[CentOS] Selinux blocking bind access to named/data and slave directories

Fri Feb 15 04:09:46 UTC 2013
Peter Brady <subscriptions at simonplace.net>

On 14/02/13 7:23 PM, Robert Moskowitz wrote:
> I was getting permission errors (seen in /var/log/messages) in accessing 
> these two directories within my chroot tree.  I was pulling out what 
> little hair I have, as the permissions were identical to those on my 
> Centos 5.5 server.  So I switched selinux into permissive mode and now I 
> have /var/named/chroot/var/named/data/named.run and my ..../named/slave/ 
> stubs.
> 
> What is the selinux magic to allow bind to write here?

Hi,

This may start a debate, but it is my understanding that RH recommends
not using chroot jails with bind, as selinux is more secure.  For some
additional information see the following extract from the BIND 9 FAQ:

https://scs.senecac.on.ca/~raymond.chan/nad810/0701/SELinux-DNS.html

Right now I can't locate this on the new ISC website though.  There is
also an selinux section in the named(8) manual page, for example:

http://linux.die.net/man/8/named

which states pretty much the same.

If you wish to stay with chroot then the key is probably to install the
bind-chroot package and ensure that the ROOTDIR variable is set
correctly in:

/etc/sysconfig/named

For what it's worth, I'm running a number of master/slave DNS servers
under selinux with no problems.  Any updates on the master propagate
happily to the slaves.  Mind you, these are low traffic DNS servers that
sit behind a firewall.

Cheers
-pete

-- 
Peter Brady
Email: pdbrady at ans.com.au
Skype: pbrady77
