[CentOS] Re: DNS Logging with Selinux enabled
Robert Spangler
mlists at zoominternet.net
Fri Sep 12 22:06:07 UTC 2008
On Friday 12 September 2008 14:56, Robert Nichols wrote:
> Josh Donovan wrote:
> > Robert Nichols wrote:
> >> When I asked about a similar problem a while back, the SELinux folks
> >> told me that bind-chroot was not supported under SELinux because
> >> SELinux already provides better protection.
> >
> > That is wrong. Every release of Fedora comes out and people ask how to
> > configure bind to work in a chroot with selinux enabled. As Fedora is a
> > testbed for upstream, we should have these things ironed out. Possibly
> > having a separate SELinux/Docs mailing list means they may not be aware
> > of what is going on in the mainstream.
> >
> > Some of the old Fedora Docs are informative. Even a work in progress
> > like
> > http://fedoraproject.org/wiki/Docs/Drafts/AdministrationGuide/Servers/DNSBIND/BINDChroot
> >
> > shows bind-chroot can work with SELinux
>
> "Can work," yes. "Does upstream care that it doesn't install and work
> cleanly," no. That's the word I got from "upstream"
> (fedora-selinux-list).

bind-chroot works fine. The question is not if it works but if you are
configuring it to work in that environment. With SELinux running and bind in
a chroot environment, it is allowed to write to slave/ and data/ (this is
going from memory, haven't had to set up bind-chroot in some time). As long as
you set up your logging to data/ it will log everything and not complain.
Only when you set up a custom server do you have issues.
--
Regards
Robert
It is not just an adventure.
It is my job!!
Linux User #296285
http://counter.li.org
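
An added example, not part of the original message: a small Python check that lists named.conf logging channels whose log file falls outside the directories the post says named may write to under SELinux. The sample configuration is constructed, and the directory names `data` and `slaves`, the default working directory `/var/named`, and the function names are assumptions of this example.

```python
import posixpath
import re

# Directories, relative to named's working directory, treated as writable.
# Assumption: "slaves" stands for the "slave/" the post recalls from memory.
WRITABLE_DIRS = ("data", "slaves")

# Constructed sample named.conf (not from the thread). Paths are as named
# sees them, i.e. inside the chroot when bind-chroot is used.
SAMPLE_CONF = '''
options { directory "/var/named"; };
logging {
    channel query_log  { file "data/query.log" versions 3 size 5m; };
    channel custom_log { file "/var/log/named/custom.log"; };
    channel escape_log { file "data/../named.log"; };
    channel to_syslog  { syslog daemon; };
    category queries { query_log; };
    category default { custom_log; escape_log; to_syslog; };
};
'''

def strip_comments(conf):
    """Drop /* */, // and # comments so commented-out channels are ignored."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#).*", "", conf)

def unwritable_log_channels(conf, writable=WRITABLE_DIRS):
    """Return [(channel, resolved_path)] for file channels outside writable dirs."""
    conf = strip_comments(conf)
    m = re.search(r'\bdirectory\s+"([^"]+)"', conf)
    workdir = m.group(1) if m else "/var/named"  # assumed default
    allowed = [posixpath.join(workdir, d) for d in writable]
    findings = []
    pattern = r'\bchannel\s+(\S+)\s*\{[^}]*?\bfile\s+"([^"]+)"'
    for name, path in re.findall(pattern, conf):
        # Relative paths resolve against the working directory; normpath
        # collapses "..", so "data/../x" is not mistaken for a data/ file.
        resolved = posixpath.normpath(posixpath.join(workdir, path))
        if not any(resolved.startswith(a + "/") for a in allowed):
            findings.append((name, resolved))
    return findings

if __name__ == "__main__":
    for name, path in unwritable_log_channels(SAMPLE_CONF):
        print(f"channel {name}: {path} is outside {', '.join(WRITABLE_DIRS)}")
```

Channels it reports are the ones to move under data/ or to cover with a matching SELinux file context before expecting named to write them.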