On 02/14/2013 11:09 PM, Peter Brady wrote:
> On 14/02/13 7:23 PM, Robert Moskowitz wrote:
>> I was getting permission errors (seen in /var/log/messages) in accessing
>> these two directories within my chroot tree. I was pulling out what
>> little hair I have, as the permissions were identical to those on my
>> Centos 5.5 server. So I switched selinux into permissive mode and now I
>> have /var/named/chroot/var/named/data/named.run and my ..../named/slave/
>> stubs.
>>
>> What is the selinux magic to allow bind to write here?
> Hi,
>
> This may start a debate but it is my understanding that RH recommends to
> not use chroot jails with bind as selinux is more secure.

Oh NO!!! A security debate!!!

Well, this system is only for bind and as an internal ntp server, so maybe I can keep selinux on. But then I am a communications security specialist, not an OS security specialist, so I can't contribute as to which is more limiting on bind's access to things it should not see.

> For some additional information see the following extract from the BIND 9 FAQ:
>
> https://scs.senecac.on.ca/~raymond.chan/nad810/0701/SELinux-DNS.html

More reading.

> Right now I can't locate this on the new ISC website though.

A number of them are my IETF buddies, so I can (and will) ask them directly.

> There is also a selinux section in the named(8) manual page, for example:
>
> http://linux.die.net/man/8/named
>
> which states pretty much the same.
>
> If you wish to stay with chroot then the key is probably to install the
> bind-chroot package and ensure that the ROOTDIR variable is set
> correctly in:
>
> /etc/sysconfig/named

Done, but that did not help with selinux and the named/data directory.

> For what it's worth I'm running a number of master/slave DNS servers
> under selinux with no problems. Any updates on the master propagate happily
> to the slaves. Mind you these are low traffic DNS servers that sit
> behind a firewall.

This will sit behind a firewall, but has an external view.

Another thing is I have to learn about supporting the 4096 possible UDP source ports on my firewall. That is yet another thing to fix. And STILL not yet to DNSSEC config.

I will probably rebuild the test box over the weekend and try without chroot.
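The "selinux magic" asked about above is usually not a policy change at all but a mislabelled directory: the permission error named logs in permissive mode shows up in the audit log as an AVC denial, and the target's type tells you whether a relabel or a boolean is the right fix. The script below is an added example written for this thread, not code from either poster; it parses a constructed AVC line and prints the remediation, assuming the RHEL/CentOS targeted policy where the chroot's data and slaves directories carry named_cache_t and the zone directory carries named_zone_t.

```shell
#!/bin/bash
# Added example (not from the mailing-list thread): triage an SELinux AVC
# denial for named writing under the bind chroot, and decide between
# "relabel the directory" and "flip a boolean", so SELinux can stay enforcing.
# Assumptions: targeted policy defaults (named_cache_t for data/ and slaves/,
# named_zone_t for the zone directory); the audit line below is constructed.
# On a real host the input lines come from: ausearch -m avc -c named -ts recent

# Print the value of one key=value field (quoted or bare) from an AVC line.
avc_field() {
    # $1 = AVC line, $2 = field name (e.g. tcontext, comm, name)
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# Type component of an SELinux context user:role:type:level.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Recommend a fix given the denied permissions, the target's current type,
# the type policy expects for that path, and the path itself.
suggest_fix() {
    local perms=$1 got=$2 expected=$3 path=$4
    if [ "$got" != "$expected" ]; then
        # Hand-made directories inherit var_t/default_t; restore the policy label.
        echo "relabel: restorecon -Rv $path   (got $got, policy expects $expected)"
    elif [ "$got" = "named_zone_t" ] && [ "${perms#*write}" != "$perms" ]; then
        # Writes into the zone directory itself are gated by a boolean.
        echo "boolean: setsebool -P named_write_master_zones 1"
    else
        echo "labels match; inspect the denial with: ausearch -m avc -c named | audit2allow -w"
    fi
}

# Parse one AVC line and hand the pieces to suggest_fix.
triage() {
    local line=$1 path=$2 expected=$3 perms ttype
    perms=$(printf '%s\n' "$line" | sed -n 's/.*{ \([a-z_ ]*\) }.*/\1/p')
    ttype=$(ctx_type "$(avc_field "$line" tcontext)")
    suggest_fix "$perms" "$ttype" "$expected" "$path"
}

# Constructed denial: named writing named.run inside a data/ directory that was
# created by hand and therefore still carries var_t instead of named_cache_t.
SAMPLE='type=AVC msg=audit(1360900000.123:456): avc:  denied  { write } for  pid=1234 comm="named" name="named.run" dev=dm-0 ino=12345 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file'

triage "$SAMPLE" /var/named/chroot/var/named/data named_cache_t
```

Run it against real lines by piping `ausearch -m avc -c named -ts recent` through `triage` with the path and expected type from `matchpathcon <path>`.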