder how upstream never fixes these issues, considering the average admin would like to log DNS queries in a chroot. As for trimming the mail, it's a while since I was on the mailing list, but I remembered not to top post. :-)
When I asked about a similar problem a while back, the SELinux folks told me that bind-chroot was not supported under SELinux because SELinux already provides better protection.
Robert Nichols wrote:
When I asked about a similar problem a while back, the SELinux folks told me that bind-chroot was not supported under SELinux because SELinux already provides better protection.
That is wrong. Every release of Fedora comes out and people ask how to configure bind to work in a chroot with selinux enabled. As Fedora is a testbed for upstream, we should have these things ironed out. Possibly having a separate SELinux/Docs mailing list means they may not be aware of what is going on in the mainstream.
Some of the old Fedora Docs are informative. Even a work in progress like http://fedoraproject.org/wiki/Docs/Drafts/AdministrationGuide/Servers/DNSBIN...
shows bind-chroot can work with SELinux
Josh Donovan wrote:
Robert Nichols wrote:
When I asked about a similar problem a while back, the SELinux folks told me that bind-chroot was not supported under SELinux because SELinux already provides better protection.
That is wrong. Every release of Fedora comes out and people ask how to configure bind to work in a chroot with selinux enabled. As Fedora is a testbed for upstream, we should have these things ironed out. Possibly having a separate SELinux/Docs mailing list means they may not be aware of what is going on in the mainstream.
Some of the old Fedora Docs are informative. Even a work in progress like http://fedoraproject.org/wiki/Docs/Drafts/AdministrationGuide/Servers/DNSBIN...
shows bind-chroot can work with SELinux
"Can work," yes. "Does upstream care that it doesn't install and work cleanly," no. That's the word I got from "upstream" (fedora-selinux-list).
On Friday 12 September 2008 14:56, Robert Nichols wrote:
Josh Donovan wrote:
Robert Nichols wrote:
When I asked about a similar problem a while back, the SELinux folks told me that bind-chroot was not supported under SELinux because SELinux already provides better protection.
That is wrong. Every release of Fedora comes out and people ask how to configure bind to work in a chroot with selinux enabled. As Fedora is a testbed for upstream, we should have these things ironed out. Possibly having a separate SELinux/Docs mailing list means they may not be aware of what is going on in the mainstream.
Some of the old Fedora Docs are informative. Even a work in progress like http://fedoraproject.org/wiki/Docs/Drafts/AdministrationGuide/Servers/DNSBIND/BINDChroot
shows bind-chroot can work with SELinux
"Can work," yes. "Does upstream care that it doesn't install and work cleanly," no. That's the word I got from "upstream" (fedora-selinux-list).
bind-chroot works fine. The question is not if it works but if you are configuring it to work in that environment. With SELinux running and bind in a chroot environment it is allowed to write to slave/ and data/ (this is going from memory; I haven't had to set up bind-chroot in some time). As long as you set up your logging to data/ it will log everything and not complain. Only when you set up a custom server do you have issues.