[CentOS] Selinux blocking bind access to named/data and slave directories

Fri Feb 15 05:30:54 UTC 2013
Robert Moskowitz <rgm at htt-consult.com>

On 02/14/2013 11:09 PM, Peter Brady wrote:
> On 14/02/13 7:23 PM, Robert Moskowitz wrote:
>> I was getting permission errors (seen in /var/log/messages) in accessing
>> these two directories within my chroot tree.  I was pulling out what
>> little hair I have, as the permissions were identical to those on my
>> Centos 5.5 server.  So I switched selinux into permissive mode and now I
>> have /var/named/chroot/var/named/data/named.run and my ..../named/slave/
>> stubs.
>>
>> What is the selinux magic to allow bind to write here?
> Hi,
>
> This may start a debate but it is my understanding that RH recommends to
> not use chroot jails with bind as selinux is more secure.

Oh NO!!! A security debate!!!

Well this system is only for bind and as an internal ntp server, so 
maybe I can keep selinux on.  But then I am a communications security 
specialist not an OS security specialist, so I can't contribute as to 
which is more limiting on bind's access to things it should not see.

> For some additional information see the following extract from the BIND 9 FAQ:
>
> https://scs.senecac.on.ca/~raymond.chan/nad810/0701/SELinux-DNS.html

More reading.

> Right now I can't locate this on the new ISC website though.

A number of them are my IETF buddies, so I can (and will) ask them directly.

> There is also an selinux section in the named(8) manual page, for example:
>
> http://linux.die.net/man/8/named
>
> which states pretty much the same.
>
> If you wish to stay with chroot then the key is probably to install the
> bind-chroot package and ensure that the ROOTDIR variable is set
> correctly in:
>
> /etc/sysconfig/named

Done but that did not help with selinux and the named/data directory.

> For what it's worth I'm running a number of master/slave DNS servers
> under selinux no problems.  Any updates on the master propagates happily
> to the slaves.  Mind you these are low traffic DNS servers that sit
> behind a firewall.

This will sit behind a firewall, but has an external view.  Another 
thing is I have to learn about supporting the 4096 possible UDP source 
ports on my firewall.  That is yet another thing to fix.  And STILL not 
yet to DNSSEC config.

I will probably rebuild the test box over the weekend and try without 
chroot.
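Added example, not part of the thread above and not from any of its participants: a small POSIX shell script that reads SELinux AVC denial records of the kind the original poster saw (auditd writes them to /var/log/audit/audit.log; without auditd the same `avc: denied` text lands in /var/log/messages with a `kernel:` prefix, which the parser tolerates) and sorts named's denials into the three cases an admin has to tell apart: the target has a label the policy never meant for named (fix by relabelling), the target is in the zone tree and named is trying to write it (a policy boolean decides that), or something else that needs a closer look. The three records are constructed for this example; pids, inodes and timestamps are made up. The `expected_type` function encodes the stock targeted policy's file-context rules for the bind-chroot zone tree: `data`, `slaves` and `dynamic` under `/var/named/chroot/var/named` are `named_cache_t`, everything else under that directory is `named_zone_t`. A directory called `slave`, as in the post, falls under the parent rule and gets `named_zone_t`, which named cannot write unless `named_write_master_zones` is on; confirm the rules on your own box with `matchpathcon` or `semanage fcontext -l | grep named` before relying on them.

```shell
#!/bin/sh
# Added example (not from the thread): classify SELinux AVC denials raised
# against named and print the matching admin action. The three audit records
# below are constructed for this example; pids, inodes and timestamps are made up.
AVC_DATA_DIR='type=AVC msg=audit(1360906254.101:201): avc:  denied  { write } for  pid=2145 comm="named" name="data" dev=dm-0 ino=131074 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir'
AVC_ZONE_DIR='type=AVC msg=audit(1360906254.102:202): avc:  denied  { add_name } for  pid=2145 comm="named" name="example.test.db" scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir'
AVC_OTHER='type=AVC msg=audit(1360906254.103:203): avc:  denied  { read } for  pid=987 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file'

# avc_field RECORD KEY: print the value of KEY=value (surrounding quotes stripped)
# from one audit record. Works on raw auditd lines and on the syslog copies.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# context_type CONTEXT: the SELinux type is the third field of user:role:type:level.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# classify_named_avc RECORD: prints not-named | relabel | boolean | other
classify_named_avc() {
    _rec=$1
    if [ "$(avc_field "$_rec" comm)" != named ]; then
        echo not-named
        return 0
    fi
    _ttype=$(context_type "$(avc_field "$_rec" tcontext)")
    case $_ttype in
        named_zone_t)
            # The zone tree is read-only for named unless the boolean
            # named_write_master_zones is on; a write here is a policy decision.
            echo boolean ;;
        named_cache_t|named_conf_t|named_log_t|named_var_run_t)
            # Target already carries a named-owned type: not a labelling problem.
            echo other ;;
        *)
            # Anything else (var_t, default_t, ...) means the file was created or
            # copied without the label the policy expects: relabel it.
            echo relabel ;;
    esac
}

# expected_type PATH: label the stock targeted policy assigns inside the
# bind-chroot zone tree (its file-context rules for /var/named/chroot/var/named).
# Paths outside that tree are reported as unknown rather than guessed.
expected_type() {
    case $1 in
        /var/named/chroot/var/named/data|/var/named/chroot/var/named/data/*|\
        /var/named/chroot/var/named/slaves|/var/named/chroot/var/named/slaves/*|\
        /var/named/chroot/var/named/dynamic|/var/named/chroot/var/named/dynamic/*)
            echo named_cache_t ;;
        /var/named/chroot/var/named|/var/named/chroot/var/named/*)
            echo named_zone_t ;;
        *)
            echo unknown ;;
    esac
}

# suggest_fix CLASS: the admin action for each classification.
suggest_fix() {
    case $1 in
        relabel) echo 'restorecon -Rv /var/named/chroot/var/named  # reapply policy labels' ;;
        boolean) echo 'setsebool -P named_write_master_zones on   # let named write zone files' ;;
        other)   echo 'ausearch -m avc -c named | audit2why       # inspect the remaining denial' ;;
        *)       echo 'not a named denial' ;;
    esac
}

# Walk the constructed records when run directly.
for rec in "$AVC_DATA_DIR" "$AVC_ZONE_DIR" "$AVC_OTHER"; do
    class=$(classify_named_avc "$rec")
    printf '%-10s %s\n' "$class" "$(suggest_fix "$class")"
done
```

Run it as `sh classify_avc.sh`; the first record (a `var_t` directory named `data`) comes out as `relabel`, the second (a write into `named_zone_t`) as `boolean`, and the httpd record is ignored. To use it against a real box, replace the three constants with lines from `ausearch -m avc -c named` and compare `ls -Z` on each denied path with `expected_type`.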