[CentOS] Re: DNS Logging with Selinux enabled

Fri Sep 12 22:06:07 UTC 2008
Robert Spangler <mlists at zoominternet.net>

On Friday 12 September 2008 14:56, Robert Nichols wrote:

>  Josh Donovan wrote:
>  > Robert Nichols wrote:
>  >> When I asked about a similar problem a while back, the
>  >> SELinux folks
>  >> told me that bind-chroot was not supported under SELinux
>  >> because
>  >> SELinux already provides better protection.
>  >
>  > That is wrong. Every release of Fedora comes out and people ask how to
>  > configure bind to work in a chroot with selinux enabled. As Fedora is a
>  > testbed for upstream, we should have these things ironed out. Possibly
>  > having a separate SELinux/Docs mailing list means they may not be aware
>  > of what is going on in the mainstream.
>  >
>  > Some of the old Fedora Docs are informative. Even a work in progress
>  > like
>  > http://fedoraproject.org/wiki/Docs/Drafts/AdministrationGuide/Servers/DN
>  >SBIND/BINDChroot
>  >
>  > shows bind-chroot can work with SELinux
>
>  "Can work," yes.  "Does upstream care that it doesn't install and work
>  cleanly," no.  That's the word I got from "upstream"
> (fedora-selinux-list).

bind-chroot works fine.  The question is not if it work but if you are 
configuring it to work in that environment.  With SELinux running and bind in 
a chroot environment it is allowed to write to slave/ and data/ (this is 
going from memory haven't had to setup bind-chroot in some time)  As long as 
you setup your logging to data/ it will log everything and not complain.  
Only when you setup a custom server do you have issues.


-- 

Regards
Robert

It is not just an adventure.
It is my job!!

Linux User #296285
http://counter.li.org